Overview of Draft DPDP Rules

On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection (DPDP) Rules 2025. A 45-day public consultation period is now open, allowing stakeholders to submit feedback—whether objections or suggestions—until February 18, 2025.

This phase is crucial as it enables stakeholders to help refine the rules, making them practical and effective for real-world application. After the consultation, MeitY will review the feedback and finalize the rules, moving closer to fully implementing the Digital Personal Data Protection Act (DPDPA) 2023.

Summary of the DPDP Rules:

Rules: 1 – 10

1. Specify the short title and commencement of the rules, highlighting the rules will come into force upon publication, with specific provisions—namely rules 3, 15, 21, and 22—becoming effective at a later stage. 

2. Defines key terms used in the rules to ensure clarity and consistent interpretation alongside the DPDPA.

3. Requires Data Fiduciaries to provide clear and understandable notices to data principals about the personal data being processed, its purposes, and how individuals can exercise their rights.

4. Sets the registration requirements and obligations for Consent Managers, who handle consent for data processing.

5. Allows the State to process personal data to provide benefits and services, adhering to standards in the Second Schedule.

6. Mandates Data Fiduciaries to implement security measures like encryption and monitoring to prevent data breaches.

7. Outlines the procedures for notifying data principals and the Data Protection Board about personal data breaches, specifying timelines and the required information.

8. Sets timeframes for the erasure of personal data once it is no longer needed, particularly for specific entities like e-commerce and social media platforms.

9. Requires Data Fiduciaries to provide contact details for someone who can address questions about data processing or appoint a Data Protection Officer.

10. Clarifies the requirement for verifiable consent from parents/guardians for processing children’s or persons with disabilities data, with specific measures for validating consent.

Rules: 11 – 22

11. Provides exemptions for certain Data Fiduciaries from parental consent requirements and restrictions on children’s data, under specific conditions.

12. Imposes additional obligations on Significant Data Fiduciaries, including conducting Data Protection Impact Assessments (DPIA), audits, and ensuring algorithmic transparency.

13. Details the rights of data principals, including access to information, data erasure, and the option to nominate others to exercise these rights.

14. Regulates the transfer of personal data outside India, subject to conditions set by the Central Government.

15. Exempts certain data processing activities for research, archiving, or statistical purposes from the Act, provided the standards in the Second Schedule are followed.

Rules 16-20: Cover the Data Protection Board’s structure and functions, including the appointment of the Chairperson and Members, and procedural matters.

21. Provides the process for appealing decisions made by the Board to the Appellate Tribunal.

22. Grants the Central Government the power to request information from Data Fiduciaries or intermediaries for specific purposes.

For more detailed information, refer to the official notification: DPDP Draft Rules 2025

Learn more about Vincular’s service offerings from here: Data Protection and Security Service

For any queries or to understand the rules contact us at +91 80888 05577 or email us at info@vincular.in