DPDP RULES
Rule 1 – Short title and commencement.
Rule 2 – Definitions
Rule 3 – Notice given by Data Fiduciary to Data Principal
Rule 4 – Registration and obligations of Consent Manager
Rule 5 – Processing of personal data for provision or issue of subsidy …
Rule 6 – Reasonable security safeguards
Rule 7 – Intimation of personal data breach
Rule 8 – Time period for specified purpose to be deemed …
Rule 9 – Contact information of person to answer questions about processing
Rule 10 – Verifiable consent for processing of personal data of child
Rule 11 – Verifiable consent for processing of personal data …
Rule 12 – Exemptions from certain obligations …
Rule 13 – Additional obligations of Significant Data Fiduciary
Rule 14 – Rights of Data Principals
Rule 15 – Transfer of personal data outside
Rule 16 – Exemption from Act for research
Rule 17 – Appointment of Chairperson …
Rule 18 – Salary, allowances and other terms …
Rule 19 – Procedure for meetings of Board
Rule 20 – Functioning of Board as digital office
Rule 21 – Terms and conditions of appointment …
Rule 22 – Appeal to Appellate Tribunal
Rule 23 – Calling for information from …
First Schedule – Conditions for registration of …
Second Schedule – Standards for processing of …
Third Schedule
Fourth Schedule – Classes of Data Fiduciaries …
Fifth Schedule – Terms and conditions of …
Sixth Schedule – Terms and conditions of appointment …
Seventh Schedule
The Digital Personal Data Protection Rules, 2025
Step into your dedicated resource for understanding India’s Digital Personal Data Protection Rules, 2025. On November 13th 2025, the Ministry of Electronics and Information Technology released the draft rules for the Digital Personal Data Protection Rules, 2025.
The DPDPA is India’s comprehensive data protection law, designed to protect the personal data of individuals and ensure accountability in the processing of such data. From the processing of children’s data to the setting up of data protection boards and a consent manager framework, the DPDP Rules are set to supplement the Act and provide clarity on the various compliance requirements under India’s data privacy regime. Their aim is to safeguard personal data, empower individuals with rights over their data and ensure responsible processing of such data by organisations. As your compliance partner, we transform complex privacy compliance requirements into actionable strategies for your organization.
The Digital Personal Data Protection Rules, 2025
Rules supplementing the DPDPA to regulate the processing of digital personal data by efficiently balancing the rights of individuals over their data, business requirements and the need for lawful processing.
Important FAQs on the Updated DPDP Rules
The rules clarify how the Digital Personal Data Protection Act will work in practice. They set out duties for organisations and give clearer rights to individuals.
Under the DPDP Rules, 2025, personal data is defined as any data about an individual who is identifiable by or in relation to such data. This includes any information that can be used, directly or indirectly, to identify a person, such as their name, address, contact information, or other unique identifiers.
Yes. Consent must be free, specific, informed, unambiguous, and given by a clear affirmative action after a plain-language notice. For children and certain vulnerable persons the Rules require verifiable consent and technical/organisational measures to verify guardians. Withdrawal must be as easy as giving consent.
Yes. The Rules require plain language notices and an itemised description of the personal data and the specific purpose(s), plus communication links for exercising rights.
Yes. The Rules require verifiable parental consent for anyone under 18, with limited exemptions for essential services (healthcare, education, safety). They also list the processes for verifying a parent, such as reliable ID, virtual token, Digital Locker, etc.
The Rules require reasonable security safeguards such as encryption, masking, access controls, logs, backups, accuracy, and deletion when no longer needed.
Significant Data Fiduciaries must appoint a Data Protection Officer, conduct periodic Data Protection Impact Assessments and audits, implement enhanced safeguards for high-risk or algorithmic processing, and comply with any government-notified restrictions requiring certain categories of personal data to remain within India.
Individuals can now request access to their data, ask for corrections, request deletion, and seek grievance redressal.
Yes. Organisations must have a grievance redressal system and respond within a period not exceeding 90 days under that system.
Yes. Certain classes in the Third Schedule have fixed periods, e.g., three years for some large platforms. Logs and processing records must be retained for at least one year, and Data Principals must be notified 48 hours before scheduled erasure under the time-limit rules.
Yes. Data can be transferred abroad except to countries restricted by the government. The rules focus more on allowed transfers than strict blocks.
Yes. Data Fiduciaries must implement reasonable security safeguards, including encryption, access controls, logging, backups and one-year log retention, and must also intimate personal data breaches to affected individuals and the Board without delay and submit detailed breach information within the prescribed 72-hour timeframe.
Yes. The rules are linked with high monetary penalties under the Act. Penalties depend on the seriousness of the breach.
Data Processors must process personal data only on documented instructions from the Data Fiduciary, implement the required technical and organisational security safeguards, and comply with contractual provisions mandating protection of the data they handle.
Individuals gain clearer rights to access, correction, erasure and grievance redressal, benefit from stricter security obligations on organisations, and receive stronger transparency and accountability in how their personal data is processed.