On 13th November 2025, the Ministry of Electronics and Information Technology (MeitY), Government of India (GoI), notified the Digital Personal Data Protection (DPDP) Rules 2025, operationalizing the Digital Personal Data Protection Act, 2023 (DPDP Act, 2023).
Phased Implementation:
- Rules 1, 2, 17–21: Effective from 13th November 2025 (covering the Data Protection Board’s constitution and procedures).
- Rule 4: Effective from 13th November 2026 (Registration and obligations of Consent Managers).
- Rules 3, 5–16, 22–23: Effective from 13th May 2027 (18 months later) (covering core obligations like consent, notices, and data breach reporting).
Key Provisions:
- Scope: Establish procedures, obligations, and safeguards for collection, processing, storage, and erasure of personal data.
- Consent & Notices: Data Fiduciaries must provide clear, itemised notices detailing personal data collected, purpose, and withdrawal mechanisms (Rule 3).
- Consent Managers: Must register with the Data Protection Board (DPB) (Rule 4).
- Breach Notification: Notify affected users and DPB within 72 hours with details and mitigation steps.
- Data Retention & Erasure: Personal data must be erased once purpose is served; data principals notified 48 hours prior (Rule 9). Logs and essential records retained for a minimum of one year.
- DPDP Board Composition: Chairperson and 3 Members, appointed through search-cum-selection committees chaired by the Cabinet Secretary (for Chairperson) and Secretary, MeitY (for Members).