Introduction
When the DPDP Act was introduced in 2023, it shaped the basic rules for how personal data should be processed in India. Now that the Final DPDP Rules have been implemented in 2025, it’s worth comparing them with the Draft Rules to see what’s new and how these changes affect compliance responsibilities.
This blog outlines the key differences between:
- The Draft Rules (consultation version), and
- The Final DPDP Rules, 2025.
Background – Understanding the DPDP Framework
The DPDP Act, 2023
The Act establishes a rights-based framework for the processing of digital personal data, recognizing the rights of the Data Principal, and defining obligations for the Data Fiduciary and Data Processor.
Key DPDP concepts:
- Data Principal – The individual to whom the personal data relates
- Data Fiduciary – The entity determining the purpose and means of processing
- Data Processor – The entity processing personal data on behalf of a Data Fiduciary
- Consent Manager – A MeitY-notified platform enabling Data Principals to give, withdraw, and manage consent
- Personal Data Breach – Any unauthorised processing, disclosure, or breach of security safeguards
- Significant Data Fiduciary – SDFs require a DPO, yearly DPIAs and audits, compliance reporting, and safe algorithmic practices.
- Data Protection Board of India – The adjudicatory body established under the Act
Draft Rules vs Final DPDP Rules – Simplified Comparison
| Area | Draft Rules | Final DPDP Rules, 2025 |
|---|---|---|
| Compliance Timeline | No defined obligation schedule. | Phased compliance within 18 months from notification for all Data Fiduciaries. |
| Notice & Consent (Rule 3) | Basic requirements for privacy notice and consent. | Data Fiduciaries must issue a clear, itemized notice containing the purposes of processing before seeking consent. |
| Consent Manager (Rule 4) | Concept introduced with high-level guidelines. | Includes all registration conditions: ₹2 crore net worth, interoperability certification, and seven-year record retention. |
| Personal Data Breach (Rule 7) | Reporting obligations are unclear. | Fiduciaries must issue quick breach alerts, provide detailed reports within 72 hours, and directly notify impacted Data Principals. |
| Rights of Data Principals (Rule 14) | General mention of rights with no timelines. | Data Fiduciary must respond to Data Principal requests (access, correction, erasure, grievance) within 90 days. |
| Significant Data Fiduciary (SDF) (Rule 13) | Classification parameters are not detailed. | SDFs must conduct Data Protection Impact Assessments, periodic audits, and appoint a Data Protection Officer (DPO) in India. |
| Processing of Children’s Data (Rule 10) | Basic protection for minors. | Verifiable parental consent required; stricter obligations for processing of personal data of children and persons with disabilities. |
| Cross-Border Data Transfer (Rule 15) | Ambiguous, with potential broad restrictions. | Permitted except for countries specifically restricted by the Central Government; SDFs may have additional obligations. |

Implications for Data Fiduciaries
Strengthening Consent Architecture
Redesign consent workflows to ensure:
- Clear and specific notice
- Freely given consent
- Clear consent withdrawal options
- Integration with Consent Manager platforms
Enhanced Breach-Response Obligations
In the event of a personal data breach:
- Notify the affected Data Principals
- Notify the Data Protection Board (where required)
- Communicate in clear, simple language
- Initiate remedial and containment measures
Data Principal Rights Management
Data Fiduciaries must ensure mechanisms for:
- Access to personal data
- Correction of inaccurate personal data
- Erasure when lawful
- Grievance redressal
- Timely responses within 90 days
Obligations for Significant Data Fiduciaries
SDFs must implement:
- Mandatory Data Protection Impact Assessments (DPIA)
- Periodic data audits
- Appointment of a Data Protection Officer (DPO) based in India
- Higher levels of risk management for processing operations
Compliance Roadmap for Organizations
- Data Mapping: Identify all categories of personal data, processing purposes, and Data Processors.
- Consent & Notice Compliance: Update notices to reflect mandatory DPDP disclosures.
- Processor Agreements: Ensure Data Processing Agreements (DPAs) meet DPDP standards.
- Breach Management Framework: Establish incident-response plans and communication templates.
- Cross-Border Data Flow Review: Evaluate international transfers and ensure compliance with permitted jurisdictions.
- Training & Awareness: Educate employees on DPDP concepts, obligations, and penalties.
- Audit Readiness: Build internal documentation for accountability and audit trails.
Why the Changes Matter
The shift from the draft Rules to the final Rules reflects two important priorities:
- Balancing protection and innovation: The draft Rules were viewed by some as overly burdensome, particularly for start-ups and smaller firms. The final Rules incorporate stakeholder feedback to make the framework more practicable while preserving robust protections.
- Aligning with global standards: By strengthening individual rights (access, correction, erasure), transparency and accountability, India’s framework moves closer to international norms (e.g., the General Data Protection Regulation). This has implications for global companies operating in India and cross-border data flows.
For users/consumers, these changes mean greater clarity about how their digital data is used, more control over consent, and a stronger mechanism for recourse in case of misuse.
For businesses, it signals that data-privacy compliance is now a key strategic and operational imperative — not just a legal afterthought.
Conclusion
The evolution of the Draft Rules into the Final DPDP Rules represents a more structured, enforceable and practical framework.
While the Draft Rules outlined broad expectations, the final DPDP Rules clearly define operational obligations for Data Fiduciaries, Data Processors, and Significant Data Fiduciaries.
Organizations must now prioritise a compliant data-governance framework — not only to meet legal obligations, but to build long-term trust with Data Principals in India’s rapidly digitizing economy.
