The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025, on January 3, 2025, for public consultation. These Rules aim to facilitate the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act), which received presidential assent in 2023.
The draft Rules strengthen the legal framework for protecting digital personal data by providing necessary details and an actionable framework for implementation.
This draft is in line with the SARAL framework. The Rules employ principles such as simple language, avoiding unnecessary cross-referencing, contextual definitions, and illustrations to enhance understanding and accessibility. In this article, we cover the DPDP Draft Rules and what each rule means in detail.
To Whom Does the DPDP Draft 2025 Apply?
The DPDP Rules cast a wide jurisdictional net, carefully defining which entities must comply with India’s new data protection framework. Unlike the previous IT Rules, which had limited scope, these Rules apply to four distinct categories of entities:
- All domestic organisations processing personal data within Indian territory fall under the Rules’ purview. This includes everything from large corporations and MSMEs to non-profits and government bodies operating on Indian soil.
- The Rules also cover foreign entities that offer goods or services to individuals in India. This means that global tech companies and international businesses serving Indian consumers cannot escape compliance obligations merely because their servers or headquarters lie outside India’s borders.
- The Rules distinguish between “Data Fiduciaries” and “Data Processors”. It is a crucial distinction that determines the nature and extent of obligations. Data Fiduciaries exercise decision-making authority over why and how personal data is processed, bearing primary responsibility for compliance. This includes businesses collecting customer information, employers holding employee data, and online platforms gathering user details.
- Data Processors are entities that handle data on behalf of Fiduciaries under contractual terms; they must also adhere to specific requirements. This captures outsourcing vendors, cloud service providers, and third-party analytics companies operating in the data processing chain.
The Rules currently do not specify thresholds for volume or nature of personal data that would exempt certain classes of Data Fiduciaries, including startups, from specific obligations related to notice, DPIA, retention timelines, and Data Principal rights as specified in the Act. This creates some regulatory uncertainty for emerging businesses.
Key Provisions of the DPDP Rules 2025
Now that you know to whom the Rules apply, let us cover each rule one by one.
1. Notice and Transparency Requirements (Rule 3)
Rule 3 mandates that Data Fiduciaries provide clear and standalone notices to individuals whose data they collect. These notices must include:
- Specific categories of personal data being collected
- Purposes for data processing
- Information on consent withdrawal mechanisms
- Procedures for exercising rights under the DPDP Act
- Grievance redressal procedures
The notices must be presented in plain language, avoiding complex legal or technical terminology that could impede understanding.
2. Consent Management Framework (Rule 4)
The Rules introduce Consent Managers as intermediaries authorised to manage consent on behalf of individuals. These entities must:
- Register with the Data Protection Board
- Provide transparent and secure platforms for giving, managing, reviewing, and withdrawing consent
- Maintain records for a specified period
- Implement robust security measures
This framework aims to simplify consent management for individuals across multiple digital services and provide better control over personal data.
3. Government Processing Rights (Rule 5)
Rule 5 addresses the State’s right to process personal data of citizens for specific purposes:
- Providing subsidies and benefits
- Issuing certificates and licenses
- Delivering services
- Issuing permits
This provision balances government functions with data protection principles, establishing parameters for the legitimate processing of citizen data.
4. Security Safeguards (Rule 6)
Rule 6 outlines comprehensive security measures that Data Fiduciaries and Processors must implement:
- Encryption of sensitive data
- Data obfuscation techniques
- Masking of personal identifiers
- Use of virtual tokens
- Maintenance of security logs for investigation purposes
- Mandatory data backups
Contracts between Data Fiduciaries and Data Processors must ensure that adequate security measures are in place to prevent data breaches. These requirements reflect a risk-based approach to security, with measures proportionate to the sensitivity of the data processed.
5. Data Breach Notification Protocol (Rule 7)
Rule 7 establishes a mandatory breach notification system:
- Notification to affected Data Principals, explaining the nature, extent, and timing of the breach
- Notification to the Data Protection Board within 72 hours of breach discovery
- Disclosure of breach details, events leading to the breach, actions taken to mitigate risks, and the identity of the responsible individual (if known)
This protocol represents a significant advancement from previous regulations, which lacked specific notification requirements.
6. Data Retention Limitations (Rule 8)
Rule 8 addresses the persistent concern of indefinite data storage:
- Requirements to erase user data unless legally required to retain it
- Notification to users at least 48 hours before data erasure
- Specific retention periods based on the nature of services
Certain e-commerce entities, online gaming intermediaries, and social media platforms with a significant number of registered users in India must delete personal data within a specified period, generally up to three years from the date of a user’s last interaction, unless the user actively maintains their account.
7. Data Protection Officer Requirements (Rule 9)
Rule 9 requires Data Fiduciaries to publicly display the contact information of their Data Protection Officer (DPO). This ensures:
- Direct accessibility for users with data processing questions
- Clear accountability within organisations
- Streamlined communication channels for data-related concerns
This requirement may increase compliance costs for companies, but enhances transparency and accessibility for Data Principals.
