DPDP Rules 2025: The Clinic Compliance Timeline
By Patient Square Team
Your clinic has until 13 May 2027 for most of what the DPDP Rules 2025 ask, and a couple of milestones land sooner. The Rules were notified on 13 November 2025, but they switch on in stages, not all at once. So the right move isn't panic; it's a calendar. This page is that calendar: what hits when, what a clinic actually has to do, and how to vet any AI tool that touches patient data before the deadline arrives.
A quick honesty note first. This is reporting, not legal advice, and the Data Protection Board is still standing up its machinery. Treat the dates below as the published schedule and confirm specifics for your practice with counsel. If you want the broader obligation primer rather than the dated timeline, our DPDP Act for clinics guide covers the what; this page covers the when.
Key takeaways
- The DPDP Rules 2025 were notified 13 November 2025 and commence in phases, not on day one.
- Definitions and the Data Protection Board provisions are already live. The Consent Manager rule follows on 13 November 2026.
- The bulk clinic obligations (notice, consent, breach, retention, and patient rights) take effect on 13 May 2027.
- Breach rule: notify patients and the Board without delay, then file a detailed report to the Board within 72 hours.
- The 3-year record-keeping expectation comes from the operative 2002 medical-council rules, not from the NMC 2023 regulations, which are held in abeyance.
- 13 November 2025: DPDP Rules 2025 notified; definitions and Board provisions live
- 13 November 2026: Consent Manager registration framework (Rule 4) in force
- 13 May 2027: Bulk obligations live: notice, consent, breach, retention, rights
The phased timeline, with real dates
The thing most coverage gets wrong is treating "DPDP is here" as a single switch. It isn't. The DPDP Act 2023 got Presidential assent on 11 August 2023; the Rules that make it operational were notified on 13 November 2025 (through Gazette notifications G.S.R. 843 to 846(E)). And the Rules themselves commence in three waves.
| Phase | Date | What switches on | What a clinic does |
|---|---|---|---|
| On notification | 13 Nov 2025 | Definitions (Rules 1, 2) and Data Protection Board constitution and functioning (Rules 17–21) | Nothing operational yet; the enforcement body is being built |
| One year out | 13 Nov 2026 | Consent Manager framework (Rule 4): registration, eligibility, obligations | Understand how Consent Managers will mediate consent; plan for it |
| Eighteen months out | 13 May 2027 | The bulk: notice, consent, security safeguards, breach reporting, retention and erasure, children's data, data-principal rights, cross-border (Rules 3, 5–16, 22, 23) | This is your real deadline; the consent-and-rights build must be done |
Read that as good news with a deadline. You have until May 2027 for the obligations that actually reshape a clinic's data handling. But "until 2027" is not "later"; the consent workflow, the breach process, and the vendor due diligence all take time to build and test, and the tools you choose now should already meet the bar.
What a clinic has to do, in plain terms
When the bulk obligations land, a clinic, as a Data Fiduciary, owes its patients (the Data Principals) a specific set of things. None of it is exotic; most of it is good practice you can start today.
Consent, done properly. Processing patient data needs consent that's free, specific, informed, unconditional, and unambiguous, with an itemised notice telling the patient what you collect and why, purpose by purpose. Bundled, take-it-or-leave-it consent doesn't meet the bar.
Purpose limitation. Use the data for the purpose you stated, not for whatever else turns out to be convenient.
Breach reporting, stated precisely. This is widely misquoted, so here's the actual rule. Under Rule 7 you notify affected patients without delay and notify the Data Protection Board without delay; you then file a detailed report to the Board within 72 hours (or longer if the Board allows). So the "72 hours" you've seen is the detailed-report clock. The first alarm, to patients and to the Board, is immediate.
Patient rights. Patients can ask for a summary of their data and how it's processed, request correction or completion, request erasure, nominate someone, and use a grievance-redress route you must publish.
Children's data. Processing a child's data (under 18) needs verifiable parental or guardian consent, and you can't run tracking or targeted advertising to children.
One thing you don't have to do: the time-bound three-year retention written into the Rules applies to large platforms (big social media, e-commerce, online gaming), not to a clinic. Your retention is governed by purpose limitation plus your sector's record-keeping rules, which brings us to the question every doctor asks next.
How long must you keep records, and which rule governs?
The operative expectation is three years, and the source matters because there's a trap here. The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 are the live rules, and they carry the three-year medical-record retention expectation. The NMC Registered Medical Practitioner (Professional Conduct) Regulations 2023 restated and modernised this, but they were held in abeyance in August 2023 and have not commenced. So when you cite "three years," cite the 2002 regulations, the ones actually in force, not the 2023 ones a lot of blog posts quote as if they were law.
DPDP and the record-keeping rules pull in the same direction: keep what you need for as long as the purpose (and the medical-council expectation) requires, then erase it. A tool that lets you export or delete any patient record on demand makes both obligations easier to honour.
And no, DPDP doesn't force your data to stay in India
Worth clearing up because it drives a lot of nervous procurement. The DPDP Act uses a negative-list model for cross-border transfer (Section 16): data may be transferred to any jurisdiction except those the central government specifically restricts by notification. There's no blanket data-localization mandate in the Act itself. Individual sector regulators may impose their own localization rules, and those still apply, but they don't flow from DPDP. So "DPDP requires my patient data to live in India" is an overstatement. Where your data lives is still a fair buying question; just don't fight a battle the statute didn't pick.
