India | Nov 17 | Sreesha V.M

Govt notifies DPDP Rules

• The government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on November 14. 

• This operationalises the Digital Personal Data Protection Act, 2023 (DPDP Act), which could not be enforced until the Rules were in place; most obligations take effect in phases over the next 18 months.

• Together, the Act and the Rules form a clear and citizen-centred framework for the responsible use of digital personal data. 

• They place equal weight on individual rights and lawful data processing.

• The rules aim to give citizens control over their data, allow them to check for misuse, and protect their privacy in the online space.

• The Rules are expected to help citizens curb spam calls and prevent unauthorised access to their personal data, including video and voice recordings, through any digital means.

• However, most of the Rules' obligations on organisations take effect only after 18 months.

Digital Personal Data Protection Act

• The Digital Personal Data Protection Act, 2023 was passed by Parliament in August 2023 (Lok Sabha on August 7 and Rajya Sabha on August 9) and received the assent of the President on August 11, 2023.

• The law creates a full framework for the protection of digital personal data in India. 

• It explains what organisations must do when they collect or use such data. 

Key Terms Under the DPDP Act

a) Data Fiduciary: An entity that decides why and how personal data is processed, either alone or with others.

b) Data Principal: The individual to whom the personal data relates. In the case of a child, this includes a parent or lawful guardian. For a person with a disability who cannot act independently, this includes the lawful guardian acting on their behalf.

c) Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary.

d) Consent Manager: An entity that provides a single, transparent and interoperable platform through which a Data Principal may give, manage, review or withdraw consent.

e) Appellate Tribunal: The Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which hears appeals against decisions of the Data Protection Board.

• The objective of the DPDP Act is to protect digital personal data by placing obligations on Data Fiduciaries for every processing operation (collection, storage or any other operation on digital personal data), setting out the rights and duties of Data Principals, and imposing financial penalties for breaches of those rights, duties and obligations.

The Act is applicable to the processing of digital personal data:

i) Within India where the personal data is collected in digital form, and also where it is collected in non-digital form and is digitised subsequently.

ii) Outside the territory of India, if such data is processed for offering of goods or services to Data Principals within India.

The Act is not applicable to the processing of digital personal data:

i) For any personal or domestic purpose.

ii) That is made publicly available by the Data Principal.

iii) Which is made publicly available pursuant to a legal obligation on any entity to disclose it publicly.

• The DPDP Act shapes digital personal data processing by laying down the principles that Data Fiduciaries must follow in protecting digital personal data. The law rests on seven core principles:

a) Consent and transparency

b) Purpose limitation

c) Data minimisation

d) Accuracy

e) Storage limitation

f) Security safeguards

g) Accountability

• These principles guide every stage of data processing. They also ensure that personal data is used only for lawful and specific purposes.

Data Protection Board of India

A central feature of the Act is the creation of the Data Protection Board of India. The Board functions as an independent body that oversees compliance, inquires into breaches and ensures that corrective measures are taken. It plays a key role in enforcing the rights granted under the Act and maintaining trust in the system.

How the DPDP Rules empower citizens

• The DPDP framework places the individual at the centre of India’s data protection system. 

• It aims to give every citizen clear control over personal data and confidence that it is being handled with care. 

• The framework also ensures that organisations act responsibly and remain accountable for how they use personal data.

Rights and protections for citizens include:

a) Right to Give or Refuse Consent: Every person has the choice to allow or deny the use of their personal data. Consent must be free, specific, informed, unconditional and unambiguous, and the request for it must be easy to understand. Individuals may withdraw their consent at any time.

b) Right to Know How Data is Used: Citizens can seek information on what personal data has been collected, why it has been collected and how it is being used. Organisations must provide this information in a simple form.

c) Right to Access Personal Data: Individuals can ask for a copy of their personal data that is held by a data fiduciary.

d) Right to Correct Personal Data: People may request corrections to personal data that is inaccurate or incomplete.

e) Right to Erase Personal Data: Individuals may request the removal of personal data in certain situations. The data fiduciary must consider and act on this request within the permitted time.

f) Mandatory Response within 90 Days: Data Fiduciaries must act on requests for access, correction, updating or erasure within the response period they publish, which may not exceed 90 days, ensuring timely action and accountability.

g) Protection During Personal Data Breaches: If a breach takes place, the Data Fiduciary must inform affected citizens without delay, explaining what happened, the likely consequences and what steps they can take. It must also notify the Data Protection Board of India without delay, and follow up with fuller details of the breach within 72 hours. This helps people act quickly to reduce harm.

h) Special Protection for Children: When a child’s personal data is involved, verifiable consent from a parent or guardian is required. This consent is needed unless the processing relates to essential services such as healthcare, education or real-time safety.

Penalties Under the DPDP Act

• The DPDP Act imposes substantial financial penalties for non-compliance by data fiduciaries. 

• The highest penalty up to Rs 250 crore applies to failure of a data fiduciary to maintain reasonable security safeguards. 

• Not notifying the Data Protection Board of India or affected individuals of a personal data breach as well as violations of obligations relating to children can each attract penalties of up to Rs 200 crore. 

• Failure of a Significant Data Fiduciary (a Data Fiduciary notified as such by the government because of the volume and sensitivity of the data it handles) to meet its additional obligations may attract up to Rs 150 crore, and any other violation of the Act or Rules by a data fiduciary up to Rs 50 crore.

Phased and Practical Implementation

The Rules introduce an 18-month period for phased compliance: the provisions setting up the Data Protection Board took effect on notification, the Consent Manager provisions apply after 12 months, and the remaining obligations on Data Fiduciaries after 18 months. This gives organisations time to adjust their systems and adopt responsible data practices. Every Data Fiduciary must issue a standalone consent notice, in clear and plain language, that lists the personal data being collected, states the specific purpose for which it is collected and used, and tells the Data Principal how to withdraw consent and how to complain to the Board. Consent Managers, which help people manage their permissions, must be companies incorporated in India.

• The Act may bring about behavioural changes in how Data Fiduciaries process data and prevent the exploitation and misuse of Data Principals' personal data.

(The author is a trainer for Civil Services aspirants.)