NAVIGATING THE DIGITAL DATA REGIME: AN ANALYSIS OF THE DPDP ACT & DPDP RULES 2025

Maheshwari & Co. Advocates & Legal Consultants

Abstract

The Digital Personal Data Protection Act, 2023 (DPDP Act) and the Draft DPDP Rules, 2025 are a milestone piece of legislation in India’s data protection landscape. The Act prescribes a clear legislative framework for the processing, storing, sharing, and collecting of personal data, to enable digital privacy.

The following article deals with important definitions within the Act, such as personal data, data principal, data fiduciary, and data processor, to help understand the compliance requirements. It sets out procedural requirements such as obtaining valid consent, giving transparent notices, and categorizing data. It also addresses practical compliance actions, such as in-house data mapping, security arrangements such as encryption and multi-factor authentication, and provisions on the cross-border transfer of data. It further highlights the most important provisions of the draft 2025 Rules, specifically those concerning consent management, notice requirements, and the State’s role in data processing. Overall, the article is a practical manual for enterprises adapting to the new legal requirements while upholding data protection and the rights of users under the changing Indian privacy framework.

Introduction

The Digital Personal Data Protection Act, 2023 (DPDP Act), read with the draft Digital Personal Data Protection Rules, 2025 (DPDP Rules), constitutes the keystone of India’s efforts to regulate the collection, processing, and protection of digital personal data. These regulations serve to protect privacy rights while outlining legal parameters for businesses. This article explores how these regulations shape the mechanics of data collection and analysis, defines the key terms involved, and begins with the developments that preceded the Act.

History and Evolution of the Act

The legal framework of India for data protection was initiated with the historic Supreme Court decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, which adjudged the right to privacy to be a constitutional right under Article 21 of the Constitution. The Court emphasized that privacy is the core of the liberty of individuals and set out the test of proportionality for any restriction. This decision gave the constitutional basis for a sound system of data protection and influenced the key features of the Digital Personal Data Protection (DPDP) Act, 2023, such as informed consent, data minimization, and the rights of the individual over personal data.

Before the DPDP Act, the Information Technology (IT) Act, 2000, was the major law governing digital data. Yet, it provided scant protection, with just Sections 43A and 72A protecting personal data security. The digital economy is evolving, and with it, we’ve seen a rise in data misuse that has exposed the gaps in the IT Act. This situation called for a comprehensive data protection law. It was in 2017 that the Justice B.N. Srikrishna Committee was established to tackle these matters, recommending a rights-based framework based on responsibility, consent, and localisation of data. This gave way to the Personal Data Protection (PDP) Bill in 2019. The bill came under criticism due to its robust data localization requirement and the general powers granted by it to the government under Section 35. Following delays and 81 amendments proposed by the Joint Parliamentary Committee, the PDP Bill was withdrawn in 2022. Subsequently, the DPDP Bill, 2022, was brought, with a more balanced and business-friendly approach, and was finally enacted as the DPDP Act, 2023. The Act creates a consent-based regime, enshrines roles such as data fiduciaries and principals, gives individuals the right to access, correct, and delete data, and imposes draconian penalties for non-compliance, a huge leap towards privacy-oriented data governance in India.

Key definitions in the Act relating to the gathering and processing of personal data:

  1. Data Fiduciary: any individual who, alone or together with other individuals, determines the purpose and method of processing personal data.
  2. Data Principal: the person to whom the personal data refers. If the person is a child or an individual with a disability, their lawful guardian represents them. Data Principals have rights under the DPDP Act, such as accessing, correcting, or deleting their data.
  3. Personal Data: any information relating to a natural person who is or can be identified by such information.
  4. Consent Manager: an individual or company that assists people (referred to as Data Principals) in controlling their permission (consent) for the use of their personal data. They enable people to provide, monitor, or withdraw their consent whenever needed. Consent Managers must adhere to strict guidelines so that the process remains transparent, safe, and easy to use.

Procedure for Collecting and Analysing Data under DPDP Act and Rules[1]

Under the Draft DPDP Rules, 2025 and the Digital Personal Data Protection Act, 2023, a Data Fiduciary has to provide a clear and distinct notice to the Data Principal before collecting or processing any personal data. This notice must be composed in clear, simple language and must specify the kinds of personal data being gathered, the lawful grounds for processing, and the nature of the goods or services. The notice must also inform the Data Principal of their rights, such as the right to withdraw consent, rectify their data, and lodge complaints with the Data Protection Board. Even if consent was received before the Act came into force, the Data Fiduciary is nonetheless required to give a new notice with all necessary information. The notice should be standalone, understandable in isolation, and available in both electronic and print media as necessary. The Data Fiduciary should also keep a record of notices given and issue a revised notice if there is any alteration in the purpose or means of data processing. This helps ensure transparency, accountability, and the safeguarding of personal data in accordance with the DPDP regime.

Reasonable security safeguards undertaken by the Data Fiduciary[2]

For the secure processing of personal information, the Data Fiduciary is required to employ a range of reasonable measures to secure data. These include technical measures such as encryption, masking, and obfuscation, as well as virtual tokens, for securing the confidentiality, integrity, and availability of personal information. Appropriate access controls and regular monitoring of computer resources, with logging of activity, must be instituted to detect unauthorized access and to provide for effective investigation and remediation. Furthermore, the Data Fiduciary must provide for data retention and business continuity by keeping regular data backups and by retaining logs and personal data for a minimum period of one year, unless otherwise mandated by law. Contractually, Data Fiduciaries should ensure that Data Processors are also bound to implement similar safeguards. Organizational and technical measures shall be taken to effectively enforce these obligations, with the expression “computer resource” being interpreted as per the Information Technology Act, 2000.

Role of the Consent Manager while processing the data of the Data Principal[3]

A Consent Manager, under Section 2(g) of the DPDP Act, 2023, is an organization registered with the Data Protection Board that enables Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. The task can be administered internally within an organization or contracted out to a third-party legal entity. The DPDPA envisages a process in which a Data Fiduciary engages a Consent Manager to handle consent and act in the interest of the Data Principal. This structure follows the B.N. Srikrishna Committee’s suggestion of taking a fiduciary approach to protecting data and putting individual consent at the centre of processing digital data. The key function of a Consent Manager is to ensure that consent is sought in an informed, purpose-specific, and verifiable way. They keep records of consent, enable its withdrawal, and ensure that consent precedes any data processing. Serving as an intermediary between Data Fiduciaries and Data Principals, Consent Managers facilitate transparency and user control over personal data. By stopping unauthorized data gathering and ensuring accountability, they establish trust within the digital environment and uphold the fundamental tenets of the DPDP Act.

Legal Compliance for obtaining valid consent from the Data Principal[4]

Section 6 of the Digital Personal Data Protection Act, 2023, defines the legal standards and requirements for obtaining proper consent from the Data Principal (the person whose data is being processed). Consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. It should relate only to the personal data necessary for a specific purpose. For example, if a telemedicine app requests consent to access both health data (for its services) and the contact list (which is unrelated), only the consent for health data is valid. Any consent that violates the Act or other existing laws will be considered invalid to that extent. For instance, if an insurance company asks for consent to waive the right to complain to the Data Protection Board, that part of the consent will be void. Consent must be presented in plain language, in English or any language listed in the Eighth Schedule of the Constitution and must include the contact details of the Data Protection Officer or authorized person. Data Principals have the right to withdraw consent at any time, and the withdrawal process should be as simple as the process of giving consent. However, the consequences of withdrawal (such as loss of access to services) will be borne by the Data Principal and will not affect processing done before the withdrawal. For example, if someone withdraws consent after placing and paying for an order, the order will still be fulfilled. Once consent is withdrawn, the Data Fiduciary and any associated Data Processor must cease processing the personal data unless allowed by law. Consent may also be managed through Consent Managers, who act on behalf of Data Principals and must be registered with the Data Protection Board. In legal proceedings, the burden of proving valid consent lies with the Data Fiduciary.

Intimation of Data Breach to Data Principal[5]

a. Immediate Intimation to Data Principals:

The Data Fiduciary must promptly inform each affected Data Principal in a clear, concise, and plain manner through their registered mode of communication (such as user account, email, or mobile number). The notice must include:

i. Nature, extent, timing, and location of the breach,

ii. Likely consequences for the individual,

iii. Mitigation measures being taken,

iv. Personal safety measures the individual can adopt,

v. Contact details of a responsible person to answer queries.

b. Notification to the Data Protection Board (Initial Report):

The Data Fiduciary must immediately inform the Board with a basic description of the breach, covering its nature, extent, timing, location, and likely impact, even before a full investigation is complete.

c. Follow-up Detailed Report within 72 Hours:

Within 72 hours of becoming aware of the breach (or a longer period if permitted by the Board), the Data Fiduciary must submit a detailed report, including a report of all notifications sent to affected Data Principals, covering:

i. Detailed breach information,

ii. Circumstances and reasons leading to it,

iii. Risk mitigation measures taken or proposed,

iv. Identity of the person responsible (if known),

v. Remedial actions to avoid future incidents.

Obligations of a Data Fiduciary while collecting and analysing the data of the Data Principal[6]

a. Accountability and Engagement of Data Processors: A Data Fiduciary remains fully responsible for complying with the Act and its rules, even if the Data Principal fails to fulfil their duties or regardless of any contrary agreement. It may engage or appoint a Data Processor to process personal data on its behalf, but only under a valid contract and solely for activities related to providing goods or services to Data Principals.

b. Data Usage and Accuracy for Disclosure or Decision-Making: If personal information is utilized to make decisions that have an impact on a Data Principal or is released to another Data Fiduciary, the initial Data Fiduciary should guarantee the completeness, accuracy, and consistency of the data.

c. Security Measures and Breach Intimation: A Data Fiduciary must implement suitable technical and organizational measures to follow the provisions of the Act and prevent data breaches. This includes protecting data in its control and any processing done by a Data Processor. In case of a data breach, it must notify both the Data Protection Board and each affected Data Principal in the prescribed manner.

d. Data Retention and Erasure Obligations: Unless required to retain the data under a law, a Data Fiduciary has to erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose has been fulfilled, whichever comes first.

e. Transparency, Grievance Redressal, and Communication: The Data Fiduciary must publish the contact information of a Data Protection Officer or another responsible person to address queries. Additionally, it must set up an effective grievance redressal mechanism for Data Principals. A Data Principal is considered inactive if she hasn’t contacted the Fiduciary through any form—physical or electronic—within a prescribed period.
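To make the consent and erasure mechanics concrete, the following added Python example (not part of the article or of the Act’s text) sketches a Data Fiduciary’s consent ledger: consent is recorded per purpose with evidence of how it was captured, categories unrelated to the purpose are not treated as consented (the telemedicine illustration under Section 6 above), withdrawal blocks further processing without disturbing the record of earlier lawful processing, and withdrawal triggers erasure under Section 8 unless a legal retention requirement applies. The purposes, category names, principal ids and records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    purpose: str
    categories: frozenset                 # personal-data categories this consent covers
    given_at: datetime
    evidence: str                         # how consent was captured; the fiduciary must prove it
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Purpose-specific consent records, a processing gate, and erasure on withdrawal."""

    # Constructed example: the categories a telemedicine app actually needs for each purpose.
    NECESSARY = {"teleconsultation": frozenset({"health_data"}),
                 "appointment_reminders": frozenset({"contact_number"})}

    def __init__(self):
        self.records = {}        # principal id -> list of ConsentRecord
        self.personal_data = {}  # principal id -> {category: value}
        self.legal_hold = set()  # principals whose data a law requires the fiduciary to retain
        self.audit_log = []      # (timestamp, event, principal, detail); kept as the Rules require

    def record_consent(self, principal, purpose, requested, affirmative_action, evidence, now):
        """Return the categories actually consented to; those unrelated to the purpose are dropped."""
        if not affirmative_action or purpose not in self.NECESSARY:
            return frozenset()
        granted = frozenset(requested) & self.NECESSARY[purpose]
        if granted:
            self.records.setdefault(principal, []).append(ConsentRecord(purpose, granted, now, evidence))
            self.audit_log.append((now, "consent_given", principal, f"{purpose}:{sorted(granted)}"))
        return granted

    def consent_active(self, principal, purpose, category, at):
        """True if an unwithdrawn consent covering (purpose, category) was in force at time `at`."""
        return any(rec.purpose == purpose and category in rec.categories and rec.given_at <= at
                   and (rec.withdrawn_at is None or rec.withdrawn_at > at)
                   for rec in self.records.get(principal, []))

    def process(self, principal, purpose, category, now):
        """Gate every processing operation on active consent and log the decision either way."""
        allowed = self.consent_active(principal, purpose, category, now)
        self.audit_log.append((now, "process" if allowed else "denied", principal, f"{purpose}:{category}"))
        return allowed

    def withdraw(self, principal, purpose, now):
        """Withdraw consent for one purpose, then erase data that no remaining consent needs."""
        changed = False
        for rec in self.records.get(principal, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                changed = True
        if changed:
            self.audit_log.append((now, "consent_withdrawn", principal, purpose))
            self._erase_unneeded(principal, now)
        return changed

    def _erase_unneeded(self, principal, now):
        """Section 8 erasure: drop categories no active consent covers, unless a legal hold applies."""
        if principal in self.legal_hold:
            self.audit_log.append((now, "erasure_deferred_legal_hold", principal, ""))
            return
        still_needed = set().union(*(r.categories for r in self.records.get(principal, [])
                                     if r.withdrawn_at is None))
        data = self.personal_data.get(principal, {})
        for category in [c for c in data if c not in still_needed]:
            del data[category]
            self.audit_log.append((now, "erased", principal, category))


def demo():
    """Run the article's telemedicine scenario on constructed data and return the outcomes."""
    t0, day = datetime(2025, 6, 1, tzinfo=timezone.utc), timedelta(days=1)
    ledger = ConsentLedger()
    # Consent sought for health data plus an unrelated contact list: only health data is valid.
    granted = ledger.record_consent("p1", "teleconsultation", {"health_data", "contact_list"},
                                    True, "tap on 'I agree', app v1.0", t0)
    ledger.record_consent("p1", "appointment_reminders", {"contact_number"}, True, "SMS opt-in", t0)
    ledger.personal_data["p1"] = {"health_data": "BP readings", "contact_number": "+91-0000000000"}
    before = ledger.process("p1", "teleconsultation", "health_data", t0 + day)
    unrelated = ledger.process("p1", "teleconsultation", "contact_list", t0 + day)
    ledger.withdraw("p1", "teleconsultation", t0 + 2 * day)
    after = ledger.process("p1", "teleconsultation", "health_data", t0 + 3 * day)
    # A principal whose records a law requires to be kept: withdrawal defers erasure instead.
    ledger.legal_hold.add("p2")
    ledger.record_consent("p2", "teleconsultation", {"health_data"}, True, "web form", t0)
    ledger.personal_data["p2"] = {"health_data": "prescription history"}
    ledger.withdraw("p2", "teleconsultation", t0 + day)
    return {"granted": granted, "allowed_before": before, "unrelated_denied": not unrelated,
            "denied_after": not after, "p1_remaining": sorted(ledger.personal_data["p1"]),
            "earlier_use_evidenced": ledger.consent_active("p1", "teleconsultation", "health_data", t0 + day),
            "p2_retained": "health_data" in ledger.personal_data["p2"]}
```

The audit log is what the fiduciary would produce to discharge its burden of proving valid consent; in a real deployment it would be append-only and retained for at least the one-year minimum the Rules set for logs.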

Where the data of a minor or a person with a disability is processed, the Data Fiduciary has additional duties in relation to the processing of their personal data[7]

a. Mandatory Verifiable Consent

Before processing the personal data of a child, or of an individual with a disability who has a lawful guardian, a Data Fiduciary is required to obtain the verifiable consent of the parent of the child or of the lawful guardian, as the case may be. The phrase “consent of the parent” includes the consent of a lawful guardian where applicable. The process and manner of obtaining this consent shall be as prescribed under the Rules.

b. Protection of Child’s Well-being

Data Fiduciaries are strictly prohibited from processing personal data in ways that may have a detrimental effect on the well-being of a child. This is a precautionary measure to prevent misuse of children’s data and to uphold their safety and dignity online.

c. Ban on Tracking and Targeted Advertising

The Act bars Data Fiduciaries from engaging in tracking, behavioural monitoring, or targeted advertising directed specifically at children. These restrictions aim to protect children from being manipulated or exploited through personalized content or advertisements.

d. Exemptions for Certain Fiduciaries

The Central Government may exempt a Data Fiduciary from obtaining parental consent and from restrictions on tracking, behavioural monitoring, and targeted advertising if it is satisfied that the Data Fiduciary processes children’s data in a verifiably safe manner. This exemption applies only after a government notification and may specify an age (which shall be above 18) above which these obligations no longer apply. It is granted on a case-by-case basis and aims to balance child data protection with innovation.

e. Due Diligence and Identity Verification

Data Fiduciaries shall apply technical and organizational measures sufficient to enable a parent or guardian’s consent to be verified. They shall ensure that the consenting party is an adult by examining trustworthy identity and age information available to the Fiduciary or voluntarily supplied information, such as a virtual token provided by a legally recognized body, such as a Digital Locker service provider.

Where a company handles a large volume of personal data of individuals and the Central Government notifies it as such, it is known as a Significant Data Fiduciary and has the following obligations:

  1. Designation and Criteria for Notification: The Central Government can notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary depending upon the volume and sensitivity of personal data being processed, risks to Data Principals’ rights, effects on national sovereignty and integrity, electoral democracy, state security, and public order.
  2. Mandatory Appointments: A Significant Data Fiduciary must appoint a Data Protection Officer (DPO) who will be based in India, report directly to the board or equivalent governing body, represent the organization under the Act, and serve as the contact for grievance redressal. It must also appoint an independent data auditor to evaluate its compliance with the Act.
  3. Annual Assessments and Audits: Every twelve months, a Significant Data Fiduciary must perform a Data Protection Impact Assessment (DPIA) and a data audit to ensure effective compliance with the Act and related rules. The DPIA should outline the purpose of processing and the rights of Data Principals, and contain an assessment and management of the related risks.
  4. Reporting Requirements: The entity must ensure that the individuals or bodies conducting the DPIA and audit furnish a report to the Data Protection Board, highlighting any significant observations or findings, as part of regulatory oversight.
  5. Algorithmic and Data Localization Compliance: Significant Data Fiduciaries need to make sure that any algorithmic software they use for data processing respects the rights of Data Principals. They also need to ensure that the personal and traffic data, defined by the Central Government, remain in India and are processed domestically, according to the guidelines laid down by the government on localisation.

The Data Principal then has a right to access her data once it has been processed and analysed by the Data Fiduciary, and her rights are enumerated as follows:

  1. Right to Access Personal Data[8]: Under Section 11, a Data Principal has the right to request a summary of her personal data that a Data Fiduciary is processing. This includes details about how her data is being handled. She has the right to know who else, such as other Data Fiduciaries and Data Processors, her data has been passed on to, and a description of that transferred data. And she can request any other information about her personal data and its processing. But note that this right does not extend to sharing data with other Data Fiduciaries that are legally permitted to ask for data for purposes such as crime prevention, investigations, prosecution, or responding to cyber incidents.
  2. Right of Correction and Data Deletion[9]: Under Section 12, people have the right to request corrections for any incorrect or misleading personal information, to complete any gaps in their details, and to rectify any old information. They also have the right to have their personal data deleted.
  3. Right to Grievance Redressal[10]: According to Section 13, the Data Principal has the right to seek grievance redressal from a Data Fiduciary or Consent Manager if there is any failure in fulfilling obligations or if her rights are violated. The Data Fiduciary or Consent Manager is required to respond to such grievances within a prescribed time frame. Importantly, the Data Principal must exhaust these grievance redressal avenues before she can escalate the issue to the Data Protection Board.
  4. Right to Nominate Another Individual[11]: Section 14 states that a Data Principal may nominate some other person to exercise her rights in case she dies or is incapable. The word “incapable” covers cases of unsoundness of mind or physical infirmity preventing her from exercising her rights. Nomination must be done as prescribed under the Act and it facilitates continuity in protecting her data rights.
  5. Scope and Limitations of Rights: While the Act extends substantive rights to the Data Principal, there are certain restrictions. For example, the Data Principal’s right to access information about data sharing does not apply when a Data Fiduciary is required to share data with lawfully authorized agencies in order to prevent or investigate an offence or cyber-attack. Such exceptions ensure that law enforcement and national security interests are not compromised while data protection norms are otherwise preserved.

Data Principals also have the following duties, which they shall adhere to while giving consent for access to their personal data:[12]

  1. Compliance with Laws: The Data Principal must comply with all applicable laws while exercising her rights under the Act.
  2. No Impersonation: She must not impersonate another person when providing her personal data for any specific purpose.
  3. No Suppression of Material Information: She should not hide or suppress important information while providing personal data for any official documents or government-issued IDs.
  4. No False Grievances: The Data Principal should not file false or frivolous complaints or grievances with a Data Fiduciary or the Data Protection Board.
  5. Authentic Information for Corrections: While requesting correction or erasure of personal data, she must provide only verifiably authentic information.

Data Transfer across Borders[13]

The Central Government can restrict the transfer of personal data outside India by Data Fiduciaries through formal notifications, subject to specific conditions. This power is used to protect national interests or data security. However, where an existing Indian law requires stricter protection or local storage (such as Reserve Bank of India regulations for payment data), that law takes precedence over the general provisions on cross-border data transfer. In contrast to the GDPR, which is based on an adequacy model, India relies on government-notified restrictions addressing specific data protection concerns.

The Digital Personal Data Protection Act, 2023 also exempts processing from its provisions in certain situations: processing personal data to enforce legal rights; processing by courts or regulators performing judicial or supervisory functions; law enforcement; cross-border contractual obligations; and mergers, demergers, or insolvency-related assessments of companies. The Act further exempts processing by State instrumentalities for reasons such as national security, sovereignty, or public order, and processing for research, archiving, or statistical purposes where no decision specific to a Data Principal is taken. Additionally, the government may exempt certain Data Fiduciaries, including recognized startups, from specific compliance obligations based on their size and the nature of the data processed. Furthermore, certain provisions do not apply to processing by the State where no decision affecting the Data Principal is involved. Lastly, the Central Government may, within five years, exempt specific classes of Data Fiduciaries from any provisions of the Act through official notification.

Composition and Structure of the Data Protection Board of India[14]

The Central Government will establish the Data Protection Board of India on a notified date to enforce the provisions of the Act. The Board will function as a body corporate with its own legal identity, capable of owning property, entering into contracts, and suing or being sued in its own name. It will consist of a Chairperson and such other Members as the government determines. These individuals, appointed by the Central Government, must possess integrity along with expertise or experience in fields such as data governance, law, dispute resolution, ICT, or the digital economy, with at least one Member being a legal expert.

Powers and Functions of the Board[15]

The Data Protection Board of India is empowered to take immediate remedial actions and conduct inquiries in case of personal data breaches and impose penalties as necessary. It addresses complaints from Data Principals against Data Fiduciaries or Consent Managers and can also act on referrals from the government or courts. The Board monitors Consent Managers for compliance and can penalize breaches, including those related to registration conditions. It also investigates intermediary breaches referred by the Central Government. Additionally, the Board may issue binding directions, and has the authority to modify, suspend, or cancel them based on representations or government references.

Appeal to the Tribunal from Board’s orders[16]

Any person aggrieved by an order of the Data Protection Board of India can appeal to the Appellate Tribunal within 60 days, with the possibility of extension if a valid reason for the delay is shown. The Tribunal, functioning entirely through digital means, hears all parties and may confirm, modify, or set aside the Board’s order, and its decisions have the same force as a decree of a civil court. Appeals should ideally be disposed of within six months, and any delay has to be justified in writing. The Board can also refer disputes to mediation or accept voluntary undertakings from the person to settle issues without treating them as violations, subject to the condition that the undertakings are fulfilled.

Penalties imposed by the board[17]

The Digital Personal Data Protection Act, 2023 (DPDPA) also authorizes the Data Protection Board to levy financial penalties on organisations that violate its provisions. The Schedule to the Act prescribes differential penalties depending on the type of breach, with the maximum being ₹250 crore (approximately USD 30 million) for a Data Fiduciary’s failure to put reasonable security safeguards in place, and ₹200 crore (approximately USD 24 million) for failure to report a personal data breach. The Board must take several factors into consideration when determining the penalty amount, including the seriousness and gravity of the violation, the type and nature of the personal data affected, the economic advantage gained or loss avoided, attempts to mitigate the violation, and the overall impact of the penalty on the entity. Fines may be levied against Data Fiduciaries, Consent Managers, and intermediaries depending on the kind of breach. For example, Consent Managers could be fined for failing to adhere to their obligations or registration requirements, and intermediaries could be fined for refusing to block access to data as ordered by the Central Government. Individuals are, however, not granted the right to claim compensation, which might dissuade them from instituting proceedings. The Board should increase transparency by publishing its reasoned decisions and issuing guidance on penalty determination.

Conclusion

In summary, the Digital Personal Data Protection (DPDP) Act of 2023 and its forthcoming Rules are a turning point in the manner in which India addresses data governance and privacy. The Act is founded on the constitutional recognition of privacy as a fundamental right and establishes a consent model that prioritizes transparency, accountability, and user control over personal data. It fills the legislative gap left by the IT Act of 2000 and brings India’s data protection policies on par with the rest of the world. The obligations placed on Data Fiduciaries, such as the adoption of strong technical measures and ensuring data minimization and legitimate processing, indicate the government’s intent to foster both privacy and innovation. While the Act grants people the right to access, correct, and delete their data, it also aims to balance those rights against national interest and ease of doing business. How the DPDP Rules are implemented will be key to successful enforcement and to creating a safe, responsible, and rights-based digital environment in India. This legislation is not just a statutory change; it is a step towards building trust in India’s fast-expanding digital economy.

Authored by Mr. Ketan Joshi, Senior Associate


[1] Section 4, 5 of DPDP Act

[2] Rule 6 of DPDP Rules

[3] Rule 4 of DPDP Rules

[4] Section 6 of DPDP Act

[5] Rule 7 of DPDP Rules

[6] Section 8 of DPDP Act

[7] Section 9 of DPDP Act

[8] Section 11 of DPDP Act

[9] Section 12 of DPDP Act

[10] Section 13 of DPDP Act

[11] Section 14 of DPDP Act

[12] Section 15 of DPDP Act

[13] Section 16, 17 of DPDP Act

[14] Section 18 of DPDP Act

[15] Section 27 of DPDP Act

[16] Section 29 of DPDP Act

[17] Section 33 of DPDP Act
