On January 3, 2025, India released the draft Digital Personal Data Protection Rules, 2025 (“the Rules”) in its official Gazette. These Rules aim to operationalize the Digital Personal Data Protection Act, 2023, establishing a robust data protection framework for businesses operating in the country.

The Ministry of Electronics and Information Technology (MeitY) has initiated a public consultation process, allowing stakeholders to submit feedback until February 18, 2025.

Key Compliance Obligations for Businesses

The new Rules impose strict data protection requirements on companies handling personal data in India, referred to as “Data Fiduciaries.”

1. Explicit Consent for Data Processing

Organizations must obtain clear and explicit consent before collecting or processing personal data.

2. Strengthened Security Safeguards

Businesses are required to implement robust security measures to prevent data breaches and unauthorized access.

3. Data Subject Rights: Access & Erasure

Individuals will have greater control over their data, including the right to access, modify, and request deletion of personal information.

4. Introduction of Consent Managers

The Rules propose “Consent Managers”—third-party entities designed to help users manage and withdraw consent efficiently.

Additional Requirements for Significant Data Fiduciaries

Companies handling large volumes of personal data may be classified as Significant Data Fiduciaries, facing stricter compliance mandates, including:

✅ Data Protection Impact Assessments (DPIAs) to evaluate risks.
✅ Data Localization Requirements, potentially restricting cross-border data transfers.

How Businesses Can Prepare for Compliance

Companies offering products or services in India must take immediate action to align with the proposed regulations. Steps include:

🔹 Conducting gap assessments to identify compliance gaps.
🔹 Updating privacy policies and internal procedures.
🔹 Implementing security measures to safeguard personal data.
🔹 Setting up mechanisms for handling data subject requests.

Non-Compliance Risks: What’s at Stake?

Failure to comply with the final Digital Personal Data Protection Rules, 2025 could lead to:

❌ Financial penalties for violations.
❌ Restrictions on data processing activities.
❌ Severe reputational damage for non-compliant businesses.

Final Thoughts: Take Action Now

With the February 18, 2025 consultation deadline approaching, businesses must stay proactive in preparing for India’s evolving data protection landscape.

📢 Stay informed and ensure compliance—act now to protect your business!

Impact on Type Approval and Market Access Requirements? – Yes

Impact on Imports, Customs, Trade, or Market Surveillance? – Yes

Impact on Spectrum Management? – No

Impact on Technical Standards? – No