Draft DPDP Rules, 2025: First Glance

The Ministry of Electronics and Information Technology (MeitY) released the draft DPDP Rules 2025 for public consultation on January 3, 2025. Suggestions can be submitted to MeitY until February 18, 2025, via the MyGov Portal (https://mygov.in). These Rules have been prepared after consulting with various key stakeholders and aim to operationalise the DPDP Act, 2023 upon publication.

These rules will come into force upon publication after consultation, except for rules 3 to 15, 21 and 22 which will be effective from a later date.

Let’s take a look at what the draft Rules prescribe:

Notice to Data Principals (Rule 3)

Rule 3 mandates that Data Fiduciaries provide notices to Data Principals in clear and plain language, ensuring they can give specific and informed consent for processing their personal data. The notice must itemize the types of personal data being processed, the purposes for which it is used, and the services enabled by such processing. It must also include methods for withdrawing consent, exercising rights, and filing complaints.

This rule emphasizes the importance of transparency in data handling, ensuring that Data Principals are fully informed before consenting.

Registration and Obligations of Consent Managers (Rule 4 and First Schedule)

Rule 4 outlines the requirements for Consent Managers, entities responsible for managing Data Principals’ consents. To register as a Consent Manager, an entity must apply to the Data Protection Board and meet conditions specified in Part A of the First Schedule. These include being a company incorporated in India with a net worth of at least ₹2 crore, having robust technical and operational capacity, and adhering to high standards of integrity.

Once registered, Consent Managers are bound by obligations listed in Part B of the First Schedule. These include enabling Data Principals to give, manage, and withdraw their consent, maintaining transparency, avoiding conflicts of interest, and ensuring data security. They must also retain records of consents for at least seven years and allow Data Principals to access these records in machine-readable formats.

Processing by the State and Its Instrumentalities (Rule 5 and Second Schedule)

Under Rule 5, the State and its instrumentalities may process personal data to provide subsidies, benefits, services, certificates, licenses, or permits. Such processing must follow the standards outlined in the Second Schedule, including ensuring data accuracy, limiting retention periods, and maintaining robust security safeguards. Rule 5 underscores that processing must align with lawful purposes and public interest objectives.

Security Safeguards (Rule 6)

Rule 6 requires Data Fiduciaries to implement reasonable security measures to prevent data breaches. These measures include encryption, access controls, maintaining logs, and ensuring data availability during emergencies. Contracts with data processors must also include provisions for such safeguards.

If a breach occurs, Data Fiduciaries must notify affected Data Principals promptly, describing the breach, its consequences, and the steps taken to mitigate risks. They must also notify the Data Protection Board within 72 hours.

Retention and Erasure of Personal Data (Rule 8 and Third Schedule)

Rule 8 mandates that Data Fiduciaries erase personal data when the specified purpose is no longer served unless retention is required by law. Before erasure, Data Fiduciaries must notify the Data Principal, giving them 48 hours to re-engage if they wish to retain their data.

The Third Schedule specifies time periods for retaining data based on the type of fiduciary and purpose. For example, e-commerce entities with over two crore users must erase data after three years unless it is needed for user account access or other specified purposes.

Rights of Data Principals (Rule 13)

Rule 13 empowers Data Principals to access, correct, and erase their personal data and nominate representatives to exercise these rights. Data Fiduciaries must facilitate these rights through accessible mechanisms and publish grievance redressal timelines. Data Fiduciaries are also required to inform Data Principals of their rights and provide user-friendly interfaces for exercising them.

Processing of Children’s Data and Verifiable Consent (Rule 10 and Fourth Schedule)

Rule 10 requires Data Fiduciaries to obtain verifiable consent from a parent or lawful guardian before processing a child’s data. Verification can involve checking identity documents or digital tokens. Specific exemptions are granted to Data Fiduciaries such as healthcare providers, educational institutions, and childcare centres under the Fourth Schedule, provided the processing is necessary for health, education, or safety purposes.

Additional Obligations for Significant Data Fiduciaries (Rule 12)

Significant Data Fiduciaries (SDFs) are Data Fiduciaries notified by the government based on criteria such as the volume or sensitivity of data processed. Rule 12 outlines additional obligations for SDFs, including conducting annual Data Protection Impact Assessments and ensuring compliance with data localization requirements. SDFs must also ensure that algorithmic systems used do not harm Data Principals’ rights.

Cross-Border Data Transfers (Rule 14)

Rule 14 governs cross-border data transfers, allowing data to be transferred outside India only under conditions specified by the Central Government.

Exemptions for Research and Statistical Purposes (Rule 15 and Second Schedule)

Rule 15 provides exemptions for processing personal data for research, archiving, or statistical purposes. Such processing must comply with the Second Schedule’s standards, ensuring it is limited to what is necessary and does not infringe on Data Principals’ rights.

Governance and Operations of the Data Protection Board (Rules 16 to 20 and Fifth Schedule)

Rules 16 to 20 establish the structure and functioning of the Data Protection Board. The Chairperson and members are appointed by the Central Government, following recommendations by a search-cum-selection committee. The Fifth Schedule outlines their service terms, including salaries, allowances, and leave policies.

The Board operates digitally, with meetings conducted virtually to enhance efficiency. It is empowered to summon individuals, review compliance, and issue orders. Disputes can be escalated to the Appellate Tribunal, where appeals are filed digitally, and proceedings prioritize accessibility.

Appeals to the Telecom Disputes Settlement and Appellate Tribunal (Rule 21)

Rule 21 provides a mechanism for appeals against orders or directions of the Data Protection Board. Appeals must be filed digitally, with the procedure detailed on the Appellate Tribunal's website. A fee akin to that payable for appeals under the Telecom Regulatory Authority of India Act, 1997, applies, though the Chairperson may reduce or waive it. The Tribunal follows principles of natural justice rather than the Civil Procedure Code, ensuring flexibility. Proceedings are conducted digitally, enhancing accessibility and efficiency.

Power to Call for Information (Rule 22 and Seventh Schedule)

Rule 22 grants the Central Government the authority to call for information from Data Fiduciaries and intermediaries for purposes specified in the Seventh Schedule. This includes activities related to national security, legal obligations, and assessments for designating Significant Data Fiduciaries.

Conclusion

The draft DPDP Rules, 2025, represent a crucial step forward in India’s journey toward robust data privacy regulation. They set the stage for a more transparent, accountable, and secure digital ecosystem while balancing the rights of individuals with the operational needs of organizations.
