Govt notifies Digital Personal Data Protection Rules 2025; rollout stretched over 18 months
The DPDP rules outline how companies must obtain consent, process personal data, and respond to breaches, while establishing an enforcement system through the Data Protection Board.
India notified the long-awaited Digital Personal Data Protection (DPDP) Rules 2025 on Friday, laying out how the country will operationalise its new privacy law through a staggered rollout over the next 12 to 18 months.
Some provisions take effect immediately, while others—including the registration of consent managers, detailed notice requirements for data fiduciaries, and new obligations around consent—will only apply after the phased transition period.
The government said the framework is meant to give citizens more control over their personal information and reduce misuse ranging from spam calls to unauthorised access to videos, voice recordings or other sensitive data. The DPDP Rules were introduced eight years after the Supreme Court’s 2017 judgment, which declared privacy a fundamental right.
Under the Act, penalties can run up to Rs 250 crore per breach for data fiduciaries, though the rules retain a graded system to avoid overwhelming smaller businesses.
The regime also places responsibilities on citizens: individuals cannot suppress personal details when applying for government IDs, must avoid filing false or frivolous complaints, and must provide verifiable information when asking for data correction or deletion.
A key part of the implementation involves operationalising the Data Protection Board, which will levy penalties, issue orders, and conduct proceedings digitally. The rules detail how the Board will be set up, how members will be appointed, and how virtual hearings will function.
Citizens now have a clearer route to seek redress if their phone numbers or other data are leaked. Fiduciaries must notify affected individuals and the Board after a breach, disclose what happened, and outline steps to mitigate harm.
The framework also spells out exceptions. Citizens’ rights may not apply in cases involving enforcement of legal rights, court orders, crime prevention and investigation, cross-border situations where an individual has already consented to a foreign entity, recovery of financial assets from loan defaulters, and scenarios where the Centre exempts certain entities, including startups, for government schemes, research, or innovation.
As the rollout begins, businesses, government agencies and intermediaries will now face a year-long grind of updating systems, reworking consent flows, tightening data retention practices and preparing for stricter breach reporting.
The government argues the rules will ultimately strengthen trust in India’s digital economy, even if the compliance scramble starts now.
Edited by Suman Singh


