Wednesday, November 19, 2025

India’s New Data Privacy Rules Are Here: What You Need to Know About DPDP 2025

 Current Affairs: National: Wednesday, 19 November 2025.
The Government of India has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the implementation of the Digital Personal Data Protection Act, 2023. This milestone lays down a comprehensive and citizen-centric legal framework that protects individual privacy while supporting the responsible use of digital personal data by organisations. The notification follows an inclusive national consultation process that received 6,915 inputs from stakeholders including startups, civil society groups, industry bodies, government departments, and concerned citizens.
A New Era of Responsible Data Governance
Together, the DPDP Act and Rules aim to establish a balanced ecosystem where privacy, innovation, and digital growth can thrive in tandem. The framework is based on the SARAL principle: Simple, Accessible, Rational, and Actionable.
The law applies to all digital personal data, providing clear rules, citizen rights, and corporate responsibilities, making it easy for individuals to understand, access, and control their data.
Key Highlights of the DPDP Rules, 2025
1. Phased Implementation
A practical 18-month compliance period gives organisations time to adapt their systems, adopt privacy-by-design practices, and align operations with the Act’s requirements.
2. Mandatory Consent Notices
All Data Fiduciaries must issue simple, clear, purpose-specific consent notices before processing any personal data. Consent Managers must be India-based entities offering transparent, interoperable platforms for users to manage permissions.
3. Personal Data Breach Protocol
In the event of a data breach, organisations must promptly notify affected individuals in plain language, detailing the nature, impact, response, and support mechanisms available.
4. Citizen Empowerment through Digital Rights
The Rules reaffirm and operationalise citizens’ digital rights:
  • Right to Consent or Refuse
  • Right to Know Purpose and Use
  • Right to Access, Correct, Update, or Erase Data
  • Right to Nominate Another Person
  • Right to Timely Response (within 90 days)
  • Right to Protection During Breach
Special safeguards are included for children and persons with disabilities, ensuring consent is obtained through verified guardians when required.
5. Clear Grievance Mechanism
Organisations must publish contact details for data-related queries. Significant Data Fiduciaries have enhanced duties such as independent audits, risk impact assessments, and government-mandated data localisation when applicable.
6. Fully Digital Data Protection Board
The Data Protection Board of India will operate as a digital-first authority, consisting of four members. Citizens can file complaints online, track cases through a portal, and appeal decisions before TDSAT, the designated Appellate Tribunal.
Penalties Under the DPDP Act
The framework includes strict penalties for non-compliance:
  • Up to ₹250 crore for failing to implement security safeguards
  • Up to ₹200 crore for data breach non-disclosure or violations involving children
  • Up to ₹50 crore for other rule violations
These penalties are designed to enforce accountability and good data practices.
Alignment with RTI Act and Privacy Rights
The DPDP Act amends Section 8(1)(j) of the RTI Act to align with the Supreme Court’s recognition of privacy as a fundamental right. It ensures:
  • Personal data is protected from disclosure unless public interest outweighs the harm
  • Section 8(2) of the RTI Act remains intact, preserving transparency in governance
  • A clear and court-aligned balance between privacy and access to public information
Key Static Facts: DPDP Rules, 2025
  • Notified on: 14 November 2025
  • Act Enacted on: 11 August 2023
  • Consultation Feedback Received: 6,915 inputs
  • Compliance Period: 18 months
  • Governing Authority: Data Protection Board of India
  • Key Concepts: Data Principal, Data Fiduciary, Consent Manager, Data Processor
  • Appellate Authority: TDSAT
  • Penalties: Up to ₹250 crore for serious violations