New Delhi: The Government of India has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the operational framework of the Digital Personal Data Protection Act, 2023. Together, the Act and Rules establish a simplified, citizen-centric and innovation-friendly data governance regime aimed at protecting digital personal data while promoting growth in India’s digital economy.
Passed by Parliament on August 11, 2023, the DPDP Act outlines obligations for organisations handling personal data (Data Fiduciaries) and defines the rights and duties of individuals (Data Principals). Built on the SARAL design approach — Simple, Accessible, Rational and Actionable — the legislation uses clear language and examples to ease compliance, particularly for emerging enterprises.
At its core, the Act is anchored on seven principles: informed consent and transparency, purpose limitation, data minimisation, data accuracy, storage restriction, security safeguards and accountability.
Consultative & Inclusive Rule-Making
The Ministry of Electronics and Information Technology (MeitY) formulated the Rules following extensive consultations across major Indian cities including Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai. Feedback from startups, MSMEs, industry associations, civil society organisations and government bodies informed the final framework.
Phased Compliance Framework
To enable a smooth transition, the DPDP Rules introduce an 18-month phased compliance timeline. Data Fiduciaries must issue standalone, plain-language consent notices clearly explaining the purpose of data collection and usage. Additionally, Consent Managers — service entities that enable individuals to manage permissions — must be incorporated in India.
Data Breach Reporting Protocol
In case of a data breach, companies must promptly notify affected individuals in simple language, outlining the nature of the breach, potential risks, corrective actions and contact details for assistance.
Protections for Minors & Persons with Disabilities
Processing of children’s personal data will require verifiable parental consent, with exemptions only for essential services such as education, healthcare and safety. For persons with disabilities unable to provide informed consent, approvals must be obtained from a legally recognised guardian.
Enhanced Oversight for Significant Data Fiduciaries
Entities classified as Significant Data Fiduciaries will face higher accountability standards, including independent audits, impact assessments and rigorous due diligence for deployed technologies. They must comply with any notified data localisation requirements and publish clear Data Protection Officer (DPO) or grievance contact details.
Rights of Data Principals Strengthened
Individuals will have the right to access, correct, update or erase their personal data and nominate a representative to exercise these rights. Organisations must acknowledge and respond to such requests within 90 days.
Digital-First Enforcement Ecosystem
A fully digital Data Protection Board will handle complaints via an online platform and mobile app, ensuring accessible, efficient and transparent grievance redressal. Appeals will be heard by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Balancing Growth and Protection
By combining simplified regulations, technology-neutral provisions and transition support, the DPDP framework aims to strengthen privacy, enhance trust and foster responsible digital innovation. The rules are expected to support India’s ambition to build a secure, resilient and globally competitive digital economy, while ensuring a compliance-friendly ecosystem for startups and smaller enterprises.