India's new data protection era has formally begun with the DPDP Rules 2025, setting a phased yet demanding compliance roadmap under the DPDP Act. With the DPBI now operational and core obligations taking effect over the next 18 months, organisations must realign their governance, technology, and consent frameworks without delay. The key highlights include:‣ 3-Stage Rollout – Immediate DPBI Activation → Consent Manager Ecosystem (1 year) → Full Compliance by May 2027‣ Digital-first Enforcement – DPBI operates entirely as a digital office—requiring strong logs, audit trails, and rapid response readiness‣ High-standard Consent – Clear, informed, easy-to-withdraw consent; anti–dark pattern requirements‣ Security & Breach Obligations – Mandatory safeguards, 1-year log retention, and 72-hour breach reporting‣ Data Erasure & Retention – Automated erasure based on inactivity thresholds + 48-hour notice to users‣ Elevated SDF Duties – Annual DPIA/audit, India-based DPO, independent auditor, and algorithmic risk check
