
Upstox Originals

DPDP Rules 2025: What India’s new data protection rules mean for you and organisations

Rashi Bisaria

5 min read | Updated on December 04, 2025, 19:08 IST


SUMMARY

Amid rising data breaches, India notified its Digital Personal Data Protection (DPDP) Rules on November 14, 2025, giving full effect to the DPDP Act of 2023. The Act treats personal data as user property, imposing strict security obligations on companies. It grants citizens the right to access, correct and erase their personal data. Here is a breakdown of its key features.


Nearly 6,500 data breaches have been reported in the past 20 years | Image: Shutterstock

As you browse the internet, does it ever bother you that your personal data might be at risk? Do you think twice before sharing your personal details on websites? For how long is your data saved by an organisation? If you haven’t given these a thought, it’s time you did.


Nearly 6,500 data breaches have been reported in the past 20 years, affecting private companies, government bodies and individuals alike.

But some relief might be in the offing. The Indian government notified the Digital Personal Data Protection Rules on November 14, 2025. These are rules that every company, app or government body must adhere to when they collect, store or use your personal data.

With these rules, the Digital Personal Data Protection Act, 2023, takes full effect. The Act calls for responsible use of digital personal data and is the first law to protect the personal digital information of citizens in India.

The need for the law is very real. Who can forget the massive 2018 Aadhaar leak where personal details of over a billion citizens were compromised, the AIIMS ransomware attack or the 2021 Domino’s data leak where 180 million order records were leaked online?

What does the Act mean for organisations and individuals?

Experts believe that although it was much needed, it is bound to increase compliance and legal costs for companies. For individuals, the Act provides several much-awaited benefits. Their personal data is now their property. They have the right to seek appropriate grievance redressal if their data is misused. They now have greater control over their personal data.

Imagine this: You can now officially demand that an e-commerce site delete your data if you no longer wish to transact with them.

Key features of the Act

The Act recognises that your personal data is your property.

The Act recognises two key parties:

The User or the Data Principal: Your data is being collected and you are the owner.

The Company/App (The Data Fiduciary): This is the entity that decides why or how your personal data will be processed.

The Act protects users’ rights

According to the Act, the user has the right to give consent, which means the company must ask for your permission to use your personal data. Further, the company can only use your data for the exact purpose you agreed to. You, the user, can withdraw that consent, too. You also have the right to access and correct your personal data. You can demand that the organisation update or correct any personal information if the need arises. When the purpose for which the data was being used is over, you can demand that the data be deleted.

What the law requires from companies

The data fiduciary or the organisation has strict obligations under the law.

Mandatory security: They need to implement security safeguards to protect data from being stolen, misused or leaked.

Notification of data breach: If the user’s personal data is hacked or leaked, the company must inform the Data Protection Board of India and the user immediately, in a simple manner.

Maintaining accuracy: The company must make efforts to ensure that the personal data they use is accurate and complete.

Deletion of data: They must delete the data after the purpose for which it had been collected has been served.

The new rules cover various aspects of data protection including obligations of the consent manager, data retention, consent for processing a child’s data, obligations of the data fiduciary, etc.

The government plans to roll out the law in a phased manner spanning 18 months. This time span allows businesses time for the change while establishing enforcement mechanisms. Certain provisions such as establishment of the Data Protection Board of India became effective November 14, 2025. Data fiduciaries or organisations handling personal data have until November 2026 to comply with certain provisions, including disclosing the details of their Data Protection Officer.

Data breaches have been increasingly impacting businesses and individuals. Bad actors have been exploiting vulnerable digital platforms, stealing consumer data for their own gains. The average total organizational cost of a data breach in India reached an all-time high of ₹220 million in 2025, a 13% increase over last year. It was the right time for the launch of a law consumers were waiting for.

Experts have highlighted both opportunities and challenges for companies and individuals. They acknowledge that companies are now bound to face more disclosures, tighter reporting timelines and higher fines.

The smaller companies stand to lose more than the bigger players as compliance, technology and legal costs go up. Enterprises will need to overhaul the system by which they collect, store, use and protect digital data. For individuals, it could serve as a boon as they own their own data and can hold organisations accountable for the misuse of it.


About The Author

Rashi Bisaria
Rashi Bisaria is a storyteller with more than two decades of experience in the media industry across print, TV and digital. She likes to get to the heart of a story to share a balanced perspective and reveal the facts.
