Ministry of Electronics and Information Technology has unveiled the Digital Personal Data Protection Rules, 2025 to facilitate the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act).
This act aims to regulate how businesses and government bodies handle the personal data of Indian citizens. The newly drafted rules will strengthen the Act by providing an actionable framework. The draft follows the SARAL framework, which emphasizes simplicity and clarity of language, making it easier for everyone to understand.
Digital Personal Data Protection Rules, 2025 – Key elements of the draft include:
- Guidelines for Data Fiduciaries to ensure transparency and accountability.
- Consent Managers, responsible for managing and facilitating user consent, must register with the Data Protection Board. They must, at all costs, ensure users’ data is processed according to individual preferences.
Consent Manager must be a company incorporated in India with sound financial and operational capacity. Once registered, the Consent Manager must comply with specific obligations of ensuring that Data Principals can easily give, manage, review, and withdraw consent for data processing, maintaining records of consents and data sharing, and providing transparent access to such records.
- Safeguards against data breaches and rules for sensitive data, including for children and persons with disabilities.
When a Data Fiduciary becomes aware of a personal data breach, it is required to promptly notify all affected Data Principals. This notification must be clear and straightforward, explaining the breach’s nature, extent, and timing, along with potential consequences for the affected individuals.
- Provisions for setting up the Data Protection Board and appeals process.
- Special rules have been provided for processing the personal data of children or persons with disabilities who have a lawful guardian. Verifiable prior consent from the parent or guardian must be obtained before processing any personal data of a child.
This provision outlines the requirements for obtaining verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities. Specifically, a Data Fiduciary must implement measures to ensure that the person providing consent for a child’s data processing is the child’s parent or legal guardian, and that the parent or guardian is identifiable.
Up for Public Feedback
For more details, the public can read the Draft Digital Personal Data Protection Rules, 2025, and the Explanatory Note on the Draft Digital Personal Data Protection Rules, 2025. Additionally, feedback and comments can be submitted via the MyGov portal until 18th February 2025.