In today’s digital era, data is one of the most valuable assets for businesses, governments and individuals. With the exponential rise in data breaches, cyber threats and privacy concerns, data protection has become a critical focus for organizations globally. One of the most important pieces of legislation in India’s history is the Digital Personal Data Protection Act 2023, which has now gained momentum with the notification of the much-awaited Digital Personal Data Protection Rules on 14 November 2025.
In this article, we discuss some of the key provisions of the DPDP Act read with the Rules.
APPLICABILITY: The DPDPA applies if personal data (personally identifiable information) of individuals is either collected in digital form, or collected non-digitally and subsequently digitised.

| Individuals | Applicability |
|---|---|
| Personal data of individuals in India processed in India | Applicable in full |
| Personal data of individuals in India processed outside India | Applicable if the overseas business is offering goods & services in India |
| Personal data processed by individuals for domestic/personal use, or made publicly available by the individual themselves | Not applicable |
KEY PARTIES INVOLVED: Let’s go through some of the key parties involved in the DPDP Act:
A Data Principal is the individual to whom the personal data relates. In case the Data Principal is a child, the Act has expanded the definition of Data Principal to include her parents or lawful guardian and where the Data Principal is a person with a disability then it includes her lawful guardian, acting on her behalf.
A Data Fiduciary is the entity which, alone or in conjunction with others, determines the purpose and the means of processing personal data.
Finally, a Data Processor is any entity which processes personal data on behalf of a Data Fiduciary.
What is a “Significant Data Fiduciary”? The Central Government is likely to notify any data fiduciary, or a class of data fiduciaries, as Significant Data Fiduciaries, considering factors like the volume and sensitivity of personal data processed, the risk to the Data Principal, and the potential impact on the sovereignty and integrity of India.
Data Protection Board: The Central Government shall notify the establishment of a Data Protection Board, which shall act as an independent body for handling data breaches and complaints. It shall have the same powers as are vested in a civil court.
Consent Manager: A “Consent Manager” is an entity that is accountable to Data Principals and acts on their behalf to manage their consent. It will be registered with the Data Protection Board and act as a single point of contact enabling the Data Principal to give, manage, review and withdraw her consent.
REQUIREMENTS OF THE ACT:
- Grounds for data processing
  - The whole basis of privacy legislation is the ground on which you process data. Personal data of individuals can now be processed in two scenarios: (i) on obtaining consent from the individual, or (ii) where the processing falls under the exemptions defined in the Act, for example where personal data is required by the State or for health emergencies, or to comply with any law and order, etc.
- Privacy Notice
  - Every request made to a Data Principal under section 6 of the DPDP Act for consent shall be accompanied by a notice given by the Data Fiduciary to the Data Principal, informing them of the personal data and the purpose for which it is to be processed, how the Data Principal can exercise their rights, and how they can make a complaint to the Board. The recently released Rules emphasize a specific description rather than an itemised list.
  - The notice needs to be clear, in simple language and independent, i.e. it cannot be hidden in or clubbed with the T&C. It also has to describe the mechanism for withdrawing consent and for exercising rights. The notice requirement applies even where consent was given before the Act came into force.
- Processing of personal data of children
  - Before processing any personal data, the organization needs to identify whether the user is a child or a person with a disability. The DPDP Rules finally elaborate on this, stating that Data Fiduciaries must implement measures to ensure that verifiable consent is obtained from the child’s parent.
  - Data collection and sharing should be minimised, and profiling that could allow children to be served targeted content should be switched off by default.
- Data Principal Rights
  - With every consent that individuals are asked for, they have to be given access to their rights, which include the right to ask what personal data has been processed and with whom it has been shared.
  - Further, Data Principals have the right to correct, update or erase their personal data, and to nominate another individual to exercise their rights in case of death or incapacity.
- Consent
  - Consent is where you write to someone and say, “Can I process your personal information, and can I process it for these purposes?” Consent must be freely given, specific, informed and unconditional.
  - There must be an unambiguous indication of consent through a clear affirmative action.
- Obligations of Consent Manager
  - A Consent Manager is meant to be an interoperable platform that facilitates Data Principals in giving consent. It is quite akin to the account aggregator framework, and it is a regulated activity requiring prior authorisation from the Board.
  - Basically, a Consent Manager has to enable Data Principals to give consent for processing data. All records of consent given, denied or withdrawn, the notices served and the data shared must be maintained by the Consent Manager and made accessible to the customers.
