(Vikram Jeet Singh & Rhea Sethi)
After a year and a half of anticipation, the much-awaited draft of the Digital Personal Data Protection Rules, 2025 (“Rules”) has finally been released for public comments. With the publication of these Rules, the clock has started to tick for businesses to ensure that they are on track with their compliance obligations before the Digital Personal Data Protection Act, 2023 (“DPDPA”) is notified.
This prompts an important question: Are Indian companies prepared for the implementation of the DPDPA?
Here are a few key questions Indian businesses should consider to determine if they are ‘DPDPA-ready’.
Do you collect or receive ‘Personal Data’ in digital form?
‘Personal data’ means any data about an individual who can be identified by or in relation to such data. The DPDPA regulates personal data collected or maintained in digital form, not in physical form. Given the wide wording of the law, all Indian companies will be seen as collecting some form of personal data; the most ubiquitous being the data of their employees! As such, in our view all types of businesses will need to abide by the new data law.
Are You Asking for Consent?
Consent is the cornerstone of the DPDPA, allowing businesses to process personal data either with free, explicit, informed, and unambiguous consent or for a legitimate purpose (this is a departure from laws such as the GDPR, which rely on ‘legitimate purpose’ collection as much as on consent opt-in). Requests for consent should be clear, concise, transparent, and easy to understand, and should explain how data will be used, along with how individuals can exercise their rights, such as withdrawing consent or filing complaints.
Are You Safeguarding Personal Data?
When it comes to dealing with personal data, security is not just important—it is essential. Businesses must secure data with encryption, strict access controls, and monitoring protocols to prevent unauthorized access (the newly released draft Rules offer some guidance on this). Backups are key to keeping data safe and ensuring continuity even if things go wrong. Finally, logs should be kept for at least a year. Contracts with data processors must include security provisions, while ongoing compliance relies on technical and organizational measures that keep everything secure.
Are Data Principals Being Made Aware of Their Rights?
Data principals are granted a range of rights to ensure control over, and transparency about, their personal data. They have the right to request a summary of their personal data being processed and information on whom it is shared with, and the right to request corrections, updates, or erasure of their personal data. A data principal can also raise grievances related to data processing and must be provided a means of redressal, with the obligation to first address grievances with the data fiduciary before escalating to the Data Protection Board of India (“Board”).
Are You Purging the Data When No Longer Needed?
All personal data collected must be deleted once its purpose is met, or if the data principal withdraws their consent. The draft Rules specify timelines for deletion based on the class of data fiduciary; for example, an e-commerce entity with 2 crore (or more) registered users must delete personal data within three years of the data principal’s last interaction. This clarity helps ensure that businesses do not retain data longer than necessary, maintaining a more efficient and privacy-centric outlook.
Are You Entering into Data Transfer Agreements?
All data processors engaged by a data fiduciary must be bound by a valid contract. While the DPDPA and the Rules currently impose no restrictions on cross-border transfers, the DPDPA grants the Central Government the authority to impose such restrictions through a notification. The Rules further specify that transfers may only occur if certain requirements are met. Indian businesses should start considering data transfer agreements—whether for transfers within India or abroad—that include clauses ensuring strong security measures and accountability of third parties or data processors.
Are You Safeguarding Personal Data of Children and Persons with Disability?
Before processing the data of children (anyone under 18 years of age) or persons with disabilities, businesses must obtain ‘verifiable consent’ from a parent or lawful guardian. The draft Rules require businesses to implement technical and operational measures to ensure such consent is genuine, and to conduct due diligence to verify the parent or lawful guardian’s identity. In addition, certain entities such as clinical establishments, mental health centers, educational institutions, and crèches may be exempt from this requirement when processing such data for certain specified purposes.
How Are You Managing Personal Data Breaches?
While preventing personal data breaches is crucial, businesses must be prepared to act quickly if one occurs. In the event of a breach, businesses will be required to promptly notify both the Board and the affected data principal. The notice to the data principal should be clear and concise, outlining the breach, its impact, the mitigation steps taken, recommended actions for the data principal, and business contact details. The initial notification to the Board should include the breach’s nature, extent, timing, and location. Within 72 hours, a detailed report must be submitted to the Board, covering the facts of the breach and the remedial actions taken.
What Businesses Should Do Next
It is now crunch time for Indian businesses to make a start on data privacy compliance. From securing data and obtaining clear consent to managing data breaches and protecting vulnerable groups, the DPDPA prioritizes and enforces individuals’ data privacy rights. Indian companies that are well prepared not only minimize the risk of legal fines and enforcement, but also foster greater trust with their customers and stakeholders.
To stay ahead, Indian businesses should start conducting gap analyses and data audits to assess their current readiness and address any gaps before the Rules are enforced. You can find more details about these steps on our bespoke data privacy microsite.