The Vision Behind the DPDP Rules

The DPDP Rules implement the 2023 Act by detailing data fiduciary duties, consent handling, data breach reporting, and setting up the Data Protection Board (DPB). 


Purpose and Scope

The main aim of the Draft Rules 2025 is to protect users’ personal data and ensure their privacy in the digital world, while also guiding businesses on how to handle this data responsibly.

Some of the draft Rules are scheduled to come into effect upon publication, while other provisions (Rules 3 to 15, 21, and 22) will take effect from a later date. Initially, only the Rules relating to the establishment of the enforcement body, i.e. the Data Protection Board, and to the appointment of its chairperson and members, their salaries, allowances and meetings, and the terms and conditions of the Board's officers and employees, shall come into effect.


Key Features of Draft Rules

Notice by Data Fiduciary to Data Principal:

Under the Draft Rules, Data Fiduciaries (organizations handling personal data) must give a clear and easy-to-understand notice to Data Principals (individuals). This notice should:

  1. Clearly list the personal data being collected.
  2. Explain why the data is being processed and how it will be used.
  3. Describe the goods, services, or benefits provided through this processing.
  4. Include simple ways for individuals to withdraw consent, exercise their rights, or file complaints.
  5. Provide a link to the organization’s website or app for further communication.
  6. Ensure withdrawing consent is as easy as giving it.

This ensures transparency and empowers individuals to manage their personal data.

Registration and Obligations of a Consent Manager:

A Consent Manager, as defined under the DPDP Act, is a registered entity in India that helps individuals (Data Principals) give, manage, review, and withdraw consent through a transparent and user-friendly platform. It must:

  1. Be a company in India with at least ₹2 crore in net worth.
  2. Have a reputation for fairness and integrity.
  3. Provide a secure, interoperable platform for consent management.
  4. Avoid conflicts of interest and maintain high transparency and security standards.
  5. Get prior approval from the DP Board for any transfer of control.

These rules ensure Consent Managers operate securely, transparently, and in the best interest of individuals.

Processing for Provision or Issue of Services by the State:

The State and its instrumentalities can process personal data to provide subsidies, benefits, services, certificates, licenses, or permits. Such processing must comply with standards in Schedule II of the Draft Rules, ensuring lawful, transparent, and secure handling of personal data.

Reasonable Security Safeguards:

As per the Draft Rules, Data Fiduciaries must implement reasonable security measures to protect personal data, including encryption, access control, monitoring for unauthorized access, and data backups. These safeguards ensure the confidentiality, integrity, and availability of data, and must include provisions for detecting and addressing breaches and for maintaining logs. Contracts with Data Processors must also require security measures to be in place to prevent data breaches.

Intimation of Personal Data Breach:

If a personal data breach occurs, Data Fiduciaries must quickly inform affected individuals (Data Principals) with clear details about what happened, how serious it is, when it occurred, possible effects, and steps they can take to protect themselves.

They must also notify the Data Protection Board immediately, sharing details of the breach, including what happened, when and where it occurred, and its potential impact. A full report must be submitted within 72 hours, unless more time is approved.

Accountability and Compliance:

Data fiduciaries must handle personal data legally, use it only for necessary purposes, and keep it only as long as needed. They must also provide grievance redressal systems on their platforms for users.

Data Retention Policies:

E-commerce platforms with 20 million or more users, online gaming platforms with 5 million or more users, and social media platforms with 20 million or more users in India must delete user data after three years unless users actively maintain their accounts.

Impact Assessments:

Significant data fiduciaries are mandated to conduct yearly Data Protection Impact Assessments (DPIAs) to evaluate risks associated with their data processing activities. They must also ensure that any algorithms they use for managing data do not harm the rights of individuals (Data Principals).

Cross-Border Data Transfer:

Data Fiduciaries processing data within India or in connection with offering goods or services to Data Principals from outside India must comply with any requirements the Central Government sets in respect of making such personal data available to a foreign State or its entities.  

Exemption from the DPDP Act for research, archiving, or statistical purposes:

The Draft Rules exempt personal data processing for research, archiving, or statistical purposes from the DPDP Act if it follows the standards in Schedule II. This allows important research and policy work while maintaining certain safeguards and standards to protect personal data.  

Enforcement Framework:

The enforcement mechanism includes the establishment of the regulatory authority, i.e. the DP Board, the appointment of its chairperson and members, and appeals to the appellate authority, among other matters.

Implications for Businesses

Organizations, especially small-scale companies, will need to invest significantly in compliance measures to meet the new requirements outlined in the Draft Rules. This includes establishing robust consent management systems, enhancing security protocols, and ensuring transparent communication with users regarding their rights and data usage.

This means they need to follow clear rules about how to collect, store, and use personal information. The rules are designed to ensure that businesses respect the privacy of their customers by getting proper consent before using their data, keeping it secure from breaches, and being transparent about how it will be used.

These rules also help businesses build trust with their customers by showing that they are committed to protecting their personal information. By following the guidelines, businesses can avoid legal risks, improve their reputation, and create a safe and reliable environment for their customers to interact with them. In the long run, this makes the digital space more trustworthy for both individuals and businesses alike.



Conclusion

The Draft Digital Personal Data Protection Rules, 2025 mark a big step forward in India’s efforts to strengthen data protection. These rules focus on promoting transparency, accountability, and empowering users, creating a strong base for a digital ecosystem that respects privacy.

However, turning this vision into reality will require cooperation and effort from all stakeholders. It is essential to address practical challenges in implementing the rules and ensure they are consistently enforced across the board.

The current public consultation is a crucial part of this process. It provides an opportunity for individuals, organizations, and other stakeholders to share their feedback and suggestions. This input will help improve the framework, making sure it is practical, effective, and able to meet the varied needs of everyone involved, while also protecting fundamental rights in the digital world.

Any suggestions with regard to the Rules can be submitted to the Government on the MyGov website (https://mygov.in).
