The Union Ministry of Electronics and Information Technology (MeitY) of India recently released the Draft Digital Personal Data Protection Rules 2025 (Draft Rules) under the Digital Personal Data Protection Act, 2023 (the Act). These draft rules have been made available for public review, inviting comments, objections, and suggestions until 18 February 2025.

With a planned phased timeline for implementation, businesses and organisations are being given time to contribute to the process and, thereby, time to prepare for the Draft Rules’ implementation.

These developments bring opportunities and challenges for data protection and privacy professionals, as India’s regulatory environment aligns more closely with global data protection standards. Here’s a brief look at the Draft Rules and some key takeaways:

Key provisions and implications for organisations:

  • Stronger transparency and consent requirements: Organisations must simplify privacy notices, clearly itemising the data collected and purposes for processing. Consent must be easily revocable, signalling a move toward user-centric data governance.
  • Enhanced security obligations: Robust technical and organisational measures, including data encryption and breach response within 72 hours, become mandatory, demanding proactive security strategies.
  • Accountability for Significant Data Fiduciaries (SDFs): High-volume data processors will face annual data protection audits and algorithmic risk assessments. This raises the bar for compliance infrastructure and risk management systems.
  • Consent managers and cross-border data transfers: Organisations must engage approved Consent Managers and navigate emerging requirements for international data flows, adding layers of operational complexity.

Strategic priorities for privacy leaders:

  • Advance consent management: Develop dynamic tools to track, manage, and revoke user consent, ensuring seamless experiences and compliance.
  • Update contracts with data processors: Align agreements with updated security and data handling obligations.
  • Prepare for data subject rights: Implement systems that empower users to access, correct, and delete their personal data efficiently.
  • Strengthen security practices: Invest in breach detection, incident response, and proactive data protection impact assessments.

The Draft Rules highlight India’s commitment to a robust digital privacy framework that balances innovation with individual rights. Data protection and privacy leaders must act now, integrating privacy-by-design principles into business operations to foster trust and resilience in the evolving data economy. HewardMills’ team of data protection experts is monitoring the consultation process and can support your team in implementing changes as they come into force.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.