The Most Important DPDP Rules Businesses Need to Know

May 2025 - DPDPA Services Silverse

The draft Digital Personal Data Protection Rules (DPDP Rules) were released by the Ministry of Electronics and Information Technology, India (MeitY) on 3 Jan 2025. These Rules are intended to operationalize India’s Digital Personal Data Protection Act, 2023 (DPDPA), in line with the country’s goal of creating a robust digital personal data protection framework. As of 1 April 2025, they are currently under review and are expected to come into force on the date of their publication in the Official Gazette.

The Rules provide clear compliance guidelines to help organizations transition smoothly to meet the DPDPA’s requirements. They enable companies to establish a strong data governance framework that ensures legal compliance and builds trust and transparency, creating a safer and more privacy-focused business environment.

In this article, we will cover the broad strokes and critical points detailed in the draft DPDP Rules, so that your organization can better comply with the DPDPA.

Overview and Applicability

The Rules are designed to empower citizens in India’s rapidly growing digital economy.

They seek to protect citizens’ rights in accordance with the DPDPA, while achieving the right balance between regulation and innovation. Furthermore, they address specific challenges such as unauthorized commercial use of data, digital harms, and personal data breaches.

The DPDPA applies to all organizations or individuals – whether domestic or foreign – that process digital personal data related to providing goods or services to Data Principals in India. Hence, the DPDP Rules are similarly applicable.

Data Fiduciary Obligations

  • Provide Notice to the Data Principal

    Each request made to a Data Principal for consent must be accompanied or preceded by a notice, which should include: an itemized description of the personal data, the purpose of processing, an itemized description of the goods or services provided, and a link to the Data Fiduciary’s app or website through which the Data Principal can withdraw consent, exercise rights under the Act, or make complaints to the Board.

  • Implement Reasonable Security Safeguards

    A Data Fiduciary is obliged to secure personal data through obfuscation, masking, encryption, or use of virtual tokens; control access to computer resources; and retain personal data and access logs for one year unless required otherwise by law.

  • Intimate in Case of Data Breach

    Upon becoming aware of a personal data breach, the Data Fiduciary must inform the Data Principal, without delay and in a clear and plain manner: a description of the breach, the consequences that are likely to arise from the breach that are relevant to her, and the business contact information of a person who can respond on behalf of the Data Fiduciary to the Data Principal’s queries.

    The Data Fiduciary must also inform the Board: a description of the breach, updated information regarding the description, reasons leading to the breach, measures proposed or implemented, if any, to mitigate risk, details about the person who caused the breach, and a report of the intimations provided to the affected Data Principals. The majority of this information must be supplied within 72 hours.

  • Erase Personal Data Upon Completion of Time Period

    When personal data is no longer required for the specified purpose, the Data Fiduciary must securely delete that data if, within the specified time period, the Data Principal does not contact them for the performance of the purpose or exercise their rights regarding the processing. The exception is if the data must be kept to comply with existing laws.

  • Publish Data Protection Officer Contact Information

    A Data Fiduciary must clearly display the contact information for the Data Protection Officer, or a person who can answer questions on the Data Fiduciary’s behalf, on their website or app.

    They must also include this contact information in every response when a Data Principal exercises their rights under the Act.

  • Ensure Verifiable Consent

    A Data Fiduciary shall take the necessary steps to ensure they receive clear consent from a parent or lawful guardian before processing any personal data of a child. They must also verify that the person claiming to be the parent or lawful guardian is an adult, and can be identified if required.

    When obtaining consent from someone claiming to be the lawful guardian of a person with a disability, the Data Fiduciary shall verify that this guardian has been legally appointed by a court, a designated authority, or a local committee, under relevant guardianship laws.

Consent Manager Obligations

  • Allow a Data Principal using its platform to give consent for the processing of their personal data by a Data Fiduciary registered on the platform. This consent may be provided either directly to the Data Fiduciary or through another Data Fiduciary on the platform who holds the personal data with the Data Principal’s consent.
  • Ensure that the way personal data is made available or shared is such that its contents cannot be read by the consent manager.
  • Keep a record on its platform of the following:

    • Consents given, withdrawn, or denied by the Data Principal
    • Notices related to consent requests
    • Sharing of personal data with a transferee Data Fiduciary
  • Provide the Data Principal utilizing the platform access to this record.
  • Maintain this record for at least 7 years, or for a longer period if required by any relevant law or agreed upon between the consent manager and the Data Principal.
  • Create and maintain an app or website as the main way for a Data Principal to access services from the consent manager.
  • Not subcontract or transfer its responsibilities under the DPDPA and the Rules.
  • Implement reasonable security measures to protect against personal data breaches.
  • Act as a fiduciary for the Data Principal.
  • Publish on its app or website, or both, in an easily accessible manner, information about:

    • Key managerial personnel, senior management, promoters, and directors of the company registered as the consent manager
    • Anyone holding more than 2% of the shares in the company registered as the consent manager
    • Any corporate body in which a promoter, director, senior management, or key managerial personnel of the consent manager holds more than 2% of shares

Cross-Border Data Transfers

The DPDP Rules propose that cross-border data transfers can only occur in jurisdictions that provide an adequate level of data protection, as determined by the Indian government.

