
Government Notifies Digital Personal Data Protection Rules 2025

  • 15 Nov 2025

Recently, the Government of India notified the Digital Personal Data Protection Rules 2025. The implementation of these rules marks the full operation of the DPDP Act 2023. Together, the Act and the Rules establish a straightforward, citizen-focused and innovation-friendly framework for the responsible use of digital personal data in the country.

The Act was enacted by Parliament on 11 August 2023. It provides a detailed framework to protect the digital personal data of individuals. It outlines all the obligations of entities that handle such data, known as Data Fiduciaries, as well as the rights and responsibilities of individuals, referred to as Data Principals.

The Act is designed using the SARAL principles, i.e., Simple, Accessible, Rational and Actionable, employing plain language and illustrations to increase understanding as well as compliance. The Act is guided by seven core principles, i.e., consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards and accountability.

To ensure broad stakeholder participation, MeitY released the draft DPDP Rules for public comment and also held consultations in various cities like Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai. The inputs gathered from startups, MSMEs, industry bodies, civil society and government departments shaped the final version of the notified rules.

Phased and Practical Implementation

The DPDP Rules 2025 provide an 18-month phased compliance timeline. This gives organisations sufficient time to ensure a smooth transition. The Rules also require Data Fiduciaries to issue standalone, clear and simple consent notices that transparently mention the specific purpose for which personal data is being collected and used. Entities that assist individuals in managing their permissions, known as Consent Managers, must be registered as Indian companies.

Protocols for Personal Data Breach Notification

In case of a personal data breach, Data Fiduciaries must inform the affected individuals in plain language, explaining the nature and possible consequences of the breach, the steps to take for dealing with it and contact details for assistance.

Reinforcing Rights of Data Principals

The DPDP framework enhances the rights of individuals to access, correct, update or fully erase their personal data. It also allows individuals to nominate someone else to exercise these rights on their behalf. Data Fiduciaries are required to respond to all such requests within a maximum of 90 days.

Data Protection Board

The Data Protection Board will operate as a fully digital institution, allowing citizens to file and track complaints online through a dedicated platform and mobile app. This approach promotes transparency, efficiency and ease of living. Appeals against its decisions can be made to the Appellate Tribunal, TDSAT.

The DPDP Act and Rules aim to strengthen privacy, enhance trust and support responsible innovation. The DPDP Act, DPDP Rules, and the SARAL summary of stakeholder feedback are available on the Ministry’s website at https://www.meity.gov.in/.

 

Source: Press Information Bureau (PIB)
