Digital Personal Data Protection Rules, 2025
India has officially notified the Digital Personal Data Protection Rules, 2025, marking a pivotal advancement in the regulation of personal data processing and protection.
Objectives and Key Provisions
- The rules aim to enforce the Digital Personal Data Protection Act, 2023, establishing guidelines for:
- Data Fiduciaries: Entities responsible for processing data.
- Consent Managers: Facilitators of consent-based data sharing.
- Individual Privacy Rights: Mechanisms to safeguard individual privacy.
- Consent Framework: Emphasizes verifiable consent, particularly for children and persons with disabilities.
- Security Measures: Includes encryption, masking, and access controls to prevent breaches.
- Data Breach Protocol: Data fiduciaries must promptly notify affected individuals and the Data Protection Board (DPB).
- Data Retention and Erasure: Personal data must be erased after specified periods unless legally mandated otherwise.
- Transparency Requirements:
- Publication of data protection officers' contact information.
- Grievance redressal systems.
- Significant Data Fiduciaries: Subject to annual impact assessments and audits.
- Data Transfer Restrictions: Limits on transferring certain personal data outside India to preserve sovereignty and security.
- Exemptions: For research, archiving, and statistical purposes under specified standards.
- Data Protection Board (DPB):
- Details on compensation and service conditions for chairperson and members.
- Empowered to function digitally for streamlined processes.
Implementation and Impact
- The rules enhance individual control over personal data and align India’s framework with global standards.
- Implementation timelines vary, with some provisions effective immediately, while others take 12 to 18 months.
- Implications for technology companies, service providers, and users include:
- Encouragement of responsible data practices.
- Protection of digital identities.
