India has officially implemented the Digital Personal Data Protection (DPDP) Rules, 2025, completing the framework of the DPDP Act, 2023. This marks a major milestone in strengthening citizens’ digital privacy rights and ensuring responsible use of personal data in India’s rapidly expanding digital ecosystem.

The DPDP Act is built on seven core principles-consent, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability. These principles guide how organisations collect, use and protect personal information. The framework follows the SARAL design (Simple, Accessible, Rational, Actionable and Language-based), ensuring the law is easy to understand and follow.

To make compliance smoother, the government has given companies an 18-month phased timeline. Organisations must now issue clear consent notices and collect only necessary data. Consent Managers helping users manage permissions must be Indian entities.

The rules introduce mandatory breach notifications, requiring companies to immediately inform individuals about any data leak along with its consequences and corrective actions.

Additional safeguards protect children and persons with disabilities, ensuring lawful processing only with proper consent.
A fully digital Data Protection Board of India (DPBI) will handle complaints through an online portal and app, further boosting transparency and accountability.