New Delhi: India’s much-awaited Digital Personal Data Protection (DPDP) Rules, 2025, are finally here. The Ministry of Electronics and Information Technology (MeitY) notified the full operational framework on Tuesday, setting the wheels in motion for the country’s first full-fledged data protection regime. The rules bring in tighter safeguards, fresh compliance requirements, and a phased rollout that gives the industry up to 18 months to fall in line.

The framework, notified under the DPDP Act, 2023, includes obligations on how companies collect, store, and process personal data. The rules follow public consultations on the draft version released in January. The final version reflects several changes based on stakeholder inputs. From breach reporting deadlines to child-data rules, there’s a lot packed into this new legal structure.

The rollout is broken into stages. Rules 1, 2, and 17 to 21 are in effect immediately. Rule 4, which deals with Consent Manager registration, kicks in after one year. The rest, including major rules related to notices, breach handling, retention limits, and child-data processing, will apply 18 months from the notification date.

This approach gives companies breathing room, especially smaller ones still understanding how the DPDP Act works. But some........

© News9Live