Draft of India’s
Digital Personal Data Protection
Act 2023
Overview
On January 3, 2025, the Union Ministry of Electronics and Information
Technology (MeitY) unveiled the much-anticipated draft of Digital Personal
Data Protection Rules, or DPDP Rules, 2025, marking a significant milestone
in India’s efforts to safeguard digital privacy. These rules, designed under the
framework of the Digital Personal Data Protection Act, 2023 (DPDP Act),
outline the legal mechanisms for the collection, processing, and storage of
personal data. As India increasingly embraces the digital age, these rules aim
to balance the protection of individual privacy with the promotion of
innovation, setting the stage for robust data governance and greater
accountability in the country’s growing digital ecosystem.
Let’s go through the draft:

Scope and Commencement
The rules are called the Digital Personal Data Protection Rules, 2025.
Rules 3-15, 21, and 22 will come into effect from a specified date (to be determined).
Other rules will come into force upon publication in the Official Gazette.

Notice Requirements
Data Fiduciaries must provide clear, understandable notices to Data Principals that include:
Itemized description of personal data to be processed.
Specified purpose and description of goods/services enabled by processing.
Means to withdraw consent, exercise rights, and complain to the Board.

Consent Manager Registration
Consent Managers must meet conditions in First Schedule Part A to register with the Board.
The Board can suspend/cancel registration if conditions are not met.
Consent Managers have obligations specified in First Schedule Part B.
Security Safeguards
Data Fiduciaries must implement reasonable security measures including:
Encryption, access controls, monitoring, and backups.
Retaining logs and data for 1 year.
Appropriate contractual provisions with Data Processors.

Data Breach Notification
Notify affected Data Principals without delay with breach details, consequences, and mitigation measures.
Notify Board within 72 hours with detailed information on breach, impact, and remedial steps.

Data Retention and Erasure
Erase data after specified periods in Third Schedule if Data Principal is inactive.
Inform Data Principal 48 hours before erasure.

Rights of Data Principals
Data Fiduciaries must publish means for Data Principals to exercise rights.
Enable access to information, erasure, and nomination rights.

Processing by State Entities
State entities can process personal data to provide subsidies, benefits, services etc. under law/policy or using public funds.
Must follow standards in the Second Schedule.
Additional Obligations for Significant Data Fiduciaries
Conduct annual data protection impact assessment and audit.
Verify algorithmic software does not pose risks to Data Principal rights.
Restrictions on cross-border data transfers.

Verifiable Parental Consent
Obtain verifiable parental consent before processing child's data.
Verify identity and age of parent.

The First Schedule of the Digital Personal Data Protection Rules, 2025 outlines critical points regarding Consent Managers.
Here are the key aspects:

Registration Conditions for Consent Managers
Must be a company incorporated in India.
Minimum net worth requirement of 2 crore rupees.
Sufficient technical, operational, and financial capacity.
Sound financial condition and management.
Directors and key personnel must have good reputation and integrity.
Memorandum and Articles of Association must contain provisions for adherence to obligations.
Obligations of Consent Managers
Enable data principals to give, manage, review and withdraw consent.
Maintain records of consents, notices, and data sharing.
Provide data principals access to their records.
Maintain records for at least 7 years.
Develop and maintain a website/app for services.
Implement reasonable security safeguards.
Avoid conflicts of interest with data fiduciaries.
Publish information about promoters, directors, and shareholding.
Conduct regular audits and report to the Board.
Obtain Board approval for transfer of control.

