Since the passage of the DPDP Act in 2023, there have been ongoing efforts to clarify and operationalize the law, as well as scrutiny from various stakeholders. Here are the key updates and developments:

In early 2025, the government released the draft Digital Personal Data Protection Rules, 2025, for public comment. These Rules supplement the Act by providing details on implementation. They cover practical aspects such as the format and content of consent notices, how Data Fiduciaries should conduct Data Protection Impact Assessments, breach notification procedures (e.g., requiring notice to the DPB within 72 hours of a breach), timelines for responding to data principal requests, and criteria for classifying Significant Data Fiduciaries. The draft Rules also outline technical standards (for security, retention, etc.) and administrative procedures like how the Data Protection Board will function. As of mid-2025, these Rules were still in draft; final Rules are expected to be notified soon, which will signal that the Act’s enforcement can commence. Organizations should review the draft Rules (which are publicly available) to anticipate the compliance steps that will soon become mandatory.