Introduction
The Ministry of Electronics and Information Technology (MeitY) has notified the Digital Personal Data Protection (DPDP) Rules, 2025 (DPDPA Rules), which put the Digital Personal Data Protection Act, 2023 (DPDPA), into practice. The DPDPA and Rules establish a comprehensive legal framework governing the processing of digital personal data in India. Together, they set out detailed requirements for consent, privacy notices, children’s data, data principal (data subject) rights, data fiduciary (data controller) obligations, security safeguards, breach notification, and accountability standards.
Provisions related to the establishment of the Data Protection Board (Board) are already in force, while rules governing consent manager registration and operations will apply 12 months after finalisation. All remaining regulatory requirements will follow 18 months after publication. As these phased obligations come into effect, organizations operating in or serving users in India must prepare for structured compliance. This article offers a practical overview of the DPDPA and its Rules, highlighting the key duties, timelines, and compliance steps necessary to align with the new regulatory regime.
Consent Manager
Under the DPDPA and its Rule 4, a consent manager must provide a digital platform that allows data principals to give, manage, review, and withdraw consent for the processing of their personal data.
Platform Responsibilities
The consent manager has the following platform responsibilities:
- Provide a digital platform for giving, managing, reviewing, and withdrawing consent.
- Ensure personal data is never readable by the consent manager.
- Maintain records of consents, notices, and data sharing with transferee data fiduciaries.
- Make records accessible to data principals, including machine-readable formats.
- Retain records for at least 7 years (or longer if required by law or agreement).
- Operate a website or app for all consent manager services.
Operational & Security Duties
The consent manager has the following operational & security duties:
- Do not subcontract or assign obligations under the DPDPA or Rules.
- Implement reasonable security safeguards to prevent data breaches.
- Act in a fiduciary capacity toward data principals at all times.
- Avoid conflicts of interest with data fiduciaries.
- Ensure directors and senior management do not hold conflicting interests.
- Publish promoter, director, key personnel, and shareholder information in an accessible format.
- Conduct regular audits to review controls, registration compliance, and obligations adherence.
- Seek Board approval for any transfer of control (sale, merger, restructuring).
Eligibility for Registration
A company is eligible for registration as a consent manager if it meets the following conditions:
- Be a company incorporated in India with a net worth of ≥ ₹2 crore.
- Demonstrate technical, operational, and financial capacity.
- Maintain sound financial health and ethical management practices.
- Have sufficient business volumes, capital structure, and earnings potential.
- Ensure directors and key personnel have proven integrity.
- Include conflict-of-interest compliance provisions in the company’s governing documents.
- Ensure operations are in the interest of data principals.
- Obtain independent certification confirming compliance with Board standards and safeguards.
The Board may request additional information, conduct inquiries, direct corrective actions, or suspend/cancel registration if obligations are not met.
Verifiable Parental Consent For Processing Children's Data
Under DPDPA Rule 10, before processing the personal data of any child (under 18), organizations must obtain verifiable parental consent. The parent must be verified as an adult (18+) using reliable identity and age information, which can come from:
- Information already held by the organization, or
- Documents or virtual tokens voluntarily provided by the parent, issued by a government-authorized entity or an approved Digital Locker service provider.
Data fiduciaries must maintain records of consent and verification for compliance and audit purposes. If parental consent is unverified or incomplete, the child’s data must not be processed.
Exemptions
Data fiduciaries may process children’s personal data without parental consent in the following circumstances:
| Purpose | Who can Process | Allowed Processing | Condition |
| --- | --- | --- | --- |
| Healthcare | Clinical, mental health, and allied healthcare professionals | Implement treatment plans; provide health services | Only as necessary for the protection of the child’s health |
| Education | Educational institutions | Tracking or behavioural monitoring | Limited to educational activities or child safety |
| Child care | Individuals/institutions caring for children | Tracking or behavioural monitoring | Only to ensure the safety of children entrusted in care |
| Transport | Transport providers engaged by schools/childcare centers | Track the real-time location of children | Limited to ensuring safe travel to/from the institution |
| Legal / Government Functions | Any data fiduciary executing legal powers | Exercise powers, perform functions, and discharge duties | Restricted to what is necessary for the child’s interest under the law |
| Subsidies / Benefits / Services | Any data fiduciary issuing benefits | Provide subsidies, certificates, permits, or services | Restricted to what is necessary to deliver such benefits |
| Email Communication | Any data fiduciary | Create user accounts for email | Limited solely to communication via email |
| Location Tracking | Any data fiduciary | Determine the real-time location of a child | Only for child safety, protection, or security |
| Blocking Harmful Content | Any data fiduciary | Restrict access to harmful content, services, or ads | Limited to ensuring child safety and well-being |
| Age Verification / Compliance | Any data fiduciary | Verify that the data principal is not a child | Restricted to what is necessary to comply with DPDPA Rule 10 |
Verifiable Guardian Consent For People With Disabilities
Before processing the personal data of a person with a disability who has a lawful guardian, organizations must obtain verifiable consent from the guardian.
The data fiduciary must verify that the guardian is legally appointed, either by:
- A court of law,
- A designated authority under the Rights of Persons with Disabilities Act, 2016, or
- A local-level committee under the National Trust Act, 1999.
Privacy Notices
- The notice must be standalone and independently understandable.
- It must be presented in clear, plain language.
- It should be accessible via website, app, or other appropriate channels.
Contents: A privacy notice must include:
- An itemized list of the data being collected.
- Specific purpose(s) for which the data is being processed.
- Explanation of what the data enables (e.g., services provided).
- How a data principal can:
  - Give or withdraw consent (with ease comparable to giving it).
  - Exercise rights under the DPDPA.
  - File complaints with the Board.
- Direct link to the website or app, plus other means to access the above functions.
Rights of Data Principals
Data principals may submit requests to the data fiduciary to whom they previously gave consent, using the published means and required identifiers. Data principals may nominate others to exercise their rights on their behalf, following the data fiduciary’s terms of service.
Data fiduciaries and consent managers must prominently publish on their website or app:
- How a data principal can make requests to exercise their rights.
- Any identifiers (e.g., username, email, mobile number) needed to recognize the data principal.
Every data fiduciary and consent manager must have a grievance redressal system to respond to data principal requests within 90 days, supported by appropriate technical and organizational measures.
The DPDPA Rules require that every organization must publish the business contact details of their Data Protection Officer (DPO) or an authorized representative on their website or app.
Moreover, contact information should also be included in responses to communications related to the exercise of data principal rights under the DPDPA.
Reasonable Security Safeguards
The DPDPA Rules require organizations to implement reasonable security measures to protect personal data under their control, even if processed by a data processor. These safeguards include:
- Data protection: Secure personal data using encryption, obfuscation, masking, or virtual tokens.
- Access control: Implement measures to regulate who can access computer resources handling personal data.
- Monitoring and logging: Maintain logs and monitor access to detect unauthorized activity, investigate incidents, and prevent recurrence.
- Data continuity: Ensure continued processing in case of data loss or compromise through backups and recovery measures.
- Retention of records: Retain logs and personal data for at least one year, unless otherwise required by law.
- Contractual safeguards: Include security obligations in agreements with data processors.
- Organizational measures: Apply technical and organizational controls to ensure ongoing compliance with security standards.
Obligations of Significant Data Fiduciaries
Organizations that are classified as Significant Data Fiduciaries (SDF) due to the type or volume of data they process have additional responsibilities under the DPDPA Rules, including:
- Conduct a Data Protection Impact Assessment (DPIA) and an audit every 12 months to ensure compliance with the DPDPA and its Rules.
- Submit a report of significant observations from the DPIA and audit to the Board.
- Ensure that any technical measures, including algorithmic software used for processing personal data, do not pose risks to the rights of data principals.
- Implement measures to ensure that personal data specified by the central government, along with related traffic data, is not transferred outside India.
- Comply with recommendations from a government committee, including officials from MeitY and possibly other ministries, regarding data processing restrictions and safeguards.
Personal Data Breach
When a personal data breach occurs, organizations must inform both the affected data principals and the Board without delay.
Notification to data principals:
- Must be clear, concise, and in plain language.
- Must be sent via the user account or any registered communication channel.
- Must include:
  - Description of the breach (nature, extent, timing, and location).
  - Likely consequences relevant to the data principal.
  - Measures implemented or being implemented to mitigate risk.
  - Recommended safety measures the data principal can take.
  - Business contact details of a person who can respond to queries.
Notification to the Board:
- Immediate notification: description of the breach, its impact, and timing/location details.
- Within 72 hours (or longer if permitted by the Board):
  - Updated and detailed breach information.
  - Facts, circumstances, and reasons for the breach.
  - Measures implemented or proposed to mitigate risks.
  - Findings on the person(s) responsible for the breach (if known).
  - Remedial actions to prevent recurrence.
  - Report on notifications sent to affected data principals.
Time Period for Data Retention and Erasure
Data fiduciaries must retain personal data only as long as necessary for the specified purpose. The rules for retention and erasure are as follows:
General Rule
- Data must be erased if the specified purpose is no longer being served.
- Retention is allowed only if required by law or if the data principal engages within the retention period to continue the purpose or exercise their rights.
Notice: Data principals must be informed at least 48 hours before erasure.
Minimum Retention for Processing Logs
- All personal data, associated traffic data, and processing logs must be retained for at least one year for investigation, remediation, and continuity purposes, even if the main purpose is completed.
Specific Retention Periods: The following data fiduciaries have specific retention obligations:
| Data Fiduciary | Retention Period | Exemptions |
| --- | --- | --- |
| E-commerce entity (≥2 crore users) | 3 years from the last data principal interaction or DPDP Rules commencement | Access to a user account or virtual tokens for money, goods, or services |
| Online gaming intermediary (≥50 lakh users) | 3 years | Access to a user account or virtual tokens for in-game purposes |
| Social media intermediary (≥2 crore users) | 3 years | Access to a user account or virtual tokens for money, goods, or services |
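The retention and erasure rules in this section (the general purpose-based rule, the 48-hour notice, the one-year floor for logs, and the 3-year window for the listed fiduciary classes) can be turned into a scheduling check. The following is an added example, not code from the article or from Securiti; the class names, the treatment of the last interaction as the last processing activity, and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Classes the table above gives a fixed 3-year window. Whether an entity crosses
# the user thresholds (2 crore / 50 lakh) is decided by the caller.
FIXED_WINDOW_CLASSES = {"ecommerce", "online_gaming", "social_media"}
THREE_YEARS = timedelta(days=3 * 365)
ERASURE_NOTICE = timedelta(hours=48)     # notice to the data principal before erasure
LOG_MIN_RETENTION = timedelta(days=365)  # floor for logs and associated traffic data


@dataclass
class RetentionPlan:
    erase_at: Optional[datetime]         # None: retention still required
    notice_deadline: Optional[datetime]  # last moment to send the 48-hour notice
    keep_logs_until: datetime            # logs/traffic data stay at least this long


def plan_retention(fiduciary_class: str, last_interaction: datetime,
                   rules_commencement: datetime, purpose_served: bool,
                   now: datetime, required_by_law: bool = False,
                   needed_for_account_access: bool = False) -> RetentionPlan:
    """Apply the retention and erasure rules summarised above to one record.

    Assumption: last_interaction is also the last processing activity, so the
    one-year log floor is counted from it.
    """
    keep_logs_until = last_interaction + LOG_MIN_RETENTION
    # Retention continues when a law requires it, or when the data is needed
    # for the account-access / virtual-token exemption listed in the table.
    if required_by_law or needed_for_account_access:
        return RetentionPlan(None, None, keep_logs_until)
    if fiduciary_class in FIXED_WINDOW_CLASSES:
        # Three years from the later of the last interaction and the Rules'
        # commencement; a fresh interaction restarts the window.
        erase_at = max(last_interaction, rules_commencement) + THREE_YEARS
    elif purpose_served:
        return RetentionPlan(None, None, keep_logs_until)  # general rule: keep
    else:
        # General rule: purpose no longer served, erase after the 48-hour notice.
        erase_at = now + ERASURE_NOTICE
    return RetentionPlan(erase_at, erase_at - ERASURE_NOTICE, keep_logs_until)


def erasure_overdue(plan: RetentionPlan, now: datetime) -> bool:
    """True when a scheduled erasure time has already passed."""
    return plan.erase_at is not None and now >= plan.erase_at
```

Run it against each record's last interaction and the actual commencement date once notified; records whose `notice_deadline` has passed without a notice being sent are the ones to escalate.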
Processing of Personal Data Outside India
As per the DPDPA Rules, organizations must ensure that personal data processed within or outside India, in connection with offering goods or services to data principals in India, is not transferred to foreign countries without meeting specific requirements set by the central government.
Moreover, SDFs must ensure that personal and traffic data, as specified by the central government, is processed only within India and not transferred outside the country.
Exemption for Research, Archiving, or Statistical Purposes
Scope
- The DPDPA provisions do not apply to personal data processing carried out solely for research, archiving, or statistical purposes, provided the processing follows the standards provided in the Rules.
Standards for Exempted Processing
- Lawful: Process personal data according to applicable laws.
- Purpose-Limited: Only for research, archiving, or statistical purposes.
- Minimal Data: Use only the personal data necessary.
- Accurate & Consistent: Ensure data is complete, accurate, and consistent.
- Retention: Keep data only as long as required for the purpose or by law.
- Secure: Implement technical and organisational safeguards, including for data processors.
- Transparent: Notify data principals (if under section 7(b)) about:
  - Contact for inquiries
  - Links or methods to access rights via website/app
  - Compliance with government standards
- Accountable: Responsible persons must ensure full compliance with these standards.
Conclusion
Thus, the DPDPA and its Rules usher in a new era of data protection in India. By adopting proactive measures and leveraging solutions like Securiti, businesses can ensure compliance, safeguard data, and build trust while staying ahead of regulatory changes.
Securiti Data Command Center leverages contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform, enabling organizations to comply with India's DPDPA.
Securiti can assist you in complying with India's DPDPA and other privacy and security standards worldwide.
Request a demo to witness Securiti in action.