On January 3, 2025, India’s Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules, 2025, providing much-needed clarity on the implementation of the Digital Personal Data Protection Act, 2023. These rules aim to streamline and further regulate the provisions of the Act in a more concise and actionable manner, helping organizations navigate the complex landscape of personal data protection in India.
This article offers an overview of the most critical aspects of the draft rules, from consent management and data retention to cross-border transfers and security measures. Whether you’re a data fiduciary or a business handling personal data, this guide will give you a clear understanding of what the rules entail and what steps are necessary to ensure compliance.
Privacy Notices
Data fiduciaries are required to provide clear and accessible notices to data principals (individuals whose data is being processed). In most cases, these are the best old privacy policies. You can serve these privacy notices through a cookie banner.
The notices serve as a key transparency mechanism to ensure individuals understand how their personal data is collected, used, and managed; hence they are required to contain at least the following:
- A description of the categories of personal data being collected and processed.
- Specific purposes for which the data is being processed, including any associated goods or services.
- Information about the data fiduciary, such as contact information or a dedicated webpage.
- Rights and consent withdrawal
- Channels for raising complaints against misuse or mishandling of data, such as an email or contact form.
In addition, they have to be written with clear and easy-to-understand language, be easily accessible on the website, and any changes must be communicated promptly with the principals.
Data Principal Rights Mechanisms
Businesses must establish and document specific mechanisms enabling data principals to exercise their fundamental rights of access, correction, and erasure. While these rights mirror those found in the GDPR, they come with distinct Indian characteristics and implementation requirements.
Rather than imposing strict statutory deadlines, they allow data fiduciaries to set their own response timelines. This flexibility comes with two key obligations:
- Organizations must clearly communicate their self-determined response deadlines to data principals.
- We must consistently meet and maintain these communicated timeframes.
This approach creates an intriguing dynamic in the privacy landscape. Organizations can differentiate themselves through more efficient response times, potentially gaining a competitive edge by demonstrating superior privacy practices compared to market standards.
One of the most innovative aspects of India's data protection framework is its forward-looking approach to rights continuity. The rules introduce a unique "right to nominate"—allowing data principals to designate representatives who can exercise data protection rights on their behalf in case of death or incapacity. For multinational organizations, this presents both a challenge and an opportunity:
- Existing rights management systems will need strategic modifications
- Organizations must accommodate this additional right alongside their current GDPR-aligned processes
- Technical infrastructure may require updates to handle nomination and representative authentication
Consent Managers Requirements
The DPDPL introduced consent managers as specialized intermediaries designed to mediate consent given between people and businesses. Operating through interoperable platforms, these entities serve as a single point of contact where data principals can give, manage, review, and withdraw their consent for data processing.
Under the DPDPL, consent is the main reason why data can be processed. These middle-men can make it easier for data to move between different data custodians, which could open up new opportunities for India's digital economy while still protecting user rights.
And the Indian government doesn’t want to let just anyone do this work. The draft rules establish specific requirements for consent managers:
- Must be incorporated as companies in India
- Required to maintain a minimum net worth of INR 20,000,000 (approximately $240,000)
- Must operate with complete data blindness and maintain comprehensive audit trails
- Need to register with the regulatory board
- Must maintain independence from data fiduciaries, avoiding any material financial relationships
As you can see, the government wants companies to have resources and be accessible for investigations.
Parental Consent
The rules require data fiduciaries to obtain verifiable consent from a parent or guardian before processing a child's personal data. Verification of the parent or guardian's identity is required, and fiduciaries must use appropriate technical and organizational measures. It is up to you to decide what is appropriate.
Methods may include reliable identification documents or digital identity verification systems like Digital Locker services to confirm the identity and age of the consenting individual.
Fiduciaries must ensure that the individual providing consent is indeed a legitimate parent or guardian. They must also confirm that the consent is valid, explicit, and informed, with no room for ambiguity or misrepresentation.
It also must be purpose-specific, covering only the processing activity it was provided for. We cannot assume it extends to unrelated purposes, ensuring transparency and limiting the scope of data use.
Parents or guardians should be able to easily withdraw their consent through simple and accessible mechanisms. This maintains their control over the data and its processing.
