Digital Personal Data Protection Rules, 2025: What They Mean and When They Apply
The Digital Personal Data Protection Rules, 2025, notified on November 14, outline how personal data must be collected, stored, processed, and protected in India. These Rules operationalise the Digital Personal Data Protection Act, providing detailed procedures for consent, data breaches, grievance redressal, and responsibilities of data fiduciaries (entities handling personal data).
The Rules mandate clear and informed consent, allow individuals to access, correct, or erase their data, and require organisations to adopt strong security practices. They also define timelines for notifying data breaches and lay out penalties for non-compliance.
Importantly, the Rules balance privacy with transparency by clarifying how the law interacts with the Right to Information (RTI). They reaffirm that non-personal and public-interest information under RTI remains accessible.
These Rules apply to all digital personal data, whether collected online or digitised later, and to entities operating in India or offering services to individuals in India.
Digital Personal Data Protection Rules, 2025: What They Mean and When They Apply