  - The DPDP Rules lay down a formal process for Consent Managers to apply to the Board for registration, unlike the draft Rules, which outlined only the eligibility requirements.
- Security safeguards & data retention
  - Organizations handling personal data of individuals need to implement adequate security controls to prevent data breaches, including securing personal data through encryption, masking or virtual tokens, controls for detecting unauthorised access, maintaining backups, appropriate provisions in contracts with third-party Data Processors, and controls to ensure the effectiveness of these safeguards.
  - Data Fiduciaries (and their Data Processors) cannot retain data longer than required for the purpose for which it was collected; however, personal data, traffic data and processing logs needed for specified regulatory purposes are required to be retained for one year from the date of processing.
- Handling personal data breaches
  - In the event of a personal data breach, Data Fiduciaries are required to report to the affected individuals and to the Data Protection Board of India immediately, with certain information, i.e. the nature, timing and location of the breach.
  - Within 72 hours of the breach, organizations have to give a detailed report to the Board, along with the reasons leading to the breach, the measures implemented or proposed to prevent recurrence, and findings on the person or factor that led to the breach.
- Grievance redressal
  - Data Principals also have to be provided with a right to grievance redressal. The DPDP Rules further elaborate that organizations have to set a fixed timeline of ninety days for responding to grievances and display it on their website or applications accessed by Data Principals.
- Significant Data Fiduciary
  - Significant Data Fiduciaries notified by the Central Government will need to meet additional compliances, including appointing a Data Protection Officer and an independent data auditor, and conducting periodic Data Protection Impact Assessments and yearly audits.
- Cross border data transfer
  - Earlier there were two different conditions, depending on whether data was processed within or outside India. The final DPDP Rules consolidate both scenarios into one straightforward rule: any transfer may take place only if the Data Fiduciary meets the requirements specified by the Central Government.
- Penalties
  - Non-compliance with the DPDPA attracts monetary penalties of up to Rs 250 crore. The quantum of the penalty is decided by the nature, gravity and duration of the breach, the type of personal data affected, its impact, and whether the breach is repetitive.
How can organizations act upon the DPDP Act & the DPDP Rules?
Aligning data practices with the DPDP Act’s requirements will be crucial for leveraging AI technologies to develop products that prioritize privacy. It enables organizations to maintain compliance with evolving regulatory standards and to shift from reactive to proactive data governance.
- Visibility mapping (Data Inventory and Mapping): Keep track of the personal data that is collected, processed and stored. This is a detailed exercise to understand the state of personal information in your organization.
- Building privacy policy & programs: A comprehensive privacy program that integrates governance, risk management and compliance across all processing activities positions the organization as a leader in data protection and privacy, and builds customers’ trust by assuring them that their personal data is safe.
- Data principal rights: Giving customers a platform for exercising the rights over their personal data gives them a sense of empowerment and demonstrates accountability.
- Managing contracts: An organization may use the services of a number of third parties for processing personal data; such contracts need to be revisited to ensure that responsibilities for personal data processing are aligned with the Act.
- Ensuring purpose-bound usage: Organizations also need to build processes and controls to ensure that access to personal information is restricted to those who have a business need for it. Further controls need to be established to ensure that personal information is used only for the purpose for which it was collected, and is deleted after giving a 48-hour notice to the individual concerned.
- Data security and training: Data privacy and data security are closely intertwined, and organizations must have robust security controls. To achieve these safety measures, the organization’s senior management as well as its employees need to be made aware, and appropriate training has to be ensured.
- Incident Management: To manage privacy incidents, a formal process needs to be in place for reporting data breaches to the Board as well as to the Data Principal, and for acting to strengthen controls so that the same breaches do not recur.
While organizations have so far preferred to wait for publication of the final Rules, with the DPDP Act now in force with a definitive timeline for implementation, organizations must initiate and expedite their internal assessments, map data flows, complete gap assessments and begin rolling out their compliance roadmap, including updating notices, policies and contracts, revisiting and revamping existing consent mechanisms, and evaluating the sufficiency and adequacy of security controls and incident-response processes, well ahead of the effective date.
How can we help?
- Compliance gap assessment
- Data Protection Impact Assessment
- Privacy notices
- Data privacy programme
- Third-party risk management solutions
- Trainings
- Data breach management
- Expert dispute resolution
- Data privacy audits