Draft Rules Under DPDPA 2025: Key Steps Towards Compliance for Data Fiduciaries
On January 3, 2025, India's Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025, providing crucial guidance on how the Digital Personal Data Protection Act, 2023 (DPDPA) will operate in practice. Open for public comment until February 18, 2025, the draft Rules mark a significant milestone in India's journey toward implementing its first comprehensive data protection framework.
This blog post focuses on the draft Rules and their implications for Data Fiduciaries, outlining the key compliance measures they require. It does not cover every implementation requirement under the DPDPA but serves as a targeted guide to the draft Rules.
1. Notices: Ensuring Transparency and Informed Consent
Notices must be standalone, written in clear and plain language, and understandable without reference to other information. They should:
- Detail the specific personal data being processed.
- Clearly state the purpose of the processing and describe the related goods or services.
- Include a link to the Data Fiduciary's website or app for further information.
- Inform Data Principals about how to withdraw consent, exercise their rights, and file complaints with the Board.
How can we help through the TurtleShield DSAR module?
- We provide user-friendly methods for obtaining and withdrawing consent, together with the required communication links, making the process as simple and seamless as possible for the Data Principal.
- We offer customisable templates that help you create compliant notices and consent mechanisms tailored to your specific needs and regulatory environment.
- We continuously update our offerings as regulatory requirements change, so that your notices and consent mechanisms stay current with new legal requirements.
2. Data Principal Rights and Grievance Redressal
Data Fiduciaries must:
- Provide an easily accessible communication channel (e.g., a form) on their website or app for Data Principals to withdraw consent or exercise their rights.
- Specify and publish the response time for handling Data Principal requests and grievances.
- Set up a grievance redressal system with a clear process for submitting complaints, ensuring the response timeframe is prominently displayed on their website or app.
How can we help through TurtleShield Suite?
- We offer customisable templates that help you create compliant notices and policies tailored to your specific needs and regulatory environment.
- We continuously update our offerings as regulatory requirements change, so that your policies stay current with new legal requirements.
3. Data Fiduciary and Processor Relationship: Collaborative duty
The draft Rules make it clear that Data Fiduciaries remain accountable for protecting personal data even when it is processed by Data Processors on their behalf, including for ensuring that appropriate security measures are in place.
Contracts between Data Fiduciaries and Data Processors must therefore clearly set out data protection responsibilities, with specific provisions requiring the Processor to maintain reasonable security safeguards.
4. Implement Effective Security Through Multiple Layers of Protection
The draft Rules require every Data Fiduciary to maintain reasonable security safeguards covering, at a minimum:
- Securing personal data: Using methods such as encryption, obfuscation, masking, or virtual tokens mapped to the data, so that a copy of the data is useless without the key or the token mapping.
- Access control: Appropriate measures to restrict access to the computer resources that process personal data.
- Monitoring and visibility: Continuous monitoring of systems that handle personal data, with logs maintained and reviewed so that unauthorised access can be detected, investigated, and remediated. The draft Rules expect logs (and the related personal data) to be retained for at least one year for this purpose unless the law requires otherwise.
- Continuity and backups: Measures, such as backups, that allow processing to continue if the confidentiality, integrity, or availability of personal data is compromised.
- Threat/attack response: A documented plan for responding to security threats and personal data breaches.
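The safeguards listed above are stated as outcomes, not techniques, so it helps to see how three of them fit together in code. The following Python block is an added illustration written for this post; it is not code from the draft Rules, from TurtleShield, or from Ardent Privacy. It replaces personal data with random tokens held in a vault (the "virtual tokens mapped to the data" option), derives masked values for display, allows plaintext to be recovered only by an authorised role, and writes every token operation to a hash-chained log so that tampering with the log is detectable. The role names, the list of PII fields, and the in-memory store are assumptions; a production vault would encrypt its store at rest and keep the HMAC key in a KMS or HSM.

```python
"""Added illustration (not from the draft Rules or TurtleShield): tokenization
and masking of personal data, role-based release of plaintext, and a
hash-chained access log. Role names, PII fields, and the in-memory store are
assumptions; a real vault would encrypt its store and keep the HMAC key in a KMS."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Assumed role model: only the fraud role may recover plaintext from a token.
ROLE_PERMISSIONS = {
    "ingest_service": {"tokenize"},
    "support_agent": {"mask"},
    "fraud_analyst": {"mask", "detokenize"},
}
PII_FIELDS = ("email", "phone")  # assumed field names for the sample record


@dataclass(frozen=True)
class Actor:
    user_id: str
    role: str


def mask(value: str, keep_last: int = 4) -> str:
    """Masked view for display: hide everything but the trailing characters."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


class TokenVault:
    """Swaps personal data for random tokens and logs every token operation."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # keyed HMAC so equal values map to one token
        self._entry_by_token: dict[str, tuple[str, str]] = {}
        self._token_by_index: dict[str, str] = {}
        self.log: list[dict] = []
        self._prev_hash = "0" * 64

    @staticmethod
    def _allowed(action: str, actor: Actor) -> bool:
        return action in ROLE_PERMISSIONS.get(actor.role, set())

    def _append_log(self, action: str, field: str, token: str, actor: Actor, allowed: bool) -> None:
        # Each entry commits to the previous entry's hash, so edits or deletions are detectable.
        entry = {"seq": len(self.log), "action": action, "field": field, "token": token,
                 "actor": actor.user_id, "role": actor.role, "allowed": allowed,
                 "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.log.append(entry)

    def tokenize(self, field: str, value: str, actor: Actor) -> str:
        if not self._allowed("tokenize", actor):
            self._append_log("tokenize", field, "", actor, False)
            raise PermissionError(f"{actor.user_id} ({actor.role}) may not tokenize {field}")
        index = hmac.new(self._index_key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
        token = self._token_by_index.get(index)
        if token is None:
            token = f"tok_{field}_{secrets.token_hex(12)}"  # random: reveals nothing about the value
            self._token_by_index[index] = token
            self._entry_by_token[token] = (field, value)
        self._append_log("tokenize", field, token, actor, True)
        return token

    def detokenize(self, token: str, actor: Actor) -> str:
        field, value = self._entry_by_token.get(token, ("?", ""))
        allowed = self._allowed("detokenize", actor)
        self._append_log("detokenize", field, token, actor, allowed)  # denials are logged too
        if not allowed:
            raise PermissionError(f"{actor.user_id} ({actor.role}) may not detokenize {field}")
        if field == "?":
            raise KeyError(token)
        return value

    def verify_log(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed, or reordered."""
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def protect_record(record: dict, vault: TokenVault, actor: Actor) -> dict:
    """Copy of the record with PII replaced by tokens plus masked values for display."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, record[field], actor)
            out[field + "_masked"] = mask(record[field])
    return out


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    svc = Actor("ingest-svc", "ingest_service")
    # Constructed sample record
    rec = protect_record({"order": 1001, "email": "asha@example.in", "phone": "+919876543210"}, vault, svc)
    print(rec)
    print(vault.detokenize(rec["phone"], Actor("analyst1", "fraud_analyst")))
    try:
        vault.detokenize(rec["phone"], Actor("agent7", "support_agent"))
    except PermissionError as err:
        print("denied:", err)
    print("log intact:", vault.verify_log())
```

Downstream systems that only need to match records (deduplication, fraud rules) can work on the tokens alone, because the keyed index makes the same value produce the same token; only the vault holds the mapping back to plaintext, which is what makes the token a "virtual token mapped to the data" rather than a reversible encoding. The hash-chained log gives the visibility the draft Rules ask for: a support agent's denied detokenize attempt appears in the log with `allowed: false`, and verify_log() fails if anyone rewrites history.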
5. Data Breach Notification: Prompt and Clear
On becoming aware of a personal data breach, the Data Fiduciary must inform each affected Data Principal without delay, in clear and plain language. Content of the communication:
- Breach Description: The nature, scope, timing, and location of the breach.
- Consequences for the Data Principal: Potential effects of the breach on the individual.
- Measures Taken by the Data Fiduciary: Actions taken to reduce risks.
- Actions Required by the Data Principal: Steps the individual can take to protect themselves.
- Contact Information: How the Data Principal can get in touch for further questions.
Mode of Communication:
- The breach notification should be delivered via the Data Principal's user account or another registered communication method.
How can we help through the TurtleShield PA module?
- Identify key data points of breach
- Regularly updated RoPA pinpoints where breach occurred
- Immediately assess and contain the breach
6. Data Breach Notification to the Data Protection Board
- Initial Intimation Without Delay: On becoming aware of a breach, the Data Fiduciary must promptly intimate the Data Protection Board, describing the breach's nature, extent, timing, location, and likely impact.
- Detailed Report within 72 Hours: Within 72 hours of becoming aware of the breach (or a longer period the Board allows on request), the Data Fiduciary must submit updated and detailed information: the facts and circumstances of the breach, its cause, the mitigation measures taken, the remedial measures adopted to prevent recurrence, and a report on the intimations given to affected Data Principals.
7. Data Erasure Timelines: E-commerce, Social Media, and Online Gaming
- Specific Timelines: E-commerce entities and social media intermediaries with at least 2 crore registered users in India, and online gaming intermediaries with at least 50 lakh registered users, must erase a Data Principal's personal data once three years have passed since the Data Principal last approached them for the specified purpose or exercised their rights (or since the Rules commence, whichever is later), unless retention is required by law or the data is needed to let the Data Principal access their user account or a virtual token used for money, goods, or services.
- User Notification: Data Fiduciaries must notify the Data Principal at least 48 hours before that retention period expires, giving them time to act (for example, by logging in) if they wish to retain their data.
How can we help through the TurtleShield AD module?
TurtleShield Assured Deletion (Right to Erasure) helps businesses comply with mandatory deletion of personal data. It starts with small, obvious data points and scales into a cost-efficient data protection programme. The automation and governance of deletion are managed by the TurtleShield platform (in-house Platform as a Service) and/or by Ardent Privacy as an independent audit entity (SaaS). Assured deletion lets businesses limit their liability in the event of a data breach or non-compliance.
8. Verifiable Consent for Children and Individuals with Disabilities
- Parental or Guardian Consent: Data Fiduciaries must obtain verifiable consent from a parent before processing a child's personal data, and from the lawful guardian before processing the personal data of a person with a disability who has such a guardian, providing added protection for these vulnerable groups.
- Identity Verification: Data Fiduciaries must verify that the person giving consent as a parent or guardian is an identifiable adult, by checking reliable details of identity and age that are already available to them or provided voluntarily, including through virtual tokens mapped to such details.
9. Additional Responsibilities for Significant Data Fiduciaries (SDFs)
- DPIAs and Audits: SDFs must carry out a Data Protection Impact Assessment (DPIA) and an audit once every 12 months, and submit a report of significant observations from each to the Data Protection Board.
- Algorithmic Software: SDFs must verify that the algorithmic software they use to process personal data is not likely to pose a risk to the rights of Data Principals. This involves evaluating potential risks and implementing measures to mitigate them.
- Data Transfers: SDFs must comply with restrictions on transferring specific personal data outside India, as outlined by the Central Government.
How can we help through the TurtleShield Suite?
- Conduct regular DPIAs with ease using the automated tools in our PA module
- Identify risks to Data Principal rights through assessments in the PA module
- Discover where data resides through the Data Discovery module and our unique concept of a Data Bill of Materials
10. Transfer of Personal Data Outside India
- Restrictions: Personal data may be transferred outside India only subject to any requirements the Central Government specifies by order, which may restrict making personal data available to a foreign state or its agencies.
How can we help through the TurtleShield Suite?
Ardent Privacy's TurtleShield is an AI-powered enterprise software platform that helps businesses discover, identify, inventory, map, minimize, and securely delete personal data. Beyond getting to know your data, TurtleShield helps companies act on it and implement a privacy-by-design approach. With TurtleShield, organizations can gather the information needed to perform comprehensive Transfer Impact Assessments.
11. Non-Applicability of DPDP Act: Research, Archival, and Statistical Purposes
Exemption
- Processing of personal data for research, archival, or statistical purposes is exempt from the DPDP Act, in recognition of the societal value of these activities, provided the data is not used to take any decision specific to a Data Principal and the processing follows the standards laid down in the draft Rules (such as lawfulness, purpose limitation, data minimisation, accuracy, and reasonable security safeguards).
12. Consent Managers: Empowering Data Principal Control
Consent Managers are registered with the Data Protection Board and act as a single point of contact through which Data Principals can give, manage, review, and withdraw consent. They must:
- Ensure data security: Consent Managers must safeguard the personal data they handle and keep records of consents given, denied, or withdrawn.
- Provide access and secure sharing: They should give Data Principals access to their consent records and enable secure data sharing with the Data Fiduciaries the Data Principal has consented to.
How can we help through the TurtleShield Suite?
TurtleShield CM (Consent Management) automates required user privacy notices, the gathering and management of consent/opt-out privacy preferences, and the operational honoring of preferences by both internal and downstream third-party data sharers.
13. Processing for Provision of Subsidies, Benefits, or Services by State and its Instrumentalities
- The Rules specify that the State and its agencies can process personal data to deliver subsidies, benefits, services, certificates, licenses, or permits in accordance with the law.
- This provision ensures the effective delivery of essential services while maintaining data protection standards. Such processing must comply with principles like legality, purpose limitation, data accuracy, and security safeguards.
Conclusion
The draft Digital Personal Data Protection Rules, 2025, provide crucial guidance for implementing the DPDPA. Data Fiduciaries must familiarize themselves with and comply with these detailed requirements, covering notices, Data Principal rights, data security, breach notification, data erasure, consent for children and persons with disabilities, and the additional obligations placed on Significant Data Fiduciaries. By adhering to these Rules, Data Fiduciaries can build transparency, accountability, and trust in their handling of personal data.
The draft Rules also highlight the importance of collaboration with stakeholders such as Data Processors and Consent Managers. Data Fiduciaries must ensure their data processing activities align with the DPDPA's requirements and data protection principles. This includes implementing proper security safeguards, conducting regular risk assessments, and having clear procedures for handling Data Principal rights and breach notifications. By adopting a proactive and responsible approach, Data Fiduciaries can help create a strong data protection framework in India, promoting trust and confidence in the digital economy.