DPDP Indian Data Policy 2025: On 13 November 2025, the Ministry of Electronics and Information Technology (MeitY) issued the Digital Personal Data Protection (DPDP) Rules, 2025. With this, the DPDP Act, 2023 entered its full implementation phase. This step is being seen as a major shift towards a simple, citizen-centric, and innovation-friendly data governance framework.
The Ministry of Electronics and Information Technology (MeitY) has officially implemented the Digital Personal Data Protection (DPDP) Rules, 2025. With this, the DPDP Act, 2023 has now come into full effect.
These new rules will provide users with complete information about the personal data collected and processed by companies. They will also help users understand how companies use their data.
For reference, the DPDP Act was passed by Parliament on 11 August 2023. The Act defines how digital data of individuals in India should be protected and used lawfully.
The government will roll out the DPDP Rules, 2025 in a phased manner and has prepared a structured roadmap for their implementation. The primary objective of these rules is to give citizens greater control over their personal data and to ensure stronger privacy protection in the digital space.
What are the DPDP Rules, 2025?
The Digital Personal Data Protection Rules, 2025 provide an administrative framework through which the government has laid down procedures and obligations to implement the DPDP Act, 2023.
The objective of these rules is to protect individuals’ digital personal data while enabling lawful, innovation-friendly data processing. The rules cover data collected through both online and offline modes.
The DPDP Act, 2023 received Presidential assent on 11 August 2023. Its foundation was laid by the Supreme Court’s 2017 judgment in K.S. Puttaswamy vs Union of India, which declared the right to privacy as a fundamental right.
Subsequently, MeitY released the draft rules on 3 January 2025, and after extensive public consultation, the final rules were notified on 13 November 2025.
Key Provisions of the Digital Personal Data Protection (DPDP) Rules, 2025
Seven Core Principles
The DPDP Rules are based on seven principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. These principles ensure that data is collected only for necessary purposes, maintained accurately, and stored securely.
SARAL Design
The rules follow the SARAL framework, meaning Simple, Accessible, Rational, and Actionable. The aim is to enable data fiduciaries to comply through clear and understandable processes, without complex technical or legal jargon, making compliance easier for both citizens and organizations.
Compliance Timeline
The rules provide an 18-month compliance period for data fiduciaries to align their digital systems, record management, and security infrastructure with the new standards. This phased approach especially helps small organizations comply without undue pressure.
Consent Managers
Consent Managers help citizens control their data permissions through easy-to-use digital platforms. The rules clarify that such entities must be registered in India, ensuring accountability and enabling individuals to withdraw consent easily.
Data Breach Notification
In case of any personal data breach, the data fiduciary must promptly inform affected individuals in simple language. The notification must clearly mention the nature of the breach, its potential impact, and corrective actions taken.
Protection of Children’s Data
For processing children’s data, verified parental consent is mandatory. Limited exceptions are allowed only for essential services such as education, healthcare, or safety. For persons with disabilities, decisions may be taken by their lawful guardian.
Accountability and DPO Framework
Every data fiduciary must publicly disclose contact details of its Data Protection Officer (DPO) or designated officer. Significant Data Fiduciaries are subject to additional obligations, including data audits, risk assessments, and enhanced monitoring mechanisms.
Rights of Data Principals
The rules grant individuals the right to access, correct, update, and erase their data, and to appoint representatives to exercise these rights on their behalf. Data fiduciaries must respond to such requests within 90 days, strengthening transparency and citizen control.
Data Protection Board
The rules establish a fully digital Data Protection Board, where individuals can file complaints online. The Board can conduct inquiries, prescribe corrective measures, and in serious cases impose penalties of up to ₹250 crore per violation.