Data Security Measures
The draft rules establish baseline security requirements that data fiduciaries must implement. This is particularly significant for global businesses operating global capability centers or captive units in India or working with outsourced service providers.
The DPDPA does not impose the full range of privacy obligations but instead mandates the adoption of reasonable security measures to safeguard personal data.
The measures include:
- Encryption
- Anonymization/Pseudonymization
- Access Controls
- Monitoring and Logging
- Incident Response Plan
- Compliance Audits
- Algorithmic Accountability
- Third-Party Oversight
- Contractual Safeguards
- Audit Trails
- Periodic Updates
- Technology Adoption, and others.
Data Breach Notifications
When a personal data breach occurs, data fiduciaries must promptly file an initial report with the Data Protection Board of India. Interpreting this requirement as "without delay" suggests immediate or expedited action.
The Rules also require notifying affected data principals of a breach "without delay," which may also mean immediately or as soon as possible. There are no specific timelines for notifying data principals, but the detailed report to the board must include information on these notifications. The lack of a materiality threshold for breach reporting could lead businesses to overreport, even for minor breaches that present minimal or no risk to data principals.
International Data Transfers
The draft rules give the government the power to set conditions for international data transfers, particularly regarding the disclosure of information to foreign government agencies. While the specifics of these conditions are not yet defined, they look like the adequacy requirements under the GDPR and the EU-US relationship regarding data transfers.
The hardest part pertains to certain data fiduciaries classified as "significant." They could face requirements to store personal data and traffic data exclusively within India under specific conditions.
Data Deletion and Retention
The rules prescribe that data fiduciaries must retain personal data only for as long as it is necessary to fulfill the purpose for which it was collected or to comply with legal obligations.To avoid unnecessary retention and potential misuse, data fiduciaries must delete it once it has served its purpose or is no longer required.
The law already mandates this, but here's a new requirement: data principals must receive notification prior to the permanent deletion of their data. This ensures transparency and allows them the opportunity to access or act on the data if needed prior to its erasure.
Compliance with the Indian DPDPL
To ensure adherence to the Digital Personal Data Protection Rules, 2025, businesses must take a proactive approach to compliance. The draft rules emphasize accountability and ongoing assessments of data handling practices, ensuring businesses meet both legal and operational expectations.
Key steps to achieve compliance include:
- Data Protection Policies and Governance:
Organizations must establish comprehensive policies that align with the DPDPL framework. These should outline internal procedures, employee training, and data protection strategies. Regular updates are critical to address emerging risks or regulatory changes.
2. Data Protection Impact Assessments (DPIAs):
For high-risk processing activities, businesses should conduct DPIAs to evaluate the impact on data principals and identify mitigation strategies. DPIAs can serve as evidence of due diligence in case of scrutiny from regulators.
3. Appointment of Data Protection Officers (DPOs):
Significant data fiduciaries are required to appoint a DPO who will act as the primary point of contact for data protection-related concerns. This officer must oversee compliance, respond to data breaches, and engage with regulatory bodies as needed.
4. Periodic Audits and Reporting:
Organizations must implement regular privacy audits to assess the effectiveness of their data protection practices. Audit reports should identify gaps and propose actionable recommendations to strengthen compliance efforts.
5. Cross-Border Data Management Frameworks:
For organizations transferring data internationally, ensuring compliance with potential adequacy conditions and implementing legally binding agreements, such as Standard Contractual Clauses (SCCs), will be critical. Keeping abreast of the government’s decisions on permissible jurisdictions for data transfer is also vital.
6. Incident Response Protocols:
A well-defined breach management plan is essential. This includes identifying breaches promptly, filing reports with the Data Protection Board of India, and communicating with affected data principals. Businesses must strike a balance between overreporting and underreporting to align with the draft rules.
7. Engaging Consent Managers:
Leveraging consent managers to simplify the consent lifecycle can streamline compliance. Partnering with registered consent managers who meet regulatory requirements will ensure smoother operations while protecting user rights.
8. Employee Training and Awareness:
A critical aspect of compliance is building a culture of privacy within the organization. Regular training sessions for employees handling personal data will ensure they understand their responsibilities under the new rules.
