NEW DIGITAL PERSONAL DATA PROTECTION REGIME
The Digital Personal Data Protection Rules, 2025 (DPDP Rules), published on November 13, 2025, together with the phased commencement of the Digital Personal Data Protection Act, 2023 (DPDP Act), put India's new data-protection regime into operation.
A short write-up on it:
1. Scope & Applicability
DPDP Act – What It Covers
(a) Applies to digital personal data: that is, personal data which is collected in digital form, or collected in non-digital form and subsequently digitised.
(b) Also applies extraterritorially: if an entity outside India processes digital personal data in connection with any activity related to offering goods or services to individuals in India (data principals), the Act applies. Unlike the GDPR, the Act has no separate "monitoring of behaviour" trigger.
(c) Exemptions: the Act does not apply to (i) personal data processed by an individual for purely personal or domestic purposes; (ii) personal data made publicly available by the data principal, or by any other person under a legal obligation to make it public.
(d) Although the Act was passed in 2023, its provisions are brought into force in phases through notifications by the Central Government.
Rules – What They Establish
(a) The DPDP Rules, 2025 (notified 13/14 November 2025) set out the detailed operational compliance framework: notice and consent procedures, timelines, governance, breach reporting, cross-border flows, etc.
(b) The Rules mark the operationalisation of the Act (moving from legislative framework to implementation requirements), although most substantive obligations commence only after the transition periods the Rules themselves set.
2. Key Obligations on Organizations ("Data Fiduciaries")
Under the Act and Rules, organizations that determine the purpose and means of processing personal data ("data fiduciaries") must comply with several obligations. Some of the main ones:
Lawful Processing & Consent
(a) Personal data may be processed only for a lawful purpose, either with the data principal's consent or for one of the "legitimate uses" listed in the Act. The purpose must be specified in the notice to the data principal, and consent extends only to the data necessary for that purpose.
(b) Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action.
(c) Data principals have the right to withdraw consent at any time, and withdrawal must be as easy as giving consent.
(d) The notice to the data principal must be in clear and plain language, with the option to read it in English or any language listed in the Eighth Schedule of the Constitution.
Minimisation, Purpose Limitation, Accuracy & Retention
(a) Only data that is necessary for the specified purpose may be collected.
(b) Data must be processed fairly and transparently.
(c) Organisations must ensure data is complete, accurate and consistent (in particular where it is used to make decisions affecting the data principal or is disclosed to another fiduciary), and must erase it once the specified purpose is no longer served or consent is withdrawn, unless retention is required by law. The Rules add fixed erasure timelines for certain large classes of fiduciaries (for example e-commerce, online gaming and social-media platforms above user-count thresholds).
Governance, Security Measures & Accountability
(a) Data fiduciaries must implement reasonable security safeguards (both technical and organisational) to prevent personal data breaches: unauthorised access, loss, disclosure, alteration, etc. The Rules spell out minimum measures, including encryption, masking or tokenisation of data, access control, logging and monitoring to detect and investigate unauthorised access, and backups to maintain continuity of processing.
(b) Entities notified by the Central Government as "Significant Data Fiduciaries" (SDFs) carry stricter obligations: e.g., appointing a Data Protection Officer (DPO) based in India, appointing an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs) and audits.
(c) Governance structures (internal policies, training, compliance mechanisms, and contracts with any data processor engaged) are needed to demonstrate accountability; the fiduciary remains responsible for compliance irrespective of any agreement with a processor.
Breach Notification & Enforcement
- Under the Act and Rules, on becoming aware of a personal data breach the fiduciary must notify every affected data principal and the Data Protection Board of India. The Rules require notification without delay, with the detailed report to the Board due within 72 hours of becoming aware (or such longer period as the Board allows). There is no materiality threshold: every breach is notifiable.
- The Act establishes the Data Protection Board of India (DPB) to receive complaints, inquire into non-compliance and impose monetary penalties; the Schedule to the Act caps penalties at ₹250 crore per instance, the highest band being for failure to take reasonable security safeguards.
Cross-Border Data Transfers
- The Act takes a negative-list approach: personal data may be transferred outside India except to countries or territories that the Central Government restricts by notification. The Rules additionally allow the government, by general or special order, to impose requirements on making personal data available to a foreign state or its entities. This is not an adequacy-style mechanism of the GDPR kind.
Special Categories / Children / Consent Managers
- Children (individuals under 18): processing requires the verifiable consent of a parent or lawful guardian, and tracking, behavioural monitoring and targeted advertising directed at children are prohibited. The Rules detail how verifiable parental consent is to be obtained (e.g., through reliable identity and age details already held by the fiduciary, or a virtual token issued by an authorised entity such as a Digital Locker service provider) and provide limited exemptions for certain classes of fiduciaries and purposes.
- "Consent Managers" are entities registered with the Board that provide a platform through which a data principal can give, manage, review and withdraw consent. Separately, the Act gives data principals the right to nominate another individual to exercise their rights in the event of death or incapacity.
3. Rights Of Individuals (Data Principals)
Under the Act and Rules, individuals whose data is processed have the following rights:
(a) Right to access information: a summary of the personal data being processed, the processing activities, and the identities of other fiduciaries and processors with whom it has been shared.
(b) Right to correct, complete, update or erase their personal data (subject to retention required by law).
(c) Right to withdraw consent at any time.
(d) Right of grievance redressal: first through the fiduciary's own grievance mechanism (the Rules require the fiduciary to publish its response timeline), and, if unresolved, by complaint to the Data Protection Board.
(e) Right to nominate another individual to exercise these rights in the event of death or incapacity.
4. Exemptions & Balancing with Public Interest
(a) The Act exempts certain processing: by State instrumentalities notified by the Central Government in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign states or public order; processing for the prevention, detection, investigation or prosecution of offences; processing necessary for enforcing legal rights or claims; and processing by courts, tribunals and regulators in the exercise of judicial, quasi-judicial or regulatory functions. The Central Government can also exempt notified classes of fiduciaries, including startups, from specified provisions.
(b) The stated aim of the Act and Rules is to balance individual privacy with innovation-friendly, digital-economy goals and national interest.
5. Implementation Timeline & Compliance Strategy
(a) The Act received assent in August 2023. The notification of the Rules on 13/14 November 2025 started the clock: the Rules commence in phases, with the provisions relating to the Board in force immediately, the Consent Manager provisions after 12 months, and the remaining obligations on data fiduciaries (notice, consent, security safeguards, breach reporting, children's data, erasure, SDF duties) after 18 months.
(b) Now is the time to assess current data-processing practices; gap-analyse consent, notice and security frameworks; map cross-border flows; determine whether the organisation is likely to be notified as a "Significant Data Fiduciary"; and begin aligning policies, systems and contracts, including agreements with data processors.
(c) Businesses should expect to move from the legacy regime (Section 43A of the IT Act, 2000 and the SPDI Rules, 2011, which the DPDP Act replaces) into this framework.