8. Protection for Children’s Data (Rules 10 & 11)
Rules 10 and 11 establish enhanced protections for children’s personal data:
- Verifiable parental or guardian consent requirement
- Mechanisms for age verification
- Equivalent protections for persons with disabilities
- Specific exemptions where applicable, such as for healthcare providers or educational institutions
Data Fiduciaries shall ensure a system is in place to obtain verifiable consent of the parents or legal guardians while processing personal data of children or persons with disabilities. They also need to implement measures to ensure that the person providing consent for a child’s data processing is the child’s parent or legal guardian and that the parent or guardian is identifiable.
9. Data Protection Impact Assessment (Rule 12)
Rule 12 mandates that Significant Data Fiduciaries conduct a Data Protection Impact Assessment and audit once every 12 months. This requirement:
- Ensures regular evaluation of data processing risks
- Facilitates identification of potential privacy concerns
- Promotes continuous improvement of data protection measures
These assessments aim to identify and mitigate risks associated with data processing activities.
10. Data Principal Rights (Rule 13)
Rule 13 elaborates on the rights of Data Principals:
- Right to access personal data
- Right to erasure of personal data
- Right to nominate individuals according to the Data Fiduciary’s terms of service
- Mechanisms for exercising these rights effectively
Data Fiduciaries and Consent Managers must clearly publish on their website or app the process for Data Principals to exercise these rights.
11. Research and Statistical Exemptions (Rule 15)
Rule 15 grants exemptions for processing personal data for specific purposes:
- Research activities
- Archiving purposes
- Statistical analysis
These exemptions recognise the value of data for knowledge advancement while maintaining appropriate safeguards.
12. Enforcement and Penalties
The Rules establish substantial penalties for non-compliance, creating strong incentives for organisations to implement robust data protection measures. Key penalties include:
- Failure to implement security safeguards: ₹250 crores
- Non-notification of data breaches: ₹200 crores
- Violations regarding children’s data: ₹200 crores
- Other violations: ₹50 crores
These significant financial implications underscore the regulatory emphasis on enforcement and the seriousness with which data protection violations will be treated.
Implementation Challenges for DPDP Rules
Several implementation challenges are anticipated as organisations work to comply with the Rules:
- Retrospective Consent: The Rules have not provided clarity on what consent obtained prior to commencement of the Act will be acceptable as valid consent, whether implied consent with a fresh notice would suffice, or if explicit valid consent for specific purposes along with a fresh notice would be required.
- Timeline for Data Principal Rights: The Rules have not prescribed any specific time period for Data Fiduciaries to address the rights of Data Principals. Additionally, the Rules have given Data Fiduciaries the option to specify the time period for their grievance redressal system.
- Consent Manager Uncertainty: The Rules do not clarify whether Data Fiduciaries are permitted to appoint an in-house Consent Manager and, if allowed, whether that would need to be registered with the Board, and whether such an appointment would constitute a conflict of interest.
- Cross-Border Data Transfer Complexity: The Rules have not specified any list of countries with restrictions on the transfer of personal data, along with instruments to be put in place for such cross-border data transfer. Any such requirements shall be specified by the Central Government by general or special order. Additionally, the Rules have not specified the categories of personal data and the definition of traffic data on which restriction on cross-border data transfer by Significant Data Fiduciaries shall apply.
- Compliance Costs: Implementing the technical and procedural requirements may impose significant costs, particularly on smaller entities.
- Data Protection Board Establishment: The effectiveness of the regulatory framework depends on the swift establishment and operation of the Data Protection Board.
What Are the Strategic Implications for Businesses?
The DPDP Rules represent more than a compliance requirement; they offer a strategic opportunity for organisations to enhance trust and transparency. Key strategic considerations include:
- C-Suite Collaboration: Effective implementation requires synergy across organisational functions, from marketing and procurement to technology and legal departments.
- Privacy-Centric Culture: Organisations should foster a “privacy-first” mindset led by executive commitment.
- Customer Trust: Ethical data stewardship can build loyalty, enhance reputation, and foster trust in an era where customer experience defines success.
- Competitive Differentiation: Strong data protection practices can serve as a market differentiator, particularly as consumer privacy awareness increases.
Conclusion
The Digital Personal Data Protection Rules, 2025, are a significant advancement in India’s data protection framework. They establish clear obligations for organisations, enhance individual rights, and create proper enforcement mechanisms. Businesses should view these Rules as a strategic lever to elevate trust, accountability, and innovation in today’s digital economy.
To learn how to implement these rules for your business, get in touch with GJM & Co. We offer a wide range of services, including Financing, Taxation, Bookkeeping and Accounting Services, Business Formation, Payroll Management, etc. To know more, call us or email us at info@gjmco.com.