India has begun implementing a new set of data protection rules that reshape how organisations collect and manage personal information. The Ministry of Electronics and Information Technology (MeitY) has rolled out the Digital Personal Data Protection (DPDP) Rules 2025, putting the operational framework of the DPDP Act 2023 into motion. The rules aim to give citizens more control over their personal data and set clear obligations for entities that handle it.
The new framework applies to social media platforms, digital services, online gateways, and any organisation that handles personal data. Users will now receive clearer details about what information is collected and how it is used. The rules also outline responsibilities for data principals (users) and data fiduciaries (organisations that decide how data is processed).
Also read: Android phones could get an iPhone-like NameDrop feature soon: Report
How Organisations Must Handle Personal Data
The DPDP Rules 2025 specify how personal data must be collected, processed, secured, and retained. Both government departments and private companies are required to follow these standards.
Data Fiduciaries must implement strong security safeguards to prevent breaches. They must use methods such as encryption, masking, obfuscation, tokenisation, and strict access controls while handling data. Continuous monitoring, activity logging for at least one year, and secure backups also form part of the required security framework.
Contracts with Data Processors must include mandatory security clauses. In the event of a breach, Data Fiduciaries must inform affected users without delay. They must share what occurred, possible risks, steps taken, and contact details for further assistance. They must also report the breach to the Data Protection Board within 72 hours.
Also read: Red Dead Redemption coming to mobile phones, to Netflix and next-gen consoles on this date…
Rules for Children’s Data
The rules place additional responsibility on organisations processing children’s data. Any data of a person under 18 years of age can only be processed after obtaining verifiable parental consent.
Data Fiduciaries must confirm the identity and age of the parent or guardian using reliable methods, including verified virtual tokens or Digital Locker–based identity checks. Without verified consent, companies cannot collect or process a child’s personal data.
Transfer of Data Outside India
The DPDP Rules 2025 allow organisations to transfer personal data outside India, subject to conditions set by the central government. Transfers can take place only if they meet requirements specified through general or special orders, ensuring oversight when data is shared with foreign states or entities.
Also read: OnePlus 15R teased to launch soon in India: Here’s what’s coming next month
Implementation Timeline
While the rules are now notified, their implementation will take place in phases. Several sections of the Act have come into force immediately, while others will follow over the next 12 to 18 months. This staggered rollout gives organisations time to align their systems with the new requirements.
During this phase, companies must work towards issuing clear notices to users while maintaining security standards, reporting breaches promptly, managing data retention responsibly and making it easy for users to access, correct or delete their data. Entities classified as Significant Data Fiduciaries must also fulfil additional obligations.
