Digital Personal Data Protection Act 2023 + DPDP Rules 2025: Complete Compliance Guide (Pricoris LLP)

India has entered a new era of digital governance. With the Digital Personal Data Protection Act, 2023 (DPDP Act) and the subsequently notified DPDP Rules, 2025, organisations now have a clear, codified, and enforceable data protection regime—backed by timelines, duties, rights, and regulatory oversight.

This article provides a comprehensive and implementation-focused view of the Act and Rules, along with a corrected compliance window, and a downloadable 1-page infographic summarising the framework.

1. Scope of the DPDP Act (Section 3)

The DPDP Act applies to:

  • All digital personal data processed within India.
  • Processing outside India if goods or services are offered to individuals in India.
  • State entities, private organisations, individuals, companies, and firms.
  • Both digital-native data and digitised offline data.

The Central Government has notified an 18-month compliance window to assist organisations in phased implementation.

2. Key Actors Under the DPDP Framework (Act Section 2; Rules 4, 17–23)

Data Principal: The individual to whom the personal data relates.

Data Fiduciary (DF): The entity that determines the purpose and means of processing.

Significant Data Fiduciary (SDF): Organisations that meet certain risk-based thresholds and are designated by the Central Government.

Data Processor: Processes personal data on behalf of a DF under a lawful contract.

Consent Manager (Rule 4)

  • Must be an Indian company.
  • Must maintain a registered platform with the Data Protection Board (DPB).
  • Shall retain consent-related records for 7 years.
  • DPB may suspend or revoke registration for non-compliance.

Data Protection Board of India (DPB)

  • A digital-by-design adjudicatory body.
  • Handles complaints, imposes penalties, orders remedial actions, and allows voluntary undertakings.
  • Appeals lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

3. What Counts as Personal Data? (Section 2(13))

  • Any data that identifies or can identify an individual.
  • The Act does not create a separate category for “sensitive personal data.”
  • The Rules introduce additional safeguards for:
    • Children (parental consent; no profiling, tracking, targeted advertising).
    • Persons with disability under lawful guardianship (Rule 11).

4. Lawful Processing of Personal Data

A. Consent Requirements (Act Section 6; Rule 3)

Consent must be:

  • Free, specific, informed, unconditional, and unambiguous.
  • Based on a standalone notice with details mandated under Rule 3.
  • Provided in English or any Eighth Schedule language.

The notice must include:

  • Purposes of processing
  • Data categories
  • Goods/services enabled
  • Withdrawal mechanism
  • Grievance redress details
  • Cross-border reference (if applicable)
  • Retention principles

B. Legitimate Uses (No Consent Required) (Section 7)

A Data Fiduciary may process personal data without consent for:

  • Voluntary data provided by the individual
  • State functions (as per Rule 5 and Schedule II)
  • Compliance with law or court orders
  • Public health and disaster response
  • Employment-related purposes
  • Public order

5. Duties of Data Fiduciaries (Act Section 8; Rules 3–12, 14)

Security Safeguards (Rule 6)

DFs shall implement reasonable technical and organisational measures. These include:

  • Access control
  • Encryption and masking
  • Monitoring and logging
  • Backups and disaster recovery
  • Authentication controls
  • 1-year mandatory log retention

Processor Management

DFs must ensure processors follow all security safeguards.

Retention & Erasure (Rule 8)

  • Data shall be erased once the purpose is fulfilled.
  • 48-hour prior intimation to the Data Principal before erasure (where Rule 8 applies).
  • Sectoral retention:
    • Up to 3 years (e-commerce, social media, gaming).
    • 1-year retention for State security cases.

Breach Notification (Rule 7)

The DF must:

  • Notify the DPB without delay
  • Notify affected Data Principals as soon as possible
  • Submit full details of the breach within 72 hours

Children’s Data (Rules 10 & 12)

  • Verifiable parental consent
  • No tracking/profiling/targeted ads
  • Limited exemptions for healthcare, education, real-time safety

Persons with Disability (Rule 11)

  • Verifiable lawful guardian consent

Grievance Redress (Rules 9 & 14)

  • Publish grievance mechanism
  • Respond within 90 days
  • Publish DPO or designated contact

6. Duties of Significant Data Fiduciaries (Act Section 10; Rule 13)

SDFs must:

  • Appoint a Data Protection Officer located in India
  • Appoint an independent data auditor
  • Conduct an annual DPIA
  • Conduct an annual independent audit
  • Implement additional organisational and technical safeguards
  • Ensure Government-identified restricted data does not leave India

7. Rights of Data Principals (Act Sections 11–14; Rule 14)

  • Right to access personal data
  • Right to correction and updating
  • Right to erasure
  • Right to grievance redress
  • Right to nominate a representative

DFs must publish rights, verification steps, and timelines.

8. Cross-Border Transfers (Act Section 16; Rule 15)

  • Data may be transferred unless restricted by the Central Government.
  • Additional safeguards may be prescribed.

9. Research, Archiving & Statistics (Rule 16; Schedule II)

  • Exemptions apply if strict standards are met.
  • No decisions may be made about individuals using such processed data.

10. Data Protection Board & Penalties (Act Chapter V; Rules 17–23)

  • Fully digital functioning
  • Online complaints and hearings
  • Mediation & voluntary undertakings
  • Penalties up to ₹250 crore per violation
  • Appeals to TDSAT

11. DPDP Compliance Timeline (Three Phases)

Phase 1 — Immediate (13 November 2025)

  • Applicability & definitions
  • Data Principal rights
  • DPB establishment, penalties, appeals

Phase 2 — One Year Post-Publication (13 November 2026)

  • Legal proceedings basis (Section 6(9))
  • Cross-border safeguard for legal obligations (Section 27(1)(d))
  • Consent Manager obligations commence (Rule 4)

Phase 3 — Eighteen Months Post-Publication (13 May 2027)

Operational implementation across:

  • DF controls: security, breach response, retention, processors, children’s data
  • Lawful processing: consent flows, legitimate uses, cross-border checks
  • SDF duties: annual DPIA & audit, enhanced safeguards
  • Enforcement-ready documentation

Note:
The Government has notified an 18-month rollout. The Act/Rules do not define sub-phases beyond these effective dates.

12. SARAL Framework (PIB 3 January 2025 — Government Communication)

The Government describes the DPDP framework as SARAL:
Simple, Accessible, Rational, Actionable Law.
This is not a legal obligation but an interpretive design principle.

How Pricoris LLP Can Help

At Pricoris LLP, we support organisations in:

  • DPDP Act readiness assessments
  • Data flow mapping and governance framework design
  • Consent management architecture
  • DPIAs and SDF classification
  • Policy drafting and documentation
  • Technical and organisational control implementation
  • Incident and breach management readiness
  • Board and workforce training

For assistance, contact:
📧 info@pricoris.com
📞 +91 95989 90815 | +91 80588 77450
