DPDP Rules enactment: What it means for companies and citizens

The DPDP Rules 2025 have been rolled out by the government, mandating stronger privacy safeguards, phased compliance, and penalties up to ₹250 crore per breach. But experts point out gaps and concerns.

Last Updated: Nov 14, 2025, 18:06 IST

The Digital Personal Data Protection Act (DPDP) was passed in Parliament in 2023. It was passed to “provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto,” as per the Ministry of Law and Justice.


Two years after the passing of the Act, the Ministry of Electronics and Information Technology (Meity) on Friday brought it into effect by notifying the rules as well as a four-member data protection board under the DPDP Act, 2023.

As per Meity:

  • Companies have 12 months (until Nov 14, 2026) to appoint consent managers, who will be accountable for social media platforms seeking user consent to use personal data for business purposes.
  • They have 18 months to set up a system for obtaining explicit user permission before using data for purposes like targeted ads.
  • Data breaches must be reported to the data protection board within 72 hours and users must be informed without delay.
  • All social media platforms and data handlers must appoint a data protection officer within 18 months.
  • Companies must obtain verifiable parental consent before using data of users under 18 and cannot use certain data types that enable tracking minors for targeted ads, which has been an industry demand since the draft rules were issued.

The notifications come after Meity initiated a new framework built around the idea of ‘consent as a live signal’ to operationalise the Digital Personal Data Protection Act (DPDP) 2023 in August 2025. As part of the initiation, six companies were shortlisted in the first round of its ‘Code for Consent’ challenge to develop real-world Consent Management Systems (CMS). The selected teams were Jio, IDfy, Redacto, Zoop, Concur, and Aurelion, and were given three months to make working prototypes.


Provisions

As per the notification, the provisions extend to citizens and include the following: the data collected, its purpose, and its usage must be clearly stated in plain language; reasonable safeguards, including encryption and firewalls, must protect personal data; in case of a breach, users must be notified promptly and clearly, with details of timing, impact, and future measures; and data cannot be stored beyond one year unless legally required, with the provision that users must be informed 48 hours before erasure, except when the account continues to be used.

In the instance of a breach, which will be assessed on its nature and severity, penalties will be levied on data fiduciaries for non-compliance, with fines reaching up to ₹250 crore per breach.

What do the rules mean for the data protection landscape?

According to Ankit Kedia, founder & lead investor at VC firm Capital-A, the DPDP Rules come at a time when India’s digital economy is scaling on real industrial use-cases. “The framework brings clarity to how personal data is collected, stored and processed, and pushes organisations to build stronger internal systems. It sets the tone for a more disciplined and transparent data culture across sectors.”

Ashok Hariharan, CEO and co-founder, IDfy, one of the companies selected to work on the systems, agrees. According to him, the rules coming into effect mark a pivotal shift in India’s data protection landscape. “It isn’t simply about meeting obligations—it’s about redefining how we honour the trust placed in us by every individual whose personal data we steward,” says Hariharan. He stresses the need for the industry to design systems where consent is not an afterthought, breach-readiness is built-in, and privacy by design becomes the default. “The real work begins now: Translating policy into architecture, ambition into culture, and intent into impact.”

Shashank Karincheti, co-founder and CPO of Redacto, another privacy company which was selected in Meity’s ‘Code for Consent: The DPDP Innovation Challenge’, explains that with the DPDP Rules now in force, enterprises are entering “a new phase of accountability”. Every organisation that collects or processes personal data will now be judged by the clarity of its systems and the discipline of its governance. With these rules, privacy has moved from being a legal topic to becoming an operational reality. “For most companies, compliance will not come from adding new paperwork but from rethinking how data flows within their systems. That means mapping every interaction, validating every access, and creating a single source of truth for personal information across teams and vendors. This requires precision and structure, not just policy,” says Karincheti.

Redacto is helping companies by giving them a live view of how data moves, who accesses it, and where the risks lie, so they can act before issues escalate.


Amit Kumar, Redacto’s CEO and co-founder, is of the view that the DPDP rollout changes how enterprises think about systems, not just data. “This is not an exercise in documentation. It is an exercise in design. Every organisation that handles personal data must now build the ability to see, trace, and justify its use in real time. That is the true test of digital accountability.”

Experts are of the view that DPDP Rules and their effective implementation will also shift power back to individuals in an ever-expanding digital economy and push companies toward higher standards of governance and accountability. “This moment signals the rise of a new infrastructure layer. Privacy-tech will stand alongside fintech and deeptech as a category that enables sustainable growth. The winners in this new phase will be the ones that treat regulation as a roadmap, not a restraint,” says Karthik Prabhakar, managing partner at PeerCapital.

Challenges and concerns

From a legal standpoint, however, the rules come with gaps and concerns. As per a statement by the Internet Freedom Foundation (IFF), the DPDP Rules, 2025 follow the same trajectory as the DPDP Act, 2023. While they mark an important institutional milestone, they do not address key structural concerns repeatedly raised by civil society. As a result, ordinary users still lack a rights-centred data protection framework, even as large data processing entities gain greater discretion and opacity. “The DPDP Act, 2023 and its implementing DPDP Rules, 2025, instead of buttressing citizens’ data rights, have created new barriers to transparency and individual freedom. The Act itself instituted onerous duties on individuals and carved out broad exceptions that weaken the fundamental right to privacy,” the IFF statement points out.

Lagna Panda, partner at law firm AP & Partners, also raises concerns. She explains that the rules specify that entities will be designated as significant data fiduciaries (SDFs) by a committee constituted by the Central Government. However, there is no clarity on the criteria and the process to be followed for designating an entity as an SDF. The rules also say that the committee will specify the categories of personal data that must be localised by SDFs in India. She says the absence of guidance on how data localisation determinations will be made creates regulatory uncertainty.

“The provisions ought to have specified details of how the committee will be constituted including its composition, the process to be followed for designating SDFs, procedure for making submissions in relation to localisation proposals, and timelines for implementing data localisation mandates,” she says.


First Published: Nov 14, 2025, 18:16

Samidha graduated with a bachelor's in mass media from Sophia College, Mumbai, right before joining Forbes India, where she writes about various startups across industries. She also works on News by N