THE DIGITAL PERSONAL DATA PROTECTION (DPDP) RULES 2025

This is a comprehensive summary of the Digital Personal Data Protection (DPDP) Rules, 2025, which were officially notified on November 14, 2025.

Timeline and Transition (The “Compliance Window”)

A common point of confusion in exams is how quickly companies must comply.

    • 18-Month Phased Implementation: The Rules provide an 18-month grace period for organizations to align their legacy systems with the new data protection standards.
    • Effective Date: While the Act is from 2023, the full operationalization began on November 14, 2025.

The “SARAL” Approach to Transparency

The Rules emphasize the “Simple, Accessible, Rational, and Actionable” (SARAL) framework.

    • Consent Notices: Must be separate, clear, and explain the specific purpose.
    • Language Barrier: Notices must be available in English and the 22 languages of the 8th Schedule of the Indian Constitution.
    • Consent Managers: These must be companies based in India that are registered with the Board.
    • Notification Window: Any “personal data breach” must be reported by the Data Fiduciary (the company) to the Data Protection Board (DPB) and the affected individuals within 72 hours of becoming aware of the breach.
    • Mandatory Appointments: Every Significant Data Fiduciary (SDF) must appoint a Data Auditor (to conduct periodic audits) and a Data Protection Officer (DPO) based in India.
    • Data Protection Impact Assessment (DPIA): SDFs must conduct a DPIA before launching any new technology that processes high-risk data.

Institutional Hierarchy & Redressal

The governance of data is now a three-tier structure:

1. Data Fiduciary: The entity collecting data (must respond to requests within 90 days).

2. Data Protection Board (DPB): A digital-first, independent body (4 members) that conducts inquiries and levies penalties.

3. Appellate Tribunal (TDSAT): The Telecom Disputes Settlement and Appellate Tribunal hears appeals against the Board’s orders.

Penalties: The Cost of Non-Compliance

The penalties are significantly higher than previous IT laws:

    • ₹250 Crore: For failure to maintain reasonable security safeguards to prevent a breach.
    • ₹200 Crore: For failure to notify the Board/Individuals of a breach OR violating obligations regarding children’s data.
    • ₹50 Crore: For any other general violation of the Act or Rules.

Privacy vs. Right to Information (RTI)

This is a high-yield topic for “Statement-based” questions.

    • Section 8(1)(j) Amendment: The DPDP Act amended the RTI Act to align it with the Puttaswamy judgment (Privacy as a Fundamental Right).
    • The Balance: Personal info is not “blocked” from RTI; it is assessed for privacy harm. Crucially, Section 8(2) of the RTI Act still allows disclosure if the public interest outweighs the privacy harm.

The Digital Personal Data Protection (DPDP) Act, 2023

The Digital Personal Data Protection (DPDP) Act, 2023 is India’s first comprehensive, dedicated data privacy law. It replaces the outdated Section 43A of the IT Act and shifts India toward a “rights-based” digital economy.

Scope and Applicability

    • Digital Focus: The Act applies specifically to personal data that is collected in digital form or collected offline and later digitized.
    • Extra-territorial Reach: It applies to data processing outside India if it involves offering goods or services to individuals (Data Principals) within India.
    • Personal Data Defined: Any data about an individual who is identifiable by or in relation to such data.

The Consent Framework

    • Clear & Affirmative: Consent must be free, specific, informed, unconditional, and unambiguous. It requires a clear affirmative action (no “pre-ticked” boxes).
    • The Right to Withdraw: Individuals can withdraw consent at any time. The process of withdrawing must be as easy as the process of giving consent.
    • Legitimate Uses: In specific cases, data can be processed without explicit consent (e.g., medical emergencies, employment purposes, or when the government provides a benefit/service).

Rights of the Individual (Data Principal)

The Act provides several “Digital Rights” to citizens:

    • Right to Access: Request a summary of what data is held and which third parties it has been shared with.
    • Right to Correction & Erasure: Correct inaccurate data or ask for data to be deleted once its purpose is served.
    • Right to Grievance Redressal: A mandatory mechanism for individuals to register complaints with companies.
    • Right to Nominate: The ability to appoint another person to exercise these rights in the event of death or incapacity.

Obligations of Data Fiduciaries

Entities that determine the “purpose and means” of processing data (Data Fiduciaries) must:

    • Ensure Accuracy: Maintain the completeness and consistency of the data.
    • Data Minimization: Only collect what is necessary and delete it once the purpose is fulfilled.
    • Breach Notification: Inform the Data Protection Board (DPB) and affected individuals immediately in case of a data breach.
    • Significant Data Fiduciaries (SDFs): Larger entities (based on volume/risk) must appoint a Data Protection Officer (DPO) based in India and conduct periodic audits.

Protection of Vulnerable Groups

    • Children (Under 18): Processing a child’s data requires verifiable parental consent. Tracking, behavioral monitoring, or targeted advertising directed at children is strictly prohibited.
    • Persons with Disabilities: Similar protections apply, requiring consent from a lawful guardian for those unable to make legal decisions.

Enforcement and Penalties

    • Data Protection Board of India (DPB): An independent body established to monitor compliance, handle complaints, and impose penalties.
    • Heavy Penalties: Unlike the Jan Vishwas Act which aims to lower burdens, the DPDP Act imposes high financial penalties to act as a deterrent—up to ₹250 crore for failure to prevent a data breach.
    • No Imprisonment: Following the trend of “Decriminalization,” the Act focuses on heavy monetary penalties rather than jail time for corporate defaults.

Key Terms Under the DPDP Act, 2023

    • Data Fiduciary: An entity that decides why and how personal data is processed, either alone or with others.
    • Data Principal: The individual to whom the personal data relates. In the case of a child, this includes a parent or lawful guardian. For a person with a disability who cannot act independently, this includes the lawful guardian acting on their behalf.
    • Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary.
    • Consent Manager: An entity that provides a single, transparent and interoperable platform through which a Data Principal may give, manage, review or withdraw consent.
    • Appellate Tribunal: The Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which hears appeals against decisions of the Data Protection Board.