Digital Personal Data Protection Rules, 2025

India's Data Privacy Revolution

Gaurav Sharma

Published on: Nov 14, 2025

Akshit Rai

Updated on: Nov 14, 2025

The Ministry of Electronics and Information Technology (MeitY) has notified the Digital Personal Data Protection (DPDP) Rules, 2025, giving operational effect to the DPDP Act, 2023. The Rules introduce clear privacy notices, a Consent Manager ecosystem, prescriptive security safeguards, breach‑reporting timelines, data‑retention limits, protection for children and vulnerable persons, and governance provisions for the Data Protection Board (DPB).

PHASED IMPLEMENTATION

• Rules 1, 2, 17–21 (initial provisions, governance, and Board appointments): in force immediately, on the date of publication.
• Rule 4 (Consent Manager registration framework): one year from publication.
• Rules 3, 5–16, 22, 23 (core operational and compliance rules: consent, security, rights): eighteen months from publication.

REGULATORY OVERVIEW OF THE RULES

  1. Standalone Privacy Notices (Rule 3)
    Data Fiduciaries shall issue standalone notices that explain exactly what data is being collected and why, including:
    • An itemized list of personal data being collected.
    • The specific purposes of processing.
    • Direct links and mechanisms for the Data Principal to withdraw consent, exercise their rights, and file complaints.
  2. Consent Managers (Rule 4)
    Consent Managers shall meet strict eligibility requirements and register with the Data Protection Board. They shall maintain transparency, ensure security, and offer user‑centric consent dashboards.
  3. Security Safeguards and Breach Notification (Rules 6 & 7)
    Security is essential, with minimum mandatory safeguards and a tight breach reporting deadline:
    • Security Safeguards (Rule 6): mandatory use of appropriate technical and organizational measures, including encryption, masking, obfuscation, and tokenization; access controls, activity logs, and continuity measures (backups); and one-year mandatory retention of logs and personal data for breach detection.
    • Breach Notification (Rule 7): dual intimation requirement upon becoming aware of a breach. Immediate notice to affected users with details of the breach, its consequences, and mitigation steps. Initial intimation to the Board immediately, followed by a detailed report within 72 hours.
  4. Data Retention (Rule 8)
    Data Fiduciaries shall adhere strictly to the principle of purpose limitation:
    • For specific categories (Third Schedule), personal data shall be erased if the user does not engage within a specified time, provided retention is not legally mandated.
    • A 48-hour warning shall be issued to the user before data erasure.
    • A minimum one-year retention of traffic logs and processing logs is compulsory for certain statutory purposes.
  5. Children and Vulnerable Users (Rules 10–12)
    Fiduciaries shall obtain verifiable parental consent using identity data, voluntarily provided details, or authorized tokens. Schools, healthcare and childcare services receive targeted exemptions.
  6. Significant Data Fiduciary Obligations (Rule 13)
    SDFs shall conduct annual DPIAs, independent audits, algorithmic assessments, comply with data‑localization requirements (if notified), and submit reports to the DPB.
  7. Additional Obligations for Significant Data Fiduciaries
    Entities designated as SDFs face the highest compliance burden, including:
    • Mandatory annual Data Protection Impact Assessments (DPIA) and audits.
    • The obligation to ensure their algorithmic and technical measures (e.g., for hosting, sharing, storage) do not harm user rights.
    • Data Localisation: Adherence to data-localisation requirements for categories of data specifically notified by the Central Government, restricting transfer outside India.
  8. Key Operational Mandates of the Consent Manager
    While the initial announcement laid out the framework, the Digital Personal Data Protection (DPDP) Rules, 2025, gain their teeth from the detailed requirements specified in their accompanying Schedules. These operational mandates will define the compliance strategy for Data Fiduciaries (DFs) and the State itself.
    • Registration Conditions (Part A):
      The Consent Manager shall be an entity incorporated in India and demonstrate sound financial and technical capabilities, including:
      • Financial Threshold: A minimum Net Worth of ₹2 Crore.
      • Technical Compliance: Operate an interoperable platform that enables Data Principals to consent, manage, review, and withdraw data, compliant with DPB-published standards.
      • Integrity: The directors and management shall be persons of general integrity and honesty.
      • Transparency & Governance: The company’s memorandum shall contain provisions for complying with its obligations, amendable only with DPB approval.
    • Operational Obligations (Part B):
      Once registered, Consent Managers bear significant duties to the Data Principal:
      • Data Integrity: The Consent Manager shall ensure that the manner of data sharing prevents the Consent Manager itself from reading the content of the personal data shared.
      • Record Retention: The Consent Manager shall maintain detailed records of consents given, refused, or withdrawn, accompanying notices, and data sharing activities for a minimum period of seven years, or longer if required by law or agreed with the Data Principal.
      • Transparency: The Consent Manager shall publish, in an easily accessible manner, information about its promoters, directors, and key management personnel, as well as any corporate body in which its management holds more than a two percent shareholding to prevent conflicts of interest.
      • Prohibition: Consent Managers are prohibited from subcontracting or assigning the performance of their core obligations.

WHAT LIES AHEAD…

All organizations, from big tech companies and startups to government services, now have a clear plan to follow. The government has given them some time, but they have to stick to strict deadlines and rules. Since some rules are already in place, they must start changing how they handle data now. These final rules settle the long debate in India about how personal information should be managed.

Disclaimer

The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create, and receipt of it does not constitute, any relationship. Readers should not act upon this information without seeking professional legal counsel.
