Government notifies Digital Personal Data Protection (DPDP) Rules, 2025

The Union Ministry of Electronics & IT has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, bringing the DPDP Act, 2023 into full effect. The new rules establish a simplified, citizen-centric framework to safeguard digital personal data in India.

Key Features of the DPDP Rules, 2025

• Citizen-Centric “SARAL” Framework

  • Emphasis on Simple, Accessible, Rational and Actionable processes.
  • Rules written in plain language with practical illustrations.

• Seven Core Principles of DPDP

  1. Consent & Transparency
  2. Purpose Limitation
  3. Data Minimisation
  4. Accuracy
  5. Storage Limitation
  6. Security Safeguards
  7. Accountability

• 18-Month Phased Implementation

  • Organisations get staggered timelines to comply with various provisions.
  • Allows Data Fiduciaries and Consent Managers to upgrade systems gradually.

• Clear Standards for Consent

  • Data Fiduciaries (entities processing personal data) must issue standalone, clear consent notices explaining purpose and usage.
  • Consent Managers must be India-registered companies enabling users to manage permissions easily.

• Breach Notification Requirements

  • In case of a breach, organisations must inform affected individuals in simple, plain language, including:
    • Nature of breach
    • Possible impact
    • Steps taken to mitigate harm

• Protection for Children & Persons with Disabilities

  • Verifiable consent needed for processing children’s data.
  • Limited exemptions for essential functions—healthcare, education, safety.
  • For persons with disabilities, consent must come from a lawful guardian recognised under existing laws.

• Rights of Data Principals (Citizens)

  • Right to access, correct, update or erase personal data.
  • Right to appoint a nominee to exercise these rights.
  • Organisations must respond to such requests within 90 days.

• Grievance Redressal Requirements

  • Entities must provide accessible contact details of a Grievance Officer or Data Protection Officer.
  • Ensures accountability and timely resolution of complaints.

• Digital Functioning of the Data Protection Board

  • The Board will operate as a fully digital authority.
  • Citizens can file and track complaints online or via a mobile app.
  • Appeals against Board decisions will be handled by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Source: DD News

Written by 

Leave a Reply

Your email address will not be published. Required fields are marked *