
New Delhi: The Union Ministry of Information and Technology on Friday notified the Digital Personal Data Protection (DPDP) Rules 2025, which will pave the way for establishing a Data Protection Board that will levy penalties based on the nature of the data breach.
Some parts of the rules will be implemented immediately, while provisions such as registration and obligations of consent managers, notice from data fiduciaries to individuals for processing their data, and some other major norms related to processing of personal data will be implemented over a period of 12-18 months.
The rules are aimed at giving citizens control over their data, allowing them to check for misuse, and protecting their privacy in the online space. The rules are expected to help citizens avoid spam calls and unauthorised access to their personal data, video, and voice via any digital means.
There are also provisions in the new rules including registration and obligations of consent managers, notice from data fiduciaries to individuals for processing their data and some other major norms related to processing of personal data.
Reasonable safeguards are to be implemented to protect personal data in the possession or under the control of a data fiduciary, including security measures such as encryption, firewalls, and more.
In case of a data breach, affected parties must be intimated in a concise, clear and plain manner and without delay, through the user account or any mode of communication registered by them. The nature and timing of the breach, its impact and future safeguards are to be outlined.
With the DPDP Rules in place, citizens can take recourse if their phone numbers are leaked for unauthorised calls. The rules will help investigate and identify the entity that leaked the phone number of an individual without consent, and penal actions can be taken against those found guilty.
Data is not to be stored beyond a one-year period unless required for compliance under law. Users must be intimated 48 hours before erasure of personal data barring continued use of the account / platform.
The DPDP Act 2023 has provisions to impose penalties of up to Rs 250 crore per breach on data fiduciaries. However, it has kept a graded penalty system to protect small businesses.
The rules came into force eight years after the Supreme Court, on August 24, 2017, held that the Right to Privacy is a Fundamental Right with restrictions specified and relatable to fundamental rights as embedded in the Constitution.