India’s DPDP Rules, 2025
1. The Digital Personal Data Protection Rules, 2025 were notified on 14 November 2025, giving full operational effect to the Digital Personal Data Protection Act, 2023.
2. Before finalisation, the consultation process on the draft Rules received 6,915 inputs from startups, Micro, Small and Medium Enterprises (MSMEs), industry bodies, civil society groups, government departments, and citizens.
3. Consultations on the draft Rules were held in Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru, and Chennai before notification of the final framework.
4. The Digital Personal Data Protection Act was enacted on 11 August 2023 as India’s core legal framework for protection of digital personal data.
5. The Act follows the SARAL approach, meaning Simple, Accessible, Rational and Actionable, using plain language and illustrations for easier understanding.
6. Key entities under the law include the Data Fiduciary, Data Principal, Data Processor, Consent Manager, and the Appellate Tribunal, identified as the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
7. The framework rests on seven principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability.
8. The Data Protection Board of India was created as an independent body to oversee compliance, inquire into breaches, and ensure corrective action under the law.
9. The highest penalty under the Act is up to ₹250 crore for failure by a Data Fiduciary to maintain reasonable security safeguards.
10. Not informing the Board or affected individuals about a personal data breach, and violations relating to children, can each attract penalties of up to ₹200 crore.
11. Any other violation of the Act or Rules by a Data Fiduciary may attract a penalty of up to ₹50 crore.
12. The Rules provide an eighteen-month phased compliance period so organisations can adjust systems and adopt responsible data-processing practices.
13. Data Fiduciaries must issue separate, clear consent notices explaining the specific purpose for which personal data is collected and processed.
14. The Digital Personal Data Protection Rules establish a fully digital Data Protection Board of India with four members and online complaint filing through a portal and mobile application.
15. Data Fiduciaries must respond within ninety days to requests relating to access, correction, updating, or erasure of personal data.
Must Know Terms:
1. DPDP
Digital Personal Data Protection (DPDP) refers to India’s legal and regulatory framework for protection and responsible use of digital personal data. It consists of the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025. The Rules were notified on 14 November 2025. Together they create a citizen-centred structure balancing individual rights with lawful and accountable data processing.
2. Data Fiduciary
Data Fiduciary means the entity that decides the purpose and means of processing personal data, either alone or jointly with others. Under the DPDP framework, Data Fiduciaries must provide clear consent notices, maintain security safeguards, respond to citizen requests within ninety days, and notify breaches properly. They may face penalties up to ₹250 crore for failure to maintain reasonable data security.
3. Consent Manager
Consent Manager is an entity that provides a single, transparent, and interoperable platform through which a Data Principal can give, manage, review, or withdraw consent. Under the Rules, Consent Managers must be companies based in India. Their role is important because they make consent handling easier, more traceable, and more user-controlled within India’s digital personal data protection system.
4. TDSAT
Telecom Disputes Settlement and Appellate Tribunal (TDSAT) is the Appellate Tribunal under the DPDP framework. It hears appeals against decisions of the Data Protection Board of India. Its role is significant because it provides a formal appellate mechanism for reviewing data protection decisions. This strengthens legal accountability and ensures that grievance redressal does not end at the Board level itself.
5. Data Protection Board
The Data Protection Board of India is the independent enforcement body created under the DPDP framework. Under the Rules, it is structured as a fully digital body with four members. It oversees compliance, inquires into breaches, ensures corrective action, and enables online complaint filing and tracking through a dedicated portal and mobile application, making enforcement more accessible and technology-driven.
6. SARAL
SARAL means Simple, Accessible, Rational and Actionable. It describes the drafting approach followed in the Digital Personal Data Protection Act, 2023. The law uses plain language and illustrations so that citizens, businesses, and institutions can understand obligations and rights more easily. This approach is important because it reduces interpretational complexity and makes compliance and awareness more practical for wider users.
Key Takeaways
a) DPDP Rules notified on 14 November 2025 after nationwide consultations.
b) Consultation process received 6,915 inputs shaping the final Rules.
c) Rules give full effect to the Digital Personal Data Protection Act, 2023.
MCQ
1. The Digital Personal Data Protection Rules, 2025 were notified on:
A) 11 August 2023
B) 14 November 2025
C) 17 November 2025
D) 14 October 2025
2. The consultation process on the draft DPDP Rules received how many inputs?
A) 5,915
B) 6,115
C) 6,915
D) 7,915
3. The Digital Personal Data Protection Act was enacted on:
A) 11 August 2023
B) 14 November 2025
C) 17 November 2025
D) 11 July 2024
4. SARAL in the context of the DPDP Act stands for:
A) Secure, Assured, Responsible and Legal
B) Safe, Accountable, Regulated and Lawful
C) Simple, Accessible, Rational and Actionable
D) Standard, Adaptive, Reliable and Linked
5. Which body hears appeals against decisions of the Data Protection Board?
A) Supreme Court of India
B) Telecom Disputes Settlement and Appellate Tribunal
C) National Company Law Tribunal
D) Central Information Commission
6. The highest penalty under the DPDP Act applies to failure to:
A) appoint a grievance officer
B) maintain reasonable security safeguards
C) register a startup
D) submit an annual tax return
7. The maximum penalty for failure to maintain reasonable security safeguards is:
A) ₹50 crore
B) ₹100 crore
C) ₹200 crore
D) ₹250 crore
8. Violations relating to children can attract penalties of up to:
A) ₹50 crore
B) ₹100 crore
C) ₹200 crore
D) ₹250 crore
9. The DPDP Rules provide what period for phased compliance?
A) six months
B) twelve months
C) eighteen months
D) twenty-four months
10. Under the Rules, Consent Managers must be:
A) foreign audit firms
B) companies based in India
C) public sector units only
D) charitable trusts only
11. Data Fiduciaries must respond within how many days to requests for access, correction, updating, or erasure?
A) 30 days
B) 60 days
C) 75 days
D) 90 days
12. The Data Protection Board of India under the Rules will consist of:
A) two members
B) three members
C) four members
D) five members
13. Which of the following is a core principle under the DPDP framework?
A) unlimited storage
B) purpose limitation
C) unrestricted sharing
D) automatic disclosure
14. In the case of a child, the Data Principal includes:
A) only the school principal
B) the parent or lawful guardian
C) the nearest police officer
D) the local municipal authority
15. The DPDP framework revises Section 8(1)(j) of which law?
A) Information Technology Act
B) Right to Information Act
C) Consumer Protection Act
D) Indian Evidence Act