Game Over for Data Misuse? Read How India’s New Rules Will Change Digital Privacy

The420.in

NEW DELHI: The Centre is in the final stages of shaping the rules under the Digital Personal Data Protection (DPDP) Act, with completion expected by April.

The legislation, designed to enhance data privacy in an increasingly digital landscape, is undergoing its final review by the Ministry of Electronics and Information Technology (MeitY).

MeitY is currently assessing feedback from various stakeholders, including industry leaders, privacy advocates, and citizens. Reports indicate that two-thirds of the suggestions received on the draft DPDP Rules 2025 have already been reviewed, with the remaining expected to be processed soon. The finalised regulations are likely to be rolled out by the end of April.

The review process follows a two-month public consultation period, which concluded recently. Despite requests for an extension, the government had firmly stated that there would be no significant changes to the draft and no further delays in finalisation.

Key Provisions of DPDP Draft Rules

Initially introduced on January 3, the draft rules underwent a consultation phase until March 5. Under these provisions, data fiduciaries—entities responsible for processing personal data—must provide clear details to users and obtain their consent before handling their data. Users also have the right to revoke consent and report violations to the Data Protection Board of India.

To ensure strong data protection, fiduciaries are required to implement:

  • Encryption and masking of personal data to prevent unauthorised access.
  • Strict access control for computer resources used in data processing.
  • Monitoring mechanisms to track who accesses personal data, facilitating investigation and resolution of breaches.
  • Measures to maintain continuity in case of data integrity or confidentiality issues.
  • Security clauses in agreements between data fiduciaries and processors to ensure compliance.
  • Organisational safeguards for robust enforcement of data security measures.

The draft rules also emphasise the protection of data belonging to children and individuals with disabilities. In such cases, data controllers must secure consent from parents or legal guardians before processing any personal information.

Additionally, the framework introduces strict controls over cross-border data transfers. Data can only be shared internationally if approved by the Centre, and the receiving country must meet specified data protection standards.

Certain sectors, such as healthcare, education, and childcare institutions, have been exempted from these regulations. The government believes that these rules will ease compliance requirements for startups and MSMEs while ensuring robust data protection standards.

However, startup founders have raised concerns over the potential impact on businesses, particularly regarding restrictions on cross-border data transfers.

In January, they met with government officials in a closed-door session to discuss these challenges, especially for ecommerce and travel sectors that rely on global data operations.

According to a report, a survey of over 3,000 consumers revealed that 56% were unaware of their data privacy rights. Among 186 surveyed organisations, only 9% demonstrated a thorough understanding of the DPDP Act.

With India’s digital ecosystem expanding rapidly, the implementation of DPDP rules is expected to reshape data privacy regulations, bringing both opportunities and challenges for businesses and individuals alike.
