The Indian government has released the draft Digital Personal Data Protection Rules, 2025 under the Digital Personal Data Protection Act (DPDPA) of 2023. These rules aim to strengthen privacy safeguards, define responsibilities for organizations handling personal data, and empower individuals with greater control over their information. Let’s break down what these rules mean for businesses and citizens in simple terms.
Key Highlights of the Draft Rules
- Transparency and Consent
  - Clear Notices: Organizations (called Data Fiduciaries) must inform individuals (Data Principals) in plain language about how their data will be used. Notices must detail the type of data collected, the purpose of processing, and how users can withdraw consent.
  - Consent Managers: A new role, Consent Managers, will act as intermediaries to help users manage consent across platforms. For example, if you sign up for a service using a digital locker, the Consent Manager ensures your data is shared securely and only with your permission.
- Data Security Measures
  - Organizations must implement robust security practices like encryption and access controls to prevent data breaches. They must also maintain logs of data access and retain backups for at least one year.
  - In case of a breach, companies must notify affected users within 72 hours and provide details about the incident, risks, and steps taken to resolve it.
- Children’s Data and Vulnerable Groups
  - Processing children’s data requires verifiable parental consent. Platforms must use age-checking tools (e.g., digital lockers or government-issued IDs) to confirm a parent’s identity.
  - Special protections apply to individuals with disabilities, requiring due diligence to confirm guardianship through legal authorities.
- Data Erasure Rights
  - Users can request deletion of their data if it’s no longer needed for the stated purpose. For instance, if you close an e-commerce account, the company must erase your data after a specified period unless required by law.
- Cross-Border Data Transfers
  - Data processed outside India must comply with government-notified safeguards. This ensures that Indian users’ data remains protected even when stored or handled abroad.
Exemptions and Special Cases
- Research and Public Services: Data used for research, archiving, or public welfare (e.g., subsidy distribution) is exempt from certain rules, provided it follows government-specified standards.
- Healthcare and Education: Hospitals, schools, and childcare centers can process children’s data without strict consent requirements if it’s for safety or health purposes.
Role of the Data Protection Board
A Data Protection Board of India (DPBI) will oversee compliance and resolve grievances. Key features include:
- Digital-First Approach: The Board will operate online, reducing the need for physical hearings.
- Appeals Process: Individuals or organizations can appeal the Board’s decisions to an Appellate Tribunal, which also functions digitally.
- Penalties: Non-compliance may lead to fines, though specific amounts are not detailed in the draft.
What Businesses Need to Do
- Appoint Consent Managers: Platforms must integrate with registered Consent Managers to streamline user consent.
- Strengthen Security: Implement encryption, access logs, and breach response plans.
- Update Privacy Policies: Ensure notices are clear, concise, and easily accessible.
- Prepare for Audits: Significant Data Fiduciaries (e.g., large social media or e-commerce platforms) must conduct annual data protection audits.
What Users Gain
- More Control: Easily withdraw consent or request data deletion.
- Transparency: Know exactly how your data is used and who to contact for queries.
- Safety Nets: Mandatory breach notifications and safeguards for vulnerable groups.
Meet Concur—your trusted partner on this journey. It’s not just a tool, but a friend that helps you create a secure and compliant digital future.