The Centre has notified the Digital Personal Data Protection (DPDP) Rules, 2025, putting into full effect the DPDP Act, 2023 and establishing a comprehensive framework for safeguarding digital personal data. The Rules, along with the Act passed by Parliament in August 2023, are designed to provide a simple and citizen-centric approach to data protection.
The DPDP framework outlines the responsibilities of entities processing personal data (Data Fiduciaries) and the rights of individuals (Data Principals). It is built on seven principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. The government has adopted a “SARAL” approach – simple, accessible, rational and actionable – through the use of plain language and illustrations.
Broad Consultations Shaped Final Rules
Before finalising the Rules, the Ministry of Electronics and IT conducted consultations in several cities, including Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai. Inputs from startups, MSMEs, industry bodies, civil society groups and government departments informed revisions to the draft rules.
Phased Compliance Timeline
The Rules introduce an 18-month phased implementation schedule, giving organisations time to adapt. Data Fiduciaries must issue clear and standalone consent notices explaining why data is being collected and how it will be used. Consent Managers – platforms that help individuals manage permissions – must be Indian-registered companies.
Mandatory Breach Notifications
In the event of a personal data breach, organisations are required to inform affected individuals in plain language, describing the nature of the breach, its possible impact and the corrective measures undertaken.
Additional Safeguards for Children and Persons with Disabilities
Processing of children’s personal data requires verifiable consent, with limited exemptions for essential functions such as healthcare, education and safety. For persons with disabilities who cannot provide informed consent, approval must be obtained from a lawful guardian recognised under existing laws.
Obligations for Data Fiduciaries
Entities handling personal data must provide accessible contact details – such as a designated officer or Data Protection Officer – for grievance redressal. Significant Data Fiduciaries will face additional requirements, including audits, impact assessments and strict due diligence on technologies used. They must also adhere to any government-mandated restrictions such as data localisation.
Strengthened Rights for Individuals
The framework reinforces the rights of citizens to access, correct, update or erase their personal data, and to appoint a nominee to exercise these rights. Organisations must respond to such requests within 90 days.
Digital-First Data Protection Board
The DPDP Rules formalise the functioning of the Data Protection Board as a fully digital authority. Citizens will be able to file and track complaints through an online platform and mobile app. Appeals against Board decisions will be heard by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
According to the government, the DPDP framework seeks to balance privacy protection with innovation and economic growth, offering a supportive compliance regime for startups and smaller enterprises while maintaining strong data protection standards.
The DPDP Act, Rules and related documents are available on the Ministry of Electronics and IT website.


