New Delhi: Nearly 18 months after Parliament passed it, the government has notified the DPDP Rules, 2025 and kicked off the staggered rollout of the Digital Personal Data Protection Act, 2023.
The framework sets clear rules for how companies, digital platforms, and government bodies must collect, store, process, and manage the personal data of individuals (“Data Principals”).
It defines the obligations of entities handling this data (“Data Fiduciaries”), mandates explicit and informed user consent, requires strong security safeguards, and outlines penalties for misuse, non-compliance, or data breaches.
While the law itself came into force earlier, the operational rules now specify which provisions take effect immediately, which will apply after one year, and which come into force after 18 months, giving organisations a structured timeline to comply.
Specifically, general duties, grievance redressal provisions, and other foundational obligations under Rules 1, 2, and 17‑21 are effective immediately; the registration and governance of Consent Managers under Rule 4 will be applicable one year from notification; and the detailed notice formats, security measures, processing conditions, data retention norms, and remaining operational rules under Rules 3, 5‑16, 22‑23 will apply in full after 18 months.
A significant addition through the new rules is the establishment of a formal framework for Consent Managers, who must be registered with the Data Protection Board and comply with governance, transparency, and security requirements, with the Board empowered to suspend or cancel registrations for violations.
The Rules also lay down standards for encryption, masking, tokenisation, access controls, activity logging, backup systems, and business-continuity planning, making these safeguards mandatory for all fiduciaries.
Organisations are required to maintain traffic logs and processing logs for a minimum of one year. In the event of a data breach, fiduciaries must provide immediate intimation to the Board and deliver a fuller report within 72 hours while simultaneously informing affected users about the nature of the breach, potential harm, and mitigation steps.
The Digital Personal Data Protection (DPDP) Act is India’s first full-scale privacy law, introducing explicit and affirmative consent for data processing and codifying a clear set of rights for individuals, including withdrawing consent, correcting or erasing data, and seeking timely grievance redressal.
For organisations, it brings new responsibilities, ranging from appointing Data Protection Officers to carrying out Data Protection Impact Assessments and independent audits in the case of significant data fiduciaries.
These significant entities must also ensure that their algorithmic and technical processes do not adversely affect user rights, submit their findings to the Data Protection Board, and may be subject to additional data-localisation mandates for categories that the government notifies.
The Rules further create guardrails for processing children’s data, requiring verifiable parental consent through existing identity or age data, new details, or authorised tokens issued by competent entities, and impose corresponding safeguards for processing data of persons with disabilities by verifying the legal guardianship of authorised representatives.
They also clarify data-retention requirements by mandating that certain categories of data be deleted once a user has been inactive for a specified period, unless retention is required by law. Cross-border transfers are permitted but will be governed by government-notified terms specifying eligible jurisdictions and entities.
The Act also requires mandatory breach notifications to both regulators and affected users and imposes steep penalties of up to Rs 250 crore for violations. With the final Rules now in place, the DPDP framework aims to strengthen India’s digital ecosystem by embedding accountability and transparency into data-handling practices, ensuring that business innovation moves in tandem with user privacy and trust.
Passed in August 2023 after multiple drafts and years of deliberation, the landmark legislation now enters its operational phase with a clear compliance roadmap over the next 18 months, marking India’s transition into a robust, rights-based data-protection era.