Understanding India’s Draft Digital Personal Data Protection Act (DPDPA) Rules: Key Insights

The Digital Personal Data Protection Act, 2023 (DPDPA) – India’s new, comprehensive privacy law – received the assent of the Hon’ble President on 11th August 2023. 

Over 12 months later, the Indian Ministry of Electronics and Information Technology (MeitY) has now released draft subordinate legislation in the form of Digital Personal Data Protection Rules, 2025 for consultation.  The rules will provide details and implementation framework of the Act and give a clearer view of how the DPDPA might be implemented.

Broadly the draft rules cover:

• Requirements for Data Fiduciaries (which are similar to controllers in other privacy regimes);
• Requirements for Consent Managers (which have a unique role under India’s DPDPA); and
• Provisions covering the establishment of the Data Protection Board, detailing the appointment and service conditions of the Chairperson and other members, as well as its functioning as a digital office.

This post will focus on the proposed rules as they apply to Data Fiduciaries and Consent Managers.

Key Actions for Data Fiduciaries

1. Clarity and Transparency in Notices

Data Fiduciaries are required to provide notices that are simple, clear, and accessible. Key elements include:

• An itemized list of personal data collected and its purpose.
• Details on how the processing enables goods or services.
• Links for withdrawing consent and exercising rights such as access, correction, or erasure.

2. Implementation of Robust Security Measures

Data Fiduciaries must implement security measures to safeguard personal data, including:

– Encryption and access controls.

– Systems for detecting and responding to breaches.

– Regular updates and audits to address potential vulnerabilities.

Additionally, agreements with Data Processors must reflect these security obligations whilst the responsibility for compliance remains with the Data Fiduciary.

3. Protocols for Data Breaches

In the event of a data breach, the following actions are mandatory:

• Prompt intimation to affected individuals and the Board, detailing the breach’s nature, impact, and recommended actions.
• Provision of a contact point for follow-up queries.
• Submission of a detailed report to the Board within 72 hours, including the cause, mitigation efforts, and notifications issued.

It is worth considering the use of the term intimation in relation to data breach being a more indirect communication, hint or suggestion made privately instead of notification which may include public announcements via media. Also, all breaches must be reported regardless of risk.

4. Data Retention and Deletion Requirements

Retention periods must comply with Schedule III. Currently the Rules are defined only for specific types of Data Fiduciaries being e-commerce, gaming, and social media platforms of a certain size. These Data Fiduciaries must delete user data after three years of inactivity, with a mandatory 48-hour notice prior to deletion to give them an opportunity to retain their data.  This requirement could well drive a significant amount of data ‘cleansing’ to minimise the impact of communicating with users about aged/legacy accounts.

5. Rights of Data Principals  

Procedures for Data Principals to exercise their rights (e.g., access, correction, and erasure) must be published and include identification requirements under terms of service e.g. username, customer number etc.

Processes and timelines for responding to grievances must be established. 

6. Special Provisions for Children and Vulnerable Groups

For children’s data, consent must be verified from a parent or legal guardian using reliable methods. Additional safeguards are required to address the needs of children and individuals with disabilities.

7. Localization and Cross-Border Data Transfers

Fiduciaries must adhere to localization requirements for specific data categories and ensure compliance with restrictions on cross-border transfers as defined by the Central Government.

8. Privacy contacts and stakeholder management

A point of contact (e.g., a Data Protection Officer) should be designated and contact details should be prominently on the website/app for Data Principal queries.  

Data Fiduciaries must co-operate with authorities by providing information requested by the Central Government under Section 36 and Schedule VII.  

Key Actions for Consent Managers

1. Registration and Compliance Requirements

Consent Managers must register with the Data Protection Board and demonstrate:

– Financial stability, with a minimum net worth of ₹2 crore.

– Operational readiness and platform interoperability to manage consents effectively.

2. Enabling Comprehensive Consent Management

Platforms operated by Consent Managers must enable users to:

– Easily give, manage, review, and withdraw consent.

– Access transparent records of consent and data-sharing activities.

3. Ensuring Independence and Transparency

Consent Managers are required to avoid conflicts of interest by adhering to strict independence rules. Subcontracting responsibilities or making unauthorized changes in control without Board approval is prohibited. Ownership and management details must also be transparent.

4. Security and Oversight

Consent managers will need to implement robust security measures to protect personal data.  The Rules also require both accountability and oversight of registered Consent managers by:

• Prohibiting subcontracting responsibilities or unauthorized changes in control without prior Board approval.  
• Requiring compliance with audits conducted by the Board.  
• Requiring corrective directions to be addressed promptly to safeguard Data Principals’ interests.  

Best Practices for Compliance

Organizations should adopt the following best practices to ensure compliance:

• Regularly review and update internal policies in line with evolving requirements.
• Train staff on their data protection obligations.
• Leverage automation tools for managing data retention, consent processes, and notifications.
• Establish a robust grievance redressal mechanism for users.

Areas for further clarification

Noteworthy areas requiring further clarification:

• Exemptions for Research and Archiving: The new rules provide standards that must be met when applying this exemption however there is limited clarity of what processing falls under this exemption with the explanatory note only referring to academic and policy research, not commercial or innovation purposes.
• Consent Managers:  The draft rules provide further details on the concept of a consent manager including emphasising transparency and preventing conflicts of interest to promotes user confidence in consent management systems with the aim of limiting ‘consent fatigue’ for Data Principles. Data Fiduciaries should consider now whether they wish to reduce their risk and possibly their compliance obligations by onboarding with a registered consent manager platform and integrating their data protection processes with such platform or manage consent themselves. 

Timing

While provisions relating to the establishment and operations of the Data Protection Board are effective immediately upon publication, the proposed rules related to Data Fiduciaries and Consent Managers will be enforced later.

Stakeholders are encouraged to review the draft rules and submit feedback by the February 18, 2025 deadline.

Conclusion

The draft rules offer essential clarity for implementing the DPDPA, bringing its full enactment one step closer. Privacy professionals now have an initial framework to better align their practices with regulatory expectations.

However, as changes are likely to follow further consultation. For Data Fiduciaries and Consent Managers, it is crucial to evaluate current practices and ensure alignment with these emerging standards. Taking proactive steps now will facilitate a smoother transition as the DPDPA nears full implementation.

Further links

• Draft Digital Personal Data Protection Rules, 2025
• Submission of feedback/comments on Draft Digital Personal Data Protection Rules, 2025
• Digital Personal Data Protection Act, 2023