The Draft Digital Personal Data Protection Rules 2025

Introduction

The Digital Personal Data Protection Rules, 2025 ("Draft Rules") [1] aim to implement the Digital Personal Data Protection Act, 2023 (DPDP Act). Released for public feedback on January 3, 2025, the Draft Rules serve as the framework for enforcing the Act, ensuring data privacy compliance in India. Stakeholders can submit their input until February 18, 2025.

Key Features of the Draft Rules

  • Balanced Regulation: Startups and MSMEs have lower compliance burdens, while Significant Data Fiduciaries (SDFs) face stricter obligations.
  • Sector-Specific Data Protection: Compliance measures are tailored to different industries, ensuring a fair regulatory environment.
  • Inclusive Framework: The rules are based on global best practices and stakeholder input.

Enforcement Mechanism

Enforcement will proceed in phases, with the establishment of the Data Protection Board (DPB) as the first step.

Data Fiduciary Obligations

1. Consent Notices

Data Fiduciaries must provide clear, standalone notices explaining:

  • Categories of personal data collected
  • Purpose of data processing
  • Options for consent revocation

2. Personal Data Breach Notification

A Data Fiduciary must notify the Data Protection Board within 72 hours of a data breach and inform affected Data Principals immediately.

3. Data Retention Limits

Online gaming platforms with over 50 lakh users and social media or e-commerce intermediaries with over 2 crore users must delete personal data within three years of the last account login.

4. Security Safeguards

  • Encryption & Obfuscation: Secure storage of personal data.
  • Access Controls: Restricted access to prevent unauthorized data processing.
  • Audit Logs: Maintaining logs for at least one year.

5. Data Protection Impact Assessments (DPIA)

Significant Data Fiduciaries must conduct Data Protection Impact Assessments to mitigate risks and ensure compliance.

6. Processing of Child & Disabled Persons' Data

Verifiable parental consent is required for processing a child’s personal data. Similar consent rules apply to disabled individuals.

7. Data Localization & Cross-Border Transfers

The rules emphasize data localization, ensuring data sovereignty and controlled cross-border data transfers.

8. Consent Managers

The Act provides for Consent Managers to help Data Principals manage and revoke consent. Eligibility criteria for Consent Managers include financial stability, governance compliance, and maintaining records for seven years.

Conclusion

The Draft Rules lay a strong foundation for data privacy in India. To participate in the public consultation, visit:

Submit Your Feedback Here

Need legal guidance on data privacy and compliance? Lawspicious offers expert legal consultation on cybersecurity laws, data privacy, and compliance frameworks. Contact Lawspicious today!

Ref - [1] https://www.meity.gov.in/

Frequently Asked Questions (FAQs) – DPDP 2025

What is the DPDP 2025 Act?

The Digital Personal Data Protection Act, 2025 governs personal data processing in India, ensuring privacy, consent-based data collection, and compliance for businesses.

What is the DPDP Act summary?

The DPDP Act, 2025 enforces user consent, data security, breach notifications, and cross-border data regulations, protecting digital privacy and defining compliance obligations.

What is the latest update of DPDP Act?

On January 3, 2025, the government released the Draft DPDP Rules for public consultation, with feedback open until February 18, 2025. Phased enforcement is expected soon.

What are the highlights of DPDP Rules?

  • Phased enforcement starting with the Data Protection Board.
  • Strict consent and data security requirements.
  • 72-hour breach notification mandate.
  • Cross-border data transfer regulations.
  • Local data storage for improved data sovereignty.

What is the status of DPDP in India?

The DPDP Act, 2025 has been enacted but is not fully enforced yet. Organizations must prepare for compliance with data security, consent management, and breach response measures.

Advanced Questions for DPDP 2025

What is the implementation of DPDP Act?

The DPDP Act, 2025 is being implemented in phases, starting with the establishment of the Data Protection Board. Organizations must comply with consent-based data processing, security standards, and breach notification requirements.

Who appoints the consent manager?

The Data Fiduciary appoints a Consent Manager to handle user consent requests, ensuring transparency and compliance with the Digital Personal Data Protection Act, 2025.

What are the 7 data principles?

  • Lawfulness: Data processing must be legal and ethical.
  • Purpose Limitation: Data should only be used for specified purposes.
  • Data Minimization: Collect only necessary data.
  • Accuracy: Maintain correct and updated data.
  • Storage Limitation: Retain data only as needed.
  • Integrity & Confidentiality: Secure data from breaches.
  • Accountability: Organizations must ensure compliance.

What are the 5 rules of working with data?

  • Transparency: Clearly inform users about data usage.
  • Security: Implement robust cybersecurity measures.
  • Access Control: Limit data access to authorized personnel.
  • Compliance: Adhere to DPDP Act, 2025 requirements.
  • Responsibility: Organizations must handle data ethically.

What are the 5 rules of data quality?

  • Accuracy: Data should be precise and error-free.
  • Consistency: Data must be uniform across systems.
  • Completeness: Ensure no critical data is missing.
  • Timeliness: Keep data up to date and relevant.
  • Reliability: Data should be trustworthy and verifiable.