Brief Overview:
Draft of Digital Personal Data Protection Rules, 2025 (Draft Rules) have been released to provide for necessary details and implementation framework of the Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP Act received the assent of the Hon’ble President on 11th August 2023.
Feedback/comments from stakeholders on the Draft Rules are sought for by 18th February 2025.
Technical details:
The Draft Rules inter alia covers the following:
1) Requirements to be fulfilled under a notice sent by Data Fiduciary to Data Principal.
2) Registration requirements and obligations of a Consent Manager.
3) Pursuant to specific standards the State and its instrumentalities may process the personal data of Data Principals to provide or issue subsidies, benefits, services, certificates, licenses, or permits, as defined under law or policy or using public funds.
4) Data Fiduciary to implement reasonable security measures to protect personal data.
5) Data Fiduciary to promptly notify all affected Data Principals on becoming aware of a personal data breach.
6) Time period for specified purpose to be deemed as no longer being served.
7) Data Fiduciary to ensure display of contact information for addressing data processing queries.
8) Data Fiduciaries processing data within India or in connection with offering goods or services to Data Principals from outside India must comply with any requirements of the Central Government.
JC takeaway:
The Draft Rules are going to impose additional compliances on businesses regarding consent management, security protocols and systems to check the data usage such as data protection impact assessments and software verifications. It will be interesting to see the final form of the Rules.
For further details, please see:
For any queries/clarifications, please feel free to ping us and we will be happy to chat: