India Unveils DPDP Rules 2025: A New Era of Data Governance
Recently, the Ministry of Electronics and Information Technology (“MeitY” or “Ministry”) notified the Digital Personal Data Protection (DPDP) Rules, 2025, giving full operational effect to the Digital Personal Data Protection Act, 2023. Together, the Act and the Rules form a clear, citizen-centred framework for the accountable use of digital personal data.
Overview of the Digital Personal Data Protection Act 2023
On 11th August 2023, Parliament enacted the DPDP Act, aimed at protecting digital personal data in India. It sets out what organisations must do when they collect or use such data.
To ensure that personal data is used only for lawful and specific purposes, the law rests on seven core principles, listed below:
- Transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Security safeguards
- Accountability
The DPDP Act imposes substantial financial penalties on Data Fiduciaries for non-compliance. The highest penalty, up to ₹250 crore, applies where a Data Fiduciary fails to maintain reasonable security safeguards. Failure to notify the Board or affected individuals of a personal data breach, and violations of obligations relating to children, can each attract penalties of up to ₹200 crore. Any other violation of the Act or Rules by a Data Fiduciary may attract penalties of up to ₹50 crore. The Act thus places clear responsibility on Data Fiduciaries to keep personal data safe and to remain accountable for its use, and it gives Data Principals the right to know how their data is handled and to request correction or erasure where necessary. This penalty regime plays an important role in enforcing the rights provided by the Act and in building trust in the system.
The DPDP Act assigns definite obligations to Data Fiduciaries to ensure that personal data is stored securely and kept accurate, and that they remain accountable for its use. It also confers on Data Principals the right to be informed about how their data is handled and, where necessary, to request rectification or deletion of that data.
Pre-Amendment Framework
The fundamental framework for personal data governance in India was established by the original Digital Personal Data Protection Act, 2023. It took a principle-based approach, emphasising broad rights for Data Principals, consent, and basic notice requirements. Operational requirements such as data retention, governance procedures, and record-keeping were left open-ended, while Data Fiduciaries were obliged to provide basic notices outlining purpose, rights, and grievance mechanisms. Cross-border transfers were allowed unless the government imposed restrictions, and breach notifications followed a general “as soon as possible” standard. Although the roles of processors, consent managers, and Significant Data Fiduciaries were outlined, no specific procedural requirements were attached to them. Depending on the seriousness of the non-compliance, penalties could reach ₹250 crore. Overall, the pre-amendment regime offered high-level legal principles with considerable room for interpretation by organisations.
Post-Amendment Framework (Revised DPDP Rules 2025)
With the 2025 amendments, a prescriptive, compliance-focused model replaces the broad principles. Notices must now provide detailed disclosures such as recipient categories, summaries of processing logic, data retention schedules, and cross-border transfer information. Grievance redressal must conform to precisely defined resolution periods, and consent and withdrawal procedures are time-bound. Data Fiduciaries are required to maintain a formal Data Protection Management System (DPMS), access logs, consent trails, and a breach register, and to retain key records for three to seven years. Children's data is subject to stricter age-verification requirements, and processors have been given additional responsibilities such as annual audits and breach reporting within 12 hours. Adequacy assessments and Standard Contractual Clauses now apply to cross-border transfers. The penalties have been restructured and can be as high as ₹500 crore for severe violations. Breach notifications are time-bound (48–72 hours). Other changes include privacy-by-design certification, risk-based classification of Data Fiduciaries, sector-specific compliance norms, and mandatory deletion protocols. The amendments bring the DPDP regime more in line with global standards such as the GDPR, reinforcing accountability, transparency, and robust data governance.
Cross-Border Data Transfer Regime
The revised DPDP framework establishes a more transparent and regulated system for international data transfers. Under the revised rules, the government must carry out an adequacy assessment of the data protection regulations of the destination country before personal data may be transferred outside India. Standard Contractual Clauses (SCCs) are now mandated for all cross-border transfers, ensuring clear contractual safeguards between the sending and receiving entities. For high-risk or large-volume transfers, organisations must carry out a Transfer Impact Assessment (TIA) to identify privacy risks, local surveillance laws, and the level of protection in the destination jurisdiction. Data Fiduciaries must also maintain a detailed outbound transfer log recording each international transfer along with the recipient, purpose, and legal basis.
Source: https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf