
Finalised Digital Personal Data Protection Rules, 2025 & Compliance Implications for Non-profits in India

This Note is designed to be read as a refresher of the provisions of the Act in the wake of the finalised DPDP Rules. Please do go through our Primers (Data Protection Primer for Non-Profits, Mitigating Legal and Ethical Risks for non-profits in use of AI, Digital Data Protection & Consent Protocols for Persons with Disabilities) and Pulse by Pacta edition (Part I, Part II, Part III) for more in-depth analysis into the impact of Data Protection legislation on non-profits.



The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 (“the Rules”) on 14 November 2025, marking the full operationalisation of the Digital Personal Data Protection Act, 2023 (DPDP Act). The notified Rules differ little from the draft Rules released in January 2025. In this Note, we go through the provisions of the finalised Rules and identify actionables for non-profit organisations that collect, process, store or share personal data.


1. Timeline for Implementation of the Rules


Rule 1 provides for the staggered implementation of the DPDP Act’s provisions:

  1. Rules relating to the setting up of the Data Protection Board shall come into force immediately.

  2. Rules relating to the registration of Consent Managers shall come into force one year from the notification of the Rules, i.e., November 2026.

  3. All other rules, including the obligations of Data Fiduciaries and Data Processors, come into force 18 months from the notification of the Rules, i.e., May 2027.


2. Obligations of Data Fiduciaries


Data Fiduciaries have the responsibility to:

  1. Provide clear and understandable notice to the Data Principal, with an itemised description of the personal data to be collected, the purpose for which it is being collected, and the manner in which the Data Principal can withdraw their consent, exercise their rights, or complain to the Data Protection Board. [Rule 3]

  2. Implement reasonable security safeguards, including encryption, obfuscation, access control measures, maintaining logs, measures to maintain continued processing in the event of a breach of confidentiality, detection and investigation of unauthorised access, and other technical or organisational safeguards. Data Fiduciaries must also include data protection provisions in their contracts with any Data Processors. [Rule 6]

  3. Intimate the Data Principal and the Data Protection Board of a data breach within 72 hours. [Rule 7]

  4. Retain personal data, associated traffic data and other logs for a period of one year from the date of processing such data. After that period of one year, if retention is not mandated under any law, the data must be deleted. 48 hours before deleting the personal data, the Data Fiduciary must inform the Data Principal that their data will be deleted unless the Data Principal logs into their account or otherwise contacts the Data Fiduciary for the performance of the purpose for which the data is processed, or to exercise their rights in relation to that data. This is an important new obligation under the DPDP Rules that was not present in the draft Rules. [Rule 8(3)]

  5. Mention the business contact details of a Data Protection Officer (phone number or email address), or any employee who can answer questions about processing from any Data Principal. [Rule 9]

  6. Collect verifiable consent for processing the data of children or persons with disabilities. [The draft Rules dealt with this under one Rule, but the notified Rules split it into two, Rules 10 and 11.]

  7. Share personal data outside India only in compliance with any orders issued by the Central Government. While no such orders have yet been notified with respect to any country, the Government is likely to notify them soon. [Rule 15]
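As an added example that is not part of this Note, the retention-and-erasure schedule of Rule 8(3) as summarised above, written as a small Python scheduler: the record shape, the assumption that a login or contact restarts the one-year clock from that date, and the sample dates are all constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Periods as summarised for Rule 8(3) in the Note above.
RETENTION = timedelta(days=365)     # retain for one year from the date of processing
NOTICE_LEAD = timedelta(hours=48)   # inform the Data Principal 48 hours before erasure

@dataclass
class PersonalDataRecord:
    """Constructed record shape (assumption): one row per Data Principal."""
    principal_id: str
    last_processed: datetime            # most recent processing of this person's data
    notice_sent_at: Optional[datetime] = None
    legal_hold: bool = False            # retention mandated under another law

def erase_on(rec: PersonalDataRecord) -> datetime:
    return rec.last_processed + RETENTION

def next_action(rec: PersonalDataRecord, now: datetime) -> str:
    """Return 'keep', 'notify' or 'delete' for the record at time `now`."""
    if rec.legal_hold:
        return "keep"                   # Rule 8(3) yields to a legal retention mandate
    due = erase_on(rec)
    if rec.notice_sent_at is None:
        # Notice goes out 48 h before the due date; if the job ran late, send it now
        return "notify" if now >= due - NOTICE_LEAD else "keep"
    # Never delete before the due date, nor less than 48 h after the notice went out
    return "delete" if now >= max(due, rec.notice_sent_at + NOTICE_LEAD) else "keep"

def record_contact(rec: PersonalDataRecord, when: datetime) -> None:
    """Principal logged in or contacted the fiduciary: restart the clock, clear the notice."""
    rec.last_processed = when
    rec.notice_sent_at = None

def decide(last_processed: str, now: str, notice_sent: Optional[str] = None,
           legal_hold: bool = False) -> str:
    """ISO-8601 string front end for next_action, convenient for batch jobs and tests."""
    rec = PersonalDataRecord("p-1", datetime.fromisoformat(last_processed),
                             datetime.fromisoformat(notice_sent) if notice_sent else None,
                             legal_hold)
    return next_action(rec, datetime.fromisoformat(now))

if __name__ == "__main__":
    # Constructed walk-through: data last processed on 1 Jan 2026, checked on later dates
    for now in ("2026-06-01T00:00", "2026-12-30T00:00", "2027-01-02T00:00"):
        print(now, decide("2026-01-01T00:00", now))
```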


3. Aspects Awaiting Further Clarity for Compliance

  1. The Government is yet to notify the standards that determine the basis for declaring any Data Fiduciary a Significant Data Fiduciary. Significant Data Fiduciaries (SDFs) have greater obligations under the DPDP Act and the Rules and are likely to be designated on the basis of the number of users.

  2. The Government will also soon release orders dealing with cross-border transfer of personal data. Such orders are likely to restrict transfers to certain territories and must be complied with.
