New Delhi: India has brought its first complete personal data protection framework into force with the notification of the Digital Personal Data Protection (DPDP) Rules 2025. Issued on November 14, the Rules operationalise the Digital Personal Data Protection Act 2023 and mark a major shift in how organisations must collect, process and safeguard personal information.
The Rules introduce a consent-led and rights-based system, with obligations phased in over the next 12 to 18 months. High-impact requirements, including breach reporting and the establishment of the Data Protection Board of India, have taken effect immediately. Other obligations, such as disclosures related to Data Protection Officers and the rollout of Consent Managers, will apply by November 2026.
The DPDP Act, enacted in 2023, laid out the core design for protecting digital personal data. The Rules now provide the detailed procedures required for implementation. The framework rests on principles including transparency, purpose limitation, minimisation, accuracy, storage limits, security safeguards and accountability. Citizens are recognised as Data Principals, while organisations handling their personal information are classified as Data Fiduciaries. Entities processing large volumes of data are designated Significant Data Fiduciaries and must meet stricter requirements.
The government has adopted a staggered implementation plan to give businesses time to upgrade architecture, documentation and internal processes. Some provisions, such as the operationalisation of the Data Protection Board, became effective on the day of notification.
The Rules strengthen informed consent as the foundation of India’s privacy system. Organisations must obtain clear permission before gathering personal data. Pre-selected boxes or bundled approvals are not permitted. Consent notices must be issued in English or any of the 22 scheduled Indian languages and must specify the nature and purpose of data collection, as well as how individuals can withdraw consent. A new category of Consent Managers will help citizens manage permissions across platforms. Citizens can access their data, correct inaccuracies, request erasure and nominate a representative to act on their behalf. Data Fiduciaries have 90 days to respond to such requests.
The Rules place special emphasis on protecting children and persons with disabilities. For children, verifiable parental consent is mandatory. Tracking, behavioural profiling or targeted advertising aimed at minors is prohibited. For persons with disabilities unable to give consent, the approval of a lawful guardian is required.
Data lifecycle requirements mandate that organisations collect only data essential for stated purposes. Large digital platforms, including intermediaries with more than two crore users, e-commerce firms and online gaming platforms with over 50 lakh users, must delete personal data of inactive users after three years. Organisations must give at least 48 hours’ notice before deletion.
Security safeguards form a central part of compliance. Data Fiduciaries must use encryption, masking, backups and access controls. Breach reporting requires organisations to notify the Data Protection Board within 72 hours and inform affected individuals in clear, simple language. Organisations must retain logs of consent and processing activities for at least a year.
Cross-border data transfers are allowed under conditions set by the Union government. Restrictions may apply to making such data available to foreign states or their agencies. Data processed for research, archiving or statistical purposes is exempt from the Act if it complies with standards in the Second Schedule.
Significant Data Fiduciaries face enhanced obligations, including annual impact assessments, independent audits, algorithmic safety checks and appointment of Data Protection Officers. They must also comply with localisation requirements where mandated.
The Data Protection Board of India will operate as a digital regulator. Citizens will be able to file and track complaints online. The Board can investigate violations and impose penalties of up to ₹250 crore per instance. Appeals against its decisions will lie with TDSAT. Citizens must first approach the concerned Data Fiduciary; only unresolved grievances after 90 days can escalate to the Board.
By providing enforceable rules, the DPDP Rules 2025 mark India’s transition from policy intent to a functioning privacy system. They strengthen citizen rights, set clear duties for organisations and introduce structured enforcement. With India’s digital economy expanding rapidly, the framework is expected to increase user confidence and align the country more closely with global data protection practices.
BI Bureau