India’s government may impose restrictions or conditions on cross-border data transfers, which businesses will need to monitor.

For organizations that engage in international data transfers, this could mean that they will need to assess the data protection laws in the countries they are transferring data to and possibly enter into data protection agreements or mechanisms (such as Standard Contractual Clauses or Binding Corporate Rules) to ensure compliance.

Notably, Significant Data Fiduciaries must ensure that personal data, as specified by the central government, is processed with the restriction that the personal data and traffic data related to its flow are not transferred outside of India.

Data Protection Impact Assessments (DPIAs)

Significant Data Fiduciaries must:

  • Conduct a Data Protection Impact Assessment (DPIA) and an audit once every 12 months, starting from the date it is notified as such or included in the class of Data Fiduciaries notified as such, to ensure compliance with the provisions of the DPDPA and its rules.
  • Ensure that the person conducting the DPIA and audit submits a report to the Board containing key observations from the assessment and audit.

Parental and Guardian Consent

  • A Data Fiduciary must implement appropriate technical and organizational measures to ensure that verifiable consent from the parent is obtained before processing any personal data of a child.

    It must also exercise due diligence to verify that the individual claiming to be the parent is an adult and can be identified if required by any applicable law in India, using one of the following:

    • Reliable identity and age details available with the Data Fiduciary, or
    • Voluntarily provided identity and age details, or a virtual token linked to these details. This can be issued by an entity authorized by law or the Central or State Government, or by a person designated by such an entity.
  • A Data Fiduciary, when obtaining verifiable consent from an individual claiming to be the lawful guardian of a person with a disability, must exercise due diligence to confirm that the guardian has been appointed by a designated authority, a court of law, or a local-level committee, as per applicable guardianship laws.

Exemptions

There are certain notable exemptions as per the DPDP Rules:

  • Processing of children’s personal data is restricted in certain capacities for some Data Fiduciaries, such as healthcare professionals, educational institutions, and individuals who are entrusted with the care of children or infants in a daycare center or creche.
  • The DPDPA does not apply to the processing of personal data by any State entity notified by the central government, for reasons related to public order, foreign relations, national security, or preventing offenses linked to these issues, and also to the processing of personal data shared with the central government by such an entity.
  • The provisions of the Act do not apply to processing personal data necessary for research, archiving, or statistical purposes, provided it is carried out in accordance with the standards outlined in the Second Schedule of the Rules (such as limiting processing to personal data that is necessary, and reasonable security safeguards to prevent a data breach).

Next Steps for Businesses

To ensure compliance with the DPDP Rules once they are enacted, businesses should take several proactive steps, including:

  • Conducting a comprehensive data audit to identify the types of personal data collected, stored, processed, retained, and securely deleted.
  • Reviewing data collection practices to ensure transparency and obtaining explicit consent.
  • Putting in place robust data security measures and appointing a Data Protection Officer if required.
  • Establishing procedures for handling data principal requests and conducting DPIAs where applicable.
  • Monitoring developments in cross-border data transfer regulations and preparing for potential changes.

DPDP Rules Limitations

While the Draft Rules address many gaps, some issues remain unclear and are left to the discretion of the central government.

Uncertainty or doubt shrouds several points, such as:

  • As per rule 10, Data Fiduciaries must obtain verifiable consent from the parent or guardian of a Data Principal under the age of 18 or a person with a disability. However, to obtain this consent, Data Fiduciaries will need to make technological and process changes. This creates challenges in verifying the age and identity of the person claiming to be the parent and integrating systems with external entities authorized by law or the central government (such as DigiLocker and UIDAI).
  • As per rule 15, the provisions of the Act do not apply to processing personal data necessary for statistical purposes, archiving, or research. However, clear definitions of “statistical purposes”, “archiving” and “research” are not provided in the Rules. For example, it is unclear whether a clinical trial would count as “research”.
  • The draft Rules do not specify a time limit for Consent Managers and Data Fiduciaries to resolve grievances. Without a clear timeframe for grievance redressal, the rights of Data Principals under the DPDPA could be undermined.

Note that the Minister for MeitY, Ashwini Vaishnaw, stated that this approach was deliberate, and designed to prevent overly strict measures given the fast-evolving nature of digital tech.

Conclusion

The draft DPDP Rules are a step toward ensuring greater data privacy and protection in India. For businesses, these rules bring both opportunities and challenges.

By proactively adapting to these regulations, organizations can not only avoid penalties and losses but also build trust with customers and investors, fortifying their reputation as stewards of personal data.

It is critical for businesses to begin preparing for the enactment of these Rules to ensure compliance and safeguard both their operations and the privacy rights of individuals. However, such preparation can be challenging given the numerous technical, legal, and operational requirements.

That’s what Silverse is here for. We are an end-to-end cybersecurity company backed by 20+ years of expertise through our parent organization, Silverskills. Our regulatory compliance experts will help you seamlessly comply with the DPDPA. Contact us now to get started.