The DPDP question set for any AI tool
If a tool (a scribe, an EMR, anything) touches patient data, run it through these before May 2027 quietly arrives:
| Ask the vendor | A DPDP-aligned answer |
|---|---|
| How do you handle consent and purpose limitation? | Consent-first, purpose-bound, with a clear notice; not buried in a ToS |
| What happens to visit audio, and when is it deleted? | A one-sentence answer with a timeline; ideally "never stored" |
| How would a breach be reported to me? | A defined process matching Rule 7's without-delay and 72-hour structure |
| Can I export or delete any patient record? | Yes, anytime, no ticket; the data belongs to the practice |
| Where does the data live, and who can access it? | A clear location, role-scoped and logged access |
Here's how we answer, on the record. AI Scribe by Patient Square is an ambient AI medical scribe that listens during the visit and hands back a structured SOAP note, ICD-10 suggestions, and a prescription draft, ready to review and sign about two minutes after the visit. Data is handled to DPDP Act 2023 standards, consent-first and purpose-limited. Visit audio is processed in memory and discarded the moment the note drafts, so there's no audio archive to breach or produce. Notes are encrypted (TLS 1.2+ in transit, AES-256 at rest), access is role-scoped and logged, and the notes belong to your practice: export or delete any visit anytime. A SOC 2 Type II audit is underway, that phrase exactly. The full posture is on our security page. One honest line we won't blur: ABDM integration is on our roadmap, not live; we never claim to be ABDM-compliant, because we're not yet. If you want to walk the five questions against a live tool, book a demo and ask each one out loud.
What to do this quarter
You have until 2027 for the big obligations, so spend the runway building, not panicking:
- Map your patient-data flows. What you collect, why, where it goes, who can see it. You can't write a consent notice for data you haven't mapped.
- Draft the consent notice and the patient-rights process now, even though the deadline is 2027. Testing it on real patients takes iterations.
- Vet every data-touching vendor with the five questions above, and get the audio-retention answer in writing.
- Pin your record-retention policy to the operative 2002 rules (three years), and make sure you can produce records on request.
- Plan for the Consent Manager framework arriving 13 November 2026, ahead of the bulk deadline.
The companion buyer's scorecard (what to demand on price, language, and DPDP posture when choosing a scribe) is in our India AI scribe buyer's guide. When you're vetting tools, book a demo and ask each vendor the five DPDP questions directly, then run the 7-day free trial on a real OPD day to see how the consent and audio handling work in practice, not on a slide. The deadline is fixed. The build is yours to start now.
Common questions
When did the DPDP Rules 2025 come into force?
They were notified on 13 November 2025, but commencement is phased. Definitions and the Data Protection Board provisions (Rules 1, 2, and 17 to 21) took effect on notification. The Consent Manager rule follows on 13 November 2026, and the bulk operational obligations, including notice, consent, breach, retention, and rights, take effect on 13 May 2027.
What must a clinic do under the DPDP Rules, and by when?
By 13 May 2027 a clinic must process patient data on free, specific, informed consent, give an itemised notice per purpose, support patient rights of access, correction, and erasure, and have a breach process. The Consent Manager registration framework is live a bit earlier, from 13 November 2026. You have time, but the build starts now.
Does DPDP require a 72-hour breach notification?
Not exactly. Under Rule 7 you must notify affected patients without delay and notify the Data Protection Board without delay, then file a detailed report to the Board within 72 hours, or longer if the Board permits. So 72 hours is the detailed-report clock, not the deadline to first raise the alarm, which is immediate.
How long must an Indian clinic keep medical records?
The operative expectation is three years, from the Indian Medical Council 2002 conduct regulations. The NMC 2023 regulations that restated this were held in abeyance in August 2023, so the 2002 rules govern. The DPDP Rules' time-bound three-year retention applies to large platforms like big social media and e-commerce, not to a clinic.
Does DPDP force patient data to stay in India?
No, not broadly. The Act uses a negative-list model: cross-border transfer is allowed except to jurisdictions the central government specifically restricts. There is no blanket data-localization mandate in DPDP itself. Sector regulators may impose their own localization rules, but those do not come from the DPDP Act.
What should I ask an AI scribe vendor about DPDP?
Ask how they handle consent and purpose limitation, what happens to visit audio and when it is deleted, how a breach would be reported to you, whether you can export or delete any patient record, and where data lives. A vendor that handles data to DPDP standards can answer each in a sentence. Vagueness is its own answer.
Sources
- PIB / MeitY: notification of the Digital Personal Data Protection Rules 2025 (13 November 2025; G.S.R. 843–846(E))
- Mondaq: DPDP Rules 2025 phased commencement schedule (Rules 1, 2, 17–21 on notification; Rule 4 at one year; bulk obligations at eighteen months)
- DPDP Rules, Rule 7: intimation of personal data breach (notify without delay; detailed report within 72 hours)
- DPDP Act 2023, Section 16: cross-border transfer (negative-list model)
- Medical Dialogues: NMC puts its Registered Medical Practitioner (Professional Conduct) Regulations 2023 in abeyance (August 2023)