India’s data protection rules trigger race to readiness

The issue

More than three-quarters of the world’s population will soon have basic privacy protections, thanks to regulatory actions recently taken by India. On January 3, 2025, India’s Ministry of Electronics and Information Technology (MeitY) released the much awaited draft rules for complying with the country’s Digital Personal Data Protection Act (DPDPA). The rules will offer multinational companies a framework for compliance once the DPDPA becomes enforceable later this year or in 2026.

With this landmark step, companies that operate in India will take on the duties of a "data fiduciary": obtaining informed consent before processing personal data, and protecting the confidentiality, integrity and availability of that data.

The DPDPA's cross-border transfer provisions, together with the payment system data restrictions issued by the Reserve Bank of India (RBI), also create data-localization requirements. The RBI requirements, which affect financial institutions and payment system operators, mandate that payment system data be stored exclusively within India while allowing processing abroad only under strict conditions.

The MeitY draft rules implementing DPDPA could be finalized any time now, as the public consultation period closed in March 2025. Multinational companies that haven’t yet assessed their compliance posture — especially those in nine highly impacted sectors — should take prompt action, starting with six “no regrets” steps to jumpstart their path to readiness.

The regulator’s take

MeitY’s draft rules provide a detailed framework for operationalizing the DPDPA. Here are the key provisions.

Notice by data fiduciaries (Rule 3). Data fiduciaries must provide data principals (the individuals to whom the personal data relates) with a clear, standalone notice before processing personal data. The notice must be understandable without reference to other materials, use plain language and contain an itemized description of the personal data being collected, the purpose of processing and a description of the goods or services provided through that processing. It must also include links for withdrawing consent, exercising rights and lodging complaints.

Consent managers (Rule 4; First Schedule, Part B). Entities that meet certain criteria may apply for registration as a consent manager. Once registered, they must operate a platform that enables data principals to give, manage and withdraw consent for data processing by data fiduciaries. They must preserve consent records for at least seven years, act in a fiduciary capacity toward data principals and avoid conflicts of interest with data fiduciaries. The Data Protection Board of India (DPBI) may suspend or cancel a registration for noncompliance.

Data security (Rule 6). Data fiduciaries must adopt reasonable safeguards to prevent data breaches. These include encryption, masking and virtual tokens, access controls, monitoring mechanisms, data backups, and retention of access logs and related data for at least one year. Contracts with data processors must impose equivalent obligations.

Breach notification (Rule 7). In the event of a breach, data fiduciaries must notify affected individuals promptly, describing the nature of the breach, its likely consequences and suggested precautions. They must also report the breach to the DPBI within 72 hours with a full description, the mitigation measures taken and the findings of their investigation.

Data retention and deletion (Rule 8; Third Schedule). Certain data fiduciaries, such as e-commerce platforms, online gaming intermediaries and social media platforms, must erase personal data if the data principal has neither engaged with the service nor exercised any rights for three years. They must inform the data principal at least 48 hours before deletion.

Data of children and persons with disabilities (Rules 10 and 11; Fourth Schedule). Verifiable parental consent is required before processing a child's data. Verification may rely on identity checks or on digital tokens issued by authorized bodies. For persons with disabilities, the guardian's legal authority must be verified. Some data fiduciaries, such as schools and health professionals, are exempt from certain obligations when processing a child's data for safety, education or healthcare. Further exemptions apply when processing is required by law, for issuing subsidies, or to confirm that harmful information is not accessible to children.

Data protection impact assessments (Rule 12). "Significant data fiduciaries" must conduct annual data protection impact assessments and audits. They must submit significant audit findings to the DPBI, confirm that their algorithms do not pose risks to data principals, and observe restrictions on international data transfers based on government recommendations.

Rights of data principals (Rule 13). Data fiduciaries must publish how data principals can exercise their rights, such as accessing, correcting or erasing their data. Grievance redressal mechanisms and response timelines must be published and effective. Data principals may nominate another person to exercise their rights on their behalf in the event of death or incapacity.

Cross-border data transfers (Rule 14). Personal data may be transferred outside India only if the data fiduciary complies with the specific requirements imposed by the central government.

Sector compliance challenges. While the RBI provides sector-specific compliance guidelines for financial institutions, the DPDPA establishes a broader data protection framework whose obligations cut across sectors.

Financial services (banking, payment processors and financial technology): The RBI requires domestic storage of end-to-end transaction details along with the information collected or processed. For the foreign leg of a transaction, data may also be stored in the foreign country, provided it is made available in India within 24 hours.
Retail (e-commerce): Stricter consent and data collection rules affect customer targeting and personalization.
Information technology (cloud computing and AI): Indian clients will demand localized cloud infrastructure to comply with data transfer restrictions.
Health industries (pharmaceutical, life sciences): Elevated compliance burden for clinical trials, patient data security and research-related cross-border transfers.
Technology, media and telecommunications (consumer platforms): Obligations for metadata storage, security and government access provisions.
Marketing (social media and digital ads): Rules on ad targeting, consent-based data collection and content governance.
Business process outsourcing: Call centers handling Indian customer data may be required to store that data within India, particularly where they are deemed significant data fiduciaries.
Travel and hospitality: Compliance with data residency requirements for travel booking and customer data.
Industrial products (manufacturing and automotive): Internet of Things (IoT) and vehicle data protection obligations for global auto companies.

Your next move

Companies doing business in India should begin or accelerate their DPDPA readiness capabilities. Consider these six “no regrets” actions.

  1. Identify a data protection officer. Appoint a DPO to serve as the regulatory liaison; significant data fiduciaries must appoint one based in India. Publish the DPO's contact details on company websites, applications and other relevant communication channels.
  2. Prioritize data discovery and classification. Conduct data assessments to locate and classify personal data processed in India, identifying the processing that requires consent and the data that is subject to access, correction or erasure requests.
  3. Start data-localization contingency planning. Assess potential exposure to data-transfer restrictions and technological and procedural options for local mirroring or storage.
  4. Prepare for data protection impact assessments (DPIAs). Scope out distinct data processing that requires separate DPIAs and determine implementation options.
  5. Establish an incident-response process. Map out protocols for notifying the DPBI and impacted individuals in case of a breach.
  6. Strengthen third-party privacy governance. Assess and address gaps in your governance process for third-party data processors. Update contracts and third-party risk management policies and controls to meet DPDPA compliance obligations.
