In August 2017, a nine-judge bench of the Supreme Court unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21. This changed the data privacy regime in the country, and the Government appointed a committee of experts on data protection, which submitted a report in July 2018 along with a draft Data Protection Bill.

    Thereafter, the Government published the Digital Personal Data Protection Act (DPDPA), which provides a legal framework for processing digital personal data and was passed by Parliament in 2023. To that effect, the Draft Digital Personal Data Protection Rules were issued in January 2025; they supplement the DPDP Act 2023 and provide operational clarity on the provisions of the Act.

    Data privacy today goes beyond compliance for global businesses; it is a strategic imperative for establishing trust, enhancing reputation and driving success. Along with rapid technology-led innovation, including the adoption of Artificial Intelligence (AI), the world is also witnessing a significant amount of digital data being created, and regulations like this enable businesses to bring order to such environments.

    Globally, data protection acts carry stringent punitive measures, which have also been included in the DPDPA. Non-compliance with the regulation could lead to hefty fines, potentially up to INR 250 crores, along with reputational risks.


    DPDP Draft Rules

    The draft rules published by the government are progressive and straightforward, which should enable the country to strengthen its data protection regime. Their effectiveness depends on the swift establishment and operation of the Data Protection Board. Some areas of ambiguity may have emerged from this simplicity, and these should be addressed over time.

    The rules are primarily focused on the below:

    • Notification of Personal Data Breach

      The rules provide more specificity on informing the authorities and the data principal, along with timelines and the information that should be included in the notification. The rules highlight the need for a layered approach, with immediate notification in case of a data breach followed by a 72-hour period for detailed information.

    • Consent Management

      The rules enable the key principles of active consent management from data subjects and go into detail on the language for publishing the notice, the content to be covered, and the communication channels to be published. The rules also focus on mechanisms for consent withdrawal and on establishing a consent management entity. There is also a focus on consent from parents for children and on coverage of people with disability.

    • Security Safeguards

      The rules highlight the need for organisations to have reasonable data security and protection safeguards. These extend beyond the boundaries of the entity and cover third parties and supply chains as well.

    • Empowering the Data Principal

      The rules enable the establishment of adequate mechanisms to empower the data principal, including grievance management, data updates and/or removal, and appointment of nominees.

    • Data retention

      The rules highlight the data retention period based on the nature of services/intermediaries, along with exception management.


    Key Imperatives for Organisations

    The DPDPA enables the country to make a pivotal shift in its overall approach to managing data privacy for digital data. This shall further enable organisations to create an environment of trust with their key stakeholders (customers, regulators, investors), leading to constant value enhancement and innovation through digital technologies.

    As organisations adopt the DPDPA, it will be important to look at it holistically and not through the lens of compliance only. This will require effective synergy across the C-suite, where every function is expected to play an important role: marketing must balance personalisation with consent; procurement must ensure that third parties are adequately covered by data privacy requirements; research & development and/or engineering departments should be sensitive about using personal information; customer service teams need effective grievance mechanisms; technology teams need to establish the foundation for data security; and legal functions should safeguard compliance without curbing innovation.

    This is an opportunity for organisations to drive strategic advantage where ethical data stewardship builds loyalty, enhances reputation, and fosters trust in an era where customer experience defines success. 

    Way forward

    Fostering a privacy-centric culture under the DPDP Act should begin with leadership commitment, where the C-suite sets the tone by championing a “privacy-first” mindset, keeping trust and transparency principles at the epicenter, embedding accountability into governance frameworks, and allocating reasonable budgets.

    The DPDP rules enable organisations to establish compliance, which is the beginning of data privacy practices. The regulation offers far more than a mere mandate: it is a strategic lever to elevate trust, accountability, and innovation in the digital economy. By aligning data privacy and protection with strategic goals, organisations could cultivate a future where trust and progress are inseparable, proving that regulatory frameworks can drive both ethical responsibility and commercial success.

    Lastly, enterprises should look to seize this opportunity to foster 'Digital Trust' across their ecosystem, which includes customers, employees, regulators, and third-party partners.


    A version of this article was published in Express Computer Online on April 04 2025.


    Author

    Atul Gupta

    Partner and Head - Digital Trust and Cyber

    KPMG in India

