India drafts rules for DPDP Act 2025

13 Jan 2025

2025 will unfold a new era of data security for citizens of India with the government having drafted the rules for its data protection law, DPDP Act. The additional rules will provide clear instructions to all the subjected entities for implementing the Act.

 

Let us explore what the act is about and what the new draft of more than a year-old law means.

Digital Personal Data Protection Act : About

The Indian government framed and enacted the Digital Personal Data Protection Act 2023 to protect the fundamental right to secure the personal data of its citizens.

 

The Ministry of Electronics and Information Technology passed the regulation in 2019 as the “Personal Data Protection Bill” and renamed as “Digital Personal Data Protection Act 2023” It is a regulation that takes best practices of data protection from global gold standard regulations like GDPR.

 

Its main aim is to ensure that the subject entities have taken measures for private and secure measures, processes, and technologies.

Who is subjected to this regulation?

The regulation is subjected to all private and public entities, including companies that are incorporated/registered in India or are outside, who deal with the personal data of citizens. It also includes all the data fiduciaries and corporate bodies, state entities, and all the entities that offer goods services, or both to all the Indian citizens, including those entities that engage in the profiling of Indian citizens.

What does the draft of DPDP rules 2025 mean?

The Ministry of Electronics and Information Technology (MeitY) has posted a draft of the regulation titled “Draft Digital Personal Data Protection 2025”. It provides the much awaited instructions and clear rules for organizations to implement the regulation and a framework to adhere to. As per the MeitY press release on 3rd January 2025, “It aims to strengthen the legal framework for the protection of digital personal data by providing necessary details and an actionable framework”. These rules are going to be an industry data protection standard that will specify:

 

  • Reasonable safeguards for data fiduciaries and data processors, including:
  • appropriate data security measures to secure personal data, be it through the use of virtual tokens mapped to the data, obfuscation, masking, or encryption.
  • measures to control access the computer resources.
  • mechanisms for the detection of unauthorized access to data, its investigation, and remediation to prevent reoccurrence of the event.
  • technical and organizational measures to ensure effective improvement of security safeguards.
  • ensuring transparency/visibility of how such personal data is accessed through logs, monitoring, and review, measures for detection of unauthorized access, investigation and remediation measures for preventing reoccurrence of such event.
  • measures for backup to ensure integrity, confidentiality, and availability of data in the event of destruction or loss of access to personal data.
  • retain logs and personal data for one year in the event of compromise.
  • ensure the provision of security safeguards in third-party, vendor contracts or any contract between data processor and data fiduciary.
  • The way subjected entities notify the customers about their data collected and whether it is breached.
  • Measures to encrypt data at rest and in transit.
  • Controls that data principals have over personal data.
  • The ability of data principals to determine when, how, where, and for what purpose the data will be used.
  • Penalties for entities that are non-compliant with the regulation.

 

To learn more about the Digital Personal Data Protection Act 2023

The release of the draft demonstrates India’s commitment to prioritizing its citizens’ data security in a digital age, holding the subject entities accountable for the personal data of the citizens.

 

The government has issued a deadline for the subject entities to submit all the feedback (by February 18th, 2025).

 

It has stated in its press release that an adequate time period will be given to all the subject entities and stakeholders to adhere to the new law.

Get in Touch With us

Complete Visibility, Continuous Monitoring & Advanced Threat Protection with AI-backed Incident Remediation.

LEARN MORE