Digital Personal Data Protection Rules 2025 — Check provisions, implementation plan, penalties

Vikas Bansal - Partner - IT Risk Advisory and Assurance

The Digital Personal Data Protection Rules 2025 give citizens control over their personal data and privacy in online spaces and mitigate misuse. While some provisions will be implemented immediately, others will come in a phased manner over 12-18 months. 

The central government on 14 November notified its Digital Personal Data Protection Rules 2025 (DPDP Rules 2025), aimed at providing Indian citizens with control over their personal data and privacy in online spaces.

“Now, therefore, in exercise of powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby makes the following rules, ... These rules may be called the Digital Personal Data Protection Rules, 2025,” the notification said.

The long-awaited framework is set to be implemented over 12-18 months, with some provisions coming into effect immediately, while others will be introduced in a phased manner.

What are some provisions under DPDP Rules 2025?

Provisions in the new rules include registration and obligations of consent managers, notice from data fiduciaries to individuals for processing their data and some other major norms related to processing of personal data.

The rules are expected to help citizens avoid spam calls and unauthorised access to their personal data, video, and voice via any digital means.

For example, you can use the DPDP Rules to address leaked phone numbers and unauthorised calls by investigating and identifying which entity was responsible. Penal actions are available for leaking an individual's phone number without their consent.

Here are some of the protections extended to citizens:

  • Proper display and statement of data collected, its use, and reason for collection to be made in clear and plain language.

  • Consent manager to be registered to oversee implementation of the DPDP Rules 2025.

  • Reasonable safeguards to be implemented to protect personal data in possession or under control of a data fiduciary, including security measures such as encryption, firewalls, and more.

  • In case of a data breach, affected parties must be intimated in a concise, clear and plain manner and without delay, through the user account or any mode of communication registered by them. Nature and timing of the breach, impact and future safeguards to be outlined.

  • Data is not to be stored beyond a one-year period unless required for compliance under law. Users must be intimated 48 hours before erasure of their personal data, unless they continue to use the account / platform.

  • All data fiduciaries are required to prominently publish the contact information of a person who can answer questions about data processing.

  • Verifiable consent to be taken from parent or guardian before processing personal data of children (citizens under 18 years of age).

  • Verifiable consent of the lawful guardian to be obtained before processing personal data of a person with disability.

What do the experts say?

“With the strict consent requirements, enhanced data security and breach notification protocols, and data retention and erasure being regulated, India moves to a more global compliance level for data protection,” says Sajai Singh, Partner at JSA Advocates & Solicitors.

On the protection for minors, Vikas Bansal, Partner, IT Risk Advisory and Assurance, BDO India noted that to comply with this requirement, a data fiduciary would have to ensure that the user providing consent is an identifiable adult. He added that this can be done using information already held or through details voluntarily submitted by the parent or guardian.

He further noted that exceptions to this requirement exist for healthcare, education and child safety services, “where children’s data is processed solely for health-protection purposes or for educational activities… for ensuring child safety.”

Supratim Chakraborty, Partner at Khaitan & Co, said that businesses have an 18-month window to comply with core obligations such as privacy notice, consent, transfer obligations, security safeguards, and children’s data handling, while consent manager registration carries a one-year timeline. “This staggered approach gives businesses vital breathing room, but they must move quickly, taking concrete steps now to identify and close compliance gaps before the obligations kick in,” he added.

What are the penalties laid out?

As per the notification, a Data Protection Board will be established in order to impose penalties based on the nature of the breach as listed in the DPDP Act 2023. The mechanism levies penalties of up to ₹250 per breach on data fiduciaries.

To protect small businesses, the penalty system is graded.

DPDP Rules: Background and key highlights

  • The DPDP rules came into force on August 24, 2017, after the Supreme Court of India, eight years back, held that the Right to Privacy is a Fundamental Right, subject to restrictions specified in and relatable to the fundamental rights embedded in the Constitution.

  • In 2023, the Digital Personal Data Protection Act was published, granting citizens the right to protect their data while also requiring them not to suppress information from government-issued IDs or documents, to refrain from filing false or frivolous complaints, and to provide only verifiable information when requesting data correction or deletion.

  • Further, provisions of the rules exempt the rights of citizens in certain cases: enforcing legal rights; court orders; prevention, detection, investigation or prosecution of any offence; where an individual is overseas and has signed a contract with, or given consent to, a foreign entity; ascertaining the financial information and the assets and liabilities of any person who has defaulted on a payment due on account of a loan; and where the Centre decides to exempt certain data fiduciaries, including start-ups, mainly for implementing government schemes or for research and innovation purposes.

Source: Livemint