Alaya Legal

Enhancing Privacy and Security: Suggestions for the Draft Digital Personal Data Protection Rules, 2025

Home / Articles

Enhancing Privacy and Security: Suggestions for the Draft Digital Personal Data Protection Rules, 2025

Draft Digital Personal Data Protection Rules
Reference Date | Version April 14, 2025 | 1.0
Keywords Personal Data, Data Principal, Data Protection, Data Processing, Data Breach, Data Privacy
Legislation(s)/Policies (i) Data Protection Act, 2023

(ii) Draft Digital Personal Data Protection Rules, 2025
Jurisdiction India

The draft Digital Personal Data Protection Rules, 2025, signifies a crucial advancement in India’s data protection landscape, establishing essential frameworks for safeguarding personal data under the Digital Personal Data Protection Act, 2023.

It is crucial not only to understand the obligations of each player involved in the data handling chain but also to appreciate the often far-reaching consequences of any act of omission or commission by any player within that chain.


Introduction

The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025 (“Draft DPDP Rules”) for public consultation on January 3, 2025.

Key provisions include enhanced notice requirements for Data Fiduciaries, governance mechanisms for Consent Managers, and strengthened security safeguards to mitigate risks of data breaches.

This article examines the Draft DPDP Rules, identifies key areas that necessitate scrutiny and offers constructive suggestions to enhance clarity, enforceability, and alignment with the spirit of the DPDP Act.


Meanings

The meanings as given under the DPDP Act and used in the Draft DPDP Rules are reproduced below for ease.

  1. Personal data: any data about an individual who is identifiable by or in relation to such data.
  2. Data Principal: the individual to whom the personal data relates.
  3. Data Fiduciary: any person who determines the purpose and means of processing personal data.
  4. Data Processor: any person who processes personal data on behalf of a Data Fiduciary.
  5. Consent Manager: a person registered with the Data Protection Board of India.

The Draft DPDP Rules – Observations

1. Notice Requirements for Data Fiduciaries

This rule outlines the obligations of a Data Fiduciary to provide notice to the Data Principal at the time of obtaining consent.

  1. Dual Format Notice: The provision should mandate notice in both digital and non-digital formats.
  2. Enhanced Content Requirements: Data Fiduciaries should provide clear and concise notice details.
  3. Clarifying Data Principal Rights: This rule should specify the rights to access, correct, erase, and withdraw consent.
  4. Addressing Subsequent Digitization: Personal data digitized subsequently should comply with all notice requirements.

2. Consent Managers: Strengthening Governance and Accountability

This rule outlines the process for registration of Consent Managers and their obligations.

  1. Integrity of Leadership: Senior management should possess integrity and a clean record.
  2. Data Processing Location: Processing of records should occur within India.
  3. Enhancing Security Safeguards: Consent Managers should implement comprehensive security measures.
  4. Managing Conflicts of Interest: Systems should exist to avoid conflicts with Data Fiduciaries.

3. Reasonable Security Safeguards

This rule requires Data Fiduciaries to implement reasonable security safeguards.

  1. Comprehensive Data Security Measures: Appropriate data protection mechanisms including encryption and masking should be used.
  2. Enhanced Access Visibility: Real-time monitoring and logging should be implemented.
  3. Contractual Security Obligations: Data Processors must follow security obligations under agreements.
  4. Periodic Security Assessments: Vulnerability assessments and audits should be conducted regularly.

4. Data Retention: Balancing Purpose and Privacy

This rule requires Data Fiduciaries to erase personal data once the purpose is fulfilled.

  1. Publicly Available Retention Period: Retention periods should be defined and publicly disclosed.
  2. Pre-Erasure Notification: Data Principals should receive prior notice before data erasure.

Viewpoint

The Draft DPDP Rules represent a significant milestone in establishing a robust data protection framework in India.

The implications of the DPDP Rules extend to both individuals and businesses, promoting a culture of responsible data handling.

The DPDP Rules are a crucial stride toward a more secure and equitable digital ecosystem in India.


Legal Support in the domain of Data Protection and Privacy Laws

Avatar

Riddhi Rahi (Ms), Mr. Tushar Todi and Rachit Singh (Mr)

Most Recent Posts

Reach out

Category

Tags

Disclaimer

The Bar Council of India Rules do not permit law firms to solicit work or advertise. By clicking the ‘I Agree’ button, the Reader accepts that they are seeking information on their own accord. Alaya Legal shall in no way be responsible for any technical inaccuracies on this website, or for any actions taken or not taken based on the information contained herein or accessed through this website. Readers are advised to seek counsel from a qualified professional while dealing with specific issues.

By continuing to use this site, you consent to the use of cookies on your device as mentioned in this Cookie Policy .

The views appearing under various sections, including ‘Trending’, are solely those of the respective author. The author may be contacted by writing to Alaya Legal at contact@alayanew.instantlywebsite.com .

Nothing contained on this website shall be construed as legal advice. Readers are encouraged to obtain independent legal counsel for advice relating to their specific circumstances.