Overview of the Digital Personal Data Protection Act, 2023 and Digital Personal Data Protection Rules, 2025

The Digital Personal Data Protection Act, 2023 (DPDP Act) and the subsequent Digital Personal Data Protection Rules, 2025 (DPDP Rules) represent a landmark legislative framework in India, designed to govern the processing of digital personal data. This framework aims to safeguard the privacy of individuals while recognizing the necessity of processing personal data for lawful purposes. This document provides a comprehensive overview of the key provisions of the DPDP Act and the implementation details outlined in the DPDP Rules, along with insights into their enforcement timeline and the establishment of the Data Protection Board of India.

Mahadev Thukaram

11/24/2025

Digital Personal Data Protection Act, 2023 (DPDP Act)

The DPDP Act, which received the assent of the President of India on August 11, 2023, sets a strong legal framework for data protection in India. It applies to the processing of digital personal data within India, whether collected in digital form or digitised after collection, and extends to processing outside India where it is connected with offering goods or services to Data Principals within India [1, Section 3].

Key Definitions

The Act introduces important definitions to clarify its scope and application [1, Section 2]:

  • Data Fiduciary: Any person who determines the purpose and means of processing personal data, either alone or with others.

  • Data Principal: The individual to whom personal data pertains. This includes parents or legal guardians for children and guardians for persons with disabilities.

  • Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.

  • Significant Data Fiduciary: A Data Fiduciary, or class of Data Fiduciaries, notified by the Central Government on the basis of factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State and public order.

  • Personal Data: Any information about an identifiable individual.

  • Digital Personal Data: Personal data in a digital format.

  • Consent Manager: A person registered with the Board who acts as a single point of contact enabling a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.

  • Data Protection Board of India (Board): An independent body set up by the Central Government under Section 18 of the Act to enforce its provisions.

Grounds for Processing Personal Data

The DPDP Act allows processing of personal data only for a lawful purpose, and only either with the Data Principal's consent or for certain legitimate uses enumerated in the Act [1, Section 4]. A lawful purpose is defined as any purpose not expressly forbidden by law.

Consent Requirements

Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. It is limited to the personal data necessary for the specified purpose. Data Principals can withdraw consent at any time, and the ease of withdrawing consent must be comparable to the ease with which it was given [1, Section 6].

Obligations of Data Fiduciaries

Data Fiduciaries have several obligations, including giving Data Principals notice of the personal data to be processed and the purpose of processing, ensuring the data is complete, accurate and consistent where it is used to make decisions affecting the Data Principal or is disclosed to another Data Fiduciary, implementing reasonable security safeguards to prevent personal data breaches, and erasing personal data when consent is withdrawn or as soon as the specified purpose is no longer being served, unless retention is required by law [1, Sections 5, 6, 8]. Significant Data Fiduciaries have additional duties, including appointing a Data Protection Officer based in India, appointing an independent data auditor, and carrying out periodic Data Protection Impact Assessments and audits [1, Section 10].

Rights of Data Principals

Data Principals have various rights, including the right to access information about their personal data, the right to correction and erasure of personal data, the right to grievance redressal, and the right to nominate another person to exercise these rights in the event of death or incapacity [1, Sections 11-14].

Data Protection Board of India

The Act requires the establishment of the Data Protection Board of India, an independent body that enforces the Act's provisions. The Board will inquire into personal data breaches and complaints, direct Data Fiduciaries to take remedial or mitigating measures, and impose monetary penalties [1, Sections 18-26]. It will consist of four members, and its head office will be located in the National Capital Region of India.

Penalties

The DPDP Act imposes substantial penalties for non-compliance, graded by the nature and severity of the breach and set out in the Schedule to the Act: up to two hundred and fifty crore rupees for failing to take reasonable security safeguards to prevent a personal data breach, and up to two hundred crore rupees for failing to notify the Board or affected Data Principals of a breach [1, Section 33 and Schedule].

Digital Personal Data Protection Rules, 2025 (DPDP Rules)

The DPDP Rules, 2025, provide the operational framework to implement the provisions of the DPDP Act, 2023. These rules outline specific procedures and requirements for Data Fiduciaries, Data Processors, and Data Principals.

