India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) has been in effect since November 2025, when the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) were published in the official Gazette. However, companies have a 12 to 18-month window to implement the various requirements and must be in full compliance by May 2027. The DPDP Act and the DPDP Rules have a direct impact on how immigration law firms manage the personal data they gather from clients.
What the DPDP Act, 2023 Established
The DPDP Act, 2023 defines key elements of India’s data-protection regime, including:
- Personal data, data principal and data fiduciary
- Conditions for consent and legitimate uses
- Rights of individuals relating to access, correction and erasure
- Obligations of data fiduciaries for lawful processing
- Establishment, powers and functions of the Data Protection Board of India
The DPDP Act outlines the governing principles but leaves the operational mechanisms, such as procedures, timelines, formats and specific safeguards, to be defined in the DPDP Rules, 2025.
Importance of the DPDP Rules, 2025
The DPDP Rules translate the DPDP Act’s broad statutory principles into:
- Practical steps for obtaining, withdrawing and managing consent
- Standards for retaining, deleting and documenting data
- Procedures for breach reporting
- Additional obligations for certain categories of data fiduciaries
- Rules governing interactions with the newly operational Data Protection Board
For practitioners managing immigration files, the DPDP Rules provide needed clarity on how applicants’ personal data must be collected, stored and ultimately erased, particularly where documents contain identity details, travel histories and compliance-related records.
Key Operational Developments Under the DPDP Rules, 2025
1. Clear and Verifiable Consent
The DPDP Rules require that consent notices be:
- Specific, meaning the notice must clearly state the exact categories of personal data needed for immigration processing.
- Simple and clear in language, so applicants who may not be native English speakers can understand how their information will be used.
- Itemized, with each purpose such as visa filing, document verification, travel history checks and compliance reporting explained separately.
- Free of any pre-selected or bundled options, so applicants are not pressured into giving broad or implied consent.
The DPDP Rules also require that applicants be able to withdraw their consent easily. This supports the principle that consent should always be freely given, informed, and capable of being revoked. For immigration firms, this means setting up straightforward processes that allow applicants to withdraw consent while still meeting legal retention and compliance obligations.
2. Significant Data Fiduciaries (SDFs)
A data fiduciary is an entity that determines the purpose and means of processing personal data and is legally obligated to handle that data in a responsible, transparent, and accountable manner. The term is widely used in modern privacy laws, including India’s Digital Personal Data Protection Act, 2023 (DPDPA), and carries obligations similar to those imposed on a “data controller” under the EU’s GDPR.
Under the DPDP Act, certain data fiduciaries may be classified as Significant Data Fiduciary (SDF) based on factors notified by the Government. The Act provides that the Government may notify any data fiduciary, or a class of data fiduciaries, as an SDF after assessing “relevant factors, including the volume and sensitivity of personal data processed; risk to the rights of data principals; potential impact on the sovereignty and integrity of India; risk to electoral democracy; security of the State; public order.” This tiered structure ensures closer oversight of entities whose data-processing activities present higher risks.
Once notified as an SDF, the entity must appoint a Data Protection Officer (DPO), based in India and accountable to the Board or governing body, who will act as the point of contact for grievance redressal under the Act. Further, the SDF must appoint an independent Data Auditor and conduct regular Data Protection Impact Assessments (DPIAs) and periodic audits. As per the DPDP Rules, these assessments and audits must be carried out once every twelve months from the date of notification (or inclusion in a notified class), and a report containing “significant observations” must be furnished to the statutory Board.
Moreover, the SDF must undertake due diligence to verify that any technical or algorithmic software used for processing (hosting, storage, modification, publishing, transmission, sharing, etc.) does not pose a risk to the rights of data principals. The DPDP Rules also empower the Government, on the recommendation of a committee, to mandate that personal data (and related traffic data) processed by an SDF be subject to data localization or to restrictions on cross-border transfers for certain classes of data.
3. Children’s Data
The DPDP Act provides specific protections for the personal data of children, and the DPDP Rules make these protections practical. They require verifiable consent from a parent or legal guardian to process the data of anyone under 18 and restrict any processing that could harm the child.
In immigration cases, this is especially important for dependent visas, family-based petitions, or student applications, where firms handle minors’ passports, birth certificates, and school records. The DPDP Rules ensure that firms obtain proper consent and take extra care when processing children’s information.
4. Data Retention, Deletion and Processing Logs
The DPDP Rules specify that:
- Personal data may be retained only for as long as is necessary to fulfil the purpose for which it was collected
- Large platforms must delete the personal data of users who remain inactive for three years, after issuing a 48-hour notice
- Processing logs must be retained for one year after data deletion or withdrawal of consent
These requirements translate the DPDP Act’s principle of “storage limitation” into measurable procedures.
5. Notifying a Breach
Consistent with the DPDP Act’s provisions, in the event of a personal data breach the DPDP Rules require:
- Notification to the Data Protection Board of India within 72 hours of a personal-data breach
- Notification to affected individuals in clear, accessible language
This ensures transparency, early intervention and structured handling of breach events.
6. The Data Protection Board’s Operational Framework
With the notification of the DPDP Rules on 13 November 2025, the Government of India has formally constituted the Data Protection Board of India (DPB) under the DPDP Act. The Rules specify that the Board is headquartered in the National Capital Region and will consist of a Chairperson and three members appointed through a government-led selection process.
The DPDP Act empowers the Board to receive complaints, conduct inquiries, issue directions, and impose monetary penalties, including those up to ₹250 crore for certain violations. The DPDP Rules further mandate that the Board function as a digital-first body, enabling electronic filing, tracking, and adjudication of complaints.
For immigration practitioners, this digital system supports efficient handling of data-related grievances and ensures a transparent, government-regulated mechanism for managing sensitive personal information.
Applicability to Government Departments
As per the DPDP Act:
- The framework applies to government entities
- Specific exemptions exist for areas such as national security or public order, as notified by the Central Government
- Even with exemptions, the Act’s underlying principles of lawful, purpose-driven and accountable data processing continue to guide government handling of digital personal data
This ensures that the data-protection regime maintains uniformity while accommodating sovereign functions.
Conclusion
The notification of the DPDP Rules, 2025 represents a significant turning point in India’s data-governance framework. By operationalizing the DPDP Act, 2023, the DPDP Rules create a structured and enforceable system governing the processing of digital personal data.
For those who regularly manage diverse categories of personal data, this new legal framework reshapes the backdrop against which documentation, identity verification, applicant communications and data retention are carried out. As the DPDP Rules come into force in phases over the next eighteen months, India’s digital ecosystem moves toward a more transparent, rights-based and accountable model of data governance.
