The DPDP Rules, Without Missing What Matters
How to read India's new data-protection framework as a compliance system—not a flat document—using structural AI.
The DPDP Act, 2023 and DPDP Rules, 2025 form a web of role-based duties, conditional obligations, and exceptions. This article breaks them into structured compliance tables—which obligations apply to which roles, which duties activate above thresholds, and how the consent lifecycle flows from notice to erasure. Scroll down for the comparison matrices.
Why DPDP Compliance Is Not Static
Digital regulation moves faster than most organisations can keep up with, and data-protection law moves fastest of all. Anyone familiar with GDPR knows that compliance is never static; obligations grow, definitions shift, and what counted as compliant last quarter may no longer be enough. This pattern is well documented, including in systematic reviews showing how GDPR obligations continually expand over time.
India has followed a similar trajectory. The DPDP Act, 2023 and the DPDP Rules, 2025 mark the end of an eight-year journey that began with the Puttaswamy judgment in 2017 and passed through multiple drafts and rewrites, with more than two years between the Act's passage and the operational Rules. The challenge is not just reading the Rules. It is understanding their structure as they evolve.
India's Data Protection Journey, 2017 → 2025: Puttaswamy (2017), constitutional right to privacy → DPDP Act (2023), primary legislation → DPDP Rules (2025), operational framework.
Suit by jhana is built for exactly this. It does not just summarise regulatory text; it breaks it into obligations, dependencies, roles, flows, and checklists so users can extract real value without missing what matters.
Data Fiduciary vs Significant Data Fiduciary: Full Comparison
The DPDP Rules are not a simple regulatory document. They are a web of role-based duties, conditional obligations, and exceptions that change meaning depending on how the pieces connect. A lawyer or compliance team does not just "read" the Rules. They have to reconstruct them.
The Reconstruction Challenge
That means mapping which obligations apply to Data Fiduciaries versus Significant Data Fiduciaries, which duties activate only above certain thresholds, which exceptions override which clauses, and how definitions shift the scope of an obligation.
Even a quick look at the Rules shows this: consent mechanics are split across multiple clauses, security safeguards sit separately, and breach-reporting loops depend on specific triggers. Meaning emerges only when these parts are held together as a system, not in isolation.
| Role | Who it covers | Obligations |
|---|---|---|
| Data Fiduciary | Any entity determining purpose & means | Obtain valid consent before processing; provide itemised notice to Data Principals; implement reasonable security safeguards; report breaches to Board & affected persons; erase data upon withdrawal or purpose completion; respond to Data Principal requests |
| Significant Data Fiduciary | Notified based on volume, sensitivity, risk | All Data Fiduciary obligations, plus: appoint a Data Protection Officer (DPO); conduct periodic Data Protection Impact Assessments; appoint an independent Data Auditor; submit annual compliance reports; enhanced breach notification timelines |
How Suit Reconstructs the Framework
This is exactly the kind of complexity Suit is built to handle. Instead of flattening the Rules into a summary, Suit reads them structurally. It detects each defined role, identifies every obligation tied to that role, traces dependencies across clauses, and assembles the hidden flows that sit underneath the text.
How Suit Reconstructs the DPDP Framework
| Layer | What Suit Extracts | Value to User |
|---|---|---|
| Roles | Data Fiduciary, Significant Data Fiduciary, Data Processor, Data Principal | Know exactly which obligations apply to your entity |
| Obligations | Consent, notice, security, breach reporting, erasure, response timelines | Complete checklist without missing conditional triggers |
| Thresholds | Volume, sensitivity, risk factors for SDF classification | Understand when enhanced duties activate |
| Flows | Consent lifecycle, breach notification sequence, erasure workflow | See procedures as connected sequences, not isolated clauses |
| Exceptions | Legitimate uses, state exemptions, processing without consent | Know when obligations are modified or overridden |
Suit turns the Rules into a map: what applies to a Data Fiduciary, what applies only to a Significant Data Fiduciary, what duties activate only when a condition is triggered, and which exceptions restrict or override an obligation. By breaking the Rules into obligations, thresholds, roles, and flows, Suit lets users see the framework the way regulators intended it, not purely as obligations or rules but as a compliance system.
