The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025 ushering in a new era of enforceable digital privacy. This marks the full operationalization of the Digital Personal Data Protection Act, 2023 (DPDP Act), passed by the parliament in August 2023. Together, the Act and the Rules form a clear and citizen-centred framework for the responsible use of digital personal data. They place equal weight on individual rights and lawful data processing.
With the notification of the Rules, India now has a practical and innovation-friendly system for data protection. It supports ease of understanding, encourages compliance and strengthens trust in the country’s growing digital ecosystem. It explains what organisations must do when they collect or use such data.
The Rules introduce an eighteen-month period for phased compliance. This gives organisations enough time to adjust their systems and adopt responsible data practices. With staged implementation, breach reporting timelines, and a dedicated regulatory board, the rules demand swift compliance. This means that enterprises and OEMs must now assess readiness and realign offerings to meet new obligations.
The text of the Rules uses plain language and clear illustrations so that people and businesses can understand the rules without difficulty.
It should be noted here that the rules were not notified and implemented overnight. The Ministry of Electronics and Information Technology invited public comments on the draft Rules before finalising them. Consultations were held in Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai. A wide range of participants took part in these discussions. Startups, MSMEs, industry bodies, civil society groups and government departments all offered detailed suggestions. Citizens also shared their views. In total, 6,915 inputs were received during the consultation process. These contributions played a key role in shaping the final Rules.
Key terms under the DPDP Act, 2023
· Data Fiduciary: An entity that decides why and how personal data is processed, either alone or with others.
· Data Principal: The individual to whom the personal data relates. In the case of a child, this includes a parent or lawful guardian. For a person with a disability who cannot act independently, this includes the lawful guardian acting on their behalf.
· Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary.
· Consent Manager: An entity that provides a single, transparent and interoperable platform through which a Data Principal may give, manage, review or withdraw consent.
· Appellate Tribunal: The Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which hears appeals against decisions of the Data Protection Board.
REACTIONS FROM THE INDUSTRY
The DPDP rules represent one of the most consequential shifts in India’s data governance framework
Sanket Atal, SVP, Engineering and Country Head, OpenText India
“The DPDP Rules of 2025 represent one of the most consequential shifts in India’s data governance framework. Beyond the headline requirements, the rules formalize three critical obligations for enterprises: verifiable consent, demonstrable accountability, and real-time breach visibility. These expectations move organisations from passive data collection to active data stewardship. The impact will be felt most by organisations with large and complex data estates. Today, many Indian enterprises operate with legacy applications sitting alongside multi-cloud deployments, making it difficult to track how personal data is collected, shared, stored and deleted. The DPDP Rules now require organisations to maintain accurate data maps, establish consent-verification workflows, standardize retention schedules and ensure that any cross-border movement of personal data aligns with the ‘blacklist-based’ transfer regime.
This is where the real challenge begins. Compliance cannot be limited to a documentation exercise anymore. It has to become part of how work happens every day rather than something documented after the fact. IT teams will need to strengthen identity governance, automate audit trails and reduce data sprawl to meet 72-hour breach reporting and verifiable consent standards. For sectors such as BFSI, healthcare, e-commerce and citizen services, the new rules will require an overhaul of data flows to ensure full traceability and predictable governance.”
With the coming of the DPDP rules, the time to act is now
Dr. Sanjay Katkar, Joint Managing Director, Quick Heal Technologies Ltd.
“The implementation of the DPDP Rules places a renewed responsibility on enterprises to bring greater transparency, meaningful consent, timely breach notifications, and disciplined data retention and erasure into their operations. These requirements are not just regulatory checkboxes, in fact they reshape how organisations collect, manage, and safeguard personal data. Seqrite Data Privacy has been developed precisely for this moment. It’s your one-stop solution that enables enterprises to establish structured governance, discover, classify, and secure their data, and strengthen its handling with audit-ready controls at the core of their digital ecosystems. As the regulatory landscape evolves, the time to act is now."
India’s new AI governance framework signals a decisive shift with the new DPDP rules
Nitin Varma, SVP & MD, India & SAARC, Saviynt
“India’s new AI Governance Framework signals a decisive shift, identity and access governance is now a national-level priority for safe and responsible AI. As organisations embed AI into core decision-making and mission-critical workflows, the real challenge is not model sophistication but ensuring that only the right people, systems, and autonomous agents receive the right level of access for the right purpose at the right time, and can be held accountable for how that access is used.
