Navigating India’s Digital Personal Data Protection Act (DPDPA) Rules: A Compliance Guide

Contributors

Salma Khan

Associate Data Privacy Analyst

CIPP/Asia

Syeda Eimaan Gardezi

Associate Data Privacy Analyst at Securiti


Introduction

India’s Digital Personal Data Protection Act (DPDPA), passed in 2023, is a landmark step toward strengthening data privacy and protection in the country. The DPDPA will be adjudicated by the Data Protection Board of India (Board). On January 3, 2025, the Ministry of Electronics and Information released the Digital Personal Data Protection Draft Rules, 2025 (DPDPA Draft Rules), which outline the regulatory framework for compliance under the DPDPA.

These rules cover a wide range of provisions, including data processing, consent management, and breach notifications. Currently, the DPDPA Draft Rules are open to public consultation until February 18, 2025, allowing stakeholders to provide feedback before they are officially enacted. This creates an opportunity for businesses to stay informed and ensure alignment with the forthcoming regulatory requirements.

In this blog, we will explore the key compliance steps organizations must take to align with the DPDPA's provisions in the context of the recently released DPDPA Draft Rules.

1. Privacy Notices

Organizations processing personal data (‘Data Fiduciaries’) must provide clear, standalone notices to individuals whose data is processed (‘Data Principals’). Under the DPDPA Draft Rules, these notices should include:

  • details necessary for the Data Principal to give specific and informed consent. This should include a description of what personal data is being processed along with the purpose for processing, including associated goods or services; and
  • a link to the Data Fiduciary's website or app, along with clear instructions on how the Data Principal can withdraw consent, exercise their rights under the DPDPA, and file complaints.

2. DPO Information

The DPDPA Draft Rules require every organization to publish the business contact details of its Data Protection Officer (DPO) or an authorized representative on its website or app.

These contact details must also be included in responses to communications relating to the exercise of Data Principal rights under the DPDPA.

3. Consent Managers

Under the DPDPA, a Consent Manager must provide a platform that enables Data Principals to give and manage consent for the processing of their personal data. Further obligations of a Consent Manager under the DPDPA Draft Rules include:

  • ensuring that the contents of personal data are not readable by the Consent Manager itself;
  • maintaining records of consents, accompanying notices, and data sharing with transferee organizations on their platform;
  • providing Data Principals access to records in machine-readable form and retaining them for at least seven years or as legally required;
  • developing and maintaining a website or app for Data Principals to access their services;
  • taking reasonable security measures to prevent personal data breaches;
  • acting in a fiduciary capacity with respect to Data Principals;
  • avoiding conflicts of interest with Data Fiduciaries;
  • ensuring that the directors, key personnel, and senior management also have no conflict of interests or financial relationships with Data Fiduciaries;
  • publishing transparent information about the organization's management, shareholders, and other details as required by the Board; and
  • implementing effective audit mechanisms to review and report on the compliance of technical and organizational controls, and obligations.

Entities can apply to the Board to register as a Consent Manager if they:

  • are companies incorporated in India with a net worth of at least ₹2 crore, sound financial management, and ethical leadership;
  • demonstrate the technical, operational, and financial capacity to meet the data protection standards set by the Board; and
  • ensure their operations align with the interests of Data Principals, and implement measures to prevent conflicts of interest and maintain transparency.

4. Processing of Children’s Personal Data

As per the DPDPA Draft Rules, organizations must obtain verifiable parental consent before processing the personal data of children (those under 18 years of age). Verification can rely on reliable identity details already held, voluntarily provided identity information, or virtual tokens issued by authorized entities such as Digital Locker service providers. For persons with disabilities, consent must likewise be obtained from their legal guardian through verified methods.

Certain classes of organizations, including healthcare professionals, educational institutions, and childcare centers, are exempt from the verifiable-consent requirement and from the restrictions on behavioral monitoring of children and targeted advertising directed at children, for purposes that include:

  • exercising legal duties in the interests of a child;
  • providing services, subsidies, or benefits as per applicable law;
  • creating user accounts for communication purposes;
  • preventing access to harmful information; and
  • verifying the age of the Data Principal to ensure compliance with regulations.

5. Reasonable Security Safeguards

The DPDPA Draft Rules require organizations to implement reasonable security measures to protect personal data under their control, even if processed by a Data Processor. These safeguards include:

  • data security measures such as the use of encryption, obfuscation, masking, or virtual tokens to secure personal data;
  • measures to regulate access to computer resources handling personal data;
  • maintaining logs, monitoring, and reviewing access to detect unauthorized activity, investigate incidents, and prevent recurrence;
  • ensuring continued data processing through backups in case of data loss or compromise;
  • retaining logs and personal data for at least one year to detect, investigate, and remediate unauthorized access unless otherwise required by law;
  • including provisions in contracts with Data Processors to ensure compliance with security requirements; and
  • implementing appropriate technical and organizational safeguards to enforce effective data protection measures.

