India’s New Data Privacy Rules Are Here: What You Need to Know About DPDP 2025

Government of India officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the implementation of the Digital Personal Data Protection Act, 2023. This milestone lays down a comprehensive and citizen-centric legal framework that protects individual privacy while supporting the responsible use of digital personal data by organisations. The notification follows an inclusive national consultation process that received 6,915 inputs from stakeholders including startups, civil society groups, industry bodies, government departments, and concerned citizens.

A New Era of Responsible Data Governance

Together, the DPDP Act and Rules aim to establish a balanced ecosystem where privacy, innovation, and digital growth can thrive in tandem. The framework is based on the SARAL principle: Simple, Accessible, Rational, and Actionable.

The law applies to all digital personal data, providing clear rules, citizen rights, and corporate responsibilities, making it easy for individuals to understand, access, and control their data.

Key Highlights of the DPDP Rules, 2025

1. Phased Implementation

A practical 18-month compliance period gives organisations time to adapt their systems, adopt privacy-by-design practices, and align operations with the Act’s requirements.

2. Mandatory Consent Notices

All Data Fiduciaries must issue simple, clear, purpose-specific consent notices before processing any personal data. Consent Managers must be India-based entities offering transparent, interoperable platforms for users to manage permissions.

3. Personal Data Breach Protocol

In the event of a data breach, organisations must promptly notify affected individuals in plain language, detailing the nature, impact, response, and support mechanisms available.

4. Citizen Empowerment through Digital Rights

The Rules reaffirm and operationalise citizens’ digital rights,

• Right to Consent or Refuse
• Right to Know Purpose and Use
• Right to Access, Correct, Update, or Erase Data
• Right to Nominate Another Person
• Right to Timely Response (within 90 days)
• Right to Protection During Breach

Special safeguards are included for children and persons with disabilities, ensuring consent is obtained through verified guardians when required.

5. Clear Grievance Mechanism

Organisations must publish contact details for data-related queries. Significant Data Fiduciaries have enhanced duties like independent audits, risk impact assessments, and government-mandated data localisation when applicable.

6. Fully Digital Data Protection Board

The Data Protection Board of India will operate as a digital-first authority, consisting of four members. Citizens can file complaints online, track cases through a portal, and appeal decisions before TDSAT, the designated Appellate Tribunal.

Penalties Under the DPDP Act

The framework includes strict penalties for non-compliance,

• Up to ₹250 crore for failing to implement security safeguards
• Up to ₹200 crore for data breach non-disclosure or violations involving children
• Up to ₹50 crore for other rule violations
• These penalties are designed to enforce accountability and good data practices.

Alignment with RTI Act and Privacy Rights

The DPDP Act amends Section 8(1)(j) of the RTI Act to align with the Supreme Court’s recognition of privacy as a fundamental right. It ensures,

• Personal data is protected from disclosure unless public interest outweighs the harm
• Section 8(2) of the RTI Act remains intact, preserving transparency in governance
• A clear and court-aligned balance between privacy and access to public information

Key Static Facts: DPDP Rules, 2025

• Notified on: 14 November 2025
• Act Enacted on: 11 August 2023
• Consultation Feedback Received: 6,915 inputs
• Compliance Period: 18 months
• Governing Authority: Data Protection Board of India
• Key Concepts: Data Principal, Data Fiduciary, Consent Manager, Data Processor
• Appellate Authority: TDSAT
• Penalties: Up to ₹250 crore for serious violations