DPDP Rules: India has taken a major step toward enforcing its new digital privacy framework with the formal notification of the Digital Personal Data Protection (DPDP) Rules and the establishment of the Data Protection Board. Issued by the Ministry of Electronics and Information Technology (MeitY) on November 14, the rules translate the 2023 law into actionable obligations for companies and grievance-handling mechanisms for citizens.
With this, India’s long-awaited data protection regime finally moves from legislation to implementation.
ALSO READ: India To Get Data Protection Board: Here’s How DPDP Rules Shake Things Up
Top 5 Facts To Know About The Newly Notified DPDP Framework
1. Data Protection Board Has Been Formally Set Up
MeitY has officially constituted the Data Protection Board, the adjudicatory body responsible for enforcing the DPDP Act.
The Board will conduct inquiries into data breaches, issue directions to platforms and determine penalties for violations.
2. Board Will Operate From NCR And Include Four Members
The notification confirms the Board’s headquarters in the National Capital Region and states it will have four members. According to the government, “In exercise of the powers conferred by sub-sections (1) and (3) of section 18 of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby establishes, the Data Protection Board of India, to exercise the powers conferred on, and to perform the functions assigned to it under the said Act, with effect from the date of publication of this notification in the Official Gazette. The head office of the Data Protection Board of India shall be in the National Capital Region of India.”
3. DPDP Rules, 2025, Define Structure And Governance
The rules detail the Board’s appointment process, service conditions and operational procedures.
They lay the groundwork for how the Board will function independently and carry out enforcement under the Act.
4. Final Rules Released After Extensive Consultations
Draft regulations were circulated in January 2025 for public comment.
After multiple rounds of feedback and inter-ministerial discussions, MeitY finalised the rules and notified them on November 14.
5. Platforms Face New Compliance Duties
Digital entities must now provide clear, itemised notices, secure verifiable consent, safeguard children’s data and follow strict data-retention limits.
Large platforms in sectors like e-commerce, gaming and social media are also required to erase user data within specified timelines.
