India notified the Digital Personal Data Protection Rules, 2025, on Friday to regulate how personal data is processed, secured, and governed. The rules operationalise key provisions of the Digital Personal Data Protection Act, 2023, and lay out detailed responsibilities for data fiduciaries, consent managers, and mechanisms aimed at strengthening individual privacy rights.
The rules introduce a structured framework for verifiable consent, especially for children and persons with disabilities, along with procedural requirements for notices issued by data fiduciaries. They also specify the registration process and obligations for consent managers who oversee consent-based data sharing.
Security Measures, Breach Reporting, and Data Retention
Under the new framework, data fiduciaries must adopt reasonable safeguards such as encryption, masking, and access controls to prevent personal data breaches. In the event of a breach, they must promptly notify both affected individuals and the Data Protection Board (DPB).
Clear timelines have been set for data retention and erasure. Data fiduciaries are required to delete personal data once the specified period ends unless legal requirements justify continued retention. To enhance transparency, organisations must publish the contact details of their data protection officers and grievance redressal officials.
The rules also outline additional obligations for significant data fiduciaries, who must conduct annual data protection impact assessments and audits to evaluate risks from algorithmic systems. Transfers of certain categories of personal data outside India have been restricted to safeguard national security and sovereignty.
Exemptions, Governance, and Implementation
Exemptions have been permitted for processing data for research, archiving, and statistical activities, subject to defined safeguards. The rules also specify the service conditions, compensation, and conduct requirements for the chairperson and members of the DPB, which has been authorised to function entirely through digital systems, including for hearings, meetings, and issuance of orders.
Designed to enhance individual control over personal data and support a safer digital ecosystem, the rules align India’s data protection standards with evolving global norms. While several provisions take effect immediately, others will be phased in over the next 12 to 18 months.
The new regulatory framework is expected to significantly impact technology firms, service providers, and millions of users across the country, promoting responsible data practices and strengthening the protection of digital identities.