Consent Lifecycle Under DPDP

| Stage | Requirement |
|---|---|
| Notice | Itemised, clear, accessible |
| Consent | Free, specific, informed |
| Processing | Purpose-bound, minimal |
| Withdrawal | Easy as giving consent |
| Erasure | Complete, verifiable |

Consent Lifecycle: Notice → Processing → Erasure
Once Suit reconstructs the DPDP framework, users can immediately begin working with it. They can extract a clean checklist of obligations for Data Fiduciaries or Significant Data Fiduciaries, generate a flow of the consent lifecycle, review breach-reporting requirements as a structured sequence, or map retention and erasure rules without missing conditional triggers.
What Users Can Extract Immediately
Clean checklist of obligations for Data Fiduciaries or SDFs
Flow of the consent lifecycle from notice to erasure
Breach-reporting requirements as a structured sequence
Retention and erasure rules with conditional triggers
Comparative analysis: DF vs. SDF duties
Timeline table: response periods, notification deadlines, retention windows
Because Suit holds the entire Rules document together as one structure, users do not have to worry about losing context or skipping a dependency. The value is not in producing a summary. It is in giving lawyers and compliance teams a clear, reliable picture of what the law actually requires.
Compliance Matrix: Obligations, Timelines & Operational Steps
One of the clearest examples of this is how users run full compliance-mapping exercises through Suit. A regulatory team can input a structured prompt asking Suit to generate a DPDPA compliance matrix built directly from the Act and the Rules.
Sample Compliance Matrix Output
| Entity | Obligation | Rule/Section | Timeline | Operational Step |
|---|---|---|---|---|
| Data Fiduciary | Obtain valid consent | Rule 3, S.6 | Before processing | Implement consent mechanism with itemised purposes |
| Data Fiduciary | Provide notice | Rule 4, S.5 | At/before collection | Display privacy notice in accessible format |
| Data Fiduciary | Breach notification | Rule 7, S.8 | 72 hours to Board | Establish incident response protocol |
| SDF | Appoint DPO | Rule 10 | Upon notification | Designate qualified officer, publish contact |
| SDF | DPIA | Rule 11 | Periodic | Conduct assessment, document findings |
| SDF | Data Auditor | Rule 12 | Annual | Engage independent auditor, submit report |
Suit then identifies obligations for each regulated entity, ties every requirement to the exact Rule or Section, and converts them into practical operational steps. It produces a consolidated timeline table covering response periods, notification deadlines, retention windows, and other statutory time limits. It can also generate a short comparative analysis between Data Fiduciaries and Significant Data Fiduciaries or between controller-level and processor-level duties.
Instead of a flat summary, users receive a structured and complete view of the entire compliance landscape, built strictly from the text.
Staying Current as the Law Evolves
The DPDP Act and the DPDP Rules will continue to evolve, and compliance will only get more complex from here. Suit gives lawyers, founders, and compliance teams a way to keep pace without losing structure. It turns regulation into something legible, traceable, and complete, so users can work with confidence instead of guesswork.
The Easter Egg
And for those who look closely, there is an easter egg built into Suit: you can attach your session to jhana's AI paralegal, a system that understands the full context of your file and the work you are doing. You can speak to it the way a real team would.
“The DPDPA Act was enacted in 2023 and the Rules were notified in 2025. Study the Act, the Rules, relevant commentary, textbook jurisprudence, and US or GDPR jurisprudence, along with related Indian caselaw. Then prepare a guidance memo for founders, engineers, and product teams, mapping obligations, definitions, and deviations.”
— Sample Paralegal Prompt
This is where the system reveals its full value. It does not just explain the law. It works with it. As the DPDP framework grows, Suit keeps the structure intact, the meaning stable, and the compliance picture complete.
KEY TAKEAWAY
The DPDP Rules are not a document to be read—they are a system to be reconstructed. Suit by jhana does exactly that: breaking regulation into obligations, roles, thresholds, and flows so compliance teams see the framework the way regulators intended. As the law evolves, Suit keeps the structure intact and the compliance picture complete.