DPB Chairperson to earn Rs 4.5 lakh a month as MeitY notifies final Data Protection rules

The Ministry of Electronics and Information Technology (MeitY) has formally notified the Digital Personal Data Protection (DPDP) Rules, 2025 — and with it, disclosed that the Chairperson of the Data Protection Board (DPB) will draw a consolidated salary of Rs 4.50 lakh per month, without house or car facilities. Other Board Members will receive Rs 4 lakh per month.

The notification operationalises India’s data protection regime under the DPDP Act, 2023, following public consultation on the draft rules issued in January this year. Objections and suggestions have now been incorporated.

Phased Rollout

Rules 1, 2 and 17–21 take effect immediately. Rule 4 (covering registration of Consent Managers) activates one year from publication. Rules 3, 5–16, 22 and 23 come into force 18 months after publication.

Clear Privacy Notices (Rule 3)

Data Fiduciaries must issue independent, plainly worded notices that include:

itemised personal data collected

specific purposes of processing

direct links for withdrawing consent, exercising rights and filing complaints.

Consent Manager Registration (Rule 4)

Consent Managers must meet eligibility conditions in the First Schedule and will be registered by the DPB, which also has the power to suspend or cancel registrations for non-compliance.

Government Data Processing Standards (Rule 5)

Any processing done for government subsidies, benefits, services, licences or permits must comply with standards in the Second Schedule, covering activities carried out under law, policy or public-fund expenditure.

Security Safeguards (Rule 6)

Every Data Fiduciary must maintain minimum security measures, including:

encryption, masking, obfuscation and tokenisation

access controls and activity logs

compulsory one-year retention of logs and personal data for breach detection

backup and business continuity protocols.

Contracts with Data Processors must carry mandatory security clauses.

Mandatory Breach Notification (Rule 7)

Fiduciaries must promptly notify:

affected users, detailing the breach, consequences, mitigation and a contact person

the Board — with immediate intimation and a detailed report within 72 hours.

Data Retention Limits (Rule 8)

For categories listed in the Third Schedule, fiduciaries must erase data if the user does not engage within the prescribed period — unless retention is required by law. They must also warn users 48 hours before erasure. A minimum one-year retention of traffic logs and processing logs applies across the board.

Mandatory Contact Details (Rule 9)

All Data Fiduciaries must prominently publish contact information of their Data Protection Officer or authorised representative.

Consent for Children (Rule 10)

Before processing child data, fiduciaries must obtain verifiable parental consent, validated through:

existing age or identity data,

newly provided credentials, or

tokens issued by authorised entities or DigiLocker service providers.

Consent for Persons With Disabilities (Rule 11)

Fiduciaries must verify legal guardianship through authorities designated under the Rights of Persons with Disabilities Act, 2016 or the National Trust Act, 1999.

Exemptions for Child-Data Processing (Rule 12)

Certain fiduciaries and purposes listed in the Fourth Schedule receive limited exemptions from Section 9(1) and 9(3), subject to conditions.

Additional Obligations for Significant Data Fiduciaries (Rule 13)

SDFs must:

conduct annual Data Protection Impact Assessments and audits

ensure algorithmic/technical measures do not harm user rights

comply with notified data-localisation requirements

submit findings to the Board.

User Rights (Rule 14)

Fiduciaries and Consent Managers must clearly publish:

methods for exercising user rights

required identifiers

a grievance redressal system (90-day response window)

nomination mechanisms.

Cross-Border Transfers (Rule 15)

Permitted except for entities or jurisdictions restricted by the Central Government.

Research Exemptions (Rule 16)

Processing for research, archiving or statistical purposes is exempt if compliant with Second Schedule standards.

Governance and Appointments (Rules 17–21)

A Search-cum-Selection Committee chaired by the Cabinet Secretary will recommend candidates for the post of DPB Chairperson. A separate committee headed by the MeitY Secretary will shortlist Board Members.

Salaries and service conditions are detailed in the Fifth Schedule, while meeting procedures and authentication of Board orders will be handled by the Chairperson.