
Have you ever wondered where your personal data is stored online? Your personal data is everywhere: on websites, mobile apps, SaaS platforms, and backend systems. Billions of internet users in India rely on online services for shopping, communication, payments, and even healthcare. Protecting personal data has become a national priority.
That’s why the Digital Personal Data Protection Rules 2025 (DPDP Rules 2025) were officially notified by the Government of India on 14 November 2025 to operationalize the Digital Personal Data Protection Act 2023 (DPDP Act).
These DPDP Rules are now the legal backbone for data privacy compliance in India. They shape how businesses collect, process, store, secure, and respond to digital personal data. In simple terms, let’s look at what the Rules add under the DPDP Act, the key obligations, and the practical steps that can help you stay compliant and avoid penalties.
The DPDP Rules, 2025, establish a comprehensive framework for data protection in India, focusing on:
| Rule | Details |
|---|---|
| Rule 1 | Short title and commencement of rules. |
| Rule 2 | Definitions (terms used in the DPDP Act, 2023, techno-legal measures, Data Principal and Data Fiduciary). |
| Rule 3 | Notice given by Data Fiduciary to Data Principal. |
| Rule 4 | Registration and obligations of Consent Manager. |
| Rule 5 | Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities. |
| Rule 6 | Reasonable security safeguards, through encryption or appropriate measures. |
| Rule 7 | Intimation of personal data breach. |
| Rule 8 | Time period for specified purpose to be deemed as no longer being served. |
| Rule 9 | Contact information of person to answer questions about processing. |
| Rule 10 | Verifiable consent for processing of personal data of child. |
| Rule 11 | Verifiable consent for processing of personal data of person with disability who has lawful guardian. |
| Rule 12 | Exemptions from certain obligations applicable to processing of personal data of child. |
| Rule 13 | Additional obligations of Significant Data Fiduciary. |
| Rule 14 | Rights of Data Principals. |
| Rule 15 | Transfer of personal data outside the territory of India. |
| Rule 16 | Exemption from Act for research, archiving or statistical purposes. |
| Rule 17 | Appointment of Chairperson and other Members. |
| Rule 18 | Salary, allowances and other terms and conditions of service of Chairperson and other Members. |
| Rule 19 | Procedure for meetings of Board and authentication of its orders, directions and instruments. |
| Rule 20 | Functioning of Board as digital office. |
| Rule 21 | Terms and conditions of appointment and service of officers and employees of Board. |
| Rule 22 | Appeal to Appellate Tribunal. |
| Rule 23 | Calling for information from Data Fiduciary or intermediary. |
*Rules 1, 2 and 17 to 21 came into force on the date of their publication in the Official Gazette. Rule 4 came into force one year after the date of publication of Gazette. Rules 3, 5 to 16, 22 and 23 came into force eighteen months after the date of publication of Gazette.
**Please visit DPDPA Knowledge Centre for more information.
A frequent question businesses and compliance teams are asking is: Are the DPDP Rules 2025 a new law or just an update to the DPDP Act 2023? The answer is simple. The DPDP Act 2023 defined what must be protected, and the DPDP Rules 2025 define how it must be protected.
The DPDP Rules 2025 are a set of detailed regulations under the Digital Personal Data Protection Act 2023, published by the Ministry of Electronics and Information Technology (MeitY). These Rules provide the operational framework required for businesses to follow the law for safeguarding data.
Instead of just saying protect data, the DPDP Rules tell businesses:
If the DPDP Act 2023 is the constitution of data protection in India, then the DPDP Rules 2025 are the detailed instructions on how to comply with everyday digital operations.
A common confusion is whether the Act and the Rules are the same. They are related but serve very different functions.
The Digital Personal Data Protection Act 2023 is the primary legislation passed by Parliament. It establishes the legal rights of individuals (Data Principals), defines who is responsible for data (Data Fiduciaries), and sets maximum penalties for violations.
The DPDP Rules 2025, on the other hand, are subordinate legislation. They do not replace the Act but operationalize it. Without the Rules, businesses would struggle to interpret how to implement consent collection, data deletion, or breach reporting.
For example:
This distinction is critical for compliance. Many organizations mistakenly believe that complying with the Act alone is sufficient. In reality, non-compliance with the Rules is also a violation of the law, and penalties apply equally.
| Aspect | DPDP Act 2023 | DPDP Rules 2025 |
|---|---|---|
| Vision | What needs to happen? | How does it need to happen? |
| Legal Level | Primary law passed by Parliament. | Secondary legislation notified under the Act. |
| Purpose | Defines rights, duties, and broad obligations. | Provides practical and step-by-step compliance requirements. |
| Scope | High-level principles like consent, transparency, and accountability. | Details on consent capture, breach reporting timelines, and retention periods, etc. |
| Enforcement Mechanism | Establishes Data Protection Board and penalty limits. | Specifies how to report breaches, how/when to notify users, and operational duties. |
One of the most searched questions is: Do DPDP Rules 2025 apply to small businesses and startups? Yes: business size does not exempt you from compliance.
The DPDP Rules 2025 apply to any entity that processes digital personal data of individuals in India, regardless of revenue, employee count, or industry. This includes:
The only distinction the law makes is for Significant Data Fiduciaries (SDFs), who may face additional compliance requirements due to scale, sensitivity, or risk profile. This creates a major issue for smaller organizations. Many believe data protection laws and data privacy tools are only for big tech. The DPDP Rules 2025 clearly remove that misconception.
Let’s break down the core compliance requirements and answer “What exactly must businesses do to comply with DPDP Rules 2025?”
First, businesses must ensure lawful and transparent data processing. This means personal data can only be collected for a clearly defined purpose, and users must be informed in advance. Businesses must ask for consent in a clear, unambiguous, and standalone way. No burying it in long terms and conditions. Consent must be verified and recorded as evidence.
Users must be informed:
Collecting excessive data is no longer allowed under the Data Protection Act. Collect and use data only for a specific and clear purpose, not for speculative future use. Data collection must be minimal and tied directly to that purpose.
Organizations must implement reasonable security safeguards. These include technical measures like encryption and access controls, as well as organizational measures such as internal policies, employee training, and audit mechanisms. Failure to secure data is treated as a serious violation under the DPDP Rules framework.
Businesses must maintain data accuracy and lifecycle controls. Data cannot be kept indefinitely. Personal data must be updated when required and deleted once the purpose is fulfilled or the retention period expires. Indefinite storage is no longer acceptable in principle.
Basic retention periods are defined (e.g., three years for certain platforms), and you must notify users 48 hours before deletion if their data will be erased.
Organizations must establish grievance redressal and user rights mechanisms. This means having a clear way for users to request access, correction, or deletion of their data, and responding within defined timelines.
If personal data is compromised, organizations must notify the Data Protection Board immediately, submit detailed information within 72 hours, and inform affected users in clear, simple language. Failures here can attract steep penalties.
The DPDP Rules 2025 greatly expand individual control over personal data. According to the law, Data Principals are the individuals whose data is processed. To resolve their issues, fiduciaries must respond within fixed timelines (usually within 90 days).
Key user rights include:
For sensitive cases like children (under 18) or persons with disabilities, verifiable parental or guardian consent is mandatory.
Under the DPDP Rules 2025, consent must be free, informed, specific, and unambiguous. Now, businesses can no longer rely on vague acceptance mechanisms or hide consent within lengthy terms and conditions.
Consent requests must be presented through clear and specific notices written in simple language and explicitly linked to the purpose of data usage. Users should clearly understand what personal data is being collected, why it is being collected, how it will be used, and how they can withdraw their consent at any time.
Another critical requirement is consent withdrawal, which must be as easy as giving consent.
Challenge for Legal Service Providers: This poses a significant operational challenge for many organizations, especially those using legacy systems that were not designed to support dynamic consent management.
Challenge for EdTech, Gaming, and Digital Marketing Companies: The Rules also introduce verifiable parental consent for processing children’s data, adding further complexity for edtech platforms, gaming apps, and social media services.
Many organizations struggle with manual consent tracking, which is error-prone, difficult to audit, and risky from a compliance perspective.
As a result, adopting Consent Management Platforms (CMPs) becomes almost essential to maintain verifiable records, manage withdrawals efficiently, and reduce exposure to penalties. Additionally, businesses are required to maintain detailed logs and records of consent.
These records should include when consent was given, how it was obtained, and any subsequent updates or withdrawals. They serve as critical compliance evidence under the Digital Personal Data Protection Act framework.
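The two requirements above, a verifiable consent record (when given, how obtained, later updates and withdrawal) and a retention deadline with a 48-hour erasure notice, are easy to get wrong in an ad-hoc spreadsheet. The following is an added illustration, not code from the article or from any CMP vendor: an append-only consent ledger for one Data Principal plus a helper that derives the erasure date and the latest notification date from the retention period. The three-year retention period, the purpose names and the channel names are constructed sample values, and the evidence format is an assumption, not anything the Rules prescribe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed assumption: the Rules require notice before erasure; the
# article gives the figure as 48 hours, so that is what we encode here.
ERASURE_NOTICE = timedelta(hours=48)
VALID_ACTIONS = ("given", "updated", "withdrawn")


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable line of consent evidence."""
    at: datetime      # when the event happened (timezone-aware)
    action: str       # "given", "updated" or "withdrawn"
    purpose: str      # the specific purpose consent relates to
    channel: str      # how it was obtained, e.g. "web-form"
    note: str = ""    # free text, e.g. notice version shown to the user


class ConsentLedger:
    """Append-only consent history for a single Data Principal.

    Events are never edited or deleted; withdrawal is itself an event, so the
    ledger always shows what was consented to at any point in time.
    """

    def __init__(self, principal_id: str) -> None:
        self.principal_id = principal_id
        self._events: list[ConsentEvent] = []

    def record(self, action: str, purpose: str, channel: str,
               at: datetime, note: str = "") -> ConsentEvent:
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown consent action: {action!r}")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware for audit evidence")
        if self._events and at < self._events[-1].at:
            raise ValueError("events must be appended in chronological order")
        # Withdrawing or updating consent that was never given is a data bug
        # worth surfacing, not silently recording.
        if action != "given" and not self.is_active(purpose):
            raise ValueError(f"no active consent for purpose {purpose!r}")
        event = ConsentEvent(at, action, purpose, channel, note)
        self._events.append(event)
        return event

    def is_active(self, purpose: str, at: Optional[datetime] = None) -> bool:
        """True if the latest event for this purpose (up to `at`) is not a withdrawal."""
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.purpose == purpose and (at is None or e.at <= at):
                latest = e
        return latest is not None and latest.action != "withdrawn"

    def evidence(self, purpose: str) -> list[dict]:
        """Export the history for one purpose as plain rows for an audit file."""
        return [
            {"principal": self.principal_id, "at": e.at.isoformat(),
             "action": e.action, "channel": e.channel, "note": e.note}
            for e in self._events if e.purpose == purpose
        ]


def erasure_schedule(purpose_fulfilled_at: datetime,
                     retention: timedelta) -> tuple[datetime, datetime]:
    """Return (erase_at, notify_by): when the data must go, and the latest
    moment the user must have been told, ERASURE_NOTICE before that."""
    erase_at = purpose_fulfilled_at + retention
    return erase_at, erase_at - ERASURE_NOTICE


if __name__ == "__main__":
    # Constructed walk-through: consent given on a web form, withdrawn 3 days later.
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger("dp-0001")
    ledger.record("given", "order-fulfilment", "web-form", t0, note="notice v1")
    ledger.record("withdrawn", "order-fulfilment", "account-settings",
                  t0 + timedelta(days=3))
    for row in ledger.evidence("order-fulfilment"):
        print(row)
    erase_at, notify_by = erasure_schedule(t0, timedelta(days=3 * 365))
    print("erase at", erase_at.isoformat(), "notify by", notify_by.isoformat())
```

The ledger deliberately refuses out-of-order timestamps and withdrawals for purposes that were never granted; both are the kinds of inconsistencies an auditor will ask about, and it is cheaper to reject them at write time than to explain them later.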
The Rules make data breach reporting mandatory and time-bound. If a personal data breach occurs, businesses must immediately notify the Data Protection Board of India and submit detailed information within 72 hours. They must also inform affected users clearly, explaining what happened, what data was affected, what steps are being taken, and what actions users should take to protect themselves.
This requirement creates pressure on organizations to have incident response plans and monitoring tools in place. Without automated alerts and logging, meeting the 72-hour deadline becomes extremely difficult. From a risk standpoint, failure to report a breach can attract penalties that are often higher than the cost of the breach itself.
You can check for:
So, if you are wondering “What happens if a company does not comply with DPDP Rules 2025?”, the answer is that the DPDP framework introduces financial penalties that can go up to ₹250 crore, depending on the nature of the violation. These penalties are not symbolic. They are designed to enforce accountability.
Serious violations include:
Even smaller violations, such as providing false information during grievance handling, can result in fines. For startups and SMEs, this is a major pain point. One compliance failure can significantly impact business continuity, investor confidence, and brand reputation.
Non-compliance isn’t a slap on the wrist. The DPDP Act and accompanying Rules attach significant penalties based on the type of violation. Here’s a practical breakdown:
| Violation | Possible Penalty |
|---|---|
| Failure to maintain reasonable security safeguards | Up to ₹250 crore |
| Not notifying the Board or users of a breach | Up to ₹200 crore |
| Children’s data obligations violation | Up to ₹200 crore |
| Other violations of the Act/Rules | Up to ₹50 crore |
Preparation should begin with data discovery tools and audit exercises. Businesses must know what personal data they collect, where it is stored, and who has access to it. Next, organizations should implement privacy-by-design principles. This means embedding data protection tools into systems, apps, and workflows from the start, not as an afterthought.
Using the right tools can significantly reduce compliance complexity, help overcome operational challenges, and reduce manual errors. Solutions such as:
Finally, regular training, audits, and policy updates ensure long-term compliance as interpretations evolve.
The Digital Personal Data Protection Rules 2025 put India on a clear path toward strong digital privacy governance. If executed well, they help protect individuals’ rights while letting businesses innovate responsibly.
For business leaders, this is not just a regulatory exercise. It’s a strategic shift. Data protection is now part of brand trust, risk management, and competitive positioning. Compliance is not optional, and complying early means less risk, fewer surprises, and a stronger digital reputation.
The Digital Personal Data Protection Rules 2025 are not just a legal requirement. These Rules are a business reality. Companies that treat compliance as a trust-building opportunity will gain a competitive edge, while those that ignore it risk penalties, reputational damage, and loss of user confidence.
Choose smarter business solutions for your long-term growth and strategies!
The DPDP Rules 2025 are detailed regulations issued under the Digital Personal Data Protection Act 2023 that explain how businesses must collect, process, store, protect, and delete personal data of individuals in India.
The Digital Personal Data Protection Act 2023 defines the legal framework and principles of data protection, while the DPDP Rules 2025 provide step-by-step operational guidelines, timelines, and compliance requirements for businesses.
Any organization that processes digital personal data of individuals in India must comply, including startups, SMEs, enterprises, SaaS companies, mobile apps, e-commerce platforms, and foreign companies offering services to Indian users.
Yes, DPDP Rules 2025 apply to small businesses and startups if they collect or process personal data such as names, emails, phone numbers, or user behavior, regardless of company size or revenue.
A Data Fiduciary is any person or organization that determines the purpose and means of processing personal data, such as websites, apps, SaaS platforms, and businesses handling customer or employee data.
Businesses must obtain valid user consent, limit data collection to specific purposes, implement reasonable security safeguards, respond to user rights requests, report data breaches, and delete personal data once retention periods expire.
Users (Data Principals) have the right to access, correct, update, and erase their personal data, withdraw consent, file grievances, and receive notifications in case of a data breach.
Consent must be free, informed, specific, and unambiguous. Businesses must clearly explain why data is collected and allow users to withdraw consent easily at any time.
Yes, verifiable parental or guardian consent is mandatory for processing personal data of children below 18 years of age.