
DATA PROTECTION
Overview of DPDP Rules, 2025
The DPDP Rules 2025 operationalise the Digital Personal Data Protection Act 2023, making India's first dedicated digital privacy law fully functional. The Rules comprise 23 rules and seven schedules covering consent notices, data breach protocols, and the powers of the Data Protection Board.
Core Principles: The framework is built on seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability.
Phased Implementation: The government has adopted an 18-month phased rollout: the Data Protection Board of India became effective November 14, 2025; by November 2026, data fiduciaries must disclose their Data Protection Officer details; and major tech firms have up to 18 months for full compliance.
Key Provisions
Consent Requirements: Pre-ticked boxes, bundled permissions, or implied consent are prohibited. Data Fiduciaries must issue itemised, independently understandable notices detailing exactly what personal data is collected, for what purpose, and what services it enables.
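The consent requirements above turned into a checkable form, as an added example (not code from the Rules, the page, or any official body); the notice and control field names, the "affirmative" method label and the sample purposes are assumptions made for this illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NoticeItem:
    purpose: str          # what the data is used for
    data_items: tuple     # exactly which personal data is collected
    service: str          # which service this processing enables

@dataclass(frozen=True)
class ConsentControl:
    purposes: tuple        # purposes this control grants (must be exactly one)
    default_checked: bool  # state shown before the user acts (must be False)
    method: str            # "affirmative" for a deliberate user action (assumed label)
    granted: bool          # the user's actual choice

def validate_consent(notice, controls):
    """Return the list of rule violations; an empty list means compliant."""
    problems, disclosed = [], set()
    for n in notice:
        if not (n.purpose and n.data_items and n.service):
            problems.append(f"notice {n.purpose!r}: must name data items, purpose and service")
        disclosed.add(n.purpose)
    for c in controls:
        if len(c.purposes) != 1:
            problems.append(f"control {c.purposes}: must grant exactly one purpose (no bundling)")
        if c.default_checked:
            problems.append(f"control {c.purposes}: pre-ticked by default")
        if c.method != "affirmative":
            problems.append(f"control {c.purposes}: implied consent ({c.method}) is not valid")
        for p in c.purposes:
            if p not in disclosed:
                problems.append(f"control {c.purposes}: purpose {p!r} not disclosed in notice")
    return problems

def consented_purposes(notice, controls):
    """Purposes processable on the basis of consent; none unless everything validates."""
    if validate_consent(notice, controls):
        return set()
    return {c.purposes[0] for c in controls if c.granted}

# Constructed sample: a compliant notice with two independent purposes, and a
# non-compliant control that bundles both purposes into one pre-ticked box.
NOTICE = [NoticeItem("account_login", ("email", "phone"), "sign-in to the app"),
          NoticeItem("order_delivery", ("name", "address"), "shipping of purchases")]
GOOD_CONTROLS = [
    ConsentControl(("account_login",), False, "affirmative", True),
    ConsentControl(("order_delivery",), False, "affirmative", False),
]
BAD_CONTROLS = [ConsentControl(("account_login", "order_delivery"), True, "pre_ticked", True)]
```

Only purposes the user has affirmatively ticked, one control per purpose, survive into `consented_purposes`; a single bundled or pre-ticked control invalidates the whole set rather than being silently accepted.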
Consent Managers: The Rules formalise Consent Managers as regulated intermediaries, not just facilitators, helping users manage their data permissions.
Data Breach Notification: Data Fiduciaries must notify the Data Protection Board and affected individuals within 72 hours of a breach.
Data Protection Board: The Board operates as an independent entity responsible for monitoring compliance, investigating violations, and enforcing corrective actions. Citizens can submit complaints online via a dedicated portal and mobile app, with appeals directed to TDSAT.
Penalties: The highest penalty of up to ₹250 crore applies to failures by Data Fiduciaries to maintain reasonable security.
General Data Protection
Q: What is data protection?
A: Data protection refers to the practices, safeguards, and binding rules designed to protect personal and sensitive information from unauthorised access, corruption, or loss. It encompasses legal, technical, and organisational measures that ensure privacy rights are respected and data is handled responsibly throughout its lifecycle.
Q: Why is data protection important?
A: Data protection is essential to preserve individual privacy, maintain trust, prevent identity theft and fraud, comply with legal obligations, and avoid reputational damage. Poor data protection can lead to financial losses, legal penalties, erosion of customer confidence, and harm to individuals whose data is compromised.
Q: What is the difference between data protection and data privacy?
A: Data privacy focuses on the rights of individuals to control their personal information and how it's used. Data protection refers to the tools, policies, and procedures used to secure data. Privacy is about governance and consent, while protection is about security implementation—though they work together to safeguard information.
Digital Personal Data Protection Act, 2023 (DPDPA)
Q: What is the Digital Personal Data Protection Act, 2023 (DPDPA)?
A: The DPDPA is India's comprehensive data protection law enacted in August 2023. It regulates the processing of digital personal data within India and governs how organisations collect, store, use, and share personal data of Indian citizens. The Act aims to balance individuals' right to protect their personal data with the legitimate need of organisations to process data for lawful purposes.
Personal Data & Sensitive Information
Q: What constitutes personal data?
A: Personal data is any information relating to an identified or identifiable individual. This includes names, email addresses, phone numbers, IP addresses, location data, identification numbers, online identifiers, and even information that can indirectly identify someone when combined with other data.
Q: What is considered sensitive personal data?
A: Sensitive data (often called "special category data") includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health information, sexual orientation, and criminal records. This data requires enhanced protection due to greater privacy risks.
Data Security & Protection Measures
Q: What security measures should protect personal data?
A: Appropriate technical measures include encryption (at rest and in transit), access controls, authentication systems, firewalls, and regular security testing. Organisational measures include staff training, clear policies, incident response plans, vendor management, privacy by design, and regular audits. The level of security should match the risk.
Q: What is encryption, and why is it important for data protection?
A: Encryption transforms readable data into a coded format that requires a key to decrypt. It protects data confidentiality during storage and transmission, ensuring that even if data is stolen or intercepted, it remains unreadable. Strong encryption is considered a critical safeguard and can mitigate breach notification requirements in some jurisdictions.
Data Breaches
Q: What is a data breach?
A: A data breach is a security incident where personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed by unauthorised parties. Breaches can result from cyberattacks, human error, system failures, physical theft, or insider threats. They pose significant risks to individuals' privacy and organisations' compliance.
Q: How can organisations prevent data breaches?
A: Prevention strategies include implementing strong cybersecurity measures, conducting regular security assessments and penetration testing, training employees on security awareness, using encryption and access controls, maintaining updated systems, developing incident response plans, limiting data collection, monitoring for suspicious activity, and vetting third-party vendors.
Data Breach Notification
Q: What constitutes a personal data breach?
A: A personal data breach means any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data. This includes both malicious attacks and accidental incidents caused by human error or system failures.
Q: What are the breach notification obligations?
A: Upon becoming aware of a personal data breach, Data Fiduciaries must notify the Data Protection Board and affected Data Principals in the manner prescribed by the Government. The notification should describe the nature of the breach, potential consequences, and measures being taken. Timely notification allows individuals to take protective action.
Q: Are there any exemptions from breach notification?
A: The specific circumstances under which breach notification may be exempted or modified will be prescribed in the rules. Generally, if the breach is unlikely to cause harm to Data Principals (for example, if the breached data was already encrypted), notification requirements might be reduced, but this will depend on the final rules.
Q: Where can organisations get official guidance on DPDPA?
A: Official guidance will come from the Data Protection Board of India once established, and through rules notified by the Ministry of Electronics and Information Technology (MeitY). Organisations should monitor official government websites, the Data Protection Board portal (once operational), and consult legal experts specialising in Indian data protection law for compliance advice.
DATA PROTECTION FAQs
Penalties & Enforcement
Q: What penalties can be imposed under DPDPA?
A: The Data Protection Board can impose financial penalties up to ₹250 crores (approximately $30 million USD) depending on the nature and severity of the breach. Penalties may be imposed for violations like processing without valid consent, failing to implement security safeguards, not honouring Data Principal rights, or non-compliance with Board directions.
Q: What factors determine penalty amounts?
A: Penalty determination considers the nature, gravity, and duration of the breach, the type and nature of personal data affected, the repetitive nature of non-compliance, whether the breach occurred despite compliance measures, action taken by the Fiduciary to mitigate harm, and the Fiduciary's financial position. The approach is proportionate and risk-based.
Q: Are there criminal provisions in DPDPA?
A: No, DPDPA does not contain criminal provisions. The enforcement mechanism relies entirely on civil monetary penalties imposed by the Data Protection Board. This approach focuses on regulatory compliance and remediation rather than criminal prosecution, though other laws like the IT Act may still apply to related cybercrimes.
Q: Who does the DPDPA apply to?
A: The DPDPA applies to processing of digital personal data within India, processing in connection with any activity related to offering goods or services to Data Principals within India, and systematic profiling of Data Principals within India. It covers both automated and non-automated processing of digitised personal data, applying to government entities and private organisations alike.
Q: What are the key definitions under DPDPA?
A: Key terms include "Data Principal" (the individual whose personal data is being processed), "Data Fiduciary" (the entity determining the purpose and means of processing), "Data Processor" (entity processing data on behalf of a fiduciary), "Personal Data" (data about an identifiable individual), and "Consent Manager" (an intermediary registered with the Data Protection Board that helps manage consent).
Personal Data & Scope
Q: What is considered personal data under DPDPA?
A: Personal data means any data about an individual who is identifiable by or in relation to such data. This includes names, contact information, identification numbers, online identifiers, location data, financial information, and any other data that can identify a person directly or indirectly when combined with other information.
Q: What is a Data Fiduciary?
A: A Data Fiduciary is any person (including companies, governments, or individuals) who alone or jointly with others determines the purpose and means of processing personal data. Data Fiduciaries have primary responsibility for compliance, including obtaining valid consent, ensuring data security, appointing Data Protection Officers when required, and respecting Data Principal rights.
Q: What is a Data Processor?
A: A Data Processor is any person who processes personal data on behalf of a Data Fiduciary. Processors must follow the Fiduciary's instructions, implement appropriate security measures, and assist Fiduciaries in meeting their obligations. However, if a Processor determines the purpose and means of processing, they become a Fiduciary for that processing.
Q: What are Significant Data Fiduciaries?
A: Significant Data Fiduciaries (SDF) are entities notified by the Central Government based on criteria like volume and sensitivity of data processed, risk to Data Principals' rights, potential impact on India's sovereignty and security, and business scale. SDFs have additional obligations, including appointing Data Protection Officers, conducting data audits, and implementing enhanced security measures.
Q: Who must appoint a Data Protection Officer?
A: Significant Data Fiduciaries must appoint a Data Protection Officer (DPO) who is based in India. The DPO serves as the point of contact for Data Principals and the Data Protection Board, represents the Fiduciary in matters related to data protection, and ensures compliance with the Act. The Government will notify specific requirements and qualifications for DPOs.
Q: Can Data Fiduciaries process data without consent?
A: Yes, in certain specified circumstances called "legitimate uses." These include processing by the State for specified purposes (welfare schemes, licenses, benefits), processing for legal compliance, medical emergencies, employment purposes, safeguarding life or health during emergencies, and reasonable purposes to be specified by the Government. These exemptions still require adherence to other provisions of the Act.
Children's Data Protection
Q: How does DPDPA protect children's data?
A: DPDPA prohibits processing of children's personal data in a manner that could cause harm. Data Fiduciaries must obtain verifiable parental consent before processing children's data and cannot undertake tracking, behavioural monitoring, or targeted advertising directed at children. The Act defines a child as someone below 18 years of age.
Q: What is verifiable parental consent?
A: Verifiable parental consent means consent obtained from the child's parent or lawful guardian after making reasonable efforts to verify that the person providing consent is actually the parent or guardian. The specific mechanism for verification will be detailed in the rules to be notified, balancing security with practical implementation.
Q: Are there any exemptions for processing children's data?
A: The Central Government may notify circumstances where parental consent is not required, considering the best interests of the child. This may include situations like educational purposes, health and safety, or where obtaining parental consent is not practicable. However, all processing must still ensure the child's welfare and protection from harm.