The government has released the Digital Personal Data Protection (DPDP) Rules, 2025, fully operationalising the DPDP Act, 2023. The aim is to build a simple, citizen-centric and innovation-friendly framework for the responsible use of digital personal data.
Passed on August 11, 2023, the DPDP Act forms a comprehensive system for safeguarding digital personal data. It outlines the responsibilities of organisations handling data (Data Fiduciaries) and the rights and duties of individuals (Data Principals). The framework follows the SARAL approach — Simple, Accessible, Rational and Actionable — using clear language and illustrations to support easy compliance.
According to the Ministry of Electronics and IT, the Act is built on seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability.
The new rules introduce an 18-month phased compliance period to help organisations transition smoothly. Data Fiduciaries must issue standalone, easy-to-understand consent notices clearly explaining why personal data is being collected and how it will be used. Consent Managers — entities that help users manage permissions — must be incorporated in India.
In case of a data breach, Data Fiduciaries must quickly notify affected individuals in plain language, detailing the nature of the breach, its possible impact, measures taken, and contact information for support.
Stricter safeguards apply to children’s data. Verifiable consent from parents or guardians is required, with limited exemptions for essential services such as healthcare, education and real-time safety. For persons with disabilities who cannot make legal decisions even with support, consent must be provided by a lawful guardian.
Organisations must also display clear contact details — such as a designated officer or Data Protection Officer — for queries related to personal data processing. Significant Data Fiduciaries have additional responsibilities, including independent audits, impact assessments, stronger due diligence and compliance with government mandates on sensitive data categories, including localisation when required.
The DPDP framework upholds individuals’ rights to access, correct, update or erase their personal data, and to nominate someone to exercise these rights. Data Fiduciaries must address such requests within 90 days.
A fully digital Data Protection Board will handle complaints through an online platform and mobile app, enabling citizens to file and track cases easily. Appeals will go to the Appellate Tribunal (TDSAT).
The Ministry said the rules aim to balance strong privacy protection with innovation and economic growth. India’s data governance model, it noted, supports development while safeguarding citizens and offers a supportive compliance environment for startups and smaller businesses.
