New DPDP Rules Take Effect: Know how your personal data will now be collected, stored and used to protect privacy

The Government has operationalised the Digital Personal Data Protection (DPDP) Rules 2025, completing the rollout of India’s updated privacy law. The framework introduces clear rights for citizens and stricter duties for organisations handling personal data.

The Centre has brought the Digital Personal Data Protection (DPDP) Rules 2025 into effect, completing the operational rollout of the DPDP Act 2023 and marking a major shift in how digital platforms, government departments and private companies handle personal information. The updated regime seeks to place citizens at the core of India’s privacy architecture, with new safeguards governing data collection, storage, processing and disclosure.

The Ministry of Electronics and Information Technology (MeitY) said the Act and Rules follow a SARAL design (Simple, Accessible, Rational and Actionable), ensuring that individuals understand how their data is used and that organisations follow uniform, accountable standards across the country.

Government Notifies DPDP Rules: What exactly changes for users under the new system?


Every organisation handling personal information, from social networks and e-commerce platforms to payment apps, online gateways and public bodies, must now provide standalone, plain-language notices explaining what data they collect and why. These notices must be easy to understand and free of confusing legal or technical language.

Individuals, recognised in law as Data Principals, gain the right to access their data, correct inaccuracies, update details or request erasure. Organisations must address these requests within 90 days. Users may also nominate another person to act on their behalf, ensuring continuity for those who need support.

The entire framework rests on seven principles: consent, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability.

How will your data be handled across platforms now?

The rules mandate stronger security practices to ensure personal data is protected throughout its lifecycle. Organisations must use methods such as encryption, masking, tokenisation, controlled access, continuous system monitoring and secure backups. They must also maintain activity logs for at least one year to trace any misuse or system breach.

Contracts with Data Processors, firms that process data on behalf of another entity, must include compulsory security clauses. If a breach occurs, affected users must be informed without delay in clear terms, explaining what happened, possible risks and the steps taken to address the issue. The Data Protection Board must be notified within 72 hours.

What changes when personal data moves outside India?

Cross-border transfers will be allowed only under conditions notified by the Centre. General or special orders will determine which jurisdictions or entities may receive Indian users’ data. Officials said the arrangement balances economic requirements with strong privacy safeguards, ensuring that data shared abroad remains protected under clearly defined conditions.

Additional safeguards for children and persons with disabilities

Any personal data belonging to a person under 18 can only be processed after obtaining verifiable parental consent. Organisations must confirm the parent or guardian’s identity through reliable methods, including digitally verified tokens or Digital Locker–based checks.

Limited exemptions apply only when processing is essential for healthcare, education or real-time safety.

For individuals with disabilities who are unable to make legal decisions even with support, consent must come from a lawful guardian verified under applicable laws.

New DPDP Rules: Phased rollout planned for smooth compliance

Although the Rules are notified, implementation will take place over an 18-month transition period. This gives organisations time to reconfigure systems, update data-handling practices, strengthen internal procedures and make user-facing tools more accessible.

Significant Data Fiduciaries, typically large or high-impact entities, must undertake independent audits, conduct impact assessments and follow stronger due diligence requirements for the technologies they use. They must also comply with localisation directions issued by the Government when required.

How were the final Rules framed?

MeitY conducted consultations across Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai while drafting the DPDP Rules, ensuring wide participation from startups, MSMEs, civil society groups, industry bodies and government departments. Inputs from these discussions shaped the final framework.

Consent Managers, entities that help citizens manage their permissions, must be Indian companies to ensure accountability and adherence to domestic standards.

Digital-first grievance redressal through the Data Protection Board

The Data Protection Board will operate as a fully digital institution. Citizens will be able to file complaints online, track their cases through a dedicated portal and use a mobile app for updates. Appeals against its decisions will lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Officials said the digital-first design aims to make redressal faster, more transparent and more accessible.

The Centre said the DPDP framework seeks to strengthen privacy and empower citizens while supporting India’s growing digital economy. Startups and smaller firms will have a facilitative compliance regime to prevent unnecessary operational burden while maintaining strong safeguards.