
The morning of 13 November 2025: a Slack ping in caps

The DPDP Rules 2025 landed in the Gazette at 07:14 AM IST on 13 November 2025, and Hiren, who leads tech at a Mumbai cooperative bank, sent me a Slack message in caps. “ARE WE READY? BE HONEST.” I was not, the first time.

Hiren runs a two-branch cooperative bank with a digital lending stack that doubled its book in the last 18 months. 2,847 active borrower accounts. He has been calling me since the DPDP Act notification in 2023. Every six months he asks the same thing. “Priya, when does the clock actually start?”

I told him we had 18 months. We do not. Not for everything. That was the morning of the amber alert I had been ignoring for a year.

What actually changed in the DPDP Rules 2025

The draft floated in January 2025. Most of us read it, made checklists, waited. The final version published 13 November tightens five things that will matter to a 200 to 5,000 person Indian business.

One. The phased timeline. Rule 4 on Consent Managers comes alive 12 months after notification. November 2026. Rules 3, 5 to 16, 22 and 23 come alive 18 months after notification. 13 May 2027. Two deadlines, not one.

Two. Breach notification got teeth. The data fiduciary tells the Data Protection Board “without undue delay” the moment it is aware. A detailed report follows in 72 hours. This sits on top of the existing CERT-In 6-hour incident-reporting requirement. Two parallel filings, two formats, two timelines.

Three. Significant Data Fiduciary obligations. The Board can designate any company an SDF based on volume of data, sensitivity, foreign data flows, sovereignty risk. Once designated, you owe an annual Data Protection Impact Assessment and an annual independent audit. Both reports go to the Board.

Four. Consent notices. Itemised, plain-language, available in the schedule of 22 languages on demand. The boilerplate at the bottom of an onboarding screen does not pass any more.

Five. Log retention. One year minimum for traffic logs and other personal-data processing logs. A lot of Indian fintech and SaaS firms run 90-day rotation today. That is a budget question, not a checkbox.

The conversation at 09:40

Hiren dialled in on Meet with a printed Gazette page on his desk and a coffee already cold. He started with the wrong question. “Are we an SDF?”

Probably not on volume. 2,847 active customers is small. But cooperative banks process sensitive financial data, sit inside the RBI’s data localisation circle, and the Board has signalled it will look hard at financial-sector entities. The right answer was, “Plan as if you will be. Decide later.”

That was the moment I caught my own mistake. I had been telling Hiren the runway was 18 months. The Consent Manager rule turns on in 12. His lending platform takes consent on a third-party Android stack. That stack has to either register as a Consent Manager or integrate with one. Bas, procurement on that cannot start in March 2027. It has to start in March 2026.

“So I have a year, not 18 months.” Hiren said this the way someone does when they are mentally cancelling a vacation.

“For the consent layer, yes. For the rest, May 2027.”

The amber alert I had ignored

I went back into our shared Notion. There it was. November 2024. A note I had filed against the draft rules. “Purpose limitation field on the borrower onboarding screen reads as a single blanket statement. Will fail DPDP itemised-notice test.” Tagged amber. Never closed.

The reason was reasonable at the time. The draft was a draft. The lending team did not want to rewrite onboarding twice. So we parked it.

The final rules did not loosen this. They tightened it. Each purpose has to be listed separately, in plain language, with data categories tied to each purpose. The blanket statement is dead. I have watched this play out four times on other estates. The amber alert always looks small. It is the one thing the auditor notices in the first 15 minutes.


What we put on the whiteboard for the next 14 months

By 11:00 we had a sequenced plan. I am sharing it here because Hiren is not the only Mumbai BFSI head reading the Gazette this week.

| Deadline | What kicks in | What a 200 to 5,000 person firm has to ship |
| --- | --- | --- |
| Nov 2026 (12 months) | Rule 4. Consent Managers | Pick a registered Consent Manager or build the integration. Rework consent UI. Wire the audit log. |
| May 2027 (18 months) | Rules 3, 5-16, 22, 23. Notices, security, breach response, erasure, SDF duties | Itemised notices live. 72-hour breach response runbook tested. SDF readiness pack drafted. DPO appointed if SDF. One-year log retention budget signed. |
| Always-on (from May 2027) | 72-hour Board notification + 6-hour CERT-In | Two-track incident response. Tabletop quarterly. Logging architecture sized for one year retention. |
| Annual (if SDF) | DPIA + independent audit | Auditor empanelment by Q1 2027. Internal DPIA team or a DPO-as-a-service partner. |

₹250 crore. The DPDP penalty cap per instance of significant non-compliance. May 2027 is 23 months away. Your auditor is closer than that.


Where the 72-hour breach clock starts hurting

Hiren’s incident response today is built around the 6-hour CERT-In window. Law since April 2022. The team knows the drill. The 72-hour Board filing is not a relief, it is an additional report. Different reader. Different format. Different content.

CERT-In wants technical detail. IOCs, affected systems, containment. The Board wants the personal-data scope, the categories of data principals affected, remedial measures, prevention steps, identity of the actor if known.

I told Hiren to add a second column to the runbook. Same incident, two reports, two reviewers. The Board filing has to be approved by someone with sign-off authority on customer communications. The rules also require the data principal to be informed of certain breach categories. The CISO cannot do that alone. Firms that get this wrong are the ones that treat the 72-hour clock as a CISO problem. It is a board-level workflow.
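One way to build that second column as a runbook tracker, as an added example that is not from the post or from Hiren's bank: the hour counts are the ones the post gives, the required-field sets per track are an assumed encoding of the content described above (not a legal checklist), and the incident is constructed.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Filing tracks. "board_initial" models the "without undue delay" notice as due at
# the moment of awareness (a modelling assumption); the other two use fixed clocks.
TRACKS = {
    "cert_in":        {"hours": 6,  "required": ("iocs", "affected_systems", "containment")},
    "board_initial":  {"hours": 0,  "required": ("summary",)},
    "board_detailed": {"hours": 72, "required": ("personal_data_scope", "principal_categories",
                                                 "remedial_measures", "prevention_steps")},
}

def deadlines(aware_at):
    """Map each track to its filing deadline, measured from the moment of awareness."""
    return {name: aware_at + timedelta(hours=t["hours"]) for name, t in TRACKS.items()}

def missing_fields(track, draft):
    """Required fields that are absent or empty in the draft report for one track."""
    return [f for f in TRACKS[track]["required"] if not draft.get(f)]

def runbook_status(aware_at, now, drafts, filed):
    """Per-track view of one incident: deadline, hours left, gaps and state.
    drafts: {track: dict of report fields}; filed: set of tracks already submitted."""
    status = {}
    for track, due in deadlines(aware_at).items():
        gaps = missing_fields(track, drafts.get(track, {}))
        if track in filed:
            state = "filed"
        elif now > due:
            state = "overdue"
        elif gaps:
            state = "blocked"      # clock is running but the report cannot go out yet
        else:
            state = "ready"        # complete; waiting on the reviewer for this track
        status[track] = {"due": due, "hours_left": round((due - now).total_seconds() / 3600, 1),
                         "missing": gaps, "state": state}
    return status

if __name__ == "__main__":
    # Constructed sample incident, not a real event.
    aware = datetime(2026, 6, 1, 14, 0, tzinfo=IST)
    drafts = {
        "cert_in": {"iocs": ["198.51.100.7"], "affected_systems": ["lms-api-02"], "containment": "host isolated"},
        "board_detailed": {"personal_data_scope": "borrower KYC and loan ledger", "principal_categories": ["borrowers"]},
    }
    for track, s in runbook_status(aware, aware + timedelta(hours=5), drafts, set()).items():
        print(track, s["state"], s["due"].isoformat(), s["hours_left"], s["missing"])
```

Each track carries its own reviewer in the post's scheme, so the "ready" state is the hand-off point to that reviewer, not the filing itself.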

Why one-year log retention will reshape Indian SIEM budgets

One-year log retention is the quiet rule that will reshape budgets. Most Indian financial SaaS firms I see in audits run a 90-day hot tier and a cold archive that is not always indexed. Forensic readiness needs hot or warm. One year hot is a different sizing exercise.

Hiren’s bank, rough math at 09:48 IST: SIEM ingests 28 GB per day. 90-day retention = 2.5 TB. One year = 10.2 TB. Even with 4:1 compression, the bill jumps. The licensing of his current tool stops scaling linearly at 5 TB indexed. That changes the renewal conversation due in March 2026.

Arre, this is the cost of putting the audit off. We have a window now. Use it. Email DLP coverage on personal-data exfil paths matters for breach prevention. Endpoint controls on USB and screenshot exfil matter too. The 10-question DPDP readiness check is the cleanest way to score yourself today.

The five things Hiren took away from the call

  • Consent layer moves first. Procurement on the Consent Manager integration starts March 2026.
  • Treat SDF designation as likely, not possible. Empanel the auditor now.
  • Rewrite the onboarding consent screen with itemised purpose statements. The November 2024 amber alert closes this quarter.
  • Build the second column of the breach runbook. CERT-In 6 hours plus Board 72 hours, two reviewers, one sign-off chain.
  • SIEM renewal conversation moves up by six months. One-year retention, not 90 days.


What I told Hiren at the end of the call

I have done this exercise with about 40 Indian estates since 2023. The firms that close the May 2027 readiness comfortably are the ones that picked one calendar date in 2026 and made it the line. The ones that struggle wait for the next clarification.

Hiren picked Republic Day 2027. Three months of buffer before May, two months after Diwali for the team. By 11:55 we had a tracker in the DPDP compliance package with eight workstreams, an owner against each, and the first checkpoint in January 2026.

This is the part that gets lost in the conference circuit. The 2025 rules are not a security project. They are a programme. Procurement, legal, customer communications, engineering, finance. Somebody has to write the names on the workstreams.

Key takeaways

  • 13 November 2025 was the notification. 13 May 2027 is the deadline for most rules. November 2026 is the earlier deadline for Consent Managers.
  • Breach response is now a two-track filing. CERT-In 6 hours, Data Protection Board 72 hours.
  • Significant Data Fiduciary designation pulls in annual DPIA and audit, with reports going to the Board.
  • One-year log retention is the rule that will quietly break SIEM budgets at mid-size firms.
  • The amber alerts already on your DPDP draft tracker are not going to get easier. Close them now.

FAQ

When do the DPDP Rules 2025 come into force?

MeitY notified the rules on 13 November 2025. Rule 4 (Consent Managers) becomes operational on 13 November 2026. Rules 3, 5 to 16, 22 and 23 become operational on 13 May 2027. Some provisions, including establishment of the Data Protection Board, were operational on notification. (Source: MeitY.)

How fast do I have to report a data breach under the DPDP Rules 2025?

You must inform the Data Protection Board “without undue delay” the moment you become aware. A detailed report follows within 72 hours. This is in addition to the existing 6-hour CERT-In reporting window for reportable cybersecurity incidents. The two filings are different in content and audience.

Will my company be a Significant Data Fiduciary?

The Central Government designates SDFs case-by-case using volume of data, sensitivity, sovereignty risk, foreign data flow and other criteria. There is no fixed customer-count threshold. Financial sector entities, large consumer platforms, and firms handling sensitive personal data at scale are the most likely candidates. Plan for SDF readiness if you are inside any of those buckets.

How long do I have to keep logs under the DPDP Rules 2025?

One year minimum for traffic logs and other logs of personal-data processing. This applies to all data fiduciaries, not just SDFs. For most Indian SaaS and BFSI firms running 90-day SIEM hot retention today, this needs a sizing review well before May 2027.

P.S. Sudeep here. Hiren is real. The bank is composite. We have done this readiness conversation with about 40 Indian estates since the DPDP Act notification in 2023. The firms that close the May 2027 ask comfortably are the ones that picked their own calendar date in 2026 and held it. If you want help picking yours, book the 4-hour check. We will not pitch you a tool. We will tell you what closes and what stays open.


Cross-read: the DPDP audit-day story from another Mumbai BFSI desk. ISO 27001 is the closest frame for the Rule 6 security obligations (iso.org/27001).
