DPDP Rules 2025: A Deep Dive into India's Data Framework for UPSC
Q. With reference to the Digital Personal Data Protection (DPDP) Rules, 2025, consider the following statements:
1. Data Fiduciaries are required to address requests for data access or correction within a maximum of 60 days.
2. Consent Managers providing platforms for managing consent must be companies based in India.
3. The rules establish a digital-first Data Protection Board of India consisting of four members.
Which of the statements given above are correct?
(a) 1 and 2 only
(b) 1 and 3 only
(c) 2 and 3 only
(d) 1, 2 and 3
Context
On 14 November 2025, the Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025. These rules mark the full operationalisation of the Digital Personal Data Protection Act, 2023, providing a comprehensive framework for the protection and responsible use of digital personal data in India.
Key Features of DPDP Rules 2025
The Rules provide the practical roadmap for implementing the SARAL (Simple, Accessible, Rational, and Actionable) approach of the 2023 Act.
Core Provisions:
- Phased Implementation: An 18-month period has been introduced for phased compliance, allowing organisations time to adjust systems.
- Data Protection Board of India (DPBI): A digital-first independent body consisting of four members. It will oversee compliance, inquire into breaches, and provide online grievance redressal via a dedicated portal and mobile app.
- Consent Managers: These entities, which help individuals manage their permissions, must be companies based in India.
- Mandatory Response Time: Data Fiduciaries must address requests for access, correction, or erasure within a maximum of 90 days.
- Breach Notification: In case of a personal data breach, Fiduciaries must inform affected individuals and the Board without delay using plain language.
Key Terms & Stakeholders
- Data Fiduciary: The entity deciding the 'why' and 'how' of personal data processing.
- Data Principal: The individual to whom the data relates (includes parents/guardians for children or persons with disabilities).
- Data Processor: An entity processing data on behalf of a Data Fiduciary.
- Significant Data Fiduciaries (SDFs): Entities with higher responsibilities, including conducting independent audits and impact assessments.
Rights of the Data Principal
The framework empowers citizens with several key rights:
- Right to Consent: To give, refuse, or withdraw consent at any time.
- Right to Know: To seek information on what data is collected and how it is used.
- Right to Access & Correction: To obtain a copy of their data and request updates or corrections.
- Right to Erasure: To request the removal of data in certain situations.
- Right to Nominate: To appoint another person to exercise these rights in case of illness or death.
Penalties for Non-Compliance
The DPDP framework imposes substantial financial penalties to ensure accountability:
- Failure to maintain security safeguards: Up to ₹250 crore.
- Failure to notify a breach, or child-related violations: Up to ₹200 crore.
- Other violations: Up to ₹50 crore.
Alignment with RTI Act
The DPDP Act revises Section 8(1)(j) of the RTI Act to align with the Supreme Court's Puttaswamy judgment, which affirmed privacy as a fundamental right.
- The revision ensures personal information is shared only after considering privacy interests.
- Section 8(2) of the RTI Act remains operative, allowing disclosure if the public interest outweighs possible harm.
🎯 Analysis & Insights
Prelims mastery
Correct Answer: (c) 2 and 3 only.
Reasoning: Statement 1 is incorrect because the Rules mandate a response within ninety (90) days, not 60 days. Statements 2 and 3 are correct as per the notified rules.
Mains perspective
"The Digital Personal Data Protection (DPDP) framework seeks to balance the individual's right to privacy with the need to process personal data for lawful purposes." Discuss the significance of the 2025 Rules in strengthening India's digital governance. (150 words)