Introduction
On 3 January 2025, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025 (“draft Rules”), marking a significant step in operationalising the Digital Personal Data Protection Act, 2023 (DPDPA).
These rules aim to establish a clear, structured, and enforceable framework for responsible personal data management in India, bringing the regime closer to global data privacy norms while addressing unique domestic concerns.
The draft Rules are incremental in nature—companies already aligned with data protection standards (e.g., GDPR) will only need targeted adjustments, while others must start building robust compliance programs from the ground up.
⸻
- Key Provisions of the Draft Rules
A. Personal Data Breach Notification
• Each affected Data Principal must be told without delay, through their user account or the communication channel they registered with: what happened (nature, extent, timing and location), the likely consequences, what the Data Fiduciary has done to mitigate, what the Data Principal can do to protect themselves, and whom to contact.
• Two-step reporting to the Data Protection Board of India (DPBI):
1. Intimate the Board without delay with a description of the breach.
2. Within 72 hours (or longer if the Board permits on request), supply the detailed account: facts and circumstances, cause, mitigation, findings about who caused it, remedial measures, and a report of the notices sent to Data Principals.
• This sits alongside, not in place of, the six-hour incident reporting to CERT-In required by the CERT-In Directions of 28 April 2022; incident-response playbooks need both clocks.
• There is no risk or materiality threshold of the kind GDPR provides: any event meeting the DPDPA definition of a personal data breach (unauthorised processing, or accidental disclosure, alteration, destruction or loss of access) triggers notification, so detection and investigation have to be prompt if trust is to be maintained.
B. Notice & Consent
• Notices and consent requests must be available in English or any of the 22 languages of the Eighth Schedule to the Constitution, at the Data Principal's option; audio-visual formats, where feasible, improve accessibility.
• Must be clear, precise, and purpose-specific.
• Direct links for withdrawing consent—as simple as granting it (e.g., one-click withdrawal).
• Automated acknowledgment of consent withdrawal.
• Easy-to-access channels for exercising rights under DPDPA.
C. Consent for Children & Persons with Disabilities
• Privacy-by-Design (PbD) principles are mandatory for products and services directed at children.
• Prohibited practices: tracking, behavioural monitoring and targeted advertising aimed at children.
• Before processing a child's data, the Data Fiduciary must obtain verifiable consent from a parent and confirm that the person is an adult, using identity and age details it already holds or that are supplied, or a virtual token mapped to such details and issued by an entity entrusted by law or the Government (Digital Locker is the example the draft Rules give).
• For a person with a disability who has a lawful guardian, the guardian's appointment is verified against orders made under:
• Guardians and Wards Act, 1890
• Religion-based guardianship laws (Hindu, Muslim, Christian)
• Rights of Persons with Disabilities Act, 2016
• Consent status is not static: a child turning eighteen or a guardianship ending changes who may consent, so user profiles need periodic re-verification.
D. Reasonable Security Safeguards
• Broadly aligned with GDPR, CCPA, PIPEDA and PDPA: a baseline of required safeguards, with the Data Fiduciary choosing how to implement them.
• The draft Rules set the minimum: protecting data with encryption, obfuscation, masking or virtual tokens; controlling access to the systems that process it; logging and monitoring to detect, investigate and remediate unauthorised access, with logs retained for one year; and backups so that the data remains available if it is lost or compromised.
• Practical measures that meet that baseline:
• Encryption at rest and in transit, plus pseudonymisation of identifiers
• Multi-Factor Authentication (MFA) for staff and administrative access
• Role-Based Access Control (RBAC) scoped to each processing purpose
• Endpoint security for remote and cloud work
• Contracts with Data Processors must oblige the processor to apply reasonable security safeguards of its own.
E. Consent Managers & Digital Locker Services
• Consent Managers act like UPI platforms for personal data sharing.
• Must register with DPBI and demonstrate technical, operational, and financial capacity.
• Maintain comprehensive consent transaction records.
• Closest current example: Ayushman Bharat Digital Mission (ABDM) app.
F. Data Retention
• Data minimisation applies throughout: keep personal data only as long as the stated purpose, or a legal obligation, requires it.
• The draft Rules' Third Schedule fixes a hard limit for the largest platforms (e-commerce entities and social media intermediaries with at least 2 crore registered users, online gaming intermediaries with at least 50 lakh): personal data must be erased three years after the user last interacted with the service, with the user notified at least 48 hours before erasure. Retention beyond that period needs a documented legal justification.
• Although the Schedule names three classes, the same discipline is advisable for OTT, travel, fintech, telecom and quick commerce, which hold comparable volumes of inactive accounts.
• Disposal must be secure: physical destruction of media, or crypto-shredding (destroying the key under which the data was encrypted, so the remaining ciphertext is unrecoverable). Encryption on its own disposes of nothing while the key survives.
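The consent and retention obligations in sections B, E and F above reduce to two pieces of logic: an append-only consent record from which the state at any instant can be reconstructed, and a retention job that knows when to warn and when to erase. The following is an added example written for this article; it is not code from the draft Rules, MeitY or any Consent Manager. The class and function names, the sample principal ID and the three-year window (taken from the Third Schedule figure) are assumptions, and the scenario data is constructed.

```python
"""Consent ledger plus retention check.

Added illustration for this article; not code from the draft Rules, MeitY or any
Consent Manager. Names, the sample principal ID and the three-year window are
assumptions; the scenario data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal: str    # pseudonymous Data Principal identifier (assumed scheme)
    purpose: str      # one specific purpose, e.g. "marketing"; never a blanket "all"
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # timezone-aware time the event was received
    channel: str      # how it arrived, e.g. "web_form", "app", "consent_manager"


class ConsentLedger:
    """Append-only transaction record of grants and withdrawals.

    Nothing is deleted or overwritten, so the full history can be produced to the
    Board or the Data Principal, and the state at any past instant can be rebuilt
    (processing done before a withdrawal remains lawful).
    """

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, principal: str, purpose: str, at: datetime,
              channel: str = "web_form") -> ConsentEvent:
        ev = ConsentEvent(principal, purpose, True, at, channel)
        self._events.append(ev)
        return ev

    def withdraw(self, principal: str, purpose: str, at: datetime,
                 channel: str = "web_form") -> dict:
        """Record the withdrawal and return the acknowledgment to send automatically."""
        ev = ConsentEvent(principal, purpose, False, at, channel)
        self._events.append(ev)
        return {"principal": principal, "purpose": purpose,
                "withdrawn_at": at.isoformat(), "acknowledged": True}

    def status_at(self, principal: str, purpose: str,
                  when: datetime) -> Optional[ConsentEvent]:
        """Most recent event for (principal, purpose) at or before `when`, if any."""
        relevant = [e for e in self._events
                    if e.principal == principal and e.purpose == purpose and e.at <= when]
        return max(relevant, key=lambda e: e.at) if relevant else None

    def is_permitted(self, principal: str, purpose: str, when: datetime) -> bool:
        """Purpose-bound check: allowed only under a grant that was in force at `when`."""
        ev = self.status_at(principal, purpose, when)
        return ev is not None and ev.granted

    def history(self, principal: str) -> list[ConsentEvent]:
        """Everything recorded for one Data Principal, in arrival order."""
        return [e for e in self._events if e.principal == principal]


def retention_action(last_activity: datetime, now: datetime,
                     window: timedelta = timedelta(days=3 * 365),
                     notice: timedelta = timedelta(hours=48)) -> str:
    """Decide what the retention job should do for an inactive account.

    "retain" while the window has time left, "notify" once the 48-hour pre-erasure
    notice is due, "erase" when the window has expired. Passing a longer `window`
    for a specific record is where a documented legal justification belongs.
    """
    deadline = last_activity + window
    if now >= deadline:
        return "erase"
    if now >= deadline - notice:
        return "notify"
    return "retain"


# Constructed sample scenario (not real data): one principal, one purpose.
T0 = datetime(2025, 1, 3, tzinfo=timezone.utc)


def demo() -> dict:
    """Run the scenario and return the checks a reviewer would want to see."""
    ledger = ConsentLedger()
    ledger.grant("dp-001", "marketing", T0)
    ack = ledger.withdraw("dp-001", "marketing", T0 + timedelta(days=10), channel="app")
    return {
        "marketing_day5": ledger.is_permitted("dp-001", "marketing", T0 + timedelta(days=5)),
        "marketing_day11": ledger.is_permitted("dp-001", "marketing", T0 + timedelta(days=11)),
        "analytics_day5": ledger.is_permitted("dp-001", "analytics", T0 + timedelta(days=5)),
        "ack": ack["acknowledged"],
        "events": len(ledger.history("dp-001")),
        "retention_day100": retention_action(T0, T0 + timedelta(days=100)),
        "retention_notice": retention_action(T0, T0 + timedelta(days=3 * 365) - timedelta(hours=24)),
        "retention_expired": retention_action(T0, T0 + timedelta(days=3 * 365)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter. Withdrawal is a new event rather than a deletion, which is what makes the record "comprehensive" in the sense section E requires and lets `is_permitted` answer for a past instant during an audit. And the purpose is part of the key, so consent for marketing never silently covers analytics; that is the purpose-specific notice of section B enforced in code.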
⸻
- Department-Wise Implications
Human Resources (HR)
• Obtain verifiable parental consent wherever children's data is collected (e.g., dependants named as insurance nominees).
• Adhere to purpose limitation and retention rules.
• Collaborate with IT & Legal for secure handling of sensitive employee data.
Sales & Marketing
• Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and as easy to withdraw as to give; pre-ticked boxes and bundled consent do not qualify.
• Be transparent about how data is used and what rights customers have.
• Be ready to act on consent withdrawal and erasure requests, including in downstream systems and with third parties that received the data.
Information Technology (IT)
• Implement controls: encryption, tokenisation, access controls, breach detection.
• Establish systems for erasing personal data and verifying parental consent.
• Integrate consent management and digital locker tools.
• Continuous training and cross-departmental collaboration.
Legal Department
• Update contracts with third parties for compliance.
• Ensure robust consent management formats.
• Lead organisational training and awareness on DPDPA compliance.
• Mitigate penalties through proactive risk management.
⸻
- Compliance Roadmap for Businesses
For Organisations Beginning the Journey
1. Map personal data locations across systems.
2. Understand DPDPA applicability and sector-specific rules.
3. Conduct a privacy assessment.
4. Develop a compliance strategy & timeline.
5. Train stakeholders on responsibilities.
For Organisations Already on the Path
1. Incorporate DPDPA-specific elements (e.g., Consent Managers, breach notification).
2. Update technical measures (e.g., virtual tokens for verification).
3. Reassess existing policies for alignment with the draft Rules.
4. Strengthen cross-functional collaboration.
⸻
- Way Forward
The draft DPDP Rules, 2025, are designed to bridge global best practices with Indian realities. While many principles mirror GDPR, India introduces unique compliance obligations—especially regarding children’s data, multi-lingual consent, and integrated breach notification timelines.
Organisations must:
• Treat data protection as a core business value.
• Invest in technology, training, and legal compliance.
• Build systems for continuous monitoring and improvement.
By doing so, they will not only meet regulatory expectations but also build consumer trust, a key differentiator in the digital economy.