DIGITAL PERSONAL DATA PROTECTION (DPDP) RULES 2025

NEWS – The Union Ministry of Electronics & Information Technology (MeitY) has notified the Digital Personal Data Protection (DPDP) Rules 2025, operationalising key provisions of the DPDP Act, 2023. These rules aim to strengthen citizens’ control over personal data and ensure accountability among data-processing entities.

HIGHLIGHTS

Key Features of DPDP Rules 2025

1. Establishment of Data Protection Board

• A dedicated Data Protection Board (DPB) to adjudicate data breaches.
• Empowered to levy graded penalties depending on severity and nature of violation.

2. Phased Implementation (12–18 Months)

• Immediate enforcement of some rules.
• Gradual rollout of:
  • Registration and obligations of Consent Managers
  • Mandatory notices by Data Fiduciaries to individuals
  • Major compliance provisions for processing personal data

Citizen-Centric Provisions

3. Enhanced Control Over Personal Data

• Individuals can track misuse of their data across digital platforms.
• Aims to reduce spam calls, unauthorised access to personal information, video, and voice data.

4. Breach Notification Requirements

• Data fiduciaries must inform affected users:
  • Promptly and clearly
  • Through registered communication channels
• Notification must include:
  • Nature and timing of breach
  • Possible impact
  • Steps taken to prevent recurrence

Data Security Standards

• Mandatory reasonable safeguards, including:
  • Encryption
  • Firewalls
  • Additional security controls for data protection

Data Storage & Erasure

• Personal data not to be retained beyond one year, unless legally required.
• Users to be notified 48 hours before data erasure, except in cases of continued platform usage.

Penalties

• DPDP Act allows penalties up to ₹250 crore per breach.
• Graded penalty mechanism to safeguard small businesses.