
The DPDP Rules, Without Missing What Matters

How to read India's new data-protection framework as a compliance system—not a flat document—using structural AI.
Pranav Ramakrishnan, Advocate & Legal Engineer
November 26, 2025

Headnote

The DPDP Act, 2023 and DPDP Rules, 2025 form a web of role-based duties, conditional obligations, and exceptions. This article breaks them into structured compliance tables—which obligations apply to which roles, which duties activate above thresholds, and how the consent lifecycle flows from notice to erasure.

Why DPDP Compliance Is Not Static

Digital regulation moves faster than most organisations can keep up with, and data-protection law moves fastest of all. Anyone familiar with GDPR knows that compliance is never static; obligations grow, definitions shift, and what counted as compliant last quarter may no longer be enough. This pattern is well documented, including in systematic reviews showing how GDPR obligations continually expand over time.

India has followed a similar trajectory. The DPDP Act, 2023 and the DPDP Rules, 2025 mark the end of an eight-year journey that began with the Puttaswamy judgment in 2017 and passed through multiple drafts and rewrites, with more than two years between the Act's passage and the operational Rules. The challenge is not just reading the Rules. It is understanding their structure as they evolve.

India's Data Protection Journey: 2017 → 2025

1. Puttaswamy (2017): Constitutional Right to Privacy
2. DPDP Act (2023): Primary Legislation
3. DPDP Rules (2025): Operational Framework

Feature: Suit by jhana

Suit is built for exactly this. It does not just summarise regulatory text; it breaks it into obligations, dependencies, roles, flows, and checklists so users can extract real value without missing what matters.

Data Fiduciary vs Significant Data Fiduciary

The DPDP Rules are not a simple regulatory document. They are a web of role-based duties, conditional obligations, and exceptions that change meaning depending on how the pieces connect. A lawyer or compliance team does not just "read" the Rules. They have to reconstruct them.

The Reconstruction Challenge
That means mapping which obligations apply to Data Fiduciaries versus Significant Data Fiduciaries, which duties activate only above certain thresholds, which exceptions override which clauses, and how definitions shift the scope of an obligation.

Even a quick look at the Rules shows this: consent mechanics are split across multiple clauses, security safeguards sit separately, and breach-reporting loops depend on specific triggers. Meaning emerges only when these parts are held together as a system, not in isolation.

Data Fiduciary (determines purpose & means)

- Obtain valid consent
- Provide itemised notice
- Implement security safeguards
- Report breaches to Board
- Erase data upon withdrawal
- Respond to grievances

Significant Data Fiduciary (notified based on risk/volume)

- All Data Fiduciary obligations
- Appoint Data Protection Officer
- Conduct Impact Assessments
- Appoint Independent Auditor
- Submit periodic audits
- Enhanced breach timelines

How Suit Reconstructs the Framework

This is exactly the kind of complexity Suit is built to handle. Instead of flattening the Rules into a summary, Suit reads them structurally. It detects each defined role, identifies every obligation tied to that role, traces dependencies across clauses, and assembles the hidden flows that sit underneath the text.

Suit's DPDP Extraction Model

Layer       | What Suit Extracts                            | Value to User
Roles       | Data Fiduciary, SDF, Processor                | Know exactly which obligations apply
Obligations | Consent, notice, security, breach reporting   | Checklist without missing triggers
Thresholds  | Volume, sensitivity, risk factors             | Understand when enhanced duties activate
Flows       | Consent lifecycle, breach sequence            | See procedures as connected sequences
Exceptions  | Legitimate uses, state exemptions             | Know when obligations are modified

Suit turns the Rules into a map—not a flat summary.

Suit turns the Rules into a map: what applies to a Data Fiduciary, what applies only to a Significant Data Fiduciary, what duties activate only when a condition is triggered, and which exceptions restrict or override an obligation. By breaking the Rules into obligations, thresholds, roles, and flows, Suit lets users see the framework the way regulators intended it, not purely as obligations or rules but as a compliance system.

Consent Lifecycle

Step 1. Notice: itemised, clear, accessible
Step 2. Consent: free, specific, informed
Step 3. Processing: purpose-bound, minimal
Step 4. Withdrawal: as easy as giving consent
Step 5. Erasure: complete, verifiable

Once Suit reconstructs the DPDP framework, users can immediately begin working with it. They can extract a clean checklist of obligations for Data Fiduciaries or Significant Data Fiduciaries, generate a flow of the consent lifecycle, review breach-reporting requirements as a structured sequence, or map retention and erasure rules without missing conditional triggers.

Immediate Extractions

[ ] Checklist of obligations for Data Fiduciaries
[ ] Flow of the consent lifecycle from notice to erasure
[ ] Breach-reporting requirements sequence
[ ] Retention and erasure rules with triggers
[ ] Comparative analysis: DF vs. SDF duties
[ ] Timeline table: response periods, deadlines

Because Suit holds the entire Rules document together as one structure, users do not have to worry about losing context or skipping a dependency. The value is not in producing a summary. It is in giving lawyers and compliance teams a clear, reliable picture of what the law actually requires.

Compliance Matrix

One of the clearest examples of this is how users run full compliance-mapping exercises through Suit. A regulatory team can input a structured prompt asking Suit to generate a DPDPA compliance matrix built directly from the Act and the Rules.

Sample Compliance Matrix Output

Entity          | Obligation     | Rule/Section  | Timeline       | Step
Data Fiduciary  | Valid Consent  | Rule 3, S.6   | Pre-process    | Consent mechanism
Data Fiduciary  | Notice         | Rule 4, S.5   | At collection  | Privacy notice
Data Fiduciary  | Breach Report  | Rule 7, S.8   | 72 hours       | Incident protocol
SDF             | Appoint DPO    | Rule 10       | On notice      | Designate officer
SDF             | DPIA           | Rule 11       | Periodic       | Conduct assessment
SDF             | Data Auditor   | Rule 12       | Annual         | Engage auditor

Suit identifies obligations, ties them to Rules, and converts them into steps.

Suit then identifies obligations for each regulated entity, ties every requirement to the exact Rule or Section, and converts them into practical operational steps. It produces a consolidated timeline table covering response periods, notification deadlines, retention windows, and other statutory time limits. It can also generate a short comparative analysis between Data Fiduciaries and Significant Data Fiduciaries or between controller-level and processor-level duties.

Instead of a flat summary, users receive a structured and complete view of the entire compliance landscape, built strictly from the text.

Staying Current

The DPDP Act and the DPDP Rules will continue to evolve, and compliance will only get more complex from here. Suit gives lawyers, founders, and compliance teams a way to keep pace without losing structure. It turns regulation into something legible, traceable, and complete, so users can work with confidence instead of guesswork.

Key Takeaway

The DPDP Rules are not a document to be read—they are a system to be reconstructed. Suit by jhana does exactly that: breaking regulation into obligations, roles, thresholds, and flows so compliance teams see the framework the way regulators intended.
