EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Empowering individuals
The rules bring clarity to the rights of data principals, empowering individuals to maintain control over their personal data. From withdrawing consent to requesting corrections or erasure, the regulations provide actionable avenues to ensure data accuracy and address grievances. Additionally, fiduciaries are required to notify data breaches promptly and provide detailed reports within 72 hours to the Data Protection Board, fostering trust in the system.
Data protection as a cornerstone
Privacy and data protection form the bedrock of the DPDPA Rules, 2025. Mandated measures include the use of encryption, virtual tokens, and robust access controls to protect personal data. Special provisions for safeguarding children’s data, such as obtaining verifiable parental consent, underscore the emphasis on vulnerable groups. Furthermore, a well-crafted privacy policy plays a vital role in informing individuals about how their data is processed and protected.
Operational guidelines for fiduciaries
Data fiduciaries are tasked with implementing stringent practices, including providing notices with the required information and enabling data principals to exercise their rights with ease. Significant data fiduciaries face additional responsibilities, such as conducting Data Protection Impact Assessments (DPIAs), annual audits, compliance with algorithmic fairness, and cross-border data transfer protocols. These measures ensure a structured approach to data governance and mitigate risks associated with processing sensitive information.