{"id":38,"date":"2026-03-31T12:42:56","date_gmt":"2026-03-31T12:42:56","guid":{"rendered":"https:\/\/www.lexemer.com\/articles\/?p=38"},"modified":"2026-04-19T08:09:28","modified_gmt":"2026-04-19T08:09:28","slug":"overview-of-the-dpdp-act-2023-and-dpdp-rules-2025","status":"publish","type":"post","link":"https:\/\/www.lexemer.com\/articles\/overview-of-the-dpdp-act-2023-and-dpdp-rules-2025\/","title":{"rendered":"Overview of the DPDP Act 2023 and DPDP Rules 2025"},"content":{"rendered":"\r\n

The Digital Personal Data Protection (DPDP) Act was enacted on August 11, 2023.<\/p>\r\n

Subsequently, on November 14, 2025, the Government of India notified the DPDP Rules, 2025 to operationalise the said Act.<\/p>\r\n

Given below is a factual summary of the core definitions, the primary provisions of the 2023 Act and the specific procedures introduced by the 2025 Rules.<\/p>\r\n

Key Definitions<\/strong><\/p>\r\n

Data Principal: The individual to whom the personal data relates.<\/p>\r\n

In the case of children or persons with disabilities, the expression includes their lawful guardian.<\/p>\r\n

Data Fiduciary: The person or entity which determines the purpose and means of processing of personal data.<\/p>\r\n

Consent Manager: A registered entity providing an accessible platform for a Data Principal to give, manage, review and withdraw consent.<\/p>\r\n

Core Provisions of the DPDP Act (2023)<\/strong><\/p>\r\n

Consent and Notice: Personal data can be processed only for a lawful purpose and with the free, specific, informed and unambiguous consent of the Data Principal.<\/p>\r\n

Every request for consent shall be accompanied by a notice specifying the personal data to be processed and the purpose thereof.<\/p>\r\n

Rights of the Data Principal: The individuals have the right to access information about their data, to request correction or erasure of the same and to access grievance redressal mechanisms.<\/p>\r\n

They further have the right to nominate any other individual to exercise the said rights in the event of death or incapacity.<\/p>\r\n

Penalties: The Act prescribes specific financial penalties for non-compliance.<\/p>\r\n

Failure on the part of a Data Fiduciary to take reasonable security safeguards to prevent a data breach may attract penalty upto \u20b9 250 crore.<\/p>\r\n

Failure to intimate the Board and the affected individuals of a breach, or non-observance of obligations qua children, may attract penalty upto \u20b9 200 crore.<\/p>\r\n

Key Additions and Timelines in the DPDP Rules (2025)<\/strong><\/p>\r\n

The 2025 Rules lay down the specific procedures and timelines required for compliance with the 2023 Act.<\/p>\r\n

Compliance Timeline: The Rules provide a period of 18 months for phased compliance in respect of most of the provisions.<\/p>\r\n

Personal Data Breach Notifications: In the event of a personal data breach, the Data Fiduciary shall intimate every affected Data Principal without delay.<\/p>\r\n

The Data Fiduciary shall also intimate the Data Protection Board without delay.<\/p>\r\n

Detailed information regarding the breach shall be furnished within 72 hours.<\/p>\r\n

Grievance Redressal Deadlines: The Data Fiduciaries and the Consent Managers are required to establish a grievance redressal system.<\/p>\r\n

They shall respond to the grievances of the users within a maximum period of 90 days.<\/p>\r\n

Data Erasure and Inactivity: The data shall be erased after a prescribed period of inactivity.<\/p>\r\n

The said period may vary depending upon the nature of the platform and the purpose thereof.<\/p>\r\n

The Third Schedule prescribes a three-year inactivity threshold for erasure in respect of the following entities:<\/p>\r\n