Introduction
- On August 11, 2023, the Digital Personal Data Protection Act, 2023 (“DPDP Act”) was enacted to ensure the privacy and protection of digital personal data processed in India. The DPDP Act regulates data protection while upholding the individual's right to privacy.
- On January 03, 2025, the Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules, 2025 (“Draft DPDP Rules”)(1) for public consultation. Stakeholders can submit their feedback/comments on the Draft DPDP Rules by February 18, 2025.
- The Draft DPDP Rules outline key aspects, including mechanisms for obtaining and managing user consent, ensuring compliance with data protection obligations and operationalizing the Data Protection Board.
- The Draft DPDP Rules aim to promote clarity and accountability, providing a foundation for India’s data protection framework.
Key Terms
- Board means the Data Protection Board of India, to be established by the Central Government.
- Consent Manager means a person registered with the Board who helps a Data Principal give, manage, review and withdraw consent through a user-friendly, transparent and interoperable platform.
- Data Fiduciary means a person who determines the purpose and means of processing of personal data.
- Data Principal means the individual to whom the personal data relates.
- Data Processor means a person who processes personal data on behalf of a Data Fiduciary.
- Data Protection Officer means an individual appointed by a Significant Data Fiduciary.
- Significant Data Fiduciary means any Data Fiduciary or class of Data Fiduciaries notified as such by the Central Government.
Notice By Data Fiduciary (Rule 3)
The DPDP Act stipulates that every request for consent from a Data Principal must be accompanied or preceded by a notice from the Data Fiduciary. The rule requires the Data Fiduciary to issue a transparent notice to the Data Principal. As per Rule 3, the notice given by the Data Fiduciary shall be:
- Understandable independently of any other information;
- In clear and plain language;
- Sufficient for informed consent to the processing, including an itemised description of the personal data concerned and the specified purpose;
- Accompanied by a communication link for accessing the website or app.
Registration As Consent Manager (Rule 4)
The DPDP Act requires that every Consent Manager be registered with the Board. Under this rule, a person who fulfils the conditions given below, as set out in Part A of the First Schedule of the Draft DPDP Rules, may apply to the Board for registration as a Consent Manager:
- Company incorporated in India;
- Possesses sufficient technical, operational and financial capabilities;
- Sound financial condition and general character of management;
- Net worth of 2 crore rupees;
- Demonstrates strong business potential, a solid capital structure and promising earning prospects;
- Directors, KMPs and senior management have a reputation for integrity and fairness;
- MoA and AoA reflect that the company is eligible for compliance;
- Operations proposed to be undertaken are in the interest of Data Principals;
- Independent certification confirming the presence of an interoperable consent management platform and effective technical and organisational measures.
Obligations Of Consent Manager (Rule 4 And Part B Of First Schedule)
- Enable Data Principals to give consent for the processing of their personal data to onboarded Data Fiduciaries, directly or indirectly.
- Ensure that personal data made available or shared through it is not readable by the Consent Manager itself.
- Keep records of consents given, denied or withdrawn, of the notices accompanying consent requests, and of data sharing with transferee Data Fiduciaries.
- Provide Data Principals access to their records, supply the information in machine-readable form on request, and retain records for at least seven years or for such longer period as agreed between the Data Principal and the Consent Manager.
- Maintain a website or app through which Data Principals can access the services provided by the Consent Manager.
- Not sub-contract or assign its obligations.
- Take reasonable safeguards against personal data breaches.
- Act in the best interests of Data Principals.
- Avoid conflicts of interest with Data Fiduciaries.
- Ensure that directors and key personnel have no conflicting financial or professional relationships with Data Fiduciaries.
- Publish on its website/app details of the promoters, directors and key personnel of the company registered as Consent Manager, of shareholders holding over 2% of that company, and of related corporate shareholdings.
- Obtain the Board's approval for transfers of control such as sales or mergers.
Reasonable Security Safeguards (Rule 6)
A Data Fiduciary must implement reasonable security safeguards to prevent personal data breaches, including:
- Encryption, obfuscation or masking of personal data, or the use of virtual tokens mapped to that personal data;
- Appropriate measures to control access to the computer resources;
- Appropriate logs, monitoring and review to enable detection of unauthorised access;
- Reasonable measures for continued processing in the event of confidentiality being compromised;
- Retention of logs and personal data for at least one year, unless otherwise required by law;
- Inclusion of security requirements in contracts with Data Processors;
- Technical and organisational safeguards to ensure compliance.
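The following Python module is an added example, not text or code from the Draft DPDP Rules or any official source, showing how three of the Rule 6 safeguards fit together in practice: virtual tokens mapped to personal data, access control on the path that maps a token back to the data, masking for display, and an access log that is retained for a year and reviewed for denied (unauthorised) access attempts. The class name, role names and sample records are assumptions constructed for the illustration.

```python
"""Toy tokenisation vault illustrating Rule 6 safeguards (added example)."""
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Roles permitted to map a token back to personal data (assumed for the example).
ALLOWED_ROLES = {"support-agent", "dpo"}
# Rule 6: logs are retained for at least one year.
LOG_RETENTION = timedelta(days=365)


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters, e.g. for showing a phone number in a UI."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


class TokenVault:
    """Holds personal data; everything outside the vault sees only random tokens."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._store: Dict[str, str] = {}   # token -> personal data (only place it lives)
        self.log: List[dict] = []           # append-only access log
        self._clock = clock

    def tokenise(self, value: str) -> str:
        """Return a fresh random token mapped to `value`; tokens carry no information about the data."""
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def detokenise(self, token: str, actor: str, role: str) -> Optional[str]:
        """Map a token back to personal data only for permitted roles; every attempt is logged."""
        allowed = role in ALLOWED_ROLES and token in self._store
        self.log.append({"ts": self._clock(), "actor": actor, "role": role,
                         "token": token, "allowed": allowed})
        return self._store[token] if allowed else None

    def review_log(self, now: Optional[datetime] = None) -> Dict[str, int]:
        """Count denied detokenisation attempts per actor within the retention window."""
        now = now or self._clock()
        cutoff = now - LOG_RETENTION
        denied: Dict[str, int] = {}
        for entry in self.log:
            if entry["ts"] >= cutoff and not entry["allowed"]:
                denied[entry["actor"]] = denied.get(entry["actor"], 0) + 1
        return denied


def demo() -> dict:
    """Run the vault over a constructed record and return what each party ends up seeing."""
    vault = TokenVault()
    phone = "9876543210"                       # constructed sample value, not real data
    token = vault.tokenise(phone)
    # An analytics system receives the token and a masked value, never the raw number.
    analytics_record = {"customer": token, "phone_display": mask(phone)}
    # A support agent is permitted to resolve the token; a marketing tool is not.
    seen_by_support = vault.detokenise(token, actor="asha", role="support-agent")
    seen_by_marketing = vault.detokenise(token, actor="mkt-bot", role="marketing")
    return {
        "token": token,
        "analytics_record": analytics_record,
        "seen_by_support": seen_by_support,
        "seen_by_marketing": seen_by_marketing,
        "denied_attempts": vault.review_log(),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the layout is that the mapping from token to personal data exists in exactly one place, every use of that mapping is logged with the actor and role, and the review step turns those logs into something that can actually detect unauthorised access rather than merely store it.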
Intimation Of Personal Data Breach (Rule 7)
In case of a breach of personal data, the Data Fiduciary shall intimate the affected Data Principal, and the intimation shall include:
- A description of the breach;
- The consequences likely to arise from the breach;
- The measures implemented by the Data Fiduciary;
- Contact details of a person at the Data Fiduciary.
In case of a breach, the Data Fiduciary shall also intimate the Board, providing:
- A description of the breach and its impact;
- Detailed information, submitted within 72 hours, which shall include:
  - The facts and circumstances of the breach;
  - Mitigation measures taken or planned;
  - Identification of the person responsible (if known);
  - Steps to prevent recurrence;
  - The intimation sent to affected Data Principals.
Time Period for Specified Purpose (Rule 8)
A Data Fiduciary must erase personal data if the Data Principal does not engage for the specified purpose or exercise their rights within 3 years from the date on which the Data Principal last approached the Data Fiduciary, unless retention is required by law.
At least 48 hours before erasure, the Data Fiduciary must notify the Data Principal, allowing them to log in or contact the Data Fiduciary to continue the specified purpose or exercise their rights.
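The Rule 8 timeline above (erase after 3 years of no engagement, but notify the Data Principal at least 48 hours before erasure and stop the clock if they come back) is simple to state but easy to get wrong in a retention job. The function below is an added example, not code from the Draft DPDP Rules or any official source, that classifies a record into the action the rule calls for on a given day; the function name, the "retain_by_law" status and the sample dates are assumptions constructed for the illustration.

```python
"""Retention scheduler for the Rule 8 timeline (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict

RETENTION_PERIOD_YEARS = 3        # Rule 8: erase if no engagement within 3 years
NOTICE_BEFORE_ERASURE = timedelta(hours=48)   # Rule 8: notify at least 48 hours before erasure


def add_years(moment: datetime, years: int) -> datetime:
    """Calendar-accurate year addition; 29 February rolls back to 28 February in non-leap years."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


def retention_status(last_approach: datetime, now: datetime,
                     retention_required_by_law: bool = False) -> Dict[str, object]:
    """Return the action due for a record at `now`, given when the Data Principal last approached.

    Statuses (assumed names):
      retain         - within the 3-year window, nothing to do
      notify         - inside the final 48 hours, send the pre-erasure notice
      erase          - window elapsed, erase the personal data
      retain_by_law  - a legal retention obligation overrides erasure
    """
    erase_at = add_years(last_approach, RETENTION_PERIOD_YEARS)
    notify_at = erase_at - NOTICE_BEFORE_ERASURE
    if retention_required_by_law:
        status = "retain_by_law"
    elif now >= erase_at:
        status = "erase"
    elif now >= notify_at:
        status = "notify"
    else:
        status = "retain"
    return {"status": status, "notify_at": notify_at, "erase_at": erase_at}


def on_principal_engaged(now: datetime) -> datetime:
    """A login or contact restarts the 3-year window: the new last-approach date is `now`."""
    return now


if __name__ == "__main__":
    # Constructed sample: last contact on the day the Draft Rules were released.
    last = datetime(2025, 1, 3, tzinfo=timezone.utc)
    for probe in (datetime(2027, 6, 1, tzinfo=timezone.utc),
                  datetime(2028, 1, 2, tzinfo=timezone.utc),
                  datetime(2028, 1, 4, tzinfo=timezone.utc)):
        print(probe.date(), retention_status(last, probe)["status"])
```

Two details matter when wiring this into a real job: the schedule must be recomputed from the new last-approach date whenever the Data Principal engages during the notice window, and the legal-retention override has to be checked before any erasure, because Rule 8 is explicitly subject to retention required by law.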
Contact Information Of Person (Rule 9)
A Data Fiduciary shall publish, on its website or app, the business contact information of the Data Protection Officer or of a person able to answer questions on behalf of the Data Fiduciary.
Processing Of Child’s Personal Data (Rule 10)
A Data Fiduciary must take technical and organisational measures to ensure that the verifiable consent of a parent is obtained before processing a child’s personal data. This includes relying on:
- Reliable identity and age details already held by the Data Fiduciary, or
- Voluntarily provided identity and age details, or virtual tokens issued and verified by authorised entities (e.g., Digital Locker).
When obtaining verifiable consent from the lawful guardian of a person with disability, the Data Fiduciary shall verify that such guardian has been appointed by a court of law, a designated authority or a local level committee under the law applicable to guardianship.
