Centre Notifies Digital Personal Data Protection (DPDP) Act Rules

Officials also released a roadmap for staggered implementation up to 18 months

Update: 2025-11-14 15:29 GMT
DPDP rules aim to curb data misuse and strengthen digital privacy in India. (File Image)
New Delhi: The Centre on Friday notified the much-awaited rules under the Digital Personal Data Protection (DPDP) Act, laying out a staggered implementation roadmap of up to 18 months for India’s new data protection regime. The rules aim to give citizens control over their data, allow them to check for misuse, and protect their privacy in the online space in the country.

The rules came into force eight years after the Supreme Court, on August 24, 2017, held that the ‘right to privacy’ is a ‘fundamental right’, with restrictions specified and relatable to fundamental rights as embedded in the Constitution. The rules published under the DPDP Act 2023 grant citizens the right to protect their data, while expecting them not to suppress any information about themselves for any government-issued IDs or documents, to refrain from filing false or frivolous complaints, etc.

As specified by the government in its notification, the rules mandate that large data fiduciaries store certain categories of personal data within India. At the same time, the rules also permit the transfer of personal data outside India, subject to additional requirements that may be prescribed by the Centre. “The rules will help citizens avoid spam calls and unauthorised access to their personal data, video, and voice via any digital means,” the government said.

The government further said that the Act will be implemented in a phased manner over a period of 12-18 months across the country. Some parts of the rules will be implemented immediately, while provisions such as registration and obligations of consent managers, notice from data fiduciaries to individuals for processing their data, and some other major norms related to processing of personal data will be implemented in the specified timeframe.

“Now, therefore, in exercise of powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby makes the following rules, ... These rules may be called the Digital Personal Data Protection Rules, 2025,” the notification said.

The rules set out a mechanism for establishing a data protection board, which will levy penalties based on the nature of the breach as listed in the DPDP Act 2023. The DPDP Act 2023 has provisions to impose penalties of up to Rs 250 per breach on data fiduciaries. However, it has kept a graded penalty system to protect small businesses.

Reacting to the notification, experts said that the rules specified in the DPDP Act lay out a clear roadmap for enterprises on collecting, processing and securing personal data, while the transition period and phased roll-out will give companies time to recalibrate data architectures and implement consent mechanisms and other necessary frameworks. “The final rules had left many of the operational burdens intact, even after discussions. They flagged the ‘uncertainty’ and lack of clarity around criteria and process for designating an entity as a significant data fiduciary,” they said.

According to Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India, the rules set fixed obligations, which lead to an increase in the cost of compliance, apart from an increase in the legal and operational costs. “With the DPDP rules now notified, Indian enterprises have a clear roadmap on how they collect, process, secure and govern personal data. The phased roll-out is crucial, though; it gives organisations the space to operationalise privacy, recalibrate their data architecture and embed accountable fiduciary practices seamlessly,” Rao said.

“Enterprises must immediately prioritise data discovery, classification and data-mapping exercises, implement consent and retention workflows, strengthen breach-response mechanisms, and deploy technology-led governance tools that provide real-time visibility across the data lifecycle,” Rao added.

Another expert, Vinay Butani, Partner, Economic Laws Practice, said that the one-year deadline for consent managers effectively pre-positions the consent infrastructure for DPDP compliance. “By the 18-month enforcement date, a network of certified, neutral consent-service providers will be ready to handle opt-in/out mechanics, easing the shift to the new regime,” Butani added.
