Draft DPDP Rules 2025: The Compliance Shift That Could Reshape Indian Businesses
- Chintan Shah
- Apr 10
- 4 min read
In August 2023, India crossed a major milestone with the enactment of the Digital Personal Data Protection (DPDP) Act. Fast forward to January 2025, when the Ministry of Electronics and Information Technology (MeitY) released the Draft DPDP Rules, laying out the operational blueprint for how the Act will be implemented.
With data breaches becoming alarmingly frequent and the compliance landscape tightening fast, businesses can no longer afford to wait. These rules aren’t just paperwork—they're a playbook for survival in a data-sensitive world.
India's Data Breach Landscape
Let’s begin with the facts. India ranked fifth globally in data breaches in 2023, with over 5.3 million accounts compromised, according to Surfshark’s global breach report. This isn’t just an IT problem—it’s a legal liability waiting to explode.

Take the case of AIIMS Delhi in late 2022. A massive ransomware attack paralyzed systems and compromised patient data. The breach led to operational delays, reputational damage, and sparked urgent calls for better cybersecurity protocols across government and private sectors.
The Draft DPDP Rules now make reporting data breaches mandatory. If a company delays or fails to inform the Data Protection Board of India (DPB), it risks not just fines, but serious legal scrutiny.
Case Studies
AIIMS Ransomware Attack
A glaring example of the critical need for enhanced data security is the ransomware attack on AIIMS Delhi in November 2022. The attack resulted in the encryption of roughly 1.3 terabytes of sensitive data, and the perpetrators allegedly demanded a ransom of ₹200 crore (a demand the hospital publicly denied). The incident not only disrupted hospital operations for days but also exposed the personal and medical information of a large number of patients, emphasizing the catastrophic consequences of inadequate data protection measures.

MobiKwik Data Breach
In early 2021, digital wallet provider MobiKwik faced allegations of a significant data breach involving the personal information of nearly 110 million users. The compromised data reportedly included Know Your Customer (KYC) documents, Aadhaar card details, and card payment information. Although MobiKwik denied the breach, the incident raised serious concerns about data security practices within fintech companies.

Key Provisions of the Draft DPDP Rules
The Draft DPDP Rules serve to operationalize the DPDP Act, 2023, by delineating specific compliance obligations for businesses handling personal data. Notable provisions include:
Consent Management: Organizations must obtain clear, specific and unambiguous consent from individuals before processing their personal data, and must be able to show that they did. Consent Managers (the intermediaries through which individuals can give, manage and withdraw consent) must be companies incorporated in India, so international businesses offering such services must operate through an Indian entity.
Data Fiduciary Responsibilities: Every Data Fiduciary must implement reasonable security safeguards for the personal data it controls. Entities notified as Significant Data Fiduciaries carry additional duties, including periodic Data Protection Impact Assessments, independent audits, and the appointment of a Data Protection Officer based in India to oversee compliance.
Breach Notification: In the event of a personal data breach, organizations must notify the affected individuals and the Data Protection Board of India (DPB) without delay; the Draft Rules also require a detailed report to the Board within 72 hours (extendable on request), covering the nature of the breach, its likely impact, and the remedial action taken.
What are the DPDP rules 2025?
The Draft Rules give life to the DPDP Act by setting out compliance expectations in detail. Here are the key highlights for legal practitioners and business advisors:
Consent & Processing: Businesses must obtain clear, informed, and verifiable consent before processing personal data. Gone are the days of vague disclaimers and buried checkboxes.
Privacy Notices: These must be simple, clear, and accessible—explaining what data is collected, why, and for how long. Companies cannot just copy-paste policies from elsewhere.
Retention & Deletion: The rules emphasize “data minimization.” Businesses must delete personal data once the purpose is fulfilled, unless required by law to retain it.
Children’s Data: Processing the data of minors (under 18) requires verifiable consent from a parent or lawful guardian, and tracking or targeted advertising directed at children is under tighter scrutiny.
Data Fiduciaries: Companies handling large volumes or sensitive data may be classified as “Significant Data Fiduciaries” and will have to meet additional compliance requirements such as regular audits and appointment of a Data Protection Officer (DPO).
Grievance Redressal Mechanism
Every Data Fiduciary must appoint a Grievance Officer.
Individuals must be able to easily contact the officer and get issues resolved within the response timeline that the Data Fiduciary is required to publish.
If not resolved, the complaint can be escalated to the Data Protection Board.
Voluntary Undertaking Provision
A non-punitive mechanism where companies can submit a voluntary undertaking to the Data Protection Board of India to avoid formal penalties.
This is a compliance-saving feature, similar to a consent decree.
From Compliance to Culture: The Latest Update
The Draft Rules aren’t just a checklist—they demand a mindset shift. Here’s what companies (and the lawyers who guide them) should already be doing:
a. Run Data Privacy Risk Assessments
Industries like e-commerce, fintech, banking, and healthcare, which rely on massive volumes of user data, should start with thorough privacy audits. Many Indian companies have outdated data handling practices that are no longer legally defensible.
b. Review Consent and Notification Mechanisms
The rules demand verifiable consent. Businesses must demonstrate when and how consent was obtained, and users must be allowed to withdraw it anytime. Tools like consent dashboards or preference centers will become the norm.
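Three of the obligations discussed above, in the Retention & Deletion item and in this section, map onto concrete engineering controls: consent that can be demonstrated after the fact (who agreed to what, when, against which notice), withdrawal at any time that actually stops processing, and deletion once the purpose is fulfilled unless a legal retention duty applies. The following Python is an added example, not code from the post or from any regulator or vendor: an append-only, hash-chained consent ledger, a processing gate that checks purpose-specific consent, and a retention sweep. The record fields, purpose names, and the `legal_hold` flag are assumptions made for illustration, not text from the Rules.

```python
"""Illustrative consent ledger and retention check (constructed example)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List

GENESIS = "0" * 64  # prev_hash of the first event


@dataclass
class ConsentEvent:
    principal_id: str
    purpose: str          # e.g. "order_fulfilment", "marketing" (assumed names)
    action: str           # "grant" or "withdraw"
    notice_version: str   # the privacy-notice text the user actually saw
    timestamp: str        # ISO-8601, UTC
    prev_hash: str        # hash of the previous event: tamper-evident chain
    hash: str = ""


class ConsentLedger:
    """Append-only, hash-chained log of consent grants and withdrawals."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    @staticmethod
    def _digest(ev: ConsentEvent) -> str:
        body = {k: v for k, v in asdict(ev).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, principal_id, purpose, action, notice_version, when: datetime):
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        prev = self.events[-1].hash if self.events else GENESIS
        ev = ConsentEvent(principal_id, purpose, action, notice_version,
                          when.astimezone(timezone.utc).isoformat(), prev)
        ev.hash = self._digest(ev)
        self.events.append(ev)
        return ev

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited or dropped event breaks the chain."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or self._digest(ev) != ev.hash:
                return False
            prev = ev.hash
        return True

    def has_consent(self, principal_id, purpose, at: datetime) -> bool:
        """The latest grant/withdraw for this principal and purpose at or before `at` wins."""
        state = False
        for ev in self.events:
            if (ev.principal_id == principal_id and ev.purpose == purpose
                    and datetime.fromisoformat(ev.timestamp) <= at):
                state = ev.action == "grant"
        return state


def process_for_purpose(ledger, principal_id, purpose, now: datetime) -> str:
    """Processing gate: refuse unless an unwithdrawn consent exists for this exact purpose."""
    if not ledger.has_consent(principal_id, purpose, now):
        raise PermissionError(f"no active consent of {principal_id} for {purpose!r}")
    return f"processed {principal_id} for {purpose}"


@dataclass
class StoredRecord:
    principal_id: str
    purpose: str
    collected: datetime
    legal_hold: bool = False  # assumed flag: a statutory duty to retain the record


def erasure_candidates(ledger, records, now: datetime, retention: timedelta):
    """Data minimisation sweep: purpose spent or consent withdrawn, and no legal hold."""
    out = []
    for r in records:
        purpose_spent = now - r.collected > retention
        withdrawn = not ledger.has_consent(r.principal_id, r.purpose, now)
        if (purpose_spent or withdrawn) and not r.legal_hold:
            out.append(r)
    return out


def demo() -> dict:
    """Constructed walk-through; returns its results so they can be checked."""
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.record("user-42", "order_fulfilment", "grant", "notice-v3", t0)
    led.record("user-42", "marketing", "grant", "notice-v3", t0)
    led.record("user-42", "marketing", "withdraw", "notice-v3", t0 + timedelta(days=5))
    before = led.has_consent("user-42", "marketing", t0 + timedelta(days=1))
    after = led.has_consent("user-42", "marketing", t0 + timedelta(days=6))
    try:
        process_for_purpose(led, "user-42", "marketing", t0 + timedelta(days=6))
        blocked = False
    except PermissionError:
        blocked = True
    records = [
        StoredRecord("user-42", "marketing", t0),
        StoredRecord("user-42", "order_fulfilment", t0),
        StoredRecord("user-42", "order_fulfilment", t0 - timedelta(days=400), legal_hold=True),
    ]
    cands = erasure_candidates(led, records, t0 + timedelta(days=6), timedelta(days=365))
    intact = led.verify_chain()
    led.events[2].action = "grant"  # tamper: pretend the withdrawal never happened
    return {"before": before, "after": after, "blocked": blocked,
            "erase_purposes": [r.purpose for r in cands],
            "intact": intact, "tampered": led.verify_chain()}
```

The ledger answers the "when and how was consent obtained" question with the notice version and timestamp of each event, and the hash chain means a later edit to history (here, rewriting a withdrawal into a grant) is detectable. Consent is keyed by purpose, so withdrawing marketing consent does not block order fulfilment; a real system would also persist the ledger, sign it, and surface it through the preference center the text mentions.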
c. Implement “Privacy by Design”
Privacy can no longer be an afterthought. The law now pushes for privacy to be embedded at every stage of a product or service—right from design to deployment. This applies not just to tech platforms but to any business collecting customer data.
d. Train Your Teams
Even the best policies fail if employees don’t follow them. Ongoing training on privacy obligations and internal SOPs is now a practical necessity for meeting the Act’s duty to maintain reasonable security safeguards, especially for staff in customer support, marketing, product development, and IT.
Final Thoughts
This isn’t just a compliance exercise—it’s a moment of reckoning for how India balances innovation, privacy, and digital inclusion.
The Draft DPDP Rules, especially those governing children’s data, are setting the tone for the next decade of India’s digital growth. Businesses that merely aim to "tick the box" will fall behind. Those that lead with trust, transparency, and user empowerment will earn something far more valuable than regulatory approval: long-term customer loyalty.
To quote Rajeev Chandrasekhar, former Minister of State for Electronics and IT:
“The DPDP Act and its rules aim to empower citizens while fostering innovation. It’s a forward-looking framework for India’s digital economy.”
It’s now up to lawmakers, platforms, and the legal community to shape that framework into one that protects without excluding, empowers without overwhelming, and ensures that every citizen—especially the youngest—can navigate the digital world safely and freely.