INDUSTRY
With rules in place, Digital Personal Data Protection Act goes live
- IBJ Bureau
- Nov 15, 2025
The government has formally issued rules under the Digital Personal Data Protection (DPDP) Act. This marks the operational rollout of the country’s fidedicated law governing digital privacy.
The notification brings clarity to how companies, government departments and digital service providers must collect, store and handle personal data. The rules outline detailed obligations for data fiduciaries – entities that process personal information – and establish clear rights for individuals, including the ability to give, withdraw or review consent for how their data is used.
A phased implementation schedule has been set. Core obligations related to consent, purpose-limited data use and grievance handling take effect immediately, while more complex compliance requirements will become mandatory over the next 12 to 18 months. The government has also defined the framework for identifying significant data fiduciaries, who will face enhanced responsibilities such as independent audits and impact assessments.
The rules include mandatory reporting timelines for data breaches, requiring entities to notify both affected users and the Data Protection Board of India. Additional safeguards have been specified for processing children’s data and for handling personal information of persons with disabilities, emphasising stricter parental or guardian authorisation.
The DPDP framework also clarifies how cross-border data transfers will be managed. Overseas transfers will be allowed, unless specifically restricted by the government, moving towards a more flexible approach compared with earlier data-localisation proposals.
With the rules now in force, companies operating in India’s digital economy – from tech platforms and fintech firms to e-commerce players and government digital services – will have to begin aligning their internal systems and data governance practices with the new regulatory structure.
Report By
View Reporter News