DPDP act
DPDP act

Transforming data privacy: DPDP Rules, 2025

India’s DPDP Rules, 2025, aim to enhance privacy and data protection, but ambiguities like consent and third-party risks need addressing.

In brief

  • Data principles gain the ability to access, correct, and erase their data, along with mechanisms to withdraw consent and handle complaints effectively.
  • Data fiduciaries ensure privacy and security through defined retention timelines, compliance audits, and transparent processes, establishing a responsible framework for data management.
  • The Rules mandate encryption, breach reporting within 72 hours, and robust identity verification to safeguard sensitive personal details, especially for children and persons with disabilities.

The Digital Personal Data Protection Rules, 2025, introduced under the Digital Personal Data Protection Act (DPDPA), 2023, mark a critical step in India’s journey towards establishing a robust framework for data privacy in India. With comprehensive measures to ensure transparency, accountability and data security, the rules aim to balance individual rights with organizational compliance obligations.

Welcome to “Gateway to data privacy and protection,” an innovative podcast series that delves deep into the realm of data privacy and protection.

Empowering individuals

 

The rules bring clarity to the rights of data principals, empowering individuals to maintain control over their personal data. From withdrawing consent to requesting corrections or erasure, the regulations provide actionable avenues to ensure data accuracy and address grievances. Additionally, fiduciaries are required to notify data breaches promptly and provide detailed reports within 72 hours to the Data Protection Board, fostering trust in the system.

 

Data protection as a cornerstone

 

Privacy and data protection forms the bedrock of the DPDPA Rules, 2025. Mandated measures include the use of encryption, virtual tokens, and robust access controls to protect personal data. Special provisions for safeguarding children’s data, such as obtaining verifiable parental consent, underscore the emphasis on vulnerable groups. Furthermore, a well-crafted privacy policy plays a vital role in informing individuals about how their data is processed and protected.

 

Operational guidelines for fiduciaries

 

Data fiduciaries are tasked with implementing stringent practices, including providing notices with required information, enabling ease of exercising data principal rights. Significant data fiduciaries face additional responsibilities, such as conducting Data Protection Impact Assessments (DPIAs), annual audits, compliance with algorithmic fairness, and cross-border data transfer protocols. These measures ensure a structured approach to data governance and mitigate risks associated with processing sensitive information.

October is Cybersecurity awareness month special, and this special podcast series is dedicated to helping you stay safe online. Join us as we dive into the world of cybersecurity, providing insights, tips, and expert interviews to help you stay safe in the digital realm.

Addressing ambiguities

 

Despite its robust framework, certain ambiguities in the rules present challenges for stakeholders:

  • Data privacy assessment: Assess the current Data Privacy posture, working practices and documentation against the requirement of DPDP Act and Rules
  • Data discovery and mapping: Identify the Personal Data touch points and conduct data discovery and mapping activities
  • RoPA and data flow diagram: Document personal data processing activities and its flow across various such as processes, systems, applications and third parties
  • Consent and notice management: Prepare consents, cookie banners, cookie policies and privacy notices to be implemented across touchpoints where personal data is collected
  • Privacy impact assessment: Identify data privacy concern risks by performing privacy impact assessments for processing activities and define controls to be implemented for mitigation
  • Third-party risk management: For third parties processing personal data, ensure organizational and technical security measures are implemented through inclusion within contracts and strong governance practices
  • Technical safeguards: Identify and implement the required technical safeguards to ensure protection of personal data from data breaches
  • Data protection office setup: Setup a data protection office by identifying the right team accountable and responsible for ensuring compliance within the organization
  • Implementation and automation: Implement the controls required to achieve compliance and identify opportunities for automation to bring efficiency in managing compliance
  • Monitoring and sustenance: Implement a periodic monitoring program to assess compliance at various intervals to sustain what has been implemented

Start-ups, in particular, face operational challenges due to undefined thresholds for exemptions. Moreover, the retrospective applicability of consent obligations lacks clarity, raising concerns over the validity of prior consents.

Download the full pdf


Related articles

How Technology and Policy can shape strong Real Estate and Infrastructure foundations

India's 2024 real estate saw investment surges in luxury homes and infrastructure, with REITs boosting funds and investor liquidity. Find out more.

21 Jan 2025 EY India

How LT Foods achieved 2x revenue growth with digital supply chain transformation

LT Foods elevates supply chain transformation and doubles revenue with EY's Asterisk platform, enhancing agility and service in the food market.

24 Dec 2024 EY India

An enabler for transformation: EY Global Cloud Implementation study

Discover how EY's Global Cloud Implementation study acts as a catalyst for business transformation and innovation in the digital era. Learn more.

23 Dec 2024 Abhinav Johri

    Summary

    The DPDPA Rules, 2025, signify a monumental step forward in shaping India’s digital future, providing a foundation for secure and transparent data handling practices. However, ambiguities must be addressed to ensure comprehensive compliance and ease of implementation. A collaborative approach among businesses, regulators, and policymakers will be crucial in refining these rules, fostering innovation while safeguarding privacy.


    About this article

    Authors


    You are visiting EY in (en)
    in en