Comprehensive answers to the most important questions about DPDPA compliance, data protection rights, and privacy best practices.
The Digital Personal Data Protection Rules, 2025 were officially notified on November 13, 2025, by the Ministry of Electronics and Information Technology. These rules operationalize the DPDPA 2023 by providing detailed guidelines on consent mechanisms, data security safeguards, breach notifications, and compliance procedures.
The DPDPA 2023 received presidential assent on August 11, 2023. The DPDP Rules 2025 were notified on November 13, 2025, with a phased implementation: Phase 1 (November 13, 2025) - Definitions, Data Protection Board setup, and procedural provisions; Phase 2 (November 13, 2026) - Consent manager registration and specific rights provisions; Phase 3 (May 13, 2027) - Core compliance obligations including consent, security, and breach notification.
DPDPA applies to the processing of digital personal data within India, activities involving offering goods or services to data principals in India, and profiling of data principals in India. The Act has extraterritorial reach, meaning it applies to data processing outside India if targeted at Indian users.
SARAL stands for Simple, Accessible, Rational, and Actionable. This framework ensures that the DPDP Rules 2025 are written in plain language with clear definitions, making them easy to understand and implement for both users and organizations.
The Data Protection Board of India was established under Sections 18-26 of the DPDPA 2023 and became operational from November 13, 2025. It is an independent regulatory body responsible for overseeing compliance, investigating complaints, imposing penalties, and ensuring enforcement of data protection laws.
The Board operates as a digital-first entity with app-based complaint filing and tracking systems. It handles grievances from data principals, conducts investigations, imposes penalties ranging from ₹10,000 to ₹250 crore depending on violation severity, and ensures organizations comply with DPDP requirements. Appeals against Board decisions go to the Telecom Disputes Settlement and Appellate Tribunal.
The Data Protection Board can conduct audits, investigate data breaches, issue compliance notices, impose financial penalties up to ₹250 crore for serious violations, and require organizations to implement corrective measures. The Board also maintains oversight of Significant Data Fiduciaries and consent managers.
Data principals have the right to access their personal data, right to correction and erasure, right to grievance redressal, right to nominate (for deceased persons' data), and right to withdraw consent. Organizations must respond to rights requests within 90 days and provide 48-hour notice before deleting data unless legally required to retain it.
Data principals can submit requests directly to data fiduciaries through designated channels established by organizations. The DPDP Rules 2025 require data fiduciaries to provide clear mechanisms for exercising rights, with a mandatory 90-day grievance redressal timeline. If unsatisfied, data principals can approach the Data Protection Board.
If a data fiduciary fails to respond within 90 days or denies your request without valid justification, you can file a complaint with the Data Protection Board of India through their digital complaint filing system. The Board will investigate and can impose penalties on non-compliant organizations.
Yes, the DPDP Rules 2025 mandate that withdrawing consent must be as easy as giving it. Data fiduciaries must provide simple mechanisms for consent withdrawal, and once withdrawn, they must stop processing your data for that specific purpose unless there is another lawful basis.
Valid consent must be free, specific, informed, unconditional, and given through clear affirmative action. The DPDP Rules 2025 require data fiduciaries to provide consent notices in plain language, listing categories of data collected, purpose of processing, and mechanisms for withdrawal. Consent must be verifiable and can be withdrawn at any time.
Consent notices must be provided in plain, simple language and include: categories of personal data being collected, purpose of data processing, how data principals can exercise their rights, process for consent withdrawal, details about data retention, and information about cross-border data transfers if applicable. The notice must be standalone and not buried in lengthy terms and conditions.
Consent Managers are independent, registered intermediaries who act as neutral platforms for managing user consents. They must register with the Data Protection Board (effective November 2026), maintain user dashboards for consent management, ensure data integrity, and facilitate consent withdrawal. They help data principals manage consents across multiple data fiduciaries from a single interface.
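The consent requirements above (purpose-specific, verifiable, withdrawable as easily as given, and no further processing for a withdrawn purpose unless another lawful basis exists) can be expressed as a small purpose-bound consent register. The following is an added example, not code from the page or from any DPDP consent-manager product; the HMAC key, principal ids, purpose names and notice ids are constructed for illustration, and the hash chain is one way to make the record tamper-evident, not a mechanism the rules prescribe.

```python
"""Purpose-bound consent register with a tamper-evident audit trail.

Added example (assumed design, not from the DPDP Rules text). Each grant is
tied to the notice the principal saw and chained under an HMAC so that a
later edit, deletion or reordering of the record is detectable on verify().
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

_GENESIS = b"\x00" * 32


class ConsentRegister:
    def __init__(self, key: bytes):
        self._key = key                      # constructed demo key
        self._chain: list[tuple[dict, bytes]] = []
        self._prev = _GENESIS

    @staticmethod
    def _payload(event: dict) -> bytes:
        return json.dumps(event, sort_keys=True).encode()

    def _append(self, event: dict) -> None:
        # The MAC covers the previous MAC, so editing any earlier entry
        # invalidates every later one when the chain is recomputed.
        mac = hmac.new(self._key, self._prev + self._payload(event), hashlib.sha256).digest()
        self._chain.append((event, mac))
        self._prev = mac

    def grant(self, principal: str, purpose: str, notice_id: str, ts: datetime) -> None:
        # notice_id records which plain-language notice the consent answers,
        # which is what makes the consent verifiable later.
        self._append({"kind": "grant", "principal": principal, "purpose": purpose,
                      "notice_id": notice_id, "ts": ts.isoformat()})

    def withdraw(self, principal: str, purpose: str, ts: datetime) -> None:
        # Recorded unconditionally: no prerequisite state, no confirmation step,
        # so withdrawing is at least as easy as granting.
        self._append({"kind": "withdraw", "principal": principal, "purpose": purpose,
                      "ts": ts.isoformat()})

    def consent_state(self, principal: str) -> dict[str, str | None]:
        # Replay the chain; the last event per purpose wins. The value is the
        # notice_id consent was given against, or None once withdrawn.
        state: dict[str, str | None] = {}
        for event, _ in self._chain:
            if event["principal"] != principal:
                continue
            state[event["purpose"]] = event["notice_id"] if event["kind"] == "grant" else None
        return state

    def may_process(self, principal: str, purpose: str, lawful_basis: str | None = None) -> bool:
        # Allowed only with active consent for this exact purpose, or when the
        # caller names another lawful basis (e.g. a statutory retention duty).
        if lawful_basis is not None:
            return True
        return self.consent_state(principal).get(purpose) is not None

    def verify(self) -> bool:
        # Recompute the chain from genesis; compare MACs in constant time.
        prev = _GENESIS
        for event, mac in self._chain:
            expected = hmac.new(self._key, prev + self._payload(event), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, mac):
                return False
            prev = mac
        return True


def demo() -> tuple[bool, bool, bool, bool]:
    """Grant two purposes, withdraw one, and return the four processing decisions."""
    reg = ConsentRegister(key=b"constructed-demo-key-do-not-reuse")
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    reg.grant("dp-1001", "order_fulfilment", "notice-v3", t0)
    reg.grant("dp-1001", "marketing", "notice-v3", t0)
    before = reg.may_process("dp-1001", "marketing")
    reg.withdraw("dp-1001", "marketing", datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc))
    after = reg.may_process("dp-1001", "marketing")
    other_purpose = reg.may_process("dp-1001", "order_fulfilment")
    on_legal_basis = reg.may_process("dp-1001", "marketing", lawful_basis="legal_obligation")
    return before, after, other_purpose, on_legal_basis


def tamper_check() -> tuple[bool, bool]:
    """Return verify() before and after an after-the-fact edit of a recorded grant."""
    reg = ConsentRegister(key=b"constructed-demo-key-do-not-reuse")
    reg.grant("dp-2002", "analytics", "notice-v3", datetime(2026, 3, 1, tzinfo=timezone.utc))
    intact = reg.verify()
    reg._chain[0][0]["purpose"] = "marketing"   # simulate silent repurposing of the consent
    return intact, reg.verify()


if __name__ == "__main__":
    print(demo(), tamper_check())
```

The register is deliberately append-only: withdrawal is a new event rather than a deletion, so the audit trail still shows that consent once existed and when it ended, which is what a fiduciary needs to answer an access request or a Board inquiry about a specific purpose. Where a separate lawful basis is relied on after withdrawal, it is passed explicitly so the decision is logged with its justification rather than silently falling back.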
The DPDP Rules 2025 provide special protections for children under 18 years of age. Data fiduciaries must obtain verifiable parental consent before processing children's data. Behavioral tracking and targeted advertising to children are prohibited unless for essential purposes like education, health, or safety.
Verifiable parental consent means data fiduciaries must implement mechanisms to reasonably verify that the person providing consent is actually the parent or legal guardian of the child. This could include verification through existing parental accounts, government ID verification, or other reliable methods specified in the rules.
Yes, the rules allow processing of children's data without parental consent for essential purposes such as education, health and safety services, medical treatment, and legal compliance. However, even in these cases, tracking and profiling for advertising purposes remain prohibited.
Data fiduciaries must: obtain valid consent with clear notices in plain language; implement security safeguards including encryption, access controls, and activity logging; notify breaches within 72 hours; limit data retention and erase data when no longer needed; respond to data principal rights within 90 days; maintain activity logs for at least one year; and ensure transparency in all data processing activities.
The DPDP Rules 2025 mandate minimum security measures including encryption of personal data at rest and in transit, access controls to prevent unauthorized access, regular security assessments, activity logging with logs retained for at least one year, and data backup procedures. Organizations must implement appropriate technical and organizational measures to prevent data breaches.
In the event of a data breach, data fiduciaries must notify both the Data Protection Board of India and affected data principals within 72 hours. The notification must include the nature of the breach, categories of data affected, number of individuals impacted, potential consequences, and mitigation steps taken. Failure to report breaches within this timeframe can result in significant penalties.
Data fiduciaries must erase personal data when it is no longer necessary for the purpose it was collected. The DPDP Rules 2025 specify that data principals must receive 48-hour notice before data deletion unless legal obligations require retention. Significant Data Fiduciaries must delete inactive user data after three years. Activity logs must be retained for at least one year.
Significant Data Fiduciaries are entities that process large volumes of personal data, such as major social media platforms, large e-commerce companies, and technology firms. They are designated by the government based on factors like volume of data processed, potential impact on sovereignty and integrity of India, and risk to electoral democracy.
SDFs face enhanced obligations including: appointing Data Protection Officers; conducting annual Data Protection Impact Assessments (DPIAs); undergoing independent third-party audits; implementing algorithmic accountability measures; maintaining higher security standards; deleting inactive user data after three years; and providing greater transparency in their data processing activities.
A DPIA is a mandatory annual assessment for Significant Data Fiduciaries to identify and mitigate privacy risks in their data processing activities. It evaluates the necessity and proportionality of processing, assesses risks to data principals' rights, and documents safeguards to minimize those risks. DPIAs must be conducted before beginning high-risk processing operations.
Yes, cross-border data transfers are permitted under Rule 15, but only with government approval and adequate safeguards. Transfers can occur to countries or territories that the Central Government has notified as having adequate data protection standards. The rules emphasize data sovereignty and require organizations to ensure protection levels are maintained.
Organizations must obtain government approval, ensure the receiving country has adequate data protection laws, implement contractual safeguards, maintain transparency with data principals about transfers, and ensure the transferred data receives equivalent protection. The government maintains authority to restrict transfers to specific countries if deemed necessary for sovereignty or security.
Yes, the Central Government can maintain a list of countries where data transfer is restricted or prohibited due to concerns over data protection standards, national security, or sovereignty. Additionally, transfers involving children's data or sensitive processing require higher scrutiny and additional safeguards.
Organizations should: conduct comprehensive data mapping and inventory; review and update consent mechanisms to meet plain language requirements; implement security safeguards including encryption and access controls; establish 72-hour breach notification procedures; create data principal rights request processes with 90-day response timelines; train staff on DPDP requirements; appoint Data Protection Officers if they are SDFs; and prepare for audits and DPIAs.
The Data Protection Board can impose financial penalties ranging from ₹10,000 to ₹250 crore depending on the nature and severity of the violation. Serious violations include failure to implement security safeguards, non-compliance with breach notification requirements, processing children's data without verifiable parental consent, and failure to honor data principal rights. Penalties are proportionate to the breach severity.
Core compliance obligations including consent notices, security safeguards, breach notifications, data retention, and rights fulfillment become mandatory from May 13, 2027 (18 months from the November 13, 2025 notification). However, the Data Protection Board is operational from November 13, 2025, and organizations should begin preparations immediately to ensure readiness.
Organizations must immediately contain the breach, assess the impact, and notify both the Data Protection Board and affected data principals within 72 hours. The notification must detail the breach nature, data categories affected, number of individuals impacted, potential harm, and mitigation measures. Failure to notify within 72 hours or inadequate breach response can result in penalties up to ₹250 crore.
The DPDP Rules 2025 mandate that data fiduciaries must obtain consent from the legal guardian of a person with disability for processing their personal data. This ensures vulnerable individuals receive additional protection and their data is not exploited without proper authorization from their designated guardians.
Yes, the rules include exemptions for government agencies processing data for purposes such as national security, public services, subsidies and benefits, legal compliance, and research. However, these exemptions have raised concerns about potential surveillance and reduced transparency, as government processing may not always require user consent or notification.
The DPDP Rules 2025 amended the Right to Information Act, 2005, by modifying provisions related to disclosure of personal information. The 'larger public interest' test for disclosing personal information about public officials was removed, which has raised concerns about transparency and accountability in government operations.