Digital Personal Data Protection Rules, 2025


The Digital Personal Data Protection Rules, 2025 is a subordinate legislation notified by the Government of India under the Digital Personal [Data Protection Act, 2023]. The rules provide detailed operational requirements for implementation of the Act, specifying obligations of data fiduciaries and procedures for data principals, breach reporting, cross-border transfers and the functioning of the Data Protection Board of India.

Summary

The rules set out practical steps for consent collection, notice requirements, breach notification, record-keeping, and special protections. They also define timelines for phased compliance and provide details on the constitution and powers of the Data Protection Board of India envisaged under the DPDP Act, 2023. The notification of the Rules followed public and stakeholder consultations and was presented as the final step to operationalize India’s data-protection framework.

Background

The Digital Personal Data Protection Act, 2023 established the legal framework for personal data protection in India but delegated many technical and procedural requirements to subordinate rules. After stakeholder consultations and draft releases, the Ministry of Electronics and Information Technology finalized the Rules and notified them on 14 November 2025.

Key provisions

The key elements of the Rules include:
  • Consent and notice — Data fiduciaries must provide clear and concise privacy notices that specify purpose of processing, categories of data processed, retention periods, and mechanisms to withdraw consent. Consent requirements emphasise informed, unambiguous and freely given consent for processing personal data.
  • Data breach notification — Fiduciaries are required to notify the Data Protection Board and affected data principals of personal data breaches within specified timelines, and to provide details about the nature of the breach and mitigation steps taken.
  • Special categories and vulnerable groupsThe Rules provide enhanced protections for children's data and for persons with disabilities, including guidelines for obtaining lawful guardian oversight where appropriate.
  • Cross-border data transfer — The Rules set out conditions and safeguards for transfer of personal data outside India; the Central Government retains power to specify countries or mechanisms for permitted transfers.
  • Data Protection Board of India — The Rules detail the composition, appointment process and functioning of the Data Protection Board of India envisaged under the DPDP Act, 2023.
  • Phased compliance — Certain operational provisions are subject to phased implementation to allow businesses to adapt to new compliance requirements.