India’s Digital Personal Data Protection Act (DPDPA) has entered its implementation phase. With the publication of the Digital Personal Data Protection Rules, 2025 on 13 November 2025, financial institutions, BNPL platforms, and digital lenders finally have a clear regulatory roadmap for compliance over the next 18 months.
These Final Rules define how organisations must handle consent, security safeguards, breach reporting, retention, and cross-border transfers. They also introduce obligations for Significant Data Fiduciaries (SDFs), shaping how large fintechs and digital-first businesses must govern data processing in India.
This guide summarises the key operational requirements and explains how JuicyScore’s zero-PII model ensures full alignment with India’s new data protection framework.
Key Updates in the Final DPDPA Rules (2025)
1. Clear and Itemised Privacy Notices (Rule 3)
Organisations must provide transparent, easy-to-understand notices that include:
- categories of personal data collected
- the specific purpose of processing
- links for consent withdrawal and complaints
- clear instructions for exercising user rights
These requirements apply to apps, onboarding flows, and digital services.
2. Verifiable Consent Requirements (Rules 10–11)
For the processing of children’s data or processing by lawful guardians, consent must be verifiable. Organisations must ensure:
- parental/adult identity checks
- traceable consent records
- comparable ease of giving and withdrawing consent
3. Security Safeguards and Logging (Rule 6)
Data fiduciaries must implement:
- encryption or masking
- access controls
- monitoring and incident logs
- business continuity and backup systems
Access logs must be retained for a minimum of one year.
4. 72-Hour Breach Notification (Rule 7)
In the event of a personal data breach, organisations must notify:
- all affected Data Principals, and
- the Data Protection Board
A detailed report must be submitted within 72 hours.
5. Retention and Erasure Standards (Rule 8)
Data must be erased when the purpose is no longer served. The Rules require:
- mandatory user notification at least 48 hours before erasure
- retention of logs and associated traffic data for at least one year
6. Rights of Data Principals (Rule 14)
Organisations must ensure clear, accessible mechanisms for users to:
- access their personal data
- request correction or deletion
- file grievances
- nominate another individual to exercise rights
Websites and apps must clearly publish the relevant processes.
Compliance Timeline: What Comes Into Force When

What This Means for Banks, Digital Lenders & BNPL Providers
DPDPA introduces significant operational requirements for financial institutions and digital lenders.
- Impact on onboarding and KYC. Onboarding flows must include itemised, purpose-specific privacy notices aligned with Rule 3.
- Impact on fraud prevention stacks. Solutions that rely heavily on personal data will face: greater retention obligations; higher breach-reporting risk; and increased governance expectations.
- Data minimisation, retention, and logging. Institutions must: minimise personal data collection; retain logs for at least a year; delete data when the purpose expires. This increases complexity and cost for PII-heavy systems.
- Cross-border transfers (Rule 15). Permitted unless specifically restricted, meaning institutions must stay adaptable to future government notifications.
How JuicyScore Already Aligns With the DPDPA Requirements
JuicyScore’s risk-scoring architecture is inherently compliant because we do not process personal data at any stage. We analyse device behaviour and environment signals, not user identifiers.
1. No personal data processed
We do not collect names, emails, phone numbers, financial identifiers or government-issued IDs.
2. Only device, environment and behavioural signals
Our models rely exclusively on non-PII metadata.
3. Built-in data minimisation
Because JuicyScore does not handle personal data:
- retention obligations under Rule 8 do not apply, as they concern personal data only
- verifiable consent requirements under Rules 10–11 do not apply
- breach-notification duties under Rule 7 generally do not apply, since they apply only when personal data is compromised
This significantly reduces compliance burden and regulatory risk.
4. Security safeguards (Rule 6)
All data flows are encrypted, access-controlled and logged in line with Rule 6 standards.
5. Cross-border compliant (Rule 15)
Because no personal data is processed, international data flows remain fully compliant with Rule 15.
Read more in Manish’s expert blog on how JuicyScore’s PII-free device intelligence models fit into India’s DPDP era.
What Clients Should Do Now: Checklist
- Update privacy notices to meet Rule 3 requirements.
- Review retention and logging workflows for alignment with Rules 6 and 8.
- Implement breach-response procedures based on Rule 7’s 72-hour standard.
- Update vendor documentation to classify JuicyScore as a non-PII processor.
- Map personal data flows and highlight reductions achieved via device intelligence.
- Assess potential SDF designation based on scale and data-risk profile.
Conclusion
India’s Final DPDPA Rules mark a significant shift in how financial institutions must structure their data governance practices. For lenders, BNPL providers, and digital onboarding platforms, compliance will require new flows, new controls, and new operational discipline.
JuicyScore helps organisations meet these expectations by providing a robust risk-detection layer that does not rely on personal data. Our device intelligence framework reduces regulatory exposure, simplifies compliance workflows, and supports secure, low-friction onboarding.
Prepare your organisation for DPDPA. Download the PDF guide DPDPA Rules 2025: Final Compliance Overview & Client Checklist.