In an era defined by rapid technological advancement and data-driven decision-making, governments worldwide are revisiting their data protection frameworks to address emerging challenges. India, recognizing the importance of personal data protection, enacted the Digital Personal Data Protection Act (DPDP Act) in 2023. The subsequent release of the Draft DPDP Rules last week provides a roadmap for operationalizing the Act, setting the stage for transformative regulatory changes in 2025.
This article explores the nuances of the new Data Rules, focusing on their implications for businesses, individuals, and governance structures.
The Draft Rules outline a phased approach to implementation. Provisions relating to the Data Protection Board (DPB) under Rules 16-20 will come into effect immediately upon notification, while the key operational requirements under Rules 3-15, 21 and 22 will follow on a date yet to be fixed. This staggered approach allows organizations to adapt gradually, although clarity on specific deadlines remains crucial.
A cornerstone of the DPDP Act and Rules is the emphasis on consent and transparency. Under Rule 3, businesses are required to issue clear, standalone notices detailing the types of personal data collected, the purpose of collection, and the related processing activities. These notices must provide:
• Information on how consent can be withdrawn.
• Links to grievance redressal mechanisms.
• Instructions for lodging complaints with the DPB.
Achieving the balance between transparency and operational efficiency will be key for businesses.
Consent Managers (CMs) are introduced to streamline consent management. Under Rule 4 and the First Schedule, CMs act as intermediaries between Data Fiduciaries (DFs) and individuals, ensuring that consent is given, managed, and withdrawn in a secure and transparent manner. To operate, CMs must register with the DPB and adhere to stringent operational guidelines, including requirements on independence and the avoidance of conflicts of interest.
Rule 5 and the Second Schedule also address how government bodies may process personal data. Such processing is limited to providing subsidies, services, or permits and must be lawful and restricted to what is necessary for that purpose. Here, the individual's consent to receive the benefit in question becomes central. Key safeguards to be followed by government bodies include:
• Limited data retention.
• Robust security measures.
• Transparency regarding data usage.
Data security is a pivotal component of the Draft Rules. Organizations must implement reasonable safeguards such as encryption, virtual tokens mapped to personal data, and access controls. These obligations extend to contractual agreements with data processors, underscoring the importance of defining roles and responsibilities clearly.
Timely reporting of data breaches is mandated under Rule 7. DFs must notify both the affected individuals and the DPB without delay upon becoming aware of a breach, and must follow up with a detailed report to the DPB within 72 hours. The report should include:
• Date and time of the breach.
• Scope and potential impact.
• Containment measures.
The absence of a graded system for breach severity raises concerns about over-reporting and administrative burden.
Under Rule 8 and the Third Schedule, Data Fiduciaries are required to erase personal data after three years, except for data needed to maintain user accounts or to provide token-based services. Businesses must notify individuals at least 48 hours before erasure, and may retain data beyond the period only where required for legal compliance. This necessitates robust data management systems to ensure compliance with retention timelines.
To ensure parental consent, DFs must establish reliable systems to verify the identity of parents or guardians. They are granted flexibility in choosing their verification method, whether by leveraging identity information already in their possession or by utilizing government-authorized digital tokens. While this approach allows businesses to tailor verification processes to their needs, it raises concerns about the broader implications of age verification. Additionally, certain entities, such as healthcare providers, educational institutions (broadly defined, potentially including edtech platforms), and essential service providers, are exempt from both the requirement to obtain parental consent and the restrictions on tracking and behavioral monitoring of children. However, this exemption may not serve as a universal safeguard. Businesses operating in these sectors are advised to adopt a risk-based approach to age verification, tracking, and behavioral monitoring to minimize potential harm, as outlined in Rules 10 and 11 and the Fourth Schedule.
Significant Data Fiduciaries (SDFs) face additional compliance requirements, including annual Data Protection Impact Assessments (DPIAs) and audits. SDFs must also verify that their algorithmic systems do not pose risks to the rights of Data Principals. While these measures enhance accountability, they also pose implementation challenges.
The Draft Rules revisit the contentious issue of data localization. A government committee will determine which data must remain within India in accordance with Rule 12(4), while specific requirements will regulate cross-border data sharing as per Rule 14. This marks a shift from the DPDP Act’s broader allowance for international data transfers.
Individuals, termed Data Principals, can exercise rights to access, correct, or erase their personal data through clearly outlined mechanisms. Under Rule 13, DFs and CMs are obligated to provide transparent, accessible processes for exercising these rights, reinforcing user empowerment.
The DPB’s governance structure, set out in Rules 16-20, involves specialized search and selection committees to appoint members. Members are expected to possess expertise in data governance, law, or technology, ensuring informed decision-making.
Aggrieved parties may appeal DPB decisions through a digital tribunal. Guided by principles of natural justice, the tribunal offers flexibility in its procedures, including summoning individuals and waiving fees.
Certain data processing activities, such as those for research, archiving, or statistical purposes, are exempt under Rule 15. These exemptions require adherence to lawful and responsible data governance standards, ensuring ethical data usage.
The new Data Rules of 2025 signal a pivotal shift in India’s data protection landscape. By establishing robust frameworks for consent, security, and accountability, they aim to balance innovation with privacy. However, the path to implementation is fraught with challenges, from operationalizing consent mechanisms to navigating cross-border data transfer requirements. As businesses and stakeholders prepare for these changes, active engagement with regulatory consultations and investment in compliance infrastructure will be crucial. The DPDP Rules provide an opportunity to set new benchmarks in data governance, fostering trust and resilience in the digital economy.