Ready for the Shift? What India’s New Data Protection Rules Demand of Data Fiduciaries
This blog was originally posted on 31st January, 2025 and updated on 26th November, 2025. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.
AUTHORED BY SIDDHANT SHAHANE, REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS
The Indian Ministry of Electronics and Information Technology has recently released the highly anticipated Digital Personal Data Protection Rules, which fully operationalise India’s Digital Personal Data Protection Act (“DPDP Act”), enacted in 2023 in line with the country’s commitment to create a robust framework for protecting personal data.
Before finalising the draft Rules, the Ministry of Electronics and Information Technology (MeitY) actively sought public comment through a series of consultations held in seven major cities. The discussions saw broad participation from various groups, including startups, MSMEs, established industry bodies, civil society groups, government departments, and individual citizens. A significant total of 6,915 contributions were received, and these diverse inputs were instrumental in shaping the final version of the Rules.
DPDP Act & its Rules
The DPDP Act and its Rules strengthen citizens’ privacy rights while clarifying their interaction with the Right to Information (RTI) Act. To achieve this harmony, the DPDP Act revises Section 8(1)(j) of the RTI Act. This change formalises an approach already upheld by courts – and affirmed by the Supreme Court in the Puttaswamy judgment – by requiring careful assessment of personal data before disclosure, thereby respecting privacy as a fundamental right. Crucially, this revision does not block disclosure but prevents conflict by ensuring privacy interests are considered.
Together, the Act and the Rules form a clear and citizen-centred framework for the responsible use of digital personal data. They place equal weight on individual rights and lawful data processing.
To carry this vision forward, the Rules outline the following core provisions:
Phased and Practical Implementation
The Rules introduce an eighteen-month period for phased compliance. This gives organisations enough time to adjust their systems and adopt responsible data practices. Every Data Fiduciary must issue a separate consent notice that is clear and easy to understand. The notice must explain the specific purpose for which personal data is collected and used.
Clear Protocols for Personal Data Breach Notification
The Rules set out a simple and timely process for reporting personal data breaches. When a breach takes place, the Data Fiduciary must inform all affected individuals without delay. The message must be in plain language and must explain what happened, the possible impact and the steps taken to address the issue. It must also include contact details for help.
Transparency and Accountability Measures
The Rules require every Data Fiduciary to display clear contact information for queries related to personal data. This may be the contact of a designated officer or a Data Protection Officer. Significant Data Fiduciaries face stronger duties. They must conduct independent audits and carry out impact assessments. They must also follow stricter checks while using new or sensitive technologies. In some cases, they must follow government directions on restricted categories of data, including local storage where needed.
Strengthening the Rights of Data Principals
The Rules reinforce the rights already provided under the Act. Individuals can ask to access their personal data or seek corrections and updates. They may also request the removal of data in certain situations. They can choose someone else to exercise these rights on their behalf.
Mandatory Response within Ninety Days
Data Fiduciaries are required to address all requests related to access, correction, updating or erasure within a maximum of ninety days, ensuring timely action and accountability.
Clear Contact for Queries and Complaints
Data Fiduciaries must provide a point of contact for questions relating to personal data. This may be a designated officer or a Data Protection Officer.
Special Protection for Children
When a child’s personal data is involved, verifiable consent from a parent or guardian is required. This consent is needed unless the processing relates to essential services such as healthcare, education or real-time safety.
Registration and Obligations of Consent Manager
A person who fulfils the conditions for registration of Consent Managers set out in Part A of the First Schedule may apply to the Board for registration as a Consent Manager by furnishing such particulars and such other information and documents as the Board may publish in this behalf on its website. Consent Managers, who help people manage their permissions, must be companies based in India.
Reasonable Security Safeguards
A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.
Intimation of Personal Data Breach
On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary. The Data Fiduciary shall also undertake measures to mitigate risks.
Such an intimation must be provided within 72 hours of becoming aware of the same.
Time Period for the Specified Purpose to be Deemed as no Longer Being Served
A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in the Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force.
At least 48 hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period.
Contact Information of the Person to Answer Questions About Processing
Every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of personal data.
A Data Fiduciary shall adopt appropriate technical measures to verify consent for the processing of personal data of a child or of a person with a disability who has a lawful guardian.
Penalties Under the DPDP Act, 2023
The DPDP Act imposes substantial financial penalties for non-compliance by Data Fiduciaries. The highest penalty, of up to ₹250 crore, applies to a Data Fiduciary's failure to maintain reasonable security safeguards. Failing to notify the Board or affected individuals of a personal data breach, as well as violating obligations relating to children, can each attract penalties of up to ₹200 crore. Any other violation of the Act or Rules by a Data Fiduciary may attract penalties of up to ₹50 crore.
Conclusion
Marking a significant step toward a future-ready digital landscape, the DPDP Act and Rules provide clear guidance on managing personal data. The legislation enhances data principal rights and establishes strict accountability for organisations. Developed through wide public consultation, the framework is practical, inclusive, and tailored to real-world needs. It supports the flourishing digital economy by ensuring privacy is not compromised during growth. This new ecosystem fosters greater safety, transparency, and innovation, ultimately strengthening public trust in digital governance.