The Government of India has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the operational framework of the DPDP Act, 2023. Together, the Act and the newly notified Rules establish a simplified, citizen-centric, and innovation-friendly data protection regime that strengthens privacy and supports India’s rapidly advancing digital economy.
Passed by Parliament on 11 August 2023, the DPDP Act lays out a comprehensive structure to protect digital personal data, defining the responsibilities of Data Fiduciaries and the rights and duties of Data Principals. Built on the SARAL design philosophy—Simple, Accessible, Rational and Actionable—the Act uses plain language and illustrations to enhance ease of understanding and compliance.
Guided by seven core principles—consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability—the framework aims to ensure responsible processing of personal data across all sectors.
In a bid to ensure broad-based participation, the Ministry of Electronics and Information Technology (MeitY) sought public feedback on the draft Rules and conducted consultations across major cities including Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai. Inputs from startups, MSMEs, industry bodies, civil society and government officials have significantly shaped the final Rules.
The DPDP Rules provide an 18-month phased compliance period to help organisations transition gradually. Data Fiduciaries must issue clear, standalone consent notices explaining the exact purpose of collecting and processing personal data. Consent Managers—entities helping individuals manage personal data permissions—must be Indian companies.
In case of a personal data breach, Data Fiduciaries are required to promptly notify affected individuals in clear language, explaining the nature of the breach, its potential consequences, remedial measures taken and contact details for support.
Processing children’s personal data now requires verifiable consent, with exemptions only for essential services like healthcare, education and real-time safety. For persons with disabilities unable to make legal decisions, consent must be provided by a lawful guardian verified under relevant laws.
Data Fiduciaries must provide clear contact details—such as those of a designated officer or Data Protection Officer—to handle queries on data processing. Significant Data Fiduciaries will face enhanced compliance standards, including mandatory audits, data protection impact assessments, stronger due diligence, and adherence to government directives such as data localisation when required.
The DPDP framework reinforces the rights of Data Principals, including accessing, correcting, updating or erasing their personal data and nominating another individual to exercise these rights. All such requests must be addressed within a maximum of 90 days.
The Data Protection Board will function as a fully digital body, allowing citizens to file and track complaints online via a dedicated platform and mobile application. Appeals against its decisions will lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Designed to balance privacy protection with economic growth, the DPDP framework provides a simplified and facilitative compliance structure—particularly supporting startups and smaller enterprises—while ensuring that innovation continues to thrive alongside strong data safeguards. With its technology-neutral approach and phased implementation roadmap, the DPDP Act and Rules aim to enhance digital trust and build a secure, resilient, and globally competitive digital economy for India.
The DPDP Act, Rules and SARAL summary of stakeholder feedback are available on the Ministry’s website.