Traditional, periodic controls were not designed for the velocity, scale, and autonomy that AI environments demand. Indian enterprises will now require converged, intelligence-driven identity platforms that offer continuous assurance, real-time policy enforcement, and AI-led risk detection. This is a pivotal moment for organisations to modernize identity governance and build a secure, innovation-ready foundation for AI.”
The DPDP Rules are a strong start, but the proof lies in execution
Sumed Marwaha, Managing Director, AHEAD India
With the DPDP Rules, India joins the league of global data protection frameworks such as GDPR and CCPA - only sharper and more scalable for the country’s digital ambitions. The phased rollout gives organisations a clear runway to modernize systems, streamline data flows, and prepare for new obligations around consent, retention, access and breach response.
The DPDP Rules are a strong start, but the proof lies in execution. By combining technology acceleration with robust governance frameworks, we help enterprises turn regulatory requirements into long-term operational strength and trusted digital experiences. We remain committed to guiding our clients through each phase of adoption.”
The DPDP rules for the common man means a new digital reality
Santosh Singh, Senior Vice President, IT, DS Group
“The Digital Personal Data Protection Act notification of today marks the definitive pivot towards a Trust Economy where bulk personally identifiable information (PII) collection will be replaced by a mandate for precision and accountability at every digital exchange. Certainly, the industry must now invest in consent, making data protection a foundation for commerce and not a cost to it. To the common man, this means a new digital reality giving the citizen the right to erase, correct, and truly control his or her own digital identity.
This legal shift is a positive catalyst for FMCG, ending passive data capture and demanding precise consent linked to clear customer value (loyalty/engagement). By adopting data minimization and purpose limitation, we are compliant and are transforming our reliance on large, retail-driven data pools into high-quality, targeted datasets, driving superior efficiency and building deeper customer trust.”
The DPDP Rules reinforce the very principles of transparency, control and accountability
Karan Kirpalani, Chief Product Officer, Neysa.ai
"We welcome the notification of the DPDP Rules, which offer India’s digital ecosystem a clear structure for handling personal data. The framework sets defined expectations for consent, storage, processing and accountability, giving organisations a stable pathway for compliance. The phased rollout allows enterprises to review their data architecture, map information flows and strengthen internal controls in a systematic and uninterrupted manner.
As India moves deeper into AI-led transformation, clarity on data responsibilities becomes central to building secure and dependable digital systems. The DPDP Rules encourage organisations to align security, governance and lifecycle management with the realities of growing AI workloads, distributed compute environments and high-density digital interactions. Strong data practices are the foundation of every successful AI initiative, and the DPDP Rules reinforce the very principles including transparency, control and accountability that our platforms are built to enable.”
The DPDP rules sets the tone for a more disciplined and transparent data culture
Ankit Kedia, Founder & Lead Investor, Capital- A
"The DPDP Rules come at a time when India’s digital economy is scaling on real industrial use-cases. The framework brings clarity to how personal data is collected, stored and processed, and pushes organisations to build stronger internal systems. It sets the tone for a more disciplined and transparent data culture across sectors. For manufacturing, robotics and deep-tech companies, this is constructive. These businesses depend on precise data flows, secure environments and clearly defined consent pathways. As factories become more connected and worker data enters automated workflows, trust becomes a competitive differentiator.
For deep-tech founders working at the intersection of engineering, AI and hardware, a structured data regime improves reliability, model performance and the credibility of the IP they create. At Capital-A, we believe DPDP will help Indian deep-tech companies meet global standards and scale with confidence."
The new rules places data protection at the centre of business leadership
Ashish Tandon, Founder and CEO, Indusface
“The DPDP Act notification gives India’s digital ecosystem a clear and workable structure for responsible data handling. It sets defined expectations for how personal information should be collected, processed and safeguarded, and it introduces a disciplined approach to consent, breach communication and data retention. This brings much-needed clarity at a time when digital participation is expanding across every sector. The phased rollout allows organisations to prepare with intent by upgrading systems, training teams and strengthening internal governance. It places data protection at the centre of business leadership and encourages companies to build processes that are steady, transparent and aligned with long-term goals.
India operates digital networks at a scale few countries manage and a structured law creates a strong foundation for future growth. The roadmap ahead gives businesses the space to create secure and thoughtful systems that support sustainable progress in the digital economy.”
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
