Overview
- IT Minister Ashwini Vaishnaw said the government will amend the rules to compress the current 12–18 month compliance window for large companies after consultations with industry.
- The DPDP Rules, 2025 are now in force with a phased schedule that brings the Data Protection Board into effect immediately, activates the consent‑manager framework at 12 months, and starts most fiduciary obligations at 18 months.
- Breach reporting is mandatory within six hours to CERT‑In and within 22 hours to the Data Protection Board, with prompt notices to affected individuals and penalties that can reach Rs 250 crore per contravention.
- The rules allow the Centre to designate significant data fiduciaries and restrict cross‑border transfers of specified personal and related traffic data via a government committee, signaling potential localisation requirements.
- Companies must implement verifiable parental consent mechanisms for processing children’s data, with experts warning of substantial compliance and engineering costs across sectors.