Digital Personal Data Protection (DPDP) Rules, 2025
The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025, operationalizing the DPDP Act, 2023.
OBJECTIVE: Create a comprehensive framework to protect personal data, curb unauthorized commercial data use, reduce digital harms, and create a safe space for innovation.
KEY FEATURES:
- 18-month phased compliance period for organizations
- Data Protection Board of India: 4 members, fully digital, complaints via online portal and app
- TDSAT (Telecom Disputes Settlement and Appellate Tribunal) is the appellate authority
- Children's data: Verifiable parental consent required (exceptions for healthcare, education, safety)
- Data fiduciary obligations: clear consent notices, reasonable security, breach reporting, respond to requests within 90 days
- Significant Data Fiduciaries: independent audits and impact assessments (12-month cycle)
CITIZEN RIGHTS: Consent/refuse data use, access and correct data, request erasure, appoint representatives, nominate guardians
PENALTIES: Up to ₹250 crore for inadequate security; ₹200 crore for breach notification failures or children's data violations; ₹50 crore for other violations
Developed after 6,915 inputs from consultations in 7 cities.
- DPDP Rules 2025 notified on November 14, 2025 operationalizing the DPDP Act 2023 with 18-month phased compliance period for organizations
- Data Protection Board of India with 4 members, fully digital operations; TDSAT is the appellate authority
- Children's data requires verifiable parental consent with exceptions for healthcare, education, and safety
- Citizen rights include consent/refuse data use, access and correct data, request erasure, appoint representatives, and nominate guardians
- Penalties: up to ₹250 crore for inadequate security, ₹200 crore for breach notification failures or children's data violations, ₹50 crore for other violations
- Significant Data Fiduciaries must conduct independent audits and impact assessments on 12-month cycles
When were the DPDP Rules, 2025 notified?
The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025, operationalizing the DPDP Act, 2023 through the Ministry of Electronics and Information Technology.
What compliance timeline do organizations have under DPDP Rules?
Organizations get an 18-month phased compliance period to align systems, consent flows, and breach reporting with the new rules before enforcement takes full effect.
Who handles complaints under the DPDP framework?
The Data Protection Board of India, a fully digital body with 4 members, handles complaints via an online portal and app. TDSAT serves as the appellate authority for appeals.
What are the penalties for non-compliance under DPDP Rules?
Penalties reach up to ₹250 crore for inadequate security safeguards, ₹200 crore for breach notification failures or children's data violations, and ₹50 crore for other violations of the rules.
How do DPDP Rules protect children's data?
Data fiduciaries must obtain verifiable parental consent before processing children's personal data. Exceptions apply for healthcare, education, and safety-related processing purposes.
What rights do citizens have under the DPDP Rules?
Citizens can consent to or refuse data use, access and correct their data, request erasure, appoint representatives, and nominate guardians for managing their personal data.