The Second Schedule of the Digital Personal Data Protection Rules, 2025 outlines standards for processing personal data by the State and its instrumentalities under specific sections of the Act. These standards aim to ensure lawful and responsible data processing.
Key points include:
Lawful processing: All data processing must be carried out in a lawful manner.
Purpose limitation: Processing should be done only for specified uses under clause (b) of section 7 or purposes under clause (b) of sub-section (2) of section 17 of the Act.
Data minimization: Only necessary personal data should be processed for the specified uses or purposes.
Accuracy: Reasonable efforts must be made to ensure the accuracy of
personal data.
Retention limitation: Personal data should be retained only as long as required
for the specified uses/purposes or to comply with applicable laws.
Security safeguards: Reasonable measures must be implemented to prevent
data breaches and protect personal data.
Notification requirements: When processing under clause (b) of section 7,
the Data Principal must be informed with:
a) Contact information for queries about data processing
b) Means to access the Data Fiduciary's website or app
c) Information on how to exercise rights under the Act
Compliance with government policies: Processing must be consistent with
standards set by Central Government policies or applicable laws.
Accountability: The entity determining the purpose and means of data
processing is accountable for observing these standards.
These standards aim to balance the State's data processing needs with
individuals' privacy rights, ensuring transparency, security, and accountability
in government data handling.
The Third Schedule of the Digital Personal Data Protection Rules,
2025 specifies the time periods after which certain classes of Data
Fiduciaries must erase personal data if the Data Principal has not
approached them or exercised their rights.
Here's a summary in table format:
Action Plan
Identify if your organization falls into any of these categories based on the
number of registered users.
Implement a system to track user inactivity periods.
Develop an automated process to erase personal data after 3 years of inactivity.
Create a notification system to inform Data Principals at least 48 hours before
data erasure.
Establish exceptions for data retention required for compliance with other laws.
Ensure your data erasure process excludes data necessary for user account
access and virtual tokens issued by your organization.
Update your privacy policy to reflect these data retention and erasure practices.
Train relevant staff on these new data handling procedures.
Regularly audit your systems to ensure compliance with these erasure
requirements.
The Fourth Schedule of the Digital Personal Data Protection Rules,
2025 outlines exemptions from certain obligations applicable to
processing personal data of children. It is divided into two parts:
Part A and Part B.
Part A: Exempted Data Fiduciaries
Part A specifies classes of Data Fiduciaries exempt from sub-sections (1) and (3) of
section 9 of the Act, subject to certain conditions. These likely include:
Clinical establishments and healthcare professionals
Educational institutions
Creches and childcare centers
Transportation providers for children
Part B: Exempted Purposes
Part B specifies purposes for which processing of children's personal data is exempt
from sub-sections (1) and (3) of section 9 of the Act, subject to certain conditions.
These likely include:
Compliance with law
Provision of subsidies, benefits, or services
Email communication
Protecting children from harmful information
Age verification
Action Plan
Identify if your organization falls under any of the exempted categories in Part A
  Review your organization's activities and services
  Consult legal experts to confirm your exemption status
Review and update your data processing policies
  Clearly define procedures for handling children's data
  Ensure compliance with other relevant sections of the Act
Assess if any of your data processing activities align with exempted purposes in Part B
  Analyze your data processing purposes
  Document how they relate to the exempted purposes
Implement age verification mechanisms
  Develop robust systems to verify the age of users
  Consider using digital locker services for age verification
Establish parental consent procedures
  Create user-friendly interfaces for parents to provide consent
  Implement secure methods to verify parental identity
Train staff on exemptions and obligations
  Conduct regular training sessions on handling children's data
  Ensure staff understand the scope and limitations of exemptions
Implement data minimization practices
  Review data collection processes to ensure only necessary data is collected
  Regularly audit and purge unnecessary data
Enhance data security measures
  Implement strong encryption for children's data
  Restrict access to children's data on a need-to-know basis
Develop clear communication channels
  Create child-friendly privacy notices
  Establish procedures for responding to data access requests from children or parents
Conduct regular compliance audits
  Schedule periodic reviews of your data processing activities
  Ensure ongoing compliance with the Act and any changes in regulations
Establish a process for handling complaints and inquiries
  Set up a dedicated channel for addressing concerns related to children's data
  Ensure timely and appropriate responses to all inquiries
The Fifth Schedule of the Digital Personal Data Protection Rules,
2025 specifies the salary, allowances, and other terms and
conditions of service for the Chairperson and other Members of
the Board.
"The Chairperson and every other Member shall receive such salary and
allowances and shall have such other terms and conditions of service as
are specified in Fifth Schedule."
These provisions ensure transparency in the compensation and service
conditions for Board members, promoting their independence and
effectiveness in carrying out their duties under the Digital Personal Data
Protection Act.
Key points likely covered in the Fifth Schedule:
Salary structure for the Chairperson and Members
Allowances provided to the Chairperson and Members
Leave entitlements
Pension and retirement benefits
Travel allowances and accommodations
Medical benefits and insurance
Terms of appointment and tenure
Conditions for removal from office
Restrictions on post-retirement employment
Any other relevant terms of service
Contact us
www.infosectrain.com
sales@infosectrain.com
Kicking off data Privacy Week with Key Insights on New DPDP Rules!
