Advertising
Layoffs in Adland: Omnicom's acquisition of IPG nears finish line. But at what human cost?
Decoding India’s DPDP Rules: Final Rollout Nears, Businesses Face New Compliance Demands
New framework outlines consent, security, and data retention norms as final rules go live by September 30.
Experts say law is not just regulatory but a strategic lever for trust, innovation, and long-term growth.
India is on the cusp of a new data protection era, with the government preparing to notify the final rules of the Digital Personal Data Protection (DPDP) Act, 2023 by September 30. The legislation, first passed in 2023, seeks to balance individual privacy rights with the needs of a fast-growing digital economy, offering operational clarity through draft rules issued earlier this year.
The Ministry of Electronics and Information Technology (MeitY) recently confirmed that the rules have been finalized after extensive consultations with industry, civil society, and media stakeholders. Implementation will be phased, said IT Secretary S. Krishnan, with the Data Protection Board playing a central role in oversight.
Background
India's digital economy is undergoing a transformative shift, driven by the increasing volume of digital data and a heightened awareness of individual privacy rights. The landmark Supreme Court ruling in 2017, which recognized privacy as a fundamental right, set the stage for a new era of data protection. This culminated in the Digital Personal Data Protection Act (DPDPA) of 2023, followed by the draft Digital Personal Data Protection Rules issued in January 2025, offering crucial operational guidance. India is now gearing up for the final rules of the Digital Personal Data Protection (DPDP) Act, 2023 by September 30.
The Act sets rules for the collection and processing of digital personal data, aiming to balance individual privacy rights with the need for lawful data use. The law is intended to foster a more secure and accountable digital environment, and the government has emphasized that awareness and capacity-building will be key to its rollout.
Beyond mere compliance, data privacy has emerged as a strategic cornerstone for global businesses. It's about building and maintaining trust, safeguarding reputation, and fostering innovation in an increasingly data-driven world, particularly with the rapid adoption of technologies like Artificial Intelligence (AI).
The DPDPA, much like its global counterparts, carries significant weight, with non-compliance potentially leading to substantial fines, running up to ₹200 crore.
Unpacking the DPDP Draft Rules: Key Areas of Focus
The rules are designed to strengthen India's data protection framework. While their effectiveness hinges on the swift establishment and operation of the Data Protection Board, they offer clarity in several critical areas:
Personal Data Breach Notification: The draft rules provide detailed guidelines for informing authorities and data principals about breaches, including specific timelines and required information. A layered approach is emphasized, with immediate notification followed by a comprehensive report within 72 hours.
Consent Management: A core tenet of the draft rules is active consent management. This includes detailed provisions on language for privacy notices, content requirements, and communication channels. Mechanisms for consent withdrawal and the establishment of a consent management entity are also highlighted. Special attention is given to obtaining consent for children and individuals with disabilities.
Security Safeguards: Organizations are mandated to implement robust data security and protection measures. This extends beyond internal operations to encompass third-party vendors and supply chains, underscoring the interconnected nature of data security.
Empowering the Data Principal: The rules are designed to empower individuals by establishing clear mechanisms for grievance redressal, data updates, data removal, and the appointment of nominees.
Data Retention: The draft rules specify data retention periods based on the nature of services and intermediaries, along with provisions for exception management.
In a nutshell, the Act lays down a robust framework to protect individuals' data rights, requiring data fiduciaries - entities that possess personal data - to implement reasonable security safeguards. And to operationalize the law, the government is soon to release the Draft Digital Personal Data Protection Rules, 2025. The draft of the same (published in January 2025), has attracted 6,915 responses from stakeholders and citizens, reflecting strong public engagement.
As part of its broader mission to create a safe, trusted, and accountable cyberspace, the government is also focusing heavily on capacity building and public awareness. Initiatives under this strategy include: cyber security awareness month and safer internet day campaigns to educate users on safe digital practices; CyberShakti (building a skilled women workforce in the cybersecurity domain); the Information Security Education and Awareness (ISEA) programme; and awareness resources are available in multiple languages through platforms like www.staysafeonline.in, www.infosecawareness.in, and www.csk.gov.in, with materials covering deepfakes, secure transactions, and cyber hygiene.
SPOTLIGHT
According to LinkedIn’s research with over 1,700 B2B tech buyers, video storytelling has emerged as the most trusted, engaging, and effective format for B2B marketers. But what’s driving this shift towards video in B2B? (Image Source: Unsplash)
Read MoreExplained: Standing Committee’s draft report on India’s fight against Fake News
India’s parliamentary panel warns fake news threatens democracy, markets and media credibility, urging stronger regulation, fact-checking, AI oversight and global cooperation.