Transforming Data Privacy: DPDP Rules, 2025

India's DPDP Rules, 2025, aim to enhance privacy and data protection, but ambiguities like consent and third-party risks need addressing.

In brief

• Data principles gain the ability to access, correct, and erase their data, along with mechanisms to withdraw consent and handle complaints effectively.
• Data fiduciaries ensure privacy and security through defined retention timelines, compliance audits, and transparent processes, establishing a responsible framework for data management.
• The Rules mandate encryption, breach reporting within 72 hours, and robust identity verification to safeguard sensitive personal details, especially for children and persons with disabilities.

The Digital Personal Data Protection Rules, 2025, introduced under the Digital Personal Data Protection Act (DPDPA), 2023, mark a critical step in India's journey towards establishing a robust framework for data privacy in India. With comprehensive measures to ensure transparency, accountability and data security, the rules aim to balance individual rights with organizational compliance obligations.

Empowering individuals

The rules bring clarity to the rights of data principals, empowering individuals to maintain control over their personal data. From withdrawing consent to requesting corrections or erasure, the regulations provide actionable avenues to ensure data accuracy and address grievances. Additionally, fiduciaries are required to notify data breaches promptly and provide detailed reports within 72 hours to the Data Protection Board, fostering trust in the system.

Data protection as a cornerstone

Privacy and data protection forms the bedrock of the DPDPA Rules, 2025. Mandated measures include the use of encryption, virtual tokens, and robust access controls to protect personal data. Special provisions for safeguarding children's data, such as obtaining verifiable parental consent, underscore the emphasis on vulnerable groups. Furthermore, a well-crafted privacy policy plays a vital role in informing individuals about how their data is processed and protected.

Operational guidelines for fiduciaries

Data fiduciaries are tasked with implementing stringent practices, including providing notices with required information, enabling ease of exercising data principal rights. Significant data fiduciaries face additional responsibilities, such as conducting Data Protection Impact Assessments (DPIAs), annual audits, compliance with algorithmic fairness, and cross-border data transfer protocols. These measures ensure a structured approach to data governance and mitigate risks associated with processing sensitive information.

Addressing ambiguities

Despite its robust framework, certain ambiguities in the rules present challenges for stakeholders:

• Data privacy assessment: Assess the current Data Privacy posture, working practices and documentation against the requirement of DPDP Act and Rules

• Data discovery and mapping: Identify the Personal Data touch points and conduct data discovery and mapping activities

• RoPA and data flow diagram: Document personal data processing activities and its flow across various such as processes, systems, applications and third parties

• Consent and notice management: Prepare consents, cookie banners, cookie policies and privacy notices to be implemented across touchpoints where personal data is collected

• Privacy impact assessment: Identify data privacy concern risks by performing privacy impact assessments for processing activities and define controls to be implemented for mitigation

• Third-party risk management: For third parties processing personal data, ensure organizational and technical security measures are implemented through inclusion within contracts and strong governance practices

• Technical safeguards: Identify and implement the required technical safeguards to ensure protection of personal data from data breaches

• Data protection office setup: Setup a data protection office by identifying the right team accountable and responsible for ensuring compliance within the organization

• Implementation and automation: Implement the controls required to achieve compliance and identify opportunities for automation to bring efficiency in managing compliance

• Monitoring and sustenance: Implement a periodic monitoring program to assess compliance at various intervals to sustain what has been implemented

Start-ups, in particular, face operational challenges due to undefined thresholds for exemptions. Moreover, the retrospective applicability of consent obligations lacks clarity, raising concerns over the validity of prior consents.