
The Ministry of Electronics & Information Technology (MeitY) has formally issued the rules that operationalise the Digital Personal Data Protection (DPDP) Act, marking a major step in India’s data-protection journey. These rules lay down how organisations must collect, process, store, transfer and safeguard personal data of individuals in India.
What the Rules Cover
1. Obligations of Data-Handling Entities
Data fiduciaries, entities that determine how personal data is processed, are now required to adhere to a set of standard procedures under the rules. These include obtaining valid consent, clearly stating purposes, implementing security safeguards and providing data principals (individuals) with rights such as access, correction and erasure.
2. Individual Rights & Entitlements
The rules empower individuals by giving them:
- The right to be informed about the data collected and how it is used.
- The right to withdraw consent.
- Rights around data deletion or anonymisation when they stop using a service.
3. Significant Data Fiduciaries (SDFs) & Enhanced Compliance
Special obligations apply to large entities handling vast or sensitive personal data. They may face stricter compliance around audits, impact assessments, cross-border data transfers and breach notifications.
4. Retention, Breach & Cross-Border Transfers
The rules set out norms for how long data may be retained, when it must be erased (for instance when an account has been inactive), notification obligations in case of data breaches and conditions for sending personal data outside India.
Key Dates & Process
- The draft DPDP rules were released in January 2025 and public consultation followed.
- On 14 November 2025, the final rules under the DPDP Act were notified.
- With these rules in force, the DPDP Act moves from legislative intent to an actionable compliance regime.
Why It Matters
- Clarity for Businesses: Startups, platforms, e-commerce and social-media services now have a clearer regulatory framework for personal data.
- Consumer Rights: Individuals have legal strength behind claims around how their data is used, stored and transferred.
- Innovation-Compliance Balance: While regulation increases, the rules attempt to strike a balance between data protection and business growth, especially for startups and MSMEs.
- Global Tech Stack Impact: For companies with cross-border operations, the rules on data export and SDF compliance will affect architectures, contracts and audits.
What to Watch
- How the Data Protection Board (yet to be fully constituted) handles oversight and enforcement.
- Sector-specific overlaps (e.g., fintech, health-tech) where existing regulation (such as that of the RBI and IRDAI) may intersect with the DPDP regime.
- The timeline for startups and smaller firms to adjust operations, especially around consent logs, data-maps and deletion routines.
- Fair implementation: how the rules affect everyday services like social-media platforms, e-commerce portals, and apps used by millions.
Final Thought
With the notification of the DPDP Rules, India’s personal-data ecosystem enters a new stage, one where rights, responsibilities and remedies are no longer abstract but regulated. For businesses, the journey from draft compliance to live operations begins. For individuals, the protections they were promised now rest on enforceable legal ground.