Notice Requirements

Rule 3 states that the notice given by a Data Fiduciary to a Data Principal must be understandable on its own, separate from any other information, and written in clear, plain language. It must give an itemised description of the personal data to be processed and the specified purpose, describe the goods, services or uses enabled by the processing, and explain how the Data Principal can withdraw consent, exercise their rights and make a complaint to the Board [2, Rule 3].

Consent Manager Registration and Accountability

Rules 4 and 5 set out the registration of Consent Managers with the Board and their obligations towards Data Principals. An applicant must satisfy the technical, operational, financial and other conditions listed in the First Schedule to the Rules, and a registered Consent Manager must act in a fiduciary capacity towards the Data Principal and must not itself be able to read the personal data it transmits [2, Rules 4, 5].

Processing of Children's Personal Data

Rule 10 requires Data Fiduciaries to adopt appropriate technical and organisational measures to obtain verifiable consent of a parent before processing a child's personal data. This includes due diligence to check that the person identifying themselves as the parent is an adult who can be identified if required, using reliable details of identity and age already held by the Data Fiduciary, details voluntarily provided by the parent, or a virtual token mapped to such details [2, Rule 10].

Data Security Safeguards

Rule 6 obligates Data Fiduciaries to implement reasonable security safeguards to protect the personal data in their possession or under their control, including data processed on their behalf by a Data Processor. These measures include securing personal data through encryption, obfuscation, masking or the use of virtual tokens; controlling access to the computer resources used for processing; maintaining logs and monitoring of access so that unauthorised access can be detected, investigated and remediated; keeping backups so that processing can continue if confidentiality, integrity or availability is compromised; retaining logs and related personal data for one year to support detection and investigation of breaches; and binding Data Processors by contract to the same safeguards [2, Rule 6].

Personal Data Breach Notification

Rule 7 requires a Data Fiduciary that becomes aware of a personal data breach to notify each affected Data Principal and the Board without delay. The notice to Data Principals must describe the breach, its nature, extent, timing and location, the likely consequences for them, the mitigation measures taken or proposed, and the safety measures they may take, together with contact details for queries. The Board must be notified without delay and then, within seventy-two hours (or a longer period the Board allows on written request), given the detailed findings on the cause of the breach, the remedial measures adopted, and any report or intimation made to other authorities [2, Rule 7].

Retention and Erasure of Personal Data

Rule 8 gives effect to the Act's erasure obligation for the classes of Data Fiduciaries listed in the Third Schedule to the Rules (large e-commerce entities, online gaming intermediaries and social media intermediaries). For these, the specified purpose is deemed no longer served once the Data Principal has neither approached the Data Fiduciary for that purpose nor exercised their rights for the period set in the Schedule, after which the personal data must be erased unless retention is required by law. The Data Fiduciary must inform the Data Principal at least forty-eight hours before the erasure is due, so that the Data Principal has the opportunity to log in, contact the Data Fiduciary or otherwise initiate the specified purpose and thereby prevent erasure [2, Rule 8].

Enforcement Timeline for the DPDP Act

The DPDP Act, 2023, is being brought into force in phases, with different provisions taking effect on the following dates.

  • Immediate effect (Effective from 13th Nov 2025): Section 1(2), Section 2, Sections 18-26, Sections 35, 38-43, Section 44(1) & (3)

  • One year later (Effective from 13th Nov 2026): Section 6(9), Section 27(1)(d)

  • Eighteen months later (Effective from 13th May 2027): Sections 3-5, Section 6(1)-(8) & (10), Sections 7-10, Sections 11-17, Section 27 (except 27(1)(d)), Sections 28-34, 36, 37, Section 44(2)

This phased commencement gives Data Fiduciaries, Data Processors and Consent Managers time to put the required notices, consent mechanisms, security safeguards and breach-notification processes in place before the substantive obligations become enforceable.

Conclusion

The DPDP Act, 2023, and the DPDP Rules, 2025, create a clear and forward-looking legal framework for protecting digital personal data in India. By balancing individual privacy rights with the legitimate needs of data processing, the framework aims to build a secure and trustworthy digital environment. The establishment of the Data Protection Board of India and the detailed implementing rules show the government's commitment to effective data protection.

References
  1. The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023)

  2. The Digital Personal Data Protection Rules, 2025