Significant Step to Initiate Trust & Security in India's Digital Landscape: Draft DPDP Rules 2025
The Union government on Friday released the draft Digital Personal Data Protection (DPDP) Rules, 2025, and MeitY (the Ministry of Electronics and Information Technology) invited stakeholders to share their feedback by February 18 on the MyGov portal at https://innovateindia.mygov.in/dpdp-rules-2025.
Put simply, the DPDP Act is comprehensive legislation that provides a legal framework for the protection of digital personal data in India. The law regulates how companies and organisations collect, store, process and share personal data, and the draft rules spell out how those obligations are to be met in practice.
The draft DPDP Rules 2025 focus on stronger data security, robust consent management and protocols for data retention. As India moves towards a "digital by design" approach, organisations need to gear up for annual data protection impact assessments and audits, to show that the applicable compliance requirements have been met, and to be ready for complaints against them to be adjudicated digitally.
Key focus points of the DPDP Act and draft rules:
- The Data Protection Board itself will function as a digital office and will be “born digital”, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated without their physical presence being required.
- Under the rules, digital platforms will have to inform and take the consent of people in a language of their choice — either in English or in any of the 22 Indian languages listed in the Constitution.
- The rules also lay down precautionary measures, such as the need for verifiable parental consent before a child (anyone under the age of 18) can create a social media account.
- All digital platforms would also have to tell their users where to find the online links through which they can withdraw consent, obtain information about the processing of their data, update or erase their data, seek grievance redress, nominate another person to exercise their rights, and complain to the Data Protection Board.
- The DPDP Act seeks to strengthen the legal framework for protecting digital personal data by providing necessary details and actionable framework, a statement by the ministry said.
- The quantum of any penalty would depend on the nature, gravity, duration and type of the breach, whether it is repeated, the efforts made to prevent it, and so on. Further, Significant Data Fiduciaries have higher obligations under the Act and rules, while a lower compliance burden is envisaged for startups, so any penalty imposed for a default is intended to be fair and proportionate.
- The Act and the draft rules do not mandate that all personal data has to be stored within India. However, they provide that transfer of personal data outside India may be restricted for certain classes.
- There will also be clear procedures for users (Data Principals) to request access to their data and to ask the companies holding it, known as Data Fiduciaries, to delete it.
- The rules will set timelines for Data Fiduciaries to erase personal data when consent is withdrawn and for resolving user complaints.
- Cross-border transfer is therefore not barred outright, but it is regulated: Data Fiduciaries transferring personal data outside India must comply with any requirements the Central Government specifies for such transfers, including restrictions on transfers to notified countries, so that the data remains protected in the receiving jurisdiction.
Data Processing Framework
Large platforms must follow strict retention guidelines, including:
- Mandatory erasure of personal data once a data principal has neither used the service for its specified purpose nor exercised their rights for three years
- At least 48 hours' notice to the data principal before that erasure; this applies to e-commerce and social media platforms with over 2 crore (20 million) registered users and to online gaming platforms with over 50 lakh (5 million)
- Implementation of robust security standards and monitoring systems
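The retention rule above, together with the erasure-on-withdrawal timeline mentioned earlier, is easy to get wrong in a scheduler: a notice sent before the user's latest activity should not count, and the 48-hour window must elapse before anything is deleted. The following is an added example (not code from the draft rules or from any platform) of a decision routine that works through those cases. The platform classes, the `PrincipalRecord` fields and the sample data are all assumptions made for the illustration; the three-year period is approximated as 3 x 365 days, and a real system would also need to handle the Board extending or shortening timelines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed encoding of the draft rules' user-count thresholds
# (platform class -> registered users above which the three-year rule applies).
USER_THRESHOLDS = {
    "e-commerce": 2 * 10**7,     # over 2 crore (20 million) users
    "social-media": 2 * 10**7,   # over 2 crore (20 million) users
    "online-gaming": 5 * 10**6,  # over 50 lakh (5 million) users
}
DISUSE_PERIOD = timedelta(days=3 * 365)  # three years without use or rights exercise
NOTICE_PERIOD = timedelta(hours=48)      # notice must precede erasure by at least 48 h


@dataclass
class PrincipalRecord:
    principal_id: str
    last_interaction: datetime               # last use of the service or exercise of a right
    consent_withdrawn_at: Optional[datetime] = None
    erasure_notice_sent_at: Optional[datetime] = None


def disuse_rule_applies(platform: str, registered_users: int) -> bool:
    """True when the platform class and size bring it under the three-year rule."""
    threshold = USER_THRESHOLDS.get(platform)
    return threshold is not None and registered_users > threshold


def decide(record: PrincipalRecord, now: datetime, under_disuse_rule: bool) -> str:
    """Return one of 'erase', 'send_notice' or 'retain' for a single record."""
    # Withdrawal of consent triggers erasure regardless of platform size.
    if record.consent_withdrawn_at is not None:
        return "erase"
    if not under_disuse_rule:
        return "retain"
    if now - record.last_interaction < DISUSE_PERIOD:
        return "retain"
    # A notice only counts if it was sent after the principal's last interaction;
    # any activity after a notice restarts the process.
    notice = record.erasure_notice_sent_at
    if notice is None or notice <= record.last_interaction:
        return "send_notice"
    if now - notice >= NOTICE_PERIOD:
        return "erase"
    return "retain"  # notice sent, still inside the 48-hour window


def plan_actions(platform: str, registered_users: int,
                 records: List[PrincipalRecord], now: datetime) -> Dict[str, str]:
    under_rule = disuse_rule_applies(platform, registered_users)
    return {r.principal_id: decide(r, now, under_rule) for r in records}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def sample_records() -> List[PrincipalRecord]:
    """Constructed test data, not taken from any real system."""
    return [
        PrincipalRecord("alice", _ts("2021-01-01T00:00")),                                                 # dormant, no notice yet
        PrincipalRecord("bob", _ts("2021-01-01T00:00"), erasure_notice_sent_at=_ts("2025-01-13T12:00")),   # notice 36 h ago
        PrincipalRecord("carol", _ts("2021-01-01T00:00"), erasure_notice_sent_at=_ts("2025-01-12T00:00")), # notice 72 h ago
        PrincipalRecord("dave", _ts("2024-06-01T00:00")),                                                  # active recently
        PrincipalRecord("erin", _ts("2021-12-01T00:00"), erasure_notice_sent_at=_ts("2021-06-01T00:00")),  # stale notice
        PrincipalRecord("frank", _ts("2025-01-14T00:00"), consent_withdrawn_at=_ts("2025-01-14T00:00")),   # withdrew consent
    ]


SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    plan = plan_actions("social-media", 25_000_000, sample_records(), SAMPLE_NOW)
    for pid, action in plan.items():
        print(f"{pid}: {action}")
```

Running it for a social media platform with 2.5 crore users sends a fresh notice to alice and erin (erin's old notice predates her last visit), waits on bob, erases carol and frank, and leaves dave alone; running the same records against a gaming platform below the 50 lakh threshold retains everyone except frank, whose consent withdrawal applies to every fiduciary.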
Compliance Structure
The framework introduces tiered obligations with heightened requirements for Significant Data Fiduciaries, while maintaining reasonable compliance burdens for startups. A digital-first Data Protection Board will facilitate citizen complaints and digital adjudication.
Implementation Requirements
Data Processing Standards
Organisations must implement appropriate security safeguards, including encryption, masking or tokenization of personal data; access controls for the computer resources used for processing; monitoring and logging to detect unauthorised access; and data backup and business continuity measures so that personal data is not lost.
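Of the safeguards listed above, masking and tokenization are the two most often implemented in application code rather than bought in. The following is an added example (not code from the rules or from any vendor) showing a keyed, reversible tokenization vault alongside display masking. The `TokenVault` class, the `tok_` token format and the sample values are assumptions made for this illustration; in production the key would come from a KMS or HSM and the vault's table would live in a separately access-controlled store, never beside the tokens.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict


class TokenVault:
    """Reversible tokenization for a personal-data field.

    The token is an HMAC-SHA256 of the value under a secret key, so it is
    deterministic (the same e-mail always maps to the same token, which lets
    downstream systems join and de-duplicate on it) but does not reveal the
    value. The token -> value table is held only inside the vault; systems
    that store tokens (analytics, logs, support tooling) never see the value.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("tokenization key must be at least 256 bits")
        self._key = key
        self._store: Dict[str, str] = {}

    def tokenize(self, field_name: str, value: str) -> str:
        # Domain-separate by field so the same string used as a name and as
        # an e-mail address yields different tokens.
        msg = f"{field_name}\x00{value}".encode("utf-8")
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"tok_{field_name}_{mac[:32]}"
        self._store.setdefault(token, value)
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (behind its own access control) can reverse a token."""
        return self._store[token]


def mask_phone(number: str) -> str:
    """Keep only the last four digits; every other digit becomes 'X'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 4:
        raise ValueError("not a phone number")
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_email(address: str) -> str:
    """Show the first character of the local part and the full domain."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # assumption: key loaded from a KMS in production
    email = "priya@example.in"                   # constructed sample value
    token = vault.tokenize("email", email)
    print(token, "->", vault.detokenize(token))
    print(mask_phone("+91 98765 43210"), mask_email(email))
```

The design choice worth noting is that tokens are keyed rather than plain hashes: an unkeyed SHA-256 of an e-mail address or phone number is trivially reversed by hashing a dictionary of candidates, whereas the HMAC cannot be computed without the vault's key.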
Consent Management
This includes giving data principals clear notices in simple language, providing consent withdrawal mechanisms, and keeping detailed records of the purposes of processing and of the data collected.
Impact Assessment
Significant Data Fiduciaries must conduct annual data protection impact assessments and audits, submit the findings to the Data Protection Board, and verify that the algorithmic software they deploy does not pose a risk to the rights of data principals.
Technical Infrastructure
- Upgrade security systems for encryption and monitoring
- Implement disaster recovery mechanisms
- Deploy granular consent management platforms
Process Changes
- Review data collection practices
- Establish retention and deletion protocols
- Create incident response procedures
Documentation Requirements
- Maintain processing records
- Document security measures
- Keep consent records
What has been left out compared with the previous DPDP draft:
Compared with the earlier draft, non-automated personal data, offline personal data and personal data that has existed for at least 100 years are excluded.
The maximum limit of INR 500 crore for penalties has been removed.
At present, there is no provision for review of grievance redressal. The 72-hour timeline within which a data breach is to be reported to the authorities is also not included.
Sources:
Draft DPDP Rules: Parental Consent Mandatory For Children To Create Social Media Accounts Under Proposed Norms
Understanding India's DPDP Draft Rules 2025 | LinkedIn