Final DPDP rules welcomed for clarity, yet experts see gaps in SDF designation, data localisation

NewsDrum Desk

New Delhi: The Digital Personal Data Protection rules lay out a clear roadmap for enterprises on collecting, processing and securing personal data, many experts said Friday, adding that the transition period and phased roll-out will give companies time to recalibrate data architectures and implement consent mechanisms and other necessary frameworks.

Some, however, felt that the final rules had left many of the operational burdens intact, even after discussions. They flagged the "uncertainty" and lack of clarity around the criteria and process for designating an entity as a 'significant data fiduciary'.

As per Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India, the rules set fixed obligations, which lead to an increase in the cost of compliance, apart from an increase in legal and operational costs.

"With the DPDP Rules now notified, Indian enterprises have a clear roadmap on how they collect, process, secure and govern personal data," Rao said.

Terming the phased roll-out as crucial, Rao explained that it gives organisations the space to operationalise privacy, recalibrate their data architecture and embed accountable fiduciary practices seamlessly.

Enterprises, Rao said, must immediately prioritise data discovery, classification and data-mapping exercises, implement consent and retention workflows, strengthen breach-response mechanisms, and deploy technology-led governance tools that provide real-time visibility across the data lifecycle.

Rao described the latest move as a "regulator-driven opportunity for enterprises" to enforce 'Privacy by Design', 'Security by Design' and hence 'Trust by Design'.

Vinay Butani, Partner, Economic Laws Practice, said the one-year deadline for consent managers effectively pre-positions the consent infrastructure for DPDP compliance.

"By the 18-month enforcement date, a network of certified, neutral consent-service providers will be ready to handle opt-in/out mechanics, easing the shift to the new regime," Butani added.

The phased approach, celebrated by experts as a bridge to the new era, helps ensure businesses can implement the required consent mechanisms without being caught flat-footed when DPDP's core rules arrive, as per Butani.

Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co, said with the notification of DPDP Rules, the IT ministry has not only provided the much-needed clarity, but has been "judicious in allowing for an adequate transition period with substantive provisions of the Act coming into effect 18 months from now".

"Industry will now need to focus on the work to be done to align their data practices with the requirements of the DPDP Act and MEITY will need to focus on providing regulatory and interpretational clarity that will inevitably be needed," Chatterji said.

Mayuran Palanisamy, Partner, Deloitte India, noted that the establishment of a definite enforcement timeline for the DPDP Act signals a critical juncture, requiring organisations to align with its enforcement timelines.

"The DPDP rules emphasise on establishing a Data Protection Board, which serves as a key regulatory body. The rules also provide guidance to businesses on data breach reporting requirements, verifiable parental consent, the operational framework of a consent manager, compliance requirements, criteria for classifying a significant data fiduciary, and prescriptive security safeguards for protecting personal data," Palanisamy said.

According to Palanisamy, while these rules are a significant step forward, the successful implementation will require ongoing collaboration among regulators, businesses, and consumers.

Vikram Jeet Singh, Partner at BTG Advaya, observed that the release of the Digital Personal Data Protection Rules, 2025, is the culmination of a seven-year-long quest for India to put in place a data protection law.

Lagna Panda, Partner at AP and Partners, highlighted that a lot of provisions proposed by the draft rules (published for public consultation in early 2025) have been retained. This includes additional obligations for significant data fiduciaries (SDFs) and data erasure mandates for certain categories of data fiduciaries.

These obligations, especially the data localisation mandate, appear excessive, believes Panda, highlighting that there is also no clarity on the criteria and process for designating an entity as a significant data fiduciary.

Shreya Suri, Partner, CMS IndusLaw, said that with the notification of the final DPDP Rules and the constitution of the Data Protection Board, India has moved from broad policy signalling to a concrete enforcement-ready data protection regime.

Several high-impact obligations, including verifiable parental consent for children, a fully formalised consent-manager ecosystem, cross-border transfer restrictions, and tight breach-notification timelines, have now been crystallised, largely mirroring the January draft.

"But despite extensive stakeholder feedback, the final rules leave many of the operational burdens intact," she said.

A notable point of uncertainty, she said, is the classification of Significant Data Fiduciaries.

"While the Act prescribes the factors, the government has not yet notified which entities will fall into this category – meaning businesses do not know whether they must prepare for heightened obligations such as data localisation, mandatory audits, DPIAs, and algorithmic risk assessments. Unless this classification emerges soon, this uncertainty compresses the compliance runway for SDFs at a time when the regulator is already in place," she added.

While the Data Protection Board is coming into existence now, most obligations become enforceable only over the next 12–18 months, she said, emphasising that "this creates a rare situation where a regulator exists before its regulatory workload fully materialises for upwards of a year".
