The Government of India has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, putting into full effect the DPDP Act, 2023. Together, the Act and Rules create a clear, citizen-friendly and innovation-supportive framework for managing digital personal data responsibly.
The DPDP Act, passed by Parliament on 11 August 2023, lays out how digital personal data should be handled in India. It defines the responsibilities of organisations that collect or use data—called Data Fiduciaries—and the rights of individuals, known as Data Principals.
The Act follows the SARAL approach (Simple, Accessible, Rational and Actionable), using easy language and examples so people can understand their rights and obligations.
To make the rules inclusive and practical, the Ministry of Electronics & IT (MeitY) held consultations across major cities, including Delhi, Mumbai, Hyderabad, Bengaluru and Chennai.
Inputs from startups, MSMEs, civil society and industry groups helped shape the final notified rules.
Phased Implementation
The DPDP Rules offer an 18-month phased compliance window, giving organisations time to adjust. They also mandate simple, standalone consent notices that clearly describe why personal data is being collected. Consent Managers—services that help individuals manage permissions, must be Indian companies.
Stronger Breach Notification Process
If a personal data breach occurs, Data Fiduciaries must promptly inform affected individuals in simple language. The notification should explain the nature of the breach, possible consequences and steps taken to fix the issue, along with contact details for support.
Protection for Children and Persons with Disabilities
The Rules require verifiable consent before processing children’s data, with exemptions only for essential services like healthcare, education and real-time safety.
For persons with disabilities unable to make legal decisions, consent must be provided by a lawful guardian.
Greater Accountability Measures
Data Fiduciaries must display clear contact information of officers responsible for handling data queries. Significant Data Fiduciaries face additional requirements, including independent audits, impact assessments and stronger due diligence.
They must also follow government-specified restrictions, including data localisation where required.
Enhanced Rights for Individuals
Individuals can request access, correction, updating or erasure of their personal data. They may also nominate someone to act on their behalf. All such requests must be addressed within 90 days.
Digital-First Governance
The Data Protection Board will operate fully online, allowing citizens to file complaints and track progress via a dedicated platform and mobile app. Appeals will be heard by TDSAT.
With a tech-neutral design and simplified compliance, the DPDP Rules aim to strengthen user privacy while supporting innovation and economic growth in India’s digital ecosystem.
Doonited Affiliated: Syndicate News Hunt
This report has been published as part of an auto-generated syndicated wire feed. Except for the headline, the content has not been modified or edited by Doonited
