Key Provisions of the DPDP Rules
Phased Implementation of the DPDPA and DPDP Rules:
(i) First Phase – Effective Immediately
As expected, the first phase, effective immediately, relates to the constitution, functioning and staffing of the Data Protection Board of India, the authority that will oversee the implementation and enforcement of the DPDPA. Together with the notification of the DPDP Rules, MEITY has also issued a notification establishing the Data Protection Board of India and setting out details of its composition, meeting procedures, timelines and digital functioning. Notably, the DPDP Rules provide that the Board will function as a digital office and may conduct proceedings without requiring the physical presence of any individual, while having powers akin to those of a civil court to summon and examine persons on oath.
(ii) Second Phase – Effective 12 months from the date of the DPDP Rules
The provisions of the DPDPA and DPDP Rules regarding the registration and obligations of Consent Managers will come into effect on 13 November 2026. The DPDP Rules set out detailed conditions and requirements for registration as a Consent Manager, as well as provisions for the suspension or removal of a Consent Manager in certain circumstances.
(iii) Third and Final Phase – Effective 18 months from the date of the DPDP Rules
All other provisions of the DPDPA and DPDP Rules, including the obligations of data fiduciaries, issuance of privacy notices, rights of data principals, breach reporting, handling of children's data, cross-border transfers, grievance redressal, appeals and government information requests, will come into effect on 13 May 2027, the date on which the DPDPA becomes fully operational.
Notice Requirements
As required under the DPDPA, privacy notices must be in clear and plain language and must describe the personal data being collected, the purpose of collection and how the data will be processed. In addition, the DPDP Rules require that notices include communication links for accessing the website or application of the data fiduciary and describe the mechanisms through which the data principal may (a) withdraw consent; (b) exercise their rights; and (c) make a complaint to the Data Protection Board.
Data Storage Obligations
The DPDP Rules require data fiduciaries to retain personal data, associated traffic data and processing logs for a period of at least one year from the date of processing for the following purposes: (i) to enable the State or any of its instrumentalities to act in the interest of the sovereignty, integrity or security of the country, to perform a function under any law, or to disclose information in order to fulfil a legal obligation; and (ii) to assess whether a data fiduciary should be notified as a significant data fiduciary. In addition, for data fiduciaries such as social media intermediaries, online gaming intermediaries and e-commerce entities that meet specified user thresholds, the DPDP Rules prescribe a maximum period for which personal data may be retained, after which it must be erased. A practical caveat: the retained traffic data and processing logs will themselves contain personal data and must be protected by the same reasonable security safeguards as the primary data set.
Grievance Redressal
The DPDP Rules specify that data fiduciaries and consent managers must redress grievances raised by data principals within a period not exceeding ninety days.
Processing of Children’s Personal Data
For data fiduciaries offering services or products to children (individuals under eighteen years of age), the DPDP Rules prescribe detailed requirements for obtaining verifiable consent from a parent or lawful guardian, as well as for conducting due diligence on the person identifying themselves as the parent. Due diligence may be carried out using details of identity and age voluntarily provided by the parent or guardian, or through a virtual token mapped to such details issued by an authorised entity such as a Digital Locker service provider. The DPDP Rules also list categories of data fiduciaries, such as healthcare providers, educational institutions and day care centres, that are exempted from the requirement to obtain verifiable consent when processing children's data for specified purposes.
Reasonable Security Safeguards
The DPDPA and DPDP Rules require data fiduciaries to implement reasonable security safeguards to protect the personal data in their possession or control, including where processing is outsourced to data processors. The DPDP Rules leave businesses flexibility in choosing the specific safeguards but set a minimum baseline: securing personal data through measures such as encryption, obfuscation, masking or the use of virtual tokens; access controls over the computer resources used for processing; logging and monitoring that enable unauthorised access to be detected, investigated and remediated; backups and other measures to ensure continued processing if the confidentiality, integrity or availability of the data is compromised; and such further technical and organisational measures as are appropriate. Read together with the one-year retention obligation described above, this means access and processing logs must be kept for at least one year. The DPDP Rules also require that contracts between data fiduciaries and data processors include appropriate provisions for the implementation of these safeguards.
Data Breach Notification
In case of a personal data breach, the DPDP Rules require the data fiduciary to (i) notify each affected data principal without delay, in clear and plain language, describing the breach, its timing and likely consequences, the mitigation steps taken, the safety measures the data principal may take, and the contact details of a person able to respond on behalf of the data fiduciary; and (ii) notify the Data Protection Board without delay with a description of the breach, including its nature, extent and timing, followed within 72 hours of becoming aware of the breach (or such longer period as the Board may allow on a written request) by a detailed report covering the broader facts of the incident, any findings regarding the identity of the person who caused the breach, the remedial measures taken, and a report on the notifications sent to affected data principals. Notably, the DPDPA sets no materiality or risk threshold for notification, so every personal data breach is notifiable regardless of its scale; incident response playbooks should therefore be built to produce these artefacts within the 72-hour window as a matter of course.
Cross-Border Transfer of Data
The provisions regarding cross-border transfer of personal data have not been amended from those contained in the draft rules. The DPDP Rules continue to provide that transfers to any foreign government, person or entity are subject to the data fiduciary meeting such requirements as the Central Government may specify by general or special order. It is expected that such orders may be issued during the 18-month period before the DPDPA becomes fully operational.
Other Provisions
The notified DPDP Rules also include other provisions regarding the detailed information to be set out in privacy notices, the requirement to obtain verifiable consent from the lawful guardian when processing the data of persons with disabilities, the contact information of the relevant person for grievance redressal, additional obligations for significant data fiduciaries, and so on. These provisions are in line with the draft rules issued in January 2025, with minor revisions.
Next Steps
In terms of next steps, given the 18-month timeline for the DPDPA to become fully effective, data fiduciaries should use this period to lay the groundwork for implementation. Among other things, data fiduciaries should (i) review and update existing data privacy policies to ensure compliance with the DPDPA; (ii) prepare or update privacy notices in plain and clear language containing the information required under the DPDPA and the DPDP Rules, with versions ready in English and the Indian languages that data principals may opt to receive them in; (iii) implement security measures to protect personal data in the data fiduciary's custody, including data processing that is or will be outsourced; (iv) execute new contracts with data processors in line with the requirements under the DPDPA; and (v) establish governance structures and procedures for responding to data principal requests, notifying data breaches and addressing grievances.