Rule 1: Short Title and Commencement
This rule specifies that the regulations shall be called the Digital Personal Data Protection Rules, 2025.
It also states that the rules will come into effect on dates notified by the Central Government. Different provisions may commence at different times, allowing for a phased implementation approach.
Why does this matter?
For organizations, knowing the commencement date is critical. Compliance cannot be built overnight.
If the government says that all breach notifications must follow Rule 7 from 1st July 2025, then a bank, an insurance company, or even a small e-commerce startup must have its breach reporting systems ready before that date.
Example scenario
Imagine XYZ Insurance Ltd. is processing health claims and holding sensitive medical data. If Rule 6 (reasonable security safeguards) is enforced from 1st September 2025, the company must have encryption, access control, and audit logs implemented before that date. Otherwise, any breach that occurs after enforcement could lead to heavy penalties.
Similarly, a social media platform like ABC Connect cannot delay setting up its consent withdrawal feature just because it is technically challenging. Once the rule comes into effect, excuses won’t matter — compliance becomes mandatory.