 

Dear Sir/Madam,


We hope you are well. 

 

The Indian government has notified the Digital Personal Data Protection Rules, 2025 (“Rules”) earlier today. The substantive portions of these Rules will come into force in 18 months from their date of publication.

 

You may remember that India had passed the Digital Personal Data Protection Act, 2023 (“DPDPA”), more than two years ago. The Law’s implementation had been on hold pending the formulation of the rules to be issued under it. These Rules have now been finalized and notified.   

  

You can access the final version of the Rules here  

 

What do the final Rules say: The final Rules spell out how the substantive provisions of the DPDPA are to be implemented. They include additional guidance on matters such as the constituent elements of a Privacy Notice, the mechanism and timelines for reporting personal data breaches, and data retention periods based on the nature of the entity (e.g., social media intermediaries, e-commerce entities, etc.). They also contain some administrative elements relating to the establishment of India’s data regulator, the Data Protection Board.

  

What this means for businesses collecting data: With the Rules now in force, the stakes for data compliance are raised significantly. The DPDPA prescribes steep monetary penalties (up to INR 250 crore per breach in some cases) for non-compliance with its provisions. Organizations will need to revisit their operations and determine the gaps that need addressing. This includes reviewing how privacy notices are drafted, how data principal’s consent and withdrawal processes are operationalized, breach reporting mechanisms, retention practices, data principals’ exercise of their rights, and grievance redressal procedures. 

  

What this means for ‘processors’ of data: Entities that are operating in support of Data Fiduciaries (i.e., data collectors) will also need to align their practices for conformity with the DPDPA. These ‘processors’ can expect specific contractual clauses in their agreements with Data Fiduciaries, mandating compliance with DPDPA norms, breach-reporting measures, and data retention requirements. While most obligations under the DPDPA will fall on the Data Fiduciary, a Data Processor may also be called upon to show compliance in certain instances.  

  

What happens next: The privacy Rules will be implemented in a phased manner. Rules that pertain to ‘consent managers’ come into force in one year from publication, and some administrative portions of these Rules come into force immediately. Provisions impacting security safeguards, breach intimations, verifiable consent, etc., are coming into force 18 months from the date of publication.  

  

As you can imagine, the passage of this law will result in reshaping the privacy framework and the approach towards it. BTG Advaya will keep tracking its developments and keep you posted. If you have any questions, please do not hesitate to contact practicemanager@btgadvaya.com.    

   

Kind regards, 

Vikram Jeet Singh

Partner | BTG Advaya


   
 
BTG Legal | 2nd Floor, Hague Building, SS Ram Gulam Marg, Ballard Estate, Fort, Mumbai, Maharashtra 400 001 |