India notifies DPDP rules to strengthen citizen privacy, drive responsible innovation

Full implementation of the Digital Personal Data Protection framework begins with citizen-centric, technology-neutral rules

The Government of India has issued the Digital Personal Data Protection (DPDP) Rules, 2025, completing the implementation of the DPDP Act, 2023. Together, the Act and Rules establish a clear, citizen-focused and innovation-friendly framework for the responsible use of digital personal data.

Passed by Parliament on 11 August 2023, the DPDP Act sets out a comprehensive system for safeguarding digital personal data. It outlines the obligations of organisations handling such data—referred to as Data Fiduciaries—and the rights and duties of individuals, known as Data Principals. Designed with the SARAL principles of Simple, Accessible, Rational and Actionable, the Act uses plain language and practical illustrations to support easier understanding and compliance.

The Act is built on seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability.

Inclusive and Consultative Rule-Making
To ensure broad engagement, the Ministry of Electronics and Information Technology released draft DPDP Rules for public comments and held consultations across Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai. Inputs from startups, MSMEs, industry groups, civil society and government departments informed the final Rules.

Phased and Practical Implementation
The Rules introduce an 18-month phased compliance period to support a smooth transition for organisations. Data Fiduciaries must issue clear, standalone consent notices that transparently state the specific purpose for which personal data is collected and used. Consent Managers—platforms that help individuals manage their permissions—must be Indian-registered companies.

Clear Protocols for Personal Data Breach Notification
In the event of a personal data breach, Data Fiduciaries are required to promptly notify affected individuals in plain language. Notifications must explain the nature of the breach, its possible consequences and the steps taken in response, and provide relevant contact information for assistance.

Safeguards for Children and Persons with Disabilities
Stronger protections apply when processing the personal data of children, requiring verifiable consent from a parent or lawful guardian, with limited exemptions for essential services such as healthcare, education and real-time safety. For individuals with disabilities who cannot make legal decisions even with support, consent must be given by a lawful guardian verified under applicable law.

Transparency and Accountability Measures
Data Fiduciaries must display clear contact information—such as that of a designated officer or Data Protection Officer—so individuals can raise questions about personal data processing. Significant Data Fiduciaries have additional responsibilities, including independent audits, impact assessments and enhanced due diligence for deployed technologies. They must also comply with government-mandated restrictions on specific categories of data, including localisation where required.

Strengthening Rights of Data Principals
The DPDP framework reinforces individuals’ rights to access, correct, update or erase their personal data. It also permits them to nominate someone else to exercise these rights on their behalf. Data Fiduciaries must respond to all such requests within 90 days.

Digital-First Data Protection Board
The Data Protection Board will function entirely online, enabling citizens to file and track complaints through a dedicated portal and mobile application. Appeals against its decisions will be heard by the Appellate Tribunal, TDSAT.

The Rules aim to strike a balance between protecting privacy and promoting innovation. India’s data governance model supports economic growth while ensuring citizen welfare and provides a facilitative compliance pathway for startups and smaller enterprises.

With simplified processes, adequate transition time and a technology-neutral approach, the DPDP Act and Rules are designed to strengthen privacy, build trust and promote responsible digital innovation—helping position India’s digital economy as secure, resilient and globally competitive.

The DPDP Act, DPDP Rules and SARAL summary of stakeholder feedback are available on the Ministry’s website.
