The government released the long-awaited Digital Personal Data Protection (DPDP) Rules 2025 on Friday, November 14. They will be implemented in phases spread over 12-18 months.

The DPDP Rules are designed to give citizens greater control over their personal data and protect them from misuse. The framework is expected to curb spam calls, unauthorised access to personal information, and misuse of digital identity, voice or video data via any digital means.

Penalties can go up to Rs 250 crore per breach

The rules clarify the structure and functioning of the Data Protection Board, which will investigate breaches and impose penalties. The DPDP Act allows penalties of up to Rs 250 crore per breach, with a graded system in place to ease the burden on small businesses.

With the DPDP Rules in place, citizens can take recourse if their phone numbers are leaked for unauthorised calls. The rules will help investigate and identify the entity that leaked the phone number of an individual without consent, and penal actions can be taken against those found guilty.

Citizens must follow key responsibilities under DPDP

The rules came into force eight years after the Supreme Court declared the Right to Privacy a Fundamental Right in 2017. However, the DPDP framework also places certain responsibilities on citizens, including providing accurate information for government IDs, avoiding frivolous complaints and submitting verifiable information while seeking corrections or deletions of personal data.

Some exemptions apply, including cases involving court orders, law enforcement, prevention or investigation of offences, cross-border contracts signed by individuals abroad, and verification of financial information of loan defaulters. The Centre may also exempt certain start-ups or government entities for implementing schemes, research or innovation.

Some DPDP provisions to kick in immediately

While some provisions take effect immediately, key requirements (such as registration of consent managers, obligations on data fiduciaries to issue notices before processing personal data, and other major compliance norms) will be implemented gradually over a period of 12-18 months.