6. Personal Data Breach

On becoming aware of a personal data breach, organizations must inform both the affected Data Principals and the Board.

They must provide an initial notification to the Board without delay, including a description of the breach, its impact, and the details of its occurrence. Within 72 hours of becoming aware of the breach (or a longer period if granted by the Board), they must then submit:

  • updated breach details;
  • facts about events and reasons for the breach;
  • mitigation measures implemented or proposed;
  • findings on the cause of the breach;
  • remedial actions to prevent recurrence; and
  • report on notifications sent to affected Data Principals.

Organizations must also notify the affected Data Principals, without delay, through their user account or other registered communication channel. This notification should include:

  • description of the breach (nature, extent, timing, and location);
  • likely consequences relevant to the Data Principal;
  • measures taken or being implemented to mitigate risks;
  • recommended safety measures the Data Principal can take; and
  • contact details of a representative to address queries.

7. Obligations of Significant Data Fiduciaries

Organizations that are classified as Significant Data Fiduciaries (SDFs) because of the type or volume of data they process have additional responsibilities under the DPDPA Draft Rules, including:

  • conducting a DPIA and an audit every 12 months and submitting the findings of the DPIA and audit to the Board; and
  • verifying that any algorithmic software used for processing personal data does not pose risks to the rights of Data Principals.

8. Processing of Personal Data Outside India

As per the DPDPA Draft Rules, organizations must ensure that personal data processed within or outside India in connection with offering goods or services to Data Principals in India is not transferred to foreign countries without meeting the specific requirements set by the Central Government.

Moreover, SDFs must ensure that personal and traffic data, as specified by the Central Government, is processed only within India and not transferred outside the country.

9. Rights of Data Principals

Organizations must issue unique identifiers to Data Principals (e.g., a customer ID or application reference number) to facilitate identification. In addition, organizations and, where applicable, Consent Managers must publish on their website, their app, or both:

  1. the details of the means by which a Data Principal may make a request to exercise their rights; and
  2. the particulars, if any, such as the username or other identifier of the Data Principal, that may be required to identify them under its terms of service.

They must ensure that their data subject request (DSR) response mechanisms operate effectively, using appropriate technical and organizational measures. A grievance redressal system with a specified response period must also be implemented, and Data Principals must be allowed to nominate individuals to exercise their rights on their behalf.

10. Time Period for Data Retention and Erasure

The DPDPA Draft Rules impose certain obligations with regard to retention and erasure on organizations that are:

  • e-commerce entities (with at least two crore registered users in India);
  • online gaming intermediaries (with at least fifty lakh registered users in India); and
  • social media intermediaries (with at least two crore registered users in India).

The retention period is three years from the last interaction of the Data Principal with the Data Fiduciary or from the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later.

At least 48 hours before the end of the retention period, organizations must notify the Data Principal of the impending erasure, unless the Data Principal indicates that processing should continue for the specified purpose or exercises their rights. If the Data Principal does not engage within the retention period, the personal data must be erased unless its retention is required by law.

Exemptions from the data retention requirement include enabling the Data Principal to access:

  1. their user account; and
  2. any virtual token issued by or on behalf of the organization, stored on its platform and usable for money, goods, or services.

11. Data Processing for State-Issued Benefits or Research Purposes

Organizations processing personal data for state-issued benefits or research purposes must adhere to specific requirements and implement appropriate technical and organizational measures. These requirements include:

  • ensuring lawfulness and purpose limitation;
  • limiting data processing to what is necessary for the purpose;
  • making reasonable efforts to ensure data accuracy;
  • retaining data only as long as necessary for the specified purpose or as required by law;
  • implementing adequate measures to prevent data breaches and protect personal data, including during processing by data processors;
  • informing Data Principals transparently about the processing, with access to the organization’s contact person, communication links, and methods to exercise their rights;
  • processing data consistent with applicable legal and policy standards; and
  • holding individuals or entities determining the purpose and means of processing accountable for ensuring compliance with these standards.

12. Appointment and Functioning of the Board and Appellate Tribunal

As per the DPDPA Draft Rules, the Central Government will appoint the Board's Chairperson and members through a Search-cum-Selection Committee. The Board will function digitally, with meetings chaired by the Chairperson and decisions made by majority votes. Moreover, appeals to the Appellate Tribunal will also be filed digitally, following natural justice principles and digital procedures.

Conclusion

Thus, the DPDPA and its Draft Rules usher in a new era of data protection in India. By adopting proactive measures and leveraging solutions like Securiti, businesses can ensure compliance, safeguard data, and build trust while staying ahead of regulatory changes.

Securiti Data Command Center leverages contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform, enabling organizations to comply with India's DPDPA.

Securiti can assist you in complying with India's DPDPA and other privacy and security standards worldwide.
