ARTICLE
24 November 2025

Key Highlights Of The Digital Personal Data Protection Rules, 2025

Athena Legal

Contributor

Athena Legal is a full-service Indian law firm. The firm believes in understanding the business of the client and providing relevant legal advice. The key practice areas include corporate and commercial law; dispute resolution including white collar crimes; IP including trade marks, copyrights and enforcement; technology law; employment & labor law; real estate; environment and ESG law; entertainment & sports law amongst others. The firm has a team of over 30 lawyers and a network of lawyers across India to represent its clients.

1. INTRODUCTION

India's Digital Personal Data Protection Act, 2023 ("Act"), enacted in August 2023, has now been operationalized through the Digital Personal Data Protection Rules, 2025 ("Rules"), notified on November 13, 2025. The implementation follows a staggered timeline. The provisions relating to key definitions and the functioning of the Data Protection Board (Rules 1, 2 and 17 to 21) came into effect immediately upon publication in the Official Gazette, i.e., on November 13, 2025. The provisions relating to Consent Manager registration (Rule 4) become operative after one year, i.e., on November 13, 2026. The core compliance and operational requirements for Data Fiduciaries and Data Processors, and those relating to the rights of Data Principals (Rules 3, 5 to 16, and 22 and 23), come into force after eighteen months, i.e., on May 13, 2027.

This phased approach provides Data Fiduciaries adequate time to align their systems and processes with the substantive compliance obligations of the Indian Data Protection regime.

2. NOTICE BY DATA FIDUCIARY TO DATA PRINCIPAL [Section 5 of the Act; Rule 3 of the Rules]

Notices are to be presented in clear, precise, and unambiguous language at the time of collection of data or prior to data collection. The notice must be made available in English or any Eighth Schedule language.

Notices should enable the Data Principal to give specific and informed consent for the processing of their personal data, and a notice shall include: a) an itemised description of data to be collected; b) the specific purposes for which data is being collected; and c) specific description of goods and services to be provided or enabled by such data collection.

The notice must also contain a specific link through which the Data Principal can withdraw consent, exercise rights under the Act and make complaints to the Data Protection Board.

The Data Fiduciary has an obligation to ensure that the consent notice is clear, unambiguous, and itemised for purpose specific consent, and provide clear and specific links to withdraw consent and exercise rights under the Act.

3. CONSENT MANAGER [Section 6 (7) – (9) and 40 (2) (c & d) of the Act; Rule 4 & First Schedule]

A Consent Manager should fulfil the eligibility conditions as specified under Part A of the First Schedule of the Rules, and apply for registration with the Data Protection Board. It must also fulfil the operational obligations as provided under Part B of the First Schedule of the Rules, while operating as a Consent Manager.

Only eligible Indian companies meeting these criteria can become Consent Managers. Entities desirous of operating as Consent Managers, must register with the Data Protection Board within one year of the notification of the Rules.

4. PROCESSING FOR ISSUE OF SUBSIDY, BENEFIT, SERVICE, CERTIFICATE, LICENSE OR PERMIT BY STATE [Section 7(b) of the Act; Rule 5]

Processing of the personal data of the Data Principals by the instrumentalities of the State for providing any subsidy, benefit, or service under law, policy, or by using public funds shall be in accordance with the requirements specified under the Second Schedule of the Rules.

Obligations under the Second Schedule must be followed by the Government or anyone acting on behalf of the Government if data is collected for providing Government services to the public.

5. REASONABLE SECURITY SAFEGUARDS [Section 8(5) of the Act; Rule 6]

Data Fiduciaries must protect and safeguard personal data of the Data Principals in their possession or under their control, for the processing of such data, either themselves or through Data processors, by implementing reasonable security measures. These include encrypting, masking, or tokenizing data; controlling who can access systems; using logs and monitoring to detect unauthorized access; maintaining backups to ensure business continuity; keeping logs and data for at least one year unless a longer period is required by law for the purposes of investigation; incorporating security requirements into all contracts with Data Processors; and adopting the technical and organisational measures necessary to ensure adequate security.

Data Fiduciaries need strong, end-to-end security practices. This means: a) using methods such as pseudonymisation and tokenisation; b) applying strict access controls like Active Directory or RBAC; c) keeping continuous monitoring, logs, and audit trails; d) having business continuity and disaster recovery plans; e) storing logs in a secure, unalterable form for the required period; f) ensuring all vendor contracts clearly define security duties; and g) maintaining frameworks like ISO 27001, an ISMS, and a Data Protection Policy to show consistent compliance.
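The safeguards listed above (pseudonymisation or tokenisation, role-based access control, and logs kept in an unalterable form) can be demonstrated together in a few lines. The following Python is an added example written for this article, not code from Athena Legal or from any regulator: it tokenises an identifier with a keyed HMAC, masks it for display, gates access on a constructed role table, and records every decision in a hash-chained audit log whose `verify()` fails if any earlier entry is edited. The key, the role table and the sample phone number are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example. In a real deployment the tokenization key is
# held in a KMS/HSM and rotated, never hard-coded in source.
TOKEN_KEY = b"example-tokenization-key-not-for-production"

# Constructed role table for the access-control check.
ROLE_PERMISSIONS = {
    "support_agent": {"read_masked"},
    "dpo": {"read_masked", "read_full", "erase"},
}


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) for an identifier such as a phone number.

    Deterministic, so the token can serve as a join key across systems, but
    without the key the raw value cannot be recovered by a dictionary attack."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask(value: str, visible: int = 4) -> str:
    """Mask for display: hide all but the last `visible` characters."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


class AuditLog:
    """Append-only audit trail where each entry commits to the hash of the
    previous entry; altering or deleting an earlier entry breaks verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, role: str, action: str, subject: str, allowed: bool) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "subject": subject,  # the pseudonymous token, never the raw identifier
            "allowed": allowed, "prev": prev,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; False on any tampering."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_record(record: dict, actor: str, role: str, action: str, log: AuditLog) -> dict:
    """Enforce the role table, log the decision (allowed or denied), then serve
    either the masked or the full record."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(actor, role, action, record["token"], allowed)
    if not allowed:
        raise PermissionError(f"{role} may not {action}")
    if action == "read_masked":
        return {"token": record["token"], "phone": mask(record["phone"])}
    return dict(record)


def demo() -> AuditLog:
    """Constructed walk-through: store a tokenised record, serve it to two roles."""
    raw_phone = "9876543210"  # constructed sample value
    record = {"token": tokenize(raw_phone), "phone": raw_phone}
    log = AuditLog()
    access_record(record, "agent-17", "support_agent", "read_masked", log)
    try:
        access_record(record, "agent-17", "support_agent", "read_full", log)
    except PermissionError:
        pass  # the denied attempt is still on the audit trail
    access_record(record, "dpo-1", "dpo", "read_full", log)
    return log


if __name__ == "__main__":
    audit = demo()
    print(len(audit.entries), "entries, chain valid:", audit.verify())
```

The hash chain is the point of the last requirement in the list: a log that can be silently rewritten after an incident is of little use in an investigation, whereas a chained log shipped to a separate store lets the Data Fiduciary show that the one-year record it retained is the record that was written at the time.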

6. INTIMATION OF PERSONAL DATA BREACH [Section 8(6) of the Act; Rule 7]

When a data breach occurs, Data Fiduciaries must:

  1. Notify affected users promptly in clear and precise language, including: a) description of the breach, including nature, timing, and extent of breach; b) impact on the data provided by the data principal in question; c) measures undertaken by the Data Fiduciary to mitigate the impact and to safeguard the interest of the Data Principal; and d) contact information of the person who can answer the Data Principal with respect to the breach.
  2. Notify the Data Protection Board: report the breach immediately and, within 72 hours, submit a detailed report including: breach description, timeline, impact, mitigation steps, who was responsible, and proof of user notifications.

Data Fiduciaries must: a) Set up systems to detect breaches immediately to comply with the Act and the Rules within the prescribed timelines; b) Keep user contact information up to date; c) Have ready-to-use breach notification templates; d) Be able to quickly gather all breach details (what, when, where, how, impact, mitigation); e) Create incident response teams with clear communication workflows; and f) Generate comprehensive reports for both users and the Board within tight deadlines (72 hours). This requires advance planning, trained teams, and systems that can respond quickly when a breach happens.

7. LIMITATION IN RETENTION PERIOD FOR DATA FIDUCIARIES [Section 8 (7 & 8) of the Act; Rule 8 read with the Third Schedule]

As per the Act, a Data Fiduciary shall erase the personal data of Data Principals when the Data Principal withdraws consent, or the purpose for which data was collected is no longer being served, unless a retention period is specified under any law. However, under the Rules, the Data Fiduciaries specified in the Third Schedule shall retain data for three years. For the purposes mentioned in the Seventh Schedule, Data Fiduciaries are required to retain personal data, associated traffic data, and other logs used for processing for a minimum period of one year. As per Rule 6(1)(e), Data Fiduciaries must retain such logs and personal data for one year for any investigation, etc. Further, the Data Fiduciary shall intimate the Data Principal of the erasure of personal data 48 hours prior to the end of the prescribed time for erasure of such data.

Data Fiduciaries mentioned under the Third Schedule must set up clear data retention and deletion systems: a) Implement automatic deletion after three years in cases of entities mentioned in the Third Schedule; b) Create automated reminders to notify users 48 hours before deletion; and c) Set up workflows to handle mass data purges.

All Other Data Fiduciaries shall, for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence, and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise.

Without proper deletion systems and documentation, Data Fiduciaries risk non-compliance.
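The retention, 48-hour intimation and purge workflow described in this section can be reduced to a scheduler that decides, for each record, whether to retain it, send the pre-erasure notice, or erase it. The Python below is an added example written for this article, not code from Athena Legal or from any Data Fiduciary. It assumes a constructed record schema (`id`, `last_activity`, `consent_withdrawn`, `notice_sent`, `legal_hold_until`) and, since the article does not state which date starts the three-year clock, assumes it runs from `last_activity`. It handles two edge cases a naive implementation misses: a record that reaches its erasure date with no notice on file is not erased until a full 48 hours after the notice goes out, and a statutory retention requirement (`legal_hold_until`) overrides the schedule.

```python
from datetime import datetime, timedelta, timezone

# Periods as stated in the article.
THIRD_SCHEDULE_RETENTION_YEARS = 3          # retention for Third Schedule fiduciaries
PRE_ERASURE_NOTICE = timedelta(hours=48)    # intimation to the Data Principal before erasure

# Constructed "current time" used by demo() and the accompanying checks.
DEMO_NOW = datetime(2027, 6, 1, tzinfo=timezone.utc)


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 February falls back to 28 February."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def plan_record(record: dict, now: datetime) -> dict:
    """Decide the next action for one personal-data record at time `now`.

    Record schema is an assumption for this example: id, last_activity (aware
    datetime; the three-year clock is assumed to run from it), consent_withdrawn,
    notice_sent, legal_hold_until (aware datetime or None).
    Returns {"id", "action", "erase_at"} with action in retain / send_notice / erase.
    """
    if record.get("consent_withdrawn"):
        # Consent withdrawn: erase now, no retention clock applies.
        return {"id": record["id"], "action": "erase", "erase_at": now}

    erase_at = add_years(record["last_activity"], THIRD_SCHEDULE_RETENTION_YEARS)
    hold = record.get("legal_hold_until")
    if hold is not None and hold > erase_at:
        erase_at = hold  # a longer retention period required by law overrides

    if now < erase_at - PRE_ERASURE_NOTICE:
        action = "retain"
    elif not record.get("notice_sent"):
        # Inside the 48-hour window (or already past the deadline) with no
        # notice on record: send it, and push erasure out so the Data
        # Principal always receives the full 48-hour intimation period.
        action = "send_notice"
        erase_at = max(erase_at, now + PRE_ERASURE_NOTICE)
    elif now >= erase_at:
        action = "erase"
    else:
        action = "retain"  # notice already sent, waiting for the deadline
    return {"id": record["id"], "action": action, "erase_at": erase_at}


def run_purge_cycle(records: list, now: datetime) -> dict:
    """Group record ids by action, the shape a batch purge job consumes."""
    out = {"retain": [], "send_notice": [], "erase": []}
    for record in records:
        plan = plan_record(record, now)
        out[plan["action"]].append(plan["id"])
    return out


def sample_records() -> list:
    """Constructed sample data covering each branch of plan_record()."""
    utc = timezone.utc
    return [
        {"id": "r1", "last_activity": datetime(2024, 6, 15, tzinfo=utc)},   # well before window
        {"id": "r2", "last_activity": datetime(2024, 6, 2, tzinfo=utc)},    # inside window, no notice
        {"id": "r3", "last_activity": datetime(2024, 5, 1, tzinfo=utc), "notice_sent": True},
        {"id": "r4", "last_activity": datetime(2024, 5, 1, tzinfo=utc)},    # overdue, notice never sent
        {"id": "r5", "last_activity": datetime(2027, 3, 1, tzinfo=utc), "consent_withdrawn": True},
        {"id": "r6", "last_activity": datetime(2024, 5, 1, tzinfo=utc),
         "legal_hold_until": datetime(2028, 1, 1, tzinfo=utc)},            # statutory hold
        {"id": "r7", "last_activity": datetime(2024, 2, 29, tzinfo=utc), "notice_sent": True},
    ]


def demo() -> dict:
    return run_purge_cycle(sample_records(), DEMO_NOW)


if __name__ == "__main__":
    for action, ids in demo().items():
        print(f"{action:12s} {ids}")
```

Run as a scheduled job, the `send_notice` group feeds the reminder system and the `erase` group feeds the purge, with the job's own output kept as evidence that the erasure deadlines and 48-hour intimations were honoured.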

8. CONTACT INFORMATION OF PERSON TO ANSWER QUESTIONS ABOUT PROCESSING [Section 8(9) of the Act; Rule 9]

Every Data Fiduciary must clearly display contact details of their Data Protection Officer (if they have one), or a designated person who handles personal data questions.

Data Fiduciaries must make it easy for users to find whom to contact for information about their personal data by ensuring that the contact details of the concerned person are updated and prominently displayed on the website/app. The said persons should respond promptly to the questions, rights requests, and complaints of the Data Principal.

9. PERSONAL DATA OF CHILDREN AND PERSONS WITH DISABILITY [Section 9 of the Act; Rule 10 and 11]

Before processing a child's personal data, Data Fiduciaries must obtain verifiable consent from the child's parent or guardian and further ensure that the parent or guardian providing consent on behalf of the child is identifiable as the parent and as an adult, where required. Such identification can be done by reference to: a) identity and age information already held by the Data Fiduciary; and b) details voluntarily provided by the parent or guardian, or a verified virtual token from an authorized entity (including a Digital Locker provider).

A Data Fiduciary handling children's data, in addition to seeking verifiable consent from the parent or guardian, must also set up systems to verify parental identity and age before collecting any child's data. It must be able to validate identity information it already holds, authenticate documents provided by parents, or accept token-based verification from authorized sources, and ensure these verification mechanisms work reliably.

10. EXEMPTION FROM CERTAIN OBLIGATIONS OF PROCESSING OF PERSONAL DATA OF CHILDREN [Section 9(4) of the Act and Rule 12 read with Fourth Schedule]

Some Data Fiduciaries listed in the Fourth Schedule are exempt from complying with Section 9(1) of the Act, which deals with obtaining verifiable consent from the parent of the child or lawful guardian, before the processing of children's personal data, and Section 9(3), which relates to the prohibition on tracking, behavioural monitoring, and targeted advertising to children.

Data Fiduciaries other than those exempt must obtain verifiable parental consent before processing children's data and cannot track, monitor behaviour, or show targeted ads to children. The exemptions under the Rules are narrow and purpose-specific, mostly relating to health and education.

11. ADDITIONAL OBLIGATIONS FOR SIGNIFICANT DATA FIDUCIARIES [Section 10 of the Act; Rule 13]

Significant Data Fiduciaries must conduct a Data Protection Impact Assessment and independent audit, every 12 months from being notified as a Significant Data Fiduciary, to ensure effective compliance with the Act, and submit the findings to the Data Protection Board. They must ensure that any algorithms used for processing personal data do not harm the rights of the Data Principals. Additionally, they must not transfer certain personal data, as specified by the committee appointed by the Central Government, outside India. Significant Data Fiduciaries must appoint a Data Protection Officer as soon as they are classified as Significant Data Fiduciaries.

Significant Data Fiduciaries face higher compliance standards than a regular Data Fiduciary. They need to conduct annual assessment and audit processes with external auditors, and appoint a Data Protection Officer to oversee compliance and communication with the Board and Data Principals. They must ensure compliance with any data transfer directives of the Government. This requires more resources, dedicated personnel, and robust data management systems for continuous monitoring and governance compared to ordinary Data Fiduciaries.

12. RIGHTS OF DATA PRINCIPALS [Sections 11 to 14 of the Act; Rule 14]

Data Fiduciaries and Consent Managers (where applicable), must clearly publish on their website or app how Data Principals can exercise their rights, including access, correction, erasure, grievance redressal, and nomination, along with any identifiers required for verification. They must also disclose their grievance-redressal mechanism and timelines to redress the grievances of Data Principals within a reasonable period, not exceeding ninety days. Data Principals may nominate another person to exercise their rights in accordance with the terms of service and applicable law.

Data Fiduciaries and Consent Managers must ensure their websites and apps clearly explain how Data Principals can exercise their rights and what identifiers are needed for verification. They must publish their grievance response timelines and put systems in place to respond within ninety days. They also need processes to recognise and validate authorised nominees acting on behalf of Data Principals in accordance with the terms of service and applicable law. This requires updating digital platforms with clear guidance, implementing technical and organisational measures for timely responses, and creating verification mechanisms for both Data Principals and their nominated representatives.

13. CROSS-BORDER DATA TRANSFER [Section 16 of the Act; Rule 15]

Data Fiduciaries may transfer personal data outside India, unless the Central Government restricts or imposes any conditions on the transfer of data to any jurisdiction outside India or to any person outside India.

Data Fiduciaries may freely transfer personal data outside India unless specifically restricted by the Government, but they must comply with stricter sectoral regulations (if any) and follow prescribed safeguards for secure handling of data and transparency.

14. DATA PROTECTION BOARD OF INDIA [Sections 18 to 30 of the Act; Rules 17 to 22]

The Rules establish the Data Protection Board of India as a fully digital office conducting techno-legal proceedings without physical presence. They prescribe the appointment, tenure, and service conditions of the Chairperson and Members, meeting procedures, quorum requirements, authentication of orders, and the framework for officers and staff. Appeals against Board orders must be filed digitally before the Telecom Disputes Settlement and Appellate Tribunal.

The Data Protection Board will administer the privacy and data protection regime in India, including adjudication of any disputes under the Act. The provisions relating to the formation of the Data Protection Board are already in force. The digital-first approach of the Board enables faster proceedings with less room for delays, requiring continuous compliance readiness.

15. EXEMPTIONS [Section 17 (2) (b) of the Act; Rule 16 read with Second Schedule]

Processing personal data for research, archiving, or statistical purposes is exempted from the provisions of the Act, for any Data Fiduciary, provided it complies with the Second Schedule standards and does not involve making decisions specific to a Data Principal.

Data Fiduciaries conducting research, archiving, or statistical analysis benefit from significantly reduced compliance obligations when the processing does not involve individual-specific decisions and follows the prescribed standards. This exemption supports innovation and data-driven insights, while requiring responsible data handling.

16. GOVERNMENT ACCESS REQUESTS [Section 36 of the Act; Rule 23]

The Central Government may, through authorised persons mentioned in the Seventh Schedule, require Data Fiduciaries or intermediaries to furnish specified information within prescribed timelines for State use, statutory functions, or Significant Data Fiduciary assessments. Where such disclosure could prejudice India's sovereignty, integrity, or security, or where the Government so directs, the Data Fiduciary or intermediary must not inform the affected Data Principal or any other person without prior written permission from the authorised person.

Data Fiduciaries must maintain accurate, accessible records to respond within prescribed timelines when the Government requests information for security, statutory functions, or Significant Data Fiduciary assessments. Data Fiduciaries should be prepared to keep disclosures confidential if directed, particularly for national security or sovereign interests.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
