DPDP Rules 2025

The DPDP Rules 2025 were officially notified on 14 November 2025, giving complete effect to the Digital Personal Data Protection Act, 2023. Together, the Act and the Rules establish India’s first citizen-centric digital data protection framework, balancing privacy rights with lawful and responsible data use.

Why Do the Digital Personal Data Protection Rules Matter?

  • Operationalise the DPDP Act, 2023
  • Strengthen privacy and responsible digital governance
  • Create enforcement mechanisms through the Digital Data Protection Board
  • Balance innovation with security
  • Essential for competitive exams (Govt schemes, Acts, digital governance)

Key Highlights of DPDP Rules 2025

1. Phased Implementation (18-Month Transition)

The rules provide an 18-month compliance window, ensuring organisations can:

  • Update systems
  • Create consent notices
  • Appoint officers
  • Adopt responsible digital practices

Consent Managers must be India-based companies.

A separate, clear, purpose-based consent notice is compulsory. Consent must be:

  • Informed
  • Specific
  • Revocable
  • Transparent

3. Data Breach Notification Protocol

Every Data Fiduciary must:

  • Notify affected individuals immediately
  • Explain the breach in plain language
  • Mention possible impact
  • Provide support contact details

4. Transparency & Accountability

All Data Fiduciaries must publicly display:

  • Contact details of designated officer or DPO
  • Redressal points
  • Processing purpose

Significant Data Fiduciaries Face Additional Duties:

  • Independent audits
  • Data protection impact assessments
  • Restrictions on sensitive tech use
  • Compliance with government directions

5. Rights Strengthened for Citizens (Data Principals)

The rules enhance all rights given under the DPDP Act.

Every citizen now has:

  • Right to consent or refuse
  • Right to withdraw consent
  • Right to know how data is used
  • Right to access personal data
  • Right to correct inaccurate data
  • Right to update personal details
  • Right to erase data (as applicable)
  • Right to nominate another person

Mandatory Response Timeline:

All requests must be resolved within 90 days.

6. Child & Disability Protection Rules

  • Parental consent required for children’s data
  • Special protection for persons with disabilities through verified guardians

7. Digital-First Data Protection Board

  • Fully online
  • Four-member board
  • Complaint filing via portal + mobile app
  • Appeals handled by TDSAT

Major Penalties Under the DPDP Act

| Violation | Penalty (Up to) |
|---|---|
| Failure to maintain security safeguards | ₹250 crore |
| Failure to notify data breach | ₹200 crore |
| Violation relating to children’s data | ₹200 crore |
| General non-compliance with Act/Rules | ₹50 crore |

How Digital Personal Data Protection Rules Align with RTI Act

  • Section 8(1)(j) updated to balance privacy + transparency
  • Does not weaken RTI
  • Personal information can still be disclosed if public interest > privacy harm (Section 8(2))
  • Follows Supreme Court’s Puttaswamy privacy principles

DPDP Key Terms: Simple Explanation for Aspirants

Who are the “organisations” required to comply with DPDP Rules?

The 18-month compliance window applies to all organisations that collect, store, process, share or use personal data of individuals within India.
These include:

  • Government departments
  • Private companies
  • Banks & financial institutions
  • Hospitals & schools
  • Startups, MSMEs
  • E-commerce platforms
  • Apps and websites collecting user data

Anyone who handles personal data becomes responsible under the DPDP Act.

2. Who is a Data Fiduciary?

A Data Fiduciary is any organisation that decides why and how your personal data will be used.

Examples:

  • A bank collecting your KYC
  • A hospital storing your medical records
  • A social media app collecting your photos
  • A university handling student data

Think of the Data Fiduciary as the data controller (the one who decides).

A Consent Manager is a digital platform that helps citizens give, manage, review, or withdraw consent across multiple services.

Key points:

  • They must be registered as a company in India
  • Citizens can manage all their data permissions from a single dashboard
  • They act as a neutral, trusted intermediary, not owned by any company whose data they manage

Example: In the future, India may approve official apps (like how UPI has BHIM, PhonePe, etc.) that allow people to check who has access to their data.

  • Citizens (Data Principals) give consent
  • Data Fiduciaries (companies/organisations) receive and store that consent

Example: When you install a mobile app → it shows a consent notice → you decide whether to allow or deny.

5. Who files requests for correction, erasure or access — and who must resolve them within 90 days?

  • Citizens ask for access, correction, updating or deletion of their personal data
  • Data Fiduciaries must respond within 90 days

| Request Type | Filed By | Must Resolve |
|---|---|---|
| View my data | Citizen | Data Fiduciary |
| Correct my wrong name/number | Citizen | Data Fiduciary |
| Delete my old account | Citizen | Data Fiduciary |

Before collecting any data, every organisation must give a clear and simple consent notice explaining:

  • What data they are collecting
  • Why they need it
  • How long they will keep it
  • How you can withdraw consent

FAQs on Digital Personal Data Protection Rules

What are DPDP Rules?

They are the official rules notified to enforce the Digital Personal Data Protection Act, 2023.

When were the DPDP Rules implemented?

On 14 November 2025.

What is the purpose of DPDP Rules 2025?

To protect personal data, enforce rights of citizens, and ensure accountable data processing.

What are the penalties under the DPDP Act?

Penalties range from ₹50 crore to ₹250 crore, depending on the violation.

Who handles complaints under the DPDP Rules?

The Digital Data Protection Board of India, through a fully digital platform.

Do the DPDP Rules affect RTI?

No. The RTI Act remains operational; only privacy balancing was clarified.

Source: MEITY
