MeitY activates India’s first data protection law with release of final DPDP rules
Under the rules, organisations handling personal data must explain what information is collected and why, while offering direct options for withdrawing consent or raising complaints
by
Published: Nov 14, 2025 11:46 AM | 2 min read
The Ministry of Electronics and Information Technology has issued the final rules for the Digital Personal Data Protection Act, formally setting India’s data protection law into motion. This notification closes the loop on the draft released for public feedback in January 2025, with the government now publishing the framework that will guide how personal data is collected, processed and stored.
Implementation will not happen all at once. Foundational rules, including those related to governance and Board appointments, are in force immediately. The registration process for Consent Managers begins a year from the notification date, while the broader operational requirements will apply after an 18-month transition window. This staged rollout gives companies time to restructure policies, update systems and prepare for audits.
Is DPDP the key to data protection? Read on to know more
Under the rules, organisations that handle personal data must issue standalone notices that clearly explain what information is collected and why, while offering direct options for withdrawing consent or raising complaints. The norms also place firm limits on how long data can be retained, with certain categories requiring mandatory deletion after inactivity and advance warning to users.
Security has been given equal weight, with platforms required to maintain measures such as encryption, controlled access and mandatory log retention. Breaches must be promptly communicated to both affected individuals and the Data Protection Board, which must receive a detailed report within strict timelines. Processing of children’s data requires verifiable parental approval, supported through approved identity-validation methods.
Read e4m report on what DPDP spells for FMCG
Entities classified as Significant Data Fiduciaries will face deeper scrutiny, including annual audits, impact assessments and compliance with additional localisation and algorithmic safeguards.
With these rules now notified, India enters a new phase of regulated data governance, setting clearer responsibilities for organisations and stronger protections for users.
Read more news about Digital Media, Internet Advertising, Marketing News, Television Media, Radio Media
For more updates, be socially connected with us onInstagram, LinkedIn, Twitter, Facebook, YouTube & Google News
