Digital Personal Data Protection Rules, 2025

The Digital Personal Data Protection Rules, 2025 (commonly known as DPDP Rules, 2025) is a subordinate legislation notified by the Government of India under the Digital Personal Data Protection Act, 2023 (DPDP Act, 2023). The rules provide detailed operational requirements for implementation of the Act, specifying obligations of data fiduciaries and procedures for data principals, breach reporting, cross-border transfers and the functioning of the Data Protection Board of India.^[1][2][3]

Digital Personal Data Protection Rules, 2025
Government of India
Territorial extent	India
Administered by	Ministry of Electronics and Information Technology
Status: In force

Summary

The rules set out practical steps for consent collection, notice requirements, breach notification, record-keeping, and special protections (for children and persons with disabilities). They also define timelines for phased compliance and provide details on the constitution and powers of the Data Protection Board of India envisaged under the DPDP Act, 2023. The notification of the Rules followed public and stakeholder consultations and was presented as the final step to operationalize India’s data-protection framework.

Background

The Digital Personal Data Protection Act, 2023 established the legal framework for personal data protection in India but delegated many technical and procedural requirements to subordinate rules. After stakeholder consultations and draft releases, the Ministry of Electronics and Information Technology (MeitY) finalized the Rules and notified them on 14 November 2025.^[4]

Key provisions

The key elements of the Rules include:

• Consent and notice — Data fiduciaries must provide clear and concise privacy notices that specify purpose(s) of processing, categories of data processed, retention periods, and mechanisms to withdraw consent. Consent requirements emphasise informed, unambiguous and freely given consent for processing personal data.^[5]

• Data breach notification — Fiduciaries are required to notify the Data Protection Board and affected data principals of personal data breaches within specified timelines, and to provide details about the nature of the breach and mitigation steps taken.^[6]

• Special categories and vulnerable groups — The Rules provide enhanced protections for children's data (verifiable guardian consent for certain processing) and for persons with disabilities, including guidelines for obtaining lawful guardian oversight where appropriate.^[7]

• Cross-border data transfer — The Rules set out conditions and safeguards for transfer of personal data outside India; the Central Government retains power to specify countries or mechanisms for permitted transfers.^[8]

• Data Protection Board of India — The Rules detail the composition, appointment process and functioning (including digital-first proceedings) of the Data Protection Board of India envisaged under the DPDP Act, 2023.^[9]

• Phased compliance — Certain operational provisions are subject to phased implementation to allow businesses (including startups and small enterprises) to adapt to new compliance requirements.^[10]

Implementation timeline

Date	Event
14 November 2025	Digital Personal Data Protection Rules, 2025 notified by MeitY.[4]
14 November 2025	Immediate effect for certain procedural provisions; phased compliance dates for others specified in the Rules.[11][12]

See also

• Digital Personal Data Protection Act, 2023
• General Data Protection Regulation