Will the DPDP Rules Empower Citizens and Safeguard Privacy?
Key Takeaways
- The DPDP Rules prioritize citizen empowerment and privacy protection.
- Data Fiduciaries must obtain clear consent from individuals before processing their data.
- An 18-month compliance period is provided for organizations to adapt.
- Individuals can access, correct, and delete their personal data.
- The Data Protection Board will operate digitally for convenience.
New Delhi, Nov 14 (NationPress) In an effort to establish a straightforward, citizen-oriented, and innovation-conducive structure for the ethical management of digital personal data, the government has issued the Digital Personal Data Protection (DPDP) Rules, 2025. This marks the complete implementation of the DPDP Act, 2023.
The DPDP Act, which was approved by Parliament on August 11, 2023, lays out a thorough framework designed to safeguard digital personal data, detailing the responsibilities of entities managing such data (referred to as Data Fiduciaries) and outlining the rights and duties of individuals (recognized as Data Principals).
It is constructed around the SARAL design — Simple, Accessible, Rational, and Actionable — employing straightforward language and visual aids to facilitate comprehension and compliance.
The Ministry of Electronics and IT states that the Act is driven by seven fundamental principles: consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards, and accountability.
The DPDP Rules introduce an 18-month phased compliance schedule, granting organizations adequate time for a seamless transition.
Furthermore, Data Fiduciaries are mandated to provide clear, standalone consent notices that transparently articulate the precise reasons for collecting and utilizing personal data.
According to the regulations, Consent Managers—entities that aid individuals in managing their permissions—must be registered Indian companies.
“In the event of a personal data breach, Data Fiduciaries are obligated to inform affected individuals swiftly in plain language, detailing the nature and potential implications of the breach, the measures taken to address it, and providing contact information for assistance,” the rules specify.
To ensure enhanced protection, Data Fiduciaries are required to secure verifiable consent prior to processing the personal data of minors, with limited exceptions for critical purposes like healthcare, education, and immediate safety.
For individuals with disabilities unable to make legal decisions even with assistance, consent must be provided by a legally recognized guardian as per applicable laws.
Additionally, Data Fiduciaries must display clear contact details, such as those of a designated officer or Data Protection Officer, so that individuals can raise inquiries regarding personal data processing.
Noteworthy Data Fiduciaries have heightened obligations, including independent audits, impact assessments, and rigorous due diligence for technologies in use. They are also required to adhere to government-specified restrictions on certain data categories, including localization where mandated.
The DPDP framework strengthens individuals' rights to access, modify, update, or delete their personal data, as well as to assign another individual to exercise these rights on their behalf. Data Fiduciaries must respond to all such requests within a maximum of 90 days.
Importantly, the Data Protection Board will operate as a fully digital institution, enabling citizens to submit and track complaints online via a dedicated platform and mobile application, thereby fostering transparency, efficiency, and ease of living. Appeals against its decisions will be directed to the Appellate Tribunal, TDSAT.
The IT Ministry further emphasized that the rules aim to achieve a balanced approach between protecting citizens’ privacy and fostering innovation and growth.
"India’s data governance model promotes economic progress while ensuring citizen welfare, and offers a supportive compliance framework for startups and smaller businesses, allowing innovation to flourish alongside robust data protection standards," it concluded.