On Friday, 14 November 2025, the Union government announced the implementation of substantial parts of the Digital Personal Data Protection Act (DPDP), 2023. This marks an important step towards meeting the Supreme Court’s 2017 ruling in K.S. Puttaswamy vs Union of India, which affirmed the right to privacy and called for a dedicated data protection law. The government also released the DPDP Rules, 2025, following a draft circulated in January for public discussion.
The official notification stated: “The Central Government hereby makes the following rules in exercise of the powers granted by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023). These rules may be called the Digital Personal Data Protection Rules, 2025.”
Phased introduction of the DPDP framework
The framework will be implemented in phases over 12 to 18 months, with some provisions taking effect immediately and others being introduced gradually.
Passed by Parliament in August 2023, the Act requires businesses to protect the digital personal data of Indian citizens, excluding the “State and its instrumentalities”. Non-compliance may result in financial penalties. Transparency advocates have argued that the Act weakens the Right to Information Act, 2005 by removing the obligation of government bodies to disclose “personal information” even where public interest may outweigh privacy concerns.
The regulations are expected to help citizens avoid spam calls and prevent unauthorised access to personal voice, video, and other digital information. Under the DPDP Rules, individuals may investigate and identify the entity responsible for leaked phone numbers or unsolicited calls, and the unauthorised sharing of phone numbers could attract legal consequences.
Compliance timelines for data fiduciaries
Some requirements for data fiduciaries, organisations responsible for collecting and processing personal data, will take longer to come into force. For example, the obligation to publish the details of their designated Data Protection Officer (DPO) will apply from 14 November 2025, but full compliance with related responsibilities is required only by November 2026. The consent manager framework, which allows authorised entities to act on behalf of users in exercising their rights to data erasure or correction, will also come into effect next year. Large technology companies will not be fully subject to the Act until May 2027.
Shashank Karincheti, Co-Founder & Chief Product Officer (CPO), Redacto, noted, “With the DPDP Rules now in force, enterprises are entering a new phase of accountability. This is where intent must turn into action. Every organisation that collects or processes personal data will now be judged by the clarity of its systems and the discipline of its governance. Privacy has moved from being a legal topic to becoming an operational reality that defines trust and credibility.”
He further added, “At Redacto, we are helping enterprises meet this moment with precision and confidence. Our platform gives companies a real-time view of how data moves, who accesses it, and where the risks lie. This is not about compliance for compliance’s sake. It is about building organisations that can innovate responsibly, operate transparently, and stand behind every piece of data they hold.”
Key rights and protections for citizens
The Act grants citizens several protections, including clear communication of what data is collected, the purpose for its collection, and the reasons for processing, all presented in plain language. A registered consent manager will oversee implementation of the DPDP Rules 2025. Data fiduciaries must implement appropriate security measures, such as encryption and firewalls, to protect personal data. In the event of a data breach, affected individuals must be notified promptly through their user account or another registered communication channel, with concise information about the nature and timing of the breach, its impact, and planned remedial steps.
Personal data may not be retained for more than one year unless legally required, and users must be notified 48 hours before data deletion unless continued use of the service necessitates its retention. Data fiduciaries must also publish contact details for the person responsible for responding to data-processing queries. Verifiable consent is required from a parent or guardian before processing the personal data of children under 18, and similar consent is needed from a lawful guardian for processing the data of persons with disabilities.
The DPDP Act, 2023 has undergone three major revisions since 2017. The initial 2018 draft included provisions such as mandatory data localisation, which faced strong opposition from technology companies. Many of those provisions were removed in the 2023 version, which has been more broadly accepted by Indian and international firms likely to be designated as “significant data fiduciaries”.
Commenting on the announcement, Akshay Garkel, Partner and Leader for Cyber at Grant Thornton Bharat, said, “With the notification of the Digital Personal Data Protection Act, 2023 and the accompanying rules, India’s data-protection regime has moved decisively from promise to practice. The government has launched a phased rollout: some foundational obligations are effective immediately, key compliance duties begin after 12 months, and the full framework is phased in over 18 months. The establishment of the Data Protection Board of India and the defined timeline for industry readiness indicate regulatory intent. Data protection is no longer a future requirement; it is a present-day operational necessity.”