Skip to main content

Rule 1: Short Title and Commencement

Statutory Text — Rule 1: Short title and commencement. (click to expand)
  1. (1) These rules may be called the Digital Personal Data Protection Rules, 2025.
    (2) Rules 3 to 15, rule 21 and rule 22 shall come into force with effect from __________.
    (3) These rules, except rules 3 to 15 and rules 21 and 22, shall come into force on the date of their publication in the Official Gazette.

This rule specifies that the regulations shall be called the Digital Personal Data Protection Rules, 2025. It also explains that the rules will come into effect on dates notified by the Central Government. Certain provisions will start immediately, while others will begin later as announced officially.

Rules 3 to 15, 21, and 22—which deal with core compliance obligations such as consent, breach notification, data processing standards, and appeals—will come into force on a later date. Rules 1, 2, and 16 to 20 will take effect immediately upon publication in the Official Gazette. These primarily relate to the creation and functioning of the Data Protection Board, ensuring the regulatory body is operational before enforcement begins.

This phased implementation allows both organisations and public bodies to prepare before compliance becomes mandatory. It ensures that the regulatory ecosystem and enforcement authority are established first, followed by the operational rollout of obligations on businesses and data fiduciaries.

Significance
Understanding commencement timelines is essential because once a rule becomes active, compliance is no longer optional. Every organisation handling personal data must be ready by the notified date.

Critical Point

If the government declares that all data breach notifications must follow Rule 7 from 1st November 2025, then every bank, insurance company, or e-commerce startup must have its breach-reporting system in place before that date.
Delays or “work in progress” setups will not be accepted once the rule is in force.

Example Scenario

Example

Imagine XYZ Insurance Ltd. processes health claims and holds sensitive medical data. If Rule 6 (Reasonable security safeguards) takes effect from 1st January 2026, the company must already have encryption, access control, and audit logs in place. If a breach occurs after that date without these safeguards, it could face penalties for non-compliance.

Example

Similarly, a social media platform such as ABC Connect cannot postpone adding a consent withdrawal feature because of technical challenges. Once the rule starts, excuses will not protect the company, compliance becomes a legal duty.

  • Rule 1 marks the beginning of India’s data protection framework under the 2025 Rules.
  • It provides a structured rollout: the Data Protection Board is established first, followed by the implementation of operational obligations.
  • For organisations, this rule signals the start of compliance readiness - planning, system development, and internal training must begin the moment these Rules are published.