(MENAFN- KNN India) New Delhi, Nov 14 (KNN) The Government of India has notified the Digital Personal Data Protection (DPDP) Rules, 2025, bringing the DPDP Act, 2023 into full effect and establishing a complete regulatory framework for digital personal data protection.

According to the Ministry of Electronics and IT (MeitY), the Act and Rules form a citizen-centric and innovation-friendly system for data protection, guided by the SARAL design (Simple, Accessible, Rational and Actionable) and supported by plain language and illustrations for ease of compliance.

The DPDP Act outlines obligations for data-handling entities and rights of individuals, built on seven principles including consent, transparency, data minimisation and accountability.

The DPDP Rules provide an 18-month phased timeline for organisations to meet compliance requirements. Data Fiduciaries must issue simple, standalone consent notices clearly stating the purpose of data collection, while Consent Managers handling user permissions must be India-based.

In case of a data breach, entities must promptly inform affected individuals in clear language, outlining the nature of the breach, possible risks and steps taken.

Processing personal data of children requires verifiable parental consent, with limited exemptions for essential services such as healthcare, education and real-time safety.

For individuals with disabilities who are unable to make decisions even with support, consent must come from a lawful guardian verified under applicable laws.

Significant Data Fiduciaries will be subject to stricter requirements, including independent audits, impact assessments and enhanced due diligence. They must also comply with government restrictions on sensitive data, including localisation where notified.

All Data Fiduciaries must display clear contact details, such as a designated officer, to help individuals seek information or exercise their rights.

Individuals will have the right to access, correct, update or erase their personal data and may nominate someone to exercise these rights on their behalf. Entities must respond to such requests within 90 days.

The Data Protection Board will function as a fully digital adjudicatory body, enabling users to file and track complaints online through a dedicated platform and mobile application. Appeals will lie with TDSAT.

MeitY said the framework balances citizen privacy with innovation and economic growth, offering facilitative compliance for startups and smaller enterprises.

The government added that the DPDP Act and Rules will strengthen data governance, enhance trust and support India's ambition of building a secure and globally competitive digital economy.

(KNN Bureau)

MENAFN15112025000155011030ID1110347955