DPDP rules marks significant milestone in India’s ongoing data protection journey

New Delhi, Nov 14 Nasscom-Data Security Council of India (DSCI) on Friday said the government’s notification of the Digital Personal Data Protection (DPDP) Rules 2025 marks a significant milestone in India’s ongoing journey to strengthen its personal data protection architecture.

With the rules now in force, the industry has a clearer and more actionable roadmap, it added.

“We commend the Ministry of Electronics and Information Technology for adopting a constructive, consultative approach throughout the drafting process. The final Rules largely preserve the structure and policy choices of the draft framework, while introducing a transparent and predictable phased commencement schedule,” said Nasscom-DSCI.

Key enhancements include greater clarity on verifiable consent with a definition embedded in the Rules, alongside well-structured, distinct provisions for children and persons with disabilities.

The sections addressing processing by the State remain broadly consistent with the draft, with refined drafting that improves readability without altering the underlying intent.

“At the same time, it is important to recognise that certain matters raised by industry during consultation arise from the architecture of the Act itself and could not realistically be addressed through subordinate legislation,” said Nasscom-DSCI.

These include the overarching structure of parental consent, the statutory age threshold for children and the requirement that all personal data breaches be notified. Our focus now moves to supporting implementation in a manner that is practical, proportionate and aligned with the objectives of the law.

On international data transfers, Nasscom-DSCI said it recognises the importance of developing mechanisms that support interoperability and facilitate co-operation with India’s key trading partners.

The government on Friday notified the rules for the Digital Personal Data Protection (DPDP) Act, formally operationalising India’s first digital privacy law and setting the compliance clock ticking for companies handling user data.

Social media sites, online gateways, and any other organisations handling personal data are required by the new framework to give users a detailed explanation of the information being gathered and to make it apparent how it will be used.

Disclaimer: This post has been auto-published from an agency feed without any modifications to the text and has not been reviewed by an editor