Draft of India's Digital Personal Data Protection Act 2023 - PowerPoint PPT Presentation

About This Presentation

Title: Draft of India's Digital Personal Data Protection Act 2023

Description: Kicking off Data Privacy Week with Key Insights on the New DPDP Rules! The Digital Personal Data Protection Rules 2025 are here, setting the stage for a new era of data privacy in India. Get ahead of the curve with our #Whitepaper breaking down the DPDP Act 2023 and its key provisions. For Detailed Info Visit our Article -
Highlights:
  • Clear notice and consent requirements
  • Enhanced security safeguards for personal data
  • Stronger rights for Data Principals
  • Detailed data retention and erasure policies
Download the Whitepaper now to navigate the evolving digital privacy landscape and stay compliant!

Date added: 27 January 2025
Slides: 14
Provided by: infosectrain01

Transcript and Presenter's Notes

Title: Draft of India's Digital Personal Data Protection Act 2023


1
Draft of India's Digital Personal Data Protection Act 2023
2
Overview

On January 3, 2025, the Union Ministry of Electronics and Information Technology (MeitY) unveiled the much-anticipated draft of the Digital Personal Data Protection Rules, or DPDP Rules, 2025, marking a significant milestone in India's efforts to safeguard digital privacy. These rules, designed under the framework of the Digital Personal Data Protection Act, 2023 (DPDP Act), outline the legal mechanisms for the collection, processing, and storage of personal data. As India increasingly embraces the digital age, these rules aim to balance the protection of individual privacy with the promotion of innovation, setting the stage for robust data governance and greater accountability in the country's growing digital ecosystem.
3
Let's go through the draft

Scope and Commencement
  • The rules are called the Digital Personal Data Protection Rules, 2025.
  • Rules 3-15, 21, and 22 will come into effect from a specified date (to be determined). Other rules will come into force upon publication in the Official Gazette.

Notice Requirements
Data Fiduciaries must provide clear, understandable notices to Data Principals that include:
  • Itemized description of personal data to be processed.
  • Specified purpose and description of goods/services enabled by processing.
  • Means to withdraw consent, exercise rights, and complain to the Board.

Consent Manager Registration
  • Consent Managers must meet conditions in First Schedule Part A to register with the Board.
  • The Board can suspend/cancel registration if conditions are not met.
  • Consent Managers have obligations specified in First Schedule Part B.
4
Processing by State Entities
  • State entities can process personal data to provide subsidies, benefits, services etc. under law/policy or using public funds.
  • Must follow standards in the Second Schedule.

Security Safeguards
Data Fiduciaries must implement reasonable security measures including:
  • Encryption, access controls, monitoring, and backups.
  • Retaining logs and data for 1 year.
  • Appropriate contractual provisions with Data Processors.

Data Breach Notification
  • Notify affected Data Principals without delay with breach details, consequences, and mitigation measures.
  • Notify the Board within 72 hours with detailed information on the breach, impact, and remedial steps.

Data Retention and Erasure
  • Erase data after the specified periods in the Third Schedule if the Data Principal is inactive.
  • Inform the Data Principal 48 hours before erasure.

Rights of Data Principals
  • Data Fiduciaries must publish means for Data Principals to exercise rights.
  • Enable access to information, erasure, and nomination rights.
5
Additional Obligations for Significant Data Fiduciaries
  • Conduct annual data protection impact assessment and audit.
  • Verify algorithmic software does not pose risks to Data Principal rights.
  • Restrictions on cross-border data transfers.

Verifiable Parental Consent
  • Obtain verifiable parental consent before processing a child's data.
  • Verify identity and age of the parent.

The First Schedule of the Digital Personal Data Protection Rules, 2025 outlines critical points regarding Consent Managers. Here are the key aspects:

Registration Conditions for Consent Managers
  • Must be a company incorporated in India.
  • Minimum net worth requirement of 2 crore rupees.
  • Sufficient technical, operational, and financial capacity.
  • Sound financial condition and management.
  • Directors and key personnel must have good reputation and integrity.
  • Memorandum and Articles of Association must contain provisions for adherence to obligations.
6
Obligations of Consent Managers
  • Enable data principals to give, manage, review and withdraw consent.
  • Maintain records of consents, notices, and data sharing.
  • Provide data principals access to their records.
  • Maintain records for at least 7 years.
  • Develop and maintain a website/app for services.
  • Implement reasonable security safeguards.
  • Avoid conflicts of interest with data fiduciaries.
  • Publish information about promoters, directors, and shareholding.
  • Conduct regular audits and report to the Board.
  • Obtain Board approval for transfer of control.

The Second Schedule of the Digital Personal Data Protection Rules, 2025 outlines standards for processing personal data by the State and its instrumentalities under specific sections of the Act. These standards aim to ensure lawful and responsible data processing. Key points include:
  • Lawful processing: All data processing must be carried out in a lawful manner.
  • Purpose limitation: Processing should be done only for specified uses under clause (b) of section 7 or purposes under clause (b) of sub-section (2) of section 17 of the Act.
  • Data minimization: Only necessary personal data should be processed for the specified uses or purposes.
7
  • Accuracy: Reasonable efforts must be made to ensure the accuracy of personal data.
  • Retention limitation: Personal data should be retained only as long as required for the specified uses/purposes or to comply with applicable laws.
  • Security safeguards: Reasonable measures must be implemented to prevent data breaches and protect personal data.
  • Notification requirements: When processing under clause (b) of section 7, the Data Principal must be informed with:
      • Contact information for queries about data processing
      • Means to access the Data Fiduciary's website or app
      • Information on how to exercise rights under the Act
  • Compliance with government policies: Processing must be consistent with standards set by Central Government policies or applicable laws.
  • Accountability: The entity determining the purpose and means of data processing is accountable for observing these standards.

These standards aim to balance the State's data processing needs with individuals' privacy rights, ensuring transparency, security, and accountability in government data handling.

The Third Schedule of the Digital Personal Data Protection Rules, 2025 specifies the time periods after which certain classes of Data Fiduciaries must erase personal data if the Data Principal has not approached them or exercised their rights.

Here's a summary in table format:

8
Action Plan
  • Identify if your organization falls into any of these categories based on the number of registered users.
  • Implement a system to track user inactivity periods.
  • Develop an automated process to erase personal data after 3 years of inactivity.
  • Create a notification system to inform Data Principals at least 48 hours before data erasure.
  • Establish exceptions for data retention required for compliance with other laws.
  • Ensure your data erasure process excludes data necessary for user account access and virtual tokens issued by your organization.
  • Update your privacy policy to reflect these data retention and erasure practices.
  • Train relevant staff on these new data handling procedures.
  • Regularly audit your systems to ensure compliance with these erasure requirements.
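The action plan above describes one automated lifecycle: track inactivity, warn the Data Principal at least 48 hours before erasure, honour retention required by other laws, and leave account-access data and virtual tokens in place. The following scheduler is an added illustration of that lifecycle, not code from the presentation or from InfosecTrain. It assumes a 3-year inactivity period (the figure the slide uses) and a 48-hour notice window; the record layout, the data categories, the "current time" and the sample users are constructed for the example.

```python
"""Inactivity-based retention and erasure scheduler for the slide-8 action plan.

Added illustration, not code from the presentation or from InfosecTrain.
Assumed: a 3-year inactivity period (the figure used on the slide) and a
48-hour advance notice; field names, categories and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INACTIVITY_PERIOD = timedelta(days=3 * 365)   # approximates the 3-year figure
NOTICE_WINDOW = timedelta(hours=48)           # notice given before erasure

# Categories the slide says an erasure run must leave in place.
RETAINED_CATEGORIES = frozenset({"account_access", "virtual_token"})

# Constructed "current time" so the sample run is reproducible offline.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


@dataclass
class UserRecord:
    user_id: str
    last_activity: datetime          # last login, request, or exercise of rights
    data: Dict[str, str]             # category -> stored value (constructed layout)
    legal_hold: bool = False         # retention required by another law
    notified_at: Optional[datetime] = None
    erased_at: Optional[datetime] = None


def plan_action(record: UserRecord, now: datetime) -> str:
    """Decide what to do with one record; returns none/hold/done/notify/wait/erase."""
    if record.legal_hold:
        return "hold"                # exception for other legal retention duties
    if record.erased_at is not None:
        return "done"                # already erased on an earlier pass
    if now - record.last_activity < INACTIVITY_PERIOD:
        return "none"                # still active: nothing to do
    if record.notified_at is None:
        return "notify"              # period expired: warn the Data Principal first
    if now - record.notified_at < NOTICE_WINDOW:
        return "wait"                # inside the 48-hour notice window
    return "erase"


def erase_personal_data(record: UserRecord) -> List[str]:
    """Delete erasable categories in place and return what was removed."""
    removed = [k for k in record.data if k not in RETAINED_CATEGORIES]
    for key in removed:
        del record.data[key]
    return removed


def run_scheduler(records: List[UserRecord], now: datetime) -> Dict[str, str]:
    """One scheduler pass; mutates records and returns user_id -> action taken."""
    outcome = {}
    for rec in records:
        action = plan_action(rec, now)
        if action == "notify":
            rec.notified_at = now    # stand-in for actually sending the notice
        elif action == "erase":
            erase_personal_data(rec)
            rec.erased_at = now
        elif action == "none":
            rec.notified_at = None   # activity after a notice restarts the clock
        outcome[rec.user_id] = action
    return outcome


def sample_records(now: datetime) -> List[UserRecord]:
    """Constructed sample: four users at different points in the lifecycle."""
    expired = now - INACTIVITY_PERIOD
    return [
        UserRecord("u-active", now - timedelta(days=10),
                   {"email": "a@example.com", "account_access": "pw-hash"}),
        UserRecord("u-dormant", expired - timedelta(days=1),
                   {"email": "b@example.com", "virtual_token": "tok-b"}),
        UserRecord("u-notified", expired - timedelta(days=5),
                   {"email": "c@example.com", "phone": "000",
                    "account_access": "pw-hash", "virtual_token": "tok-c"},
                   notified_at=now - timedelta(hours=50)),
        UserRecord("u-held", expired - timedelta(days=30),
                   {"email": "d@example.com"}, legal_hold=True),
    ]


if __name__ == "__main__":
    records = sample_records(NOW)
    for uid, action in run_scheduler(records, NOW).items():
        print(f"{uid}: {action}")
```

The scheduler is meant to run periodically; each pass moves a record at most one step (notify, then erase on a later pass), so a Data Principal who returns during the notice window drops back to "none" and the stale notice is cleared. The returned map is the audit trail the last action-plan item asks for: persist it per run so that an auditor can see when each notice went out and when each erasure happened.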
9
The Fourth Schedule of the Digital Personal Data Protection Rules, 2025 outlines exemptions from certain obligations applicable to processing personal data of children. It is divided into two parts: Part A and Part B.

Part A: Exempted Data Fiduciaries
Part A specifies classes of Data Fiduciaries exempt from sub-sections (1) and (3) of section 9 of the Act, subject to certain conditions. These likely include:
  • Clinical establishments and healthcare professionals
  • Educational institutions
  • Creches and childcare centers
  • Transportation providers for children

Part B: Exempted Purposes
Part B specifies purposes for which processing of children's personal data is exempt from sub-sections (1) and (3) of section 9 of the Act, subject to certain conditions. These likely include:
  • Compliance with law
  • Provision of subsidies, benefits, or services
  • Email communication
  • Protecting children from harmful information
  • Age verification
10
Action Plan
  • Identify if your organization falls under any of the exempted categories in Part A
      • Review your organization's activities and services
      • Consult legal experts to confirm your exemption status
  • Assess if any of your data processing activities align with exempted purposes in Part B
      • Analyze your data processing purposes
      • Document how they relate to the exempted purposes
  • Review and update your data processing policies
      • Clearly define procedures for handling children's data
      • Ensure compliance with other relevant sections of the Act
  • Implement age verification mechanisms
      • Develop robust systems to verify the age of users
      • Consider using digital locker services for age verification
  • Establish parental consent procedures
      • Create user-friendly interfaces for parents to provide consent
      • Implement secure methods to verify parental identity
  • Train staff on exemptions and obligations
      • Conduct regular training sessions on handling children's data
      • Ensure staff understand the scope and limitations of exemptions
11
  • Implement data minimization practices
      • Review data collection processes to ensure only necessary data is collected
      • Regularly audit and purge unnecessary data
  • Enhance data security measures
      • Implement strong encryption for children's data
      • Restrict access to children's data on a need-to-know basis
  • Develop clear communication channels
      • Create child-friendly privacy notices
      • Establish procedures for responding to data access requests from children or parents
  • Conduct regular compliance audits
      • Schedule periodic reviews of your data processing activities
      • Ensure ongoing compliance with the Act and any changes in regulations
  • Establish a process for handling complaints and inquiries
      • Set up a dedicated channel for addressing concerns related to children's data
      • Ensure timely and appropriate responses to all inquiries
12
The Fifth Schedule of the Digital Personal Data Protection Rules, 2025 specifies the salary, allowances, and other terms and conditions of service for the Chairperson and other Members of the Board. "The Chairperson and every other Member shall receive such salary and allowances and shall have such other terms and conditions of service as are specified in Fifth Schedule."

Key points likely covered in the Fifth Schedule:
  • Salary structure for the Chairperson and Members
  • Allowances provided to the Chairperson and Members
  • Leave entitlements
  • Pension and retirement benefits
  • Travel allowances and accommodations
  • Medical benefits and insurance
  • Terms of appointment and tenure
  • Conditions for removal from office
  • Restrictions on post-retirement employment
  • Any other relevant terms of service

These provisions ensure transparency in the compensation and service conditions for Board members, promoting their independence and effectiveness in carrying out their duties under the Digital Personal Data Protection Act.
13
Contact us www.infosectrain.com
sales_at_infosectrain.com