India has rolled out the DPDP Rules 2025, setting a phased timetable for enforcing stronger privacy safeguards
The rules empower citizens to act against misuse of their personal information
Experts say the move will boost transparency but also demand significant upgrades in processes, technology and compliance systems
The Ministry of Electronics and Information Technology (MeitY) has released the long-awaited Digital Personal Data Protection Rules 2025, which will be implemented in phases spread over 12-18 months. The rules aim to give citizens control over their data, allow them to check for misuse, and protect their privacy in the online space.
The government stated that some parts of the rules will be implemented immediately, while provisions like registration and obligations of consent managers, notice from data fiduciaries to individuals for processing their data and some other major norms related to processing of personal data etc, will be implemented over a period of 12-18 months.
"Now, therefore, in exercise of powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby makes the following rules, ... These rules may be called the Digital Personal Data Protection Rules, 2025," the notification read.
The new rules are expected to help citizens avoid spam calls and unauthorised access to their personal data, video, and voice via any digital means. The rules set out a mechanism for establishing a Data Protection Board, which will levy penalties based on the nature of the breach as listed in the DPDP Act 2023.
Citizens can now take recourse if their phone numbers are leaked for unauthorised calls. The rules will help investigate and identify the entity that leaked the phone number of an individual without consent, and penal actions can be taken against those found guilty.
The rules came into force eight years after the Supreme Court, on August 24, 2017, held that the Right to Privacy is a fundamental right with restrictions specified and relatable to fundamental rights as embedded in the Constitution.
31 October 2025
Get the latest issue of Outlook Business
The notification has prompted an immediate response from industry stakeholders, who say the move marks a decisive shift in how companies handle personal data. "Indian enterprises have a clear roadmap on how they collect, process, secure, and govern personal data," said Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India.
Since the rules set fixed obligations, Rao stated that enterprises must immediately prioritise data discovery, classification and data-mapping exercises, implement consent and retention workflows, strengthen breach-response mechanisms, and deploy technology-led governance tools that provide real-time visibility across the data lifecycle.
The successful implementation of DPDP rules, according to Mayuran Palanisamy, Partner, Deloitte India, will require ongoing collaboration among regulators, businesses, and consumers. He believes that organisations will need to invest in updated processes, technologies, and training to create a more transparent ecosystem and meet these requirements effectively”.
"It will give organisations time to prepare and also help is better compliance, besides giving the Regulator also the opportunity to put in place appropriate enforcement mechanisms," said Salman Waris, partner at TechLegis Advocates & Solicitors.
However, in the long term, Waris said that companies will see an increase in compliance costs and overall a positive step bringing to conclusion an extraordinarily long drawn process for implementing such an important legislation.
Shahana Chatterji, partner, Shardul Amarchand Mangaldas & Co also echoed similar sentiments, saying the industry will now need to focus on the work to be done to align their data practices with the requirements of the DPDP Act and MeitY will need to focus on providing regulatory and interpretational clarity that will be inevitably be needed.
The rules set out a mechanism for establishing a Data Protection Board, which will levy penalties based on the nature of the breach as listed in the DPDP Act 2023.
