Digital Personal Data Protection (DPDP) Rules, 2025

On 14th November 2025, the Union government notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the operational framework of the DPDP Act, 2023. The move marks a decisive shift from principles to a fully enforceable, citizen-centric data protection regime aimed at strengthening trust while enabling technological growth.

Key Points

Shift to a Unified Data Protection Framework: Before DPDP, India relied on fragmented guidelines and sector-specific rules. The new rules consolidate protections under one clear, enforceable system.
Extensive Public Consultation: Nationwide consultations gathered 6,915 inputs from startups, MSMEs, civil society, industry bodies, and citizens, shaping the final version of the Rules.
Eighteen-Month Phased Rollout: The Rules introduce a gradual compliance timeline, allowing organisations of all sizes to adapt. Requirements include clear consent notices, defined purposes for data use, and India-based consent managers.
Enhanced Breach-Notification System: Organisations must promptly notify individuals of any personal-data breach, strengthening transparency and accountability.
Stronger Rights for Citizens (Data Principals): Individuals can request information on data usage, ask for corrections, update details, or request deletion in certain conditions. Data fiduciaries must respond within 90 days.
Special Protections for Children and Persons with Disabilities: Processing their data requires verifiable guardian consent, ensuring higher safeguards.
Operationalisation of the Data Protection Board (DPB): A fully digital board with four members will allow citizens to file complaints online and track progress via a portal and mobile app.