
The draft Digital Personal Data Protection Rules, 2025 (Rules), introduced by the Central government, aim to safeguard citizens' rights by protecting their personal data. These Rules have been formulated under the powers conferred by sub-sections (1) and (2) of Section 40 of the Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP Act, which received the assent of the Hon’ble President on August 11, 2023, is yet to come into effect. The Rules are designed with simplicity and clarity to empower citizens in a rapidly expanding digital economy. They seek to protect citizens' rights under the DPDP Act while maintaining a delicate balance between regulation and innovation. This ensures that the benefits of India’s vibrant innovation ecosystem are accessible to all citizens and support the growth of the digital economy. By providing detailed provisions and a comprehensive implementation framework, the Rules serve as a vital tool for operationalizing the DPDP Act.
1. Notice Requirement
The Rules mandate that Data Fiduciaries provide clear and comprehensive notices to Data Principals [Sec. 2(j), DPDP Act]. These notices must detail the types of personal data collected, the purposes of processing, and any associated goods or services. Additionally, they should include links to the Data Fiduciary’s [Sec. 2(i), DPDP Act] platform for further information, methods for withdrawing consent, and mechanisms for filing grievances. The emphasis on clarity and simplicity empowers individuals to make informed decisions about their personal data. This provision reinforces the principle of informed consent, a cornerstone of data protection.
2. Consent Management
Consent Managers [Sec. 2(g), DPDP Act] play a pivotal role in streamlining the consent process. Registered with the Data Protection Board, these entities are required to facilitate seamless consent management. They must ensure that Data Principals can easily provide, review, and withdraw consent at any time. Consent Managers are also obligated to maintain transparent records of all consent activities and implement robust security measures to safeguard this information. By simplifying consent management and enhancing reliability, the Rules empower individuals with greater control over their personal data. This focus on transparency and trust is crucial for building confidence in digital platforms.
3. Security Measures
To protect personal data, the Rules prescribe stringent security requirements for Data Fiduciaries. These include encryption, access controls, mechanisms to monitor unauthorized access, and regular data backups. The Rules also mandate breach detection systems and require the maintenance of detailed logs to track data usage and processing activities. Additionally, Data Fiduciaries must ensure that Data Processors [Sec. 2(k), DPDP Act] adhere to equivalent security standards through contractual obligations. Collectively, these measures aim to uphold the confidentiality, integrity, and availability of personal data, mitigating the risk of breaches and misuse.
4. Data Breach Notifications
The Rules establish a robust framework for addressing personal data breaches. In the event of a breach, Data Fiduciaries are required to notify affected Data Principals promptly, providing details about the nature, extent, and consequences of the breach, along with measures taken to mitigate risks. Simultaneously, they must inform the Data Protection Board of the breach and the remedial actions undertaken. This dual-layered approach ensures accountability and minimizes the impact of breaches on individuals, while encouraging organizations to adopt proactive measures to prevent future incidents.
5. Processing Children’s Data
The Rules introduce stringent safeguards for processing children’s personal data. Data Fiduciaries must verify the identity and age of parents or guardians before collecting a child’s data. Verification mechanisms, such as digital tokens issued under the IT Act, are recommended to ensure compliance. These provisions demonstrate a strong commitment to protecting children’s online privacy and safety. By imposing stricter obligations on Fiduciaries, the Rules aim to create a secure digital environment for minors.
6. Obligations for Significant Data Fiduciaries
Significant Data Fiduciaries (SDFs), identified based on factors such as processing volume and sensitivity, are subject to enhanced compliance requirements. They must conduct annual Data Protection Impact Assessments (DPIAs) and audits to evaluate risks and ensure adherence to data protection norms. Furthermore, SDFs are required to assess the impact of their algorithms on Data Principals’ rights and report their findings to the Data Protection Board. These obligations mitigate risks associated with large-scale data processing and reinforce the importance of prioritizing data protection in organizational strategies.
7. Cross-Border Data Transfers
The Rules impose stringent conditions on the transfer of personal data across borders. Data Fiduciaries must ensure that such transfers comply with standards approved by the Central government. This provision seeks to uphold India’s data sovereignty while facilitating international business operations. By regulating data flows, the Rules aim to strike a balance between global connectivity and robust privacy safeguards, addressing both national security and individual privacy concerns.
8. Exemptions for Research and Statistics
To foster innovation and academic inquiry, the Rules provide exemptions for processing personal data for research, archival, or statistical purposes. However, such processing must adhere to specific standards outlined in Schedule II to ensure that privacy and data security are not compromised. These exemptions acknowledge the importance of enabling research while maintaining strong safeguards to protect individual rights.
The DPDP Rules share several parallels with the GDPR, often considered the gold standard in data privacy. Both frameworks emphasize key principles such as transparency, consent, and the protection of individual rights. However, the DPDP Rules are crafted with simplicity and adaptability, reflecting India’s unique regulatory landscape. A notable difference lies in their scope of application. While the GDPR has extraterritorial applicability, extending to entities processing EU citizens’ data globally, the DPDP Rules primarily focus on domestic data processing within India. This localized approach considers the distinct challenges and opportunities of India’s digital economy, ensuring that the framework aligns with the country’s specific regulatory and developmental needs.
The Draft DPDP Rules, 2025, mark a watershed moment in India’s digital governance framework, redefining how personal data is managed in a rapidly evolving economy. By granting individuals enforceable rights and imposing stringent responsibilities on data handlers, the Rules lay a robust foundation for data privacy and protection. However, compliance challenges persist, particularly for small and medium enterprises (SMEs), as they navigate issues such as cross-border restrictions and cost-intensive technological upgrades.
For businesses, adopting these Rules will require strategic investments in technology and infrastructure. Tools like advanced encryption systems, breach detection mechanisms, and efficient consent management platforms are not merely compliance requirements but integral components of a resilient and forward-looking data ecosystem. This highlights the dual role of innovation as both a driver of economic growth and a safeguard for individual privacy.
Successful implementation of the Rules will depend on collaborative efforts across stakeholders. Policymakers must remain receptive to refining the guidelines, private organizations need to embed data protection into their core strategies, and civil society must actively raise awareness and advocate for accountability. Such collective action is essential to ensure the Rules achieve their dual objectives: safeguarding personal data while fostering India’s digital and economic progress.
For citizens, the Rules signify an important step toward greater control over their personal data, enhancing trust in digital platforms. For businesses, they underscore the need to align compliance efforts with technological advancements to maintain competitiveness. As India advances its digital transformation, these Rules not only set the stage for a secure and transparent digital future but also position the country as a global leader in balancing privacy and innovation.
About the authors: Chirag Dave is a Senior Associate, and Poonam Shelot and Tanvi Bogawat are Associates, at Rishabh Gandhi and Advocates.