Date: 2025-11-17

The government last week released the Digital Personal Data Protection (DPDP) Rules, 2025, making it India’s first data protection law. This marks a major shift in how the country handles personal data, giving citizens more rights and putting clearer responsibilities on organisations that collect and use people’s information.

Here’s a breakdown of what the law means, why it matters, when it takes effect, and what happens next.

What is the DPDP Act?

The DPDP Act, 2023, which has been operationalised, is India’s first dedicated law for safeguarding digital personal data. Enacted by Parliament on 11 August 2023, it lays down:

- Obligations for organisations that collect or process personal data
- Rights and duties for individuals, referred to as Data Principals
- Rules for processing, sharing, storing, and deleting personal data

Why do the DPDP rules matter?

When India announced its new data protection law, it wasn’t just another policy change. It was the beginning of a new chapter in how the country treats people’s personal information. For years, people shared their data online without always knowing who had access to it or how it was being used. Companies collected names, numbers, locations, and browsing habits, often without clear consent. And when something went wrong, users rarely found out.

However, under the new DPDP rules, users will have more control over their data and privacy. Here’s how the new rules will help build trust:

Citizens will have more control

Under the new rules, people can agree to or deny sharing their data in a clear and simple way. They can ask businesses to show what information they’re holding, correct it, update it, or even erase it entirely. If something goes wrong, for example, a breach, they must be informed immediately. And if they’re unable to manage their data themselves, they can appoint someone to do it for them.

Businesses will get clarity

The government has released clear rules for businesses on how consent must be taken, how long data can be stored, and what steps must be followed if there’s a breach.

Privacy and transparency will be balanced

The law also adjusts how personal information is handled under the RTI Act. It respects the Supreme Court’s ruling that privacy is a fundamental right while ensuring that transparency in public institutions is not weakened.

When will the new DPDP rules come into effect?

The new DPDP rules will be introduced over the next 18 months to give organisations time to prepare and adapt to the guidelines.

Before finalising the law, the government held several public consultations across major cities, including Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru, and Chennai. Several groups, including startups, civil society organisations, government bodies, and citizens, were consulted before finalising the new guidelines.

How will the new rules work?

Here are a few things that are mandated under the new guidelines:

- Companies must issue clear, separate consent notices, and all consent managers must be based in India.
- If personal data is exposed, people must be told right away, in simple language, with clear steps on what to do next.
- Big players must undergo independent audits, conduct data impact assessments, and follow stricter rules for sensitive technologies. They should also store some categories of data locally when required.
- Requests to access, update, correct, or erase data must be resolved within 90 days.
- Children’s data needs verifiable parental consent (except for essential services), and lawful guardians can give consent for those who cannot act independently.

What happens if firms don’t follow DPDP rules?

According to the new guidelines, if any company fails to adhere to the new rules, it will have to pay hefty fines. These are the financial penalties for non-compliance: