The Indian government took a long-awaited leap forward on the application of the Digital Personal Data Protection Act with the recent release of draft regulations to operationalize the law.
The draft rules have materialized more than a year after the DPDPA was originally finalized in August 2023. The Indian government only completed its inter-ministerial meetings to approve the 22 draft rules during the final weeks of 2024.
India's Ministry of Electronics and Information Technology opened public consultation on the draft rules the same day they were published and will take input through 18 Feb. According to an MeitY explanatory notice, rules covering operational requirements and the rights of citizens under the law will not enter into force for upward of two years.
The draft rules cover a broad range of DPDPA provisions that require further details or clarifications to support proper implementation. The topics covered include requirements bestowed upon data fiduciaries, notice requirements to data principals for obtaining consent, registration of in-house consent managers with the board, data breach notification requirements and obligations for processing children’s data.
Minister of Electronics and Information Technology Ashwini Vaishnaw wrote an op-ed in the Hindustan Times to outline the most notable aspects and impacts of the rules. He called the DPDPA and its draft rules a "pragmatic and growth-oriented" approach to regulation, in intentional contrast to "some international models that lean heavily towards regulation."
"The rules are designed with simplicity and clarity, ensuring that every Indian, regardless of their technical knowhow, can understand and exercise their rights," Vaishnaw added. "The rules are designed with graded responsibilities, taking into account the varying capacities of stakeholders."
Tsaaro CEO and founder Akarsh Singh, CIPