Digital Personal Data Protection Rules Come Into Force

Full Implementation Begins

Digital Personal Data Protection Rules Come Into Force: The government has officially enforced the Digital Personal Data Protection (DPDP) Rules, 2025, completing the operational rollout of the DPDP Act, 2023. These rules are a major milestone in strengthening India’s digital privacy landscape.
They also align with the Supreme Court’s landmark 2017 K.S. Puttaswamy judgment, which upheld the right to privacy as a fundamental right.

Core Framework of the Act

The DPDP Act creates a structured framework governing the collection, storage and use of digital personal data.
It applies to data collected in digital form, including data initially collected offline and later digitized.
It also covers data processing outside India when such processing relates to offering goods or services in India.

Responsibilities of Data Fiduciaries

Entities that handle personal data, known as Data Fiduciaries, must provide clear notices explaining the purpose and method of data processing.
The rules mandate that individuals should be able to give, deny, or withdraw consent easily.
Data Fiduciaries must also maintain updated records, ensure lawful processing, and follow data minimisation principles.
They are responsible for safeguarding data through reasonable security controls and prompt breach detection mechanisms.

Rules for Children and Persons With Disabilities

Processing the personal data of children or persons with disabilities requires verifiable consent from a parent or lawful guardian.
The verification must be reliable, ensuring that only authorised guardians approve the data processing.
Fiduciaries must avoid activities that could harm a child’s wellbeing, including targeted advertising.

Enforcement Through the Data Protection Board

The Data Protection Board (DPB) functions as the adjudicatory authority for privacy violations.
It has powers similar to a civil court, enabling it to issue notices, seek records, conduct investigations and impose penalties.
The DPB also handles breach complaints and can direct corrective measures to ensure compliance.

Significant Data Fiduciaries

Some organisations may be classified as Significant Data Fiduciaries (SDFs) based on the volume or sensitivity of personal data they process.
These entities must appoint a Data Protection Officer based in India and conduct periodic Data Protection Impact Assessments.
They are also required to undergo independent audits, ensuring higher accountability and stronger data security.

Mandatory Breach Reporting

In the event of a personal data breach, Data Fiduciaries must notify both the DPB and affected individuals.
Reports must include details of the incident, potential risks, and steps taken to mitigate the breach.
This rule ensures transparency and enables timely protective action by individuals.

Broader Significance of the Rules

With the DPDP Rules now in effect, India strengthens its position as a major digital economy with strong privacy safeguards.
The framework enhances data sovereignty, improves user trust, and brings India closer to global standards of digital governance.

Static GK fact: The Supreme Court of India recognised privacy as a fundamental right in the 2017 K.S. Puttaswamy case.
Static GK fact: India’s first large-scale digital identity system, Aadhaar, began enrolment in 2009.

Static Usthadian Current Affairs Table

Digital Personal Data Protection Rules Come Into Force: