India has notified its Digital Personal Data Protection (DPDP) Rules, 2025, introducing strict consent and data retention requirements that will force large digital platforms and enterprise IT teams to overhaul how they collect, store, and erase personal data.
The rules mandate itemized user notices, verifiable parental consent, and fixed deletion timelines for sectors including e-commerce, gaming, and social media.
The rules also introduce new obligations for Significant Data Fiduciaries, which are large platforms designated based on scale and data sensitivity. These companies must conduct annual data protection impact assessments and audits, and implement additional checks on algorithmic systems that process personal data.
Companies will also need to verify parental identity before processing the data of children, using government-issued credentials or virtual tokens. The rules outline staggered compliance timelines, with most operational requirements taking effect 12 to 18 months after publication, giving enterprises limited time to redesign their data governance systems.
The rules also formalize a new category of Consent Managers, which must be India-incorporated entities with audited, interoperable platforms that let users give, review, and withdraw consent across multiple services. Companies will need to publish grievance timelines, maintain one-year logs of all processing activities before erasure, and appoint officers to handle user queries. At the same time, certain health and allied services receive exemptions for child data processing under tightly defined conditions.
Challenges for enterprise IT teams
For enterprise IT teams, the new rules mean rebuilding core data-handling systems, from consent capture to retention enforcement.
“The new DPDP rules shift compliance from documentation to engineering,” said Sakshi Grover, senior research manager for IDC Asia Pacific Cybersecurity Services. “Large platforms will need unified consent capture and verification across all digital touchpoints, with audit trails that map each data element to a lawful purpose and retention limit.”
Grover pointed to IDC research showing that over 60 percent of Indian enterprises already report moderate to significant disruption to IT operations from evolving privacy, cybersecurity, and AI regulations, so the new consent and retention requirements will add further operational complexity.
“The rules will necessitate integrating automated consent verification, real-time breach reporting, and data-mapping tools into existing systems, while phasing out legacy practices that lack traceability,” said Biswajeet Mahapatra, principal analyst at Forrester. “The shift moves compliance from a checklist approach to continuous governance, increasing operational complexity and cost for data-heavy enterprises.”
Others pointed out that ensuring data compliance and governance is becoming harder as users generate and share unprecedented volumes of personal information online.
“Since most platforms are free, this makes users and their data the real product,” said Neil Shah, VP for research at Counterpoint Research. “The regulatory challenge is that the lines are continually blurred on how this information, even when anonymized, can be used. This lack of clarity is made even more urgent by the age of AI, where powerful models can generate content without explicit consent or compliance, leading to potential misuse, misrepresentation, and reputational damage.”
According to Grover, organizations will need dynamic data inventories, automated consent withdrawal workflows, and closer collaboration between compliance, DevOps, and security teams to meet the requirements.
Architectural changes required
Analysts point out that meeting erasure deadlines and purpose-based storage limits will require deeper architectural changes.
“Architectural changes include deploying encryption, masking, and tokenization for secure storage, implementing consent managers, and integrating erasure standards like NIST 800-88 or IEEE 2883 for IT asset sanitization,” Mahapatra said. “Cloud-native architectures with granular data classification and retention policies will become essential, along with real-time monitoring and backup deletion protocols to ensure compliance across distributed environments.”
Grover noted that enterprises will need a stronger privacy-by-design architecture built on data discovery and classification tools, encryption, tokenization, and automated deletion workflows that trigger when consent is withdrawn or the purpose expires.
“IDC’s Asia/Pacific Security Study 2025 indicates that data privacy and regulatory management are already among the top challenges for enterprises deploying AI and modern digital systems, which signals that organizations will need platform-level automation rather than manual retention workflows,” Grover added.
She said companies will move toward segregated personal data zones, purpose-linked storage buckets, and centralized consent orchestration so that erasure, minimization, and provenance can be enforced consistently across cloud, on-prem, and SaaS systems.
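As an added illustration (not code from the article or any vendor product), the following Python sketch models the mapping Grover and Mahapatra describe: each stored data element is tied to a lawful purpose and a retention limit, and erasure is triggered automatically when consent is withdrawn or the retention period expires, with every action written to an audit trail. The class and field names are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class DataElement:
    """One personal-data field, bound to the purpose and consent that justify it."""
    subject_id: str
    field_name: str
    purpose: str           # lawful purpose the element was collected for
    collected_at: datetime
    retention_days: int    # retention limit for this purpose
    consent_active: bool = True

@dataclass
class RetentionRegistry:
    """Hypothetical consent-and-retention inventory with an append-only audit log."""
    elements: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def withdraw_consent(self, subject_id, purpose, when):
        # Withdrawal applies per purpose, so other purposes for the same subject survive.
        for e in self.elements:
            if e.subject_id == subject_id and e.purpose == purpose:
                e.consent_active = False
        self.audit_log.append((when, "consent_withdrawn", subject_id, purpose))

    def due_for_erasure(self, now):
        # An element is due when consent is gone or its retention window has passed.
        return [e for e in self.elements
                if not e.consent_active
                or now >= e.collected_at + timedelta(days=e.retention_days)]

    def erase(self, now):
        due = self.due_for_erasure(now)
        for e in due:
            reason = "consent_withdrawn" if not e.consent_active else "retention_expired"
            self.audit_log.append((now, "erased", e.subject_id,
                                   f"{e.field_name}:{e.purpose}", reason))
            self.elements.remove(e)
        return [(e.subject_id, e.field_name, e.purpose) for e in due]

def demo():
    """Constructed scenario: one withdrawal, one expired retention, one record kept."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reg = RetentionRegistry(elements=[
        DataElement("u1", "email", "order_fulfilment", t0, 365),
        DataElement("u1", "phone", "marketing", t0, 365),
        DataElement("u2", "email", "marketing", t0 - timedelta(days=366), 365),
    ])
    reg.withdraw_consent("u1", "marketing", datetime(2025, 6, 1, tzinfo=timezone.utc))
    erased = reg.erase(datetime(2025, 6, 2, tzinfo=timezone.utc))
    return erased, [(e.subject_id, e.purpose) for e in reg.elements], reg.audit_log
```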