The Indian Government has formally rolled out the Digital Personal Data Protection Rules, 2025, which completes operationalisation of the DPDP Act, 2023. These rules and the Act, together, seek to establish a transparent, citizen-centric, innovation-friendly ecosystem to guarantee the responsible use of personal data in the rapidly growing digital economy of India.
The DPDP Act, which was enacted on 11 August 2023, lays a comprehensive framework for personal data protection for the Indians, which well defines the roles of entities about data collection and processing (Data Fiduciaries) and individual rights of Data Principals.
It follows the SARAL design principle, which is simple, accessible, rational and actionable, ensuring that the intent is easier to understand and comply with through plain language and examples.
Seven core principles of the act
The DPDP framework is based on seven important pillars:
- Consent and transparency
- Purpose limitation
- Data minimisation
- Data Accuracy
- Storage limitation
- Security safeguards
- Accountability
These principles lie at the core of India's privacy protection regime.
Consultative rule-making process
Inclusive participation was ensured in the making through intensive public consultations by the Ministry of Electronics and IT across major cities like:
- Delhi
- Mumbai
- Kolkata
- Hyderabad
- Bengaluru
- Chennai
- Guwahati
The final version of the rules is an outcome of feedback received from startups, MSMEs, civil society, industry bodies, and government departments.
Phased compliance for organisations
The DPDP Rules provide organisations with an 18-month phased compliance window, making the transition smoother. Data fiduciaries are now required to provide clear, standalone consent notices, stating the purpose for which personal data is being collected. Also, Consent Managers—those entities which help users manage permissions—have to be Indian companies.
Compulsory breach notification schemes
In case of a personal data breach, the data user must immediately inform affected individuals in lucid terms. Such notifications should include the nature of the breach, its possible consequences, any corrective steps taken, and contact details for assistance.
Special safeguards for children and individuals with disabilities
Processing of personal data of a child shall be lawful when parental consent is provided, except in those cases that are strictly necessary for education, healthcare or safety – on condition that such exceptions are established in applicable laws.
In cases where persons with disabilities cannot give consent due to a lack of legal capacity, the consent of the legal guardian shall be obtained in accordance with applicable laws.
Stronger transparency and accountability measures data
Users will have to display contact details of a designated officer or data protection officer so that individuals can raise various queries related to privacy.
Significant data users are subject to further responsibilities, including independent audits, impact assessments, and compliance with government restrictions – including, potentially, data localisation.
Data principals' rights strengthened
Individuals now have the right to view, rectify, update, or delete their personal information and to appoint another person to do these things on their behalf. Organisations shall act on such requests within 90 days from receipt.
Digital-first data protection board
The newly constituted DPBI will work completely online; it will accept and track complaints from citizens with the help of a dedicated portal and mobile app. Appeals will be heard by TDSAT.
When do the DPDP Rules apply?
The DPDP Rules, notified on November 14, 2025, provide the legal framework for protecting personal data online. Drawing inspiration from global frameworks such as the GDPR and Singapore's own PDPA, the Act establishes minimum standards that businesses must follow for access control, encryption, and audits for Significant Data Fiduciaries handling large volumes of personal information.