The Indian government has released draft rules under the Digital Personal Data Protection Act, 2023. Published in the Gazette of India on January 3, 2025, these rules mark a critical phase in operationalizing the landmark legislation that seeks to safeguard the digital rights of individuals while setting compliance expectations for entities processing personal data.
The draft rules have been made available for public consultation until February 18, 2025. Interested individuals and organizations can provide their inputs through the MyGov platform, reflecting the government’s commitment to inclusive policy making. Post-consultation, the finalized rules will establish the framework for data fiduciaries and processors to comply with the Act.
Here are the key highlights of the draft rules:
- Transparency in Data Processing: Data fiduciaries must issue clear and concise notices to individuals before processing their personal data. The notices should detail the type of data being collected, the purpose of processing, and the measures in place to safeguard privacy.
- Consent Management: Consent managers, a pivotal aspect of the rules, will be registered entities tasked with managing individuals’ consent for data processing. These managers are required to maintain high standards of operational and financial competence, ensuring trust in their ability to safeguard users’ preferences.
- Protections for Minors: Specific provisions mandate verified parental consent for processing the personal data of minors. This requirement emphasizes the Act’s focus on protecting vulnerable groups.
- Cross-Border Data Transfers: The draft rules stipulate conditions under which personal data can be transferred outside India. Such transfers will be allowed only to jurisdictions deemed appropriate by the central government, safeguarding India’s digital sovereignty.
- Data Breach Notification: Data fiduciaries must promptly inform affected individuals and the relevant Data Protection Board in case of data breaches, detailing the nature of the breach, potential consequences, and mitigation measures.
- Data Retention and Erasure: The rules mandate that personal data be retained only as long as necessary for its stated purpose, after which it must be securely deleted.
The draft rules emphasize accountability through periodic data audits and the designation of Data Protection Officers to oversee compliance. Fiduciaries identified as “significant data fiduciaries” will face additional obligations, including conducting impact assessments and audits to mitigate risks associated with data processing.