New Delhi: The Centre has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the implementation of the DPDP Act, 2023 and establishing a comprehensive legal framework for safeguarding digital personal data in India.
The Ministry of Electronics and Information Technology (MeitY) said the Act and the newly notified Rules aim to create a citizen-first, transparent and innovation-friendly ecosystem for the responsible handling of digital personal data.
Passed by Parliament in August 2023, the DPDP Act outlines clear duties for organisations managing personal data—referred to as Data Fiduciaries—and enumerates the rights and responsibilities of individuals, known as Data Principals. The framework follows the SARAL design philosophy, ensuring regulations are simple, accessible, rational and actionable, with easy-to-understand language and illustrative examples.
The Act is anchored in seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability.
The final Rules were shaped by extensive public consultations across major cities including Delhi, Mumbai, Chennai, Kolkata, Hyderabad, Bengaluru and Guwahati. MeitY said industry leaders, startups, MSMEs, civil society groups and government departments provided crucial feedback that informed the final draft.
To ensure a smooth shift to the new regime, the DPDP Rules provide an 18-month phased compliance period. Organisations will be required to issue clear, standalone consent notices explaining why personal data is being collected and how it will be used. Consent Managers—platforms designated to help people manage permissions—must be incorporated in India.
In cases of a data breach, Data Fiduciaries will need to promptly notify affected individuals in plain language, detailing the nature of the breach, its possible impact and steps taken to control the damage.
Stronger safeguards have been put in place for protecting minors’ data. Organisations must seek verifiable consent before processing a child’s personal information, with limited exemptions related to healthcare, education and real-time safety. For persons with disabilities who cannot make legal decisions, consent must be obtained from a verified lawful guardian.
Data Fiduciaries must make available the contact details of a designated officer or Data Protection Officer to address queries related to data handling. Significant Data Fiduciaries—those handling large volumes or sensitive categories of data—will face additional requirements, including independent audits, impact assessments and stricter due diligence obligations. They must also follow any government directives on data localisation for specific categories.
The DPDP framework empowers individuals with rights to access, correct, update or erase their personal data. They may also nominate another person to exercise these rights on their behalf. Organisations must respond to such requests within 90 days.
The Data Protection Board, envisioned as a fully digital body, will allow citizens to file complaints online through a dedicated platform and mobile app. Appeals against its decisions will be handled by the TDSAT.
MeitY stated that the DPDP Rules strike a balance between safeguarding privacy and supporting economic innovation. India’s data governance system, it said, is designed to promote growth while ensuring the welfare and trust of citizens. The simplified rules, adequate transition period and technology-neutral approach aim to strengthen privacy protections and reinforce India’s position as a secure and competitive digital economy.
The DPDP Act, Rules and a SARAL summary of stakeholder feedback are available on the Ministry’s website.