Digital Personal Data Protection Rules, 2025: A New Era for Data Privacy in India

20 Nov 2025
  • DMD Advocates
  • Blog

On November 13, 2025, the Government of India took a historic step by notifying the Digital Personal Data Protection Rules, 2025 (Rules). These Rules operationalise the framework established by the DPDP Act, passed in August 2023, and translate legislative principles into clear, actionable, and enforceable procedures.

Built on the SARAL (Simple, Accessible, Rational, and Actionable) philosophy, these Rules are written in plain, citizen-friendly language with practical illustrations, making data protection comprehensible for every Indian citizen. The framework creates a balanced ecosystem with three key actors: data principals (individuals whose data is processed), data fiduciaries (entities handling personal data), and the newly established Data Protection Board of India, a statutory body set up under the Act to adjudicate disputes, handle grievances, and enforce compliance.

Key Provisions and Compliance Requirements

The Rules introduce several transformative provisions.

1. Strengthened Consent Architecture:
Data Fiduciaries must now obtain verifiable, specific, and informed consent through clear, standalone notices that describe the personal data being collected, the specified purpose, and the specific goods or services to be provided or uses to be enabled by the processing. A major highlight of the Rules is that a Data Principal must be able to withdraw consent through a process as simple as the one used to give it. For individuals under 18 years of age, mandatory parental verification must be conducted through reliable identity systems, including digital locker integration or a government-backed virtual token.

2. Security and Data Management Safeguards:
Fiduciaries are now bound by robust, mandatory security practices, including encryption, access controls, intrusion detection logs, and data backups retained for at least one year. The Rules also require a strict retention and deletion framework, including automatic deletion of personal data of inactive users (typically after three years), and 48-hour prior notice to the Data Principal before such deletion.

3. Mandatory Breach Reporting:
In the event of a data breach, organisations must immediately notify affected individuals in plain language and report the breach to the data protection board within 72 hours, explaining the nature, extent, consequences, and remedial measures.

4. Consent Managers:
The Rules establish consent managers, specialised Indian entities registered with the board, to help citizens manage, review, track and withdraw consent across multiple services through a centralised, interoperable platform. Consent Managers must maintain consent logs for at least seven years, operate an interoperable, certified digital platform, and meet a minimum net worth requirement of INR 2,00,00,000 (Two Crore).

5. Obligations for Significant Data Fiduciaries (SDFs):
Platforms handling large-scale or sensitive personal data, such as major e-commerce, social media, fintech, and gaming companies, are designated as SDFs. They must comply with enhanced obligations, including annual data protection impact assessments, independent compliance audits, algorithmic due diligence, and potential data localisation requirements notified by the government.

6. Rights of Data Principals:
These Rules empower every Indian with meaningful control over their digital footprint. Citizens can now access, correct, update, or erase their personal data, and even nominate trusted individuals to exercise these rights on their behalf. Data Fiduciaries must respond to such requests within 90 days through transparent grievance redressal systems.

7. Digital-First Data Protection Board:
The data protection board functions entirely digitally, enabling citizens to file complaints online through dedicated platforms and mobile apps, promoting transparency and ease of living. With penalties ranging from INR 10,000 (Indian Rupees Ten Thousand) to INR 250,00,00,000 (Indian Rupees Two Hundred Fifty Crore) per violation, the framework creates strong deterrents against non-compliance while fostering trust in India’s digital economy.

Implementation Timeline and Core Principles

The Rules adopt an 18-month phased implementation, allowing businesses, especially startups and MSMEs, time to transition smoothly. Critical provisions like the data protection board’s establishment became effective from November 13, 2025, while major compliance obligations, including consent manager registration and data protection officer appointments, will come into force by May 2027.

The Rules are grounded on seven fundamental data protection principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. Together they represent India’s commitment to privacy-centric development, balancing innovation with strong individual rights and responsible data handling across sectors.

Credits: Atishree Sood (Principal Associate) & Jasmine Brar (Associate).

© DMD Advocates, 2023-25
