India's Digital Data Protection Revolution: What the DPDP Rules 2025 Mean for Businesses

On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) in India unveiled the much-anticipated draft of the Digital Personal Data Protection Rules 2025 (DPDP Rules). This marks a significant step toward operationalizing the Digital Personal Data Protection Act (DPDPA) of 2023, which aims to safeguard the privacy of individuals’ personal data in the digital realm.  

Amit Baghel, Truyo Director of Product Engineering, says, “The final rules will be tabled in the parliament for approval in the monsoon session in July 2025. Organizations will have two years to become compliant with DPDP.” Baghel went on to list what he finds most compelling in the DPDP rules:   

  • To nurture the innovation ecosystem in India, the start-ups will have reduced compliance requirements.  
  • To protect children’s personal data, the data fiduciaries must implement measures to obtain verifiable parental consent. 
  • Data localisation for certain types of personal data is mandatory and a central committee will specify the types of data that cannot be transferred outside the territory of India.  
  • The DPDP rules omit any information on penalties while covering the process and body responsible, perhaps to retain flexibility.  

With these draft rules now open for public consultation until February 18, 2025, businesses, stakeholders, and individuals must pay close attention to how these guidelines will shape the future of data privacy in India. In this blog, we will break down the key elements of the DPDP Rules 2025 and what organizations should do to prepare for full compliance. 

The Draft Digital Personal Data Protection Rules 2025: An Overview 

The DPDP Rules 2025 lay out a comprehensive framework for handling personal data in India, covering everything from consent management to data security measures. These rules are essential for making the DPDPA operational and ensuring robust data protection in India’s rapidly evolving digital economy. 

Here are some of the key provisions under the draft DPDP Rules: 

  1. Data Fiduciary Responsibilities:
    • Rule 3 requires Data Fiduciaries (the organizations that process personal data) to provide clear notices to data principals (the individuals whose data is being processed). These notices must detail the data being processed, the purposes of processing, and the rights data principals have under the DPDPA. 
    • Rule 6 mandates that Data Fiduciaries implement reasonable security safeguards such as encryption, obfuscation, and access controls to prevent data breaches. 
  2. Consent Managers and Parental Consent:
    • Rule 4 introduces Consent Managers, entities responsible for managing and verifying consent for data processing. 
    • Rule 10 provides clear guidance on obtaining verifiable parental consent when processing data of children or persons with disabilities. It outlines how Data Fiduciaries should confirm the identity and age of parents before processing such sensitive data. 
  3. Data Protection Impact Assessments (DPIA):
    • Rule 12 places additional obligations on Significant Data Fiduciaries to conduct DPIAs and annual audits to assess their data protection practices. These organizations must also ensure transparency regarding the algorithms used for data processing. 
  4. Data Breaches and Notifications: 
    • Rule 7 requires all personal data breaches, regardless of the severity, to be reported to affected individuals and the Data Protection Board. The rules emphasize timely notifications and transparency in breach handling. 

Key Provisions Impacting Organizations 

Organizations in India will need to take concrete steps to ensure compliance with the new rules. Some of the most pressing provisions that businesses should be aware of include: 

  • Verifiable Parental Consent: For organizations that deal with children’s data or the data of persons with disabilities, Rule 10 outlines strict measures for obtaining and verifying parental consent. This may require changes to current processes for collecting data from minors, including developing a mechanism for verifying consent through third-party services like Digital Locker. 
  • Data Fiduciary Obligations: Data Fiduciaries must ensure that clear notices are provided to data principals about what data is being collected and how it will be used. Organizations will need to update their privacy policies and user agreements to meet these standards. 
  • Security Measures: Rule 6 emphasizes that organizations must implement security measures such as data encryption and regular monitoring to safeguard personal data. This includes adopting best practices for securing sensitive data both in transit and at rest. 
  • Data Retention and Erasure: Rule 8 provides guidelines on how long personal data can be retained. Organizations must establish processes for deleting personal data once it is no longer needed for its intended purpose. This will require a careful review of data storage and retention practices. 

The Consultation Process: Stakeholder Input 

The release of the DPDP Rules 2025 comes with an open invitation for stakeholders to provide feedback. The consultation period is open until February 18, 2025, and offers organizations, privacy advocates, and other interested parties a chance to shape the final rules. MeitY has indicated that it will carefully review all submissions and may incorporate relevant suggestions into the final version.

According to experts, there are areas where further clarification or adjustments may be needed. For instance, some stakeholders have called for an extension of the consultation period, arguing that the initial 45 days may not provide enough time for thorough analysis. As organizations evaluate the draft rules, they should consider submitting their concerns or suggestions to MeitY to ensure that their voices are heard during the finalization process. 

What Should Organizations Do Now? 

As the draft DPDP Rules 2025 are still in the consultation phase, businesses should take proactive steps to prepare for full compliance once the final rules are published. Here are a few actions organizations can take now: 

  • Conduct Gap Assessments: Review existing data protection practices and identify areas where improvements are needed to align with the draft rules. 
  • Start Infrastructure Development: Begin building the infrastructure needed to comply with the draft rules. This includes developing systems for managing consent, ensuring security measures are in place, and implementing protocols for data erasure. 
  • Update Privacy Policies: Organizations should revise their privacy policies and notices to include the clear and transparent information required under Rule 3. Additionally, ensure that mechanisms are in place to handle data breach notifications as outlined in Rule 7. 
  • Train Staff: It is essential to train employees, especially those handling personal data, on the new requirements. This will help ensure that everyone is aware of the changes and can implement them effectively. 

The release of the draft Digital Personal Data Protection Rules 2025 represents a pivotal moment in India’s journey towards stronger data privacy protections. These rules, along with the Digital Personal Data Protection Act, 2023, will significantly impact how personal data is collected, processed, and protected in India’s digital ecosystem. 

Organizations must stay ahead of the curve by reviewing the draft rules, submitting their feedback during the consultation period, and taking steps to align their practices with the anticipated requirements. With the final rules expected to be enforced in the near future, businesses that prepare now will be better positioned to ensure compliance and protect the privacy of their users. 

By actively engaging in the consultation process and taking steps to adapt to these new regulations, organizations can contribute to shaping the future of digital privacy in India while safeguarding their operations against potential risks. 


Author

Dan Clarke
President, Truyo
January 8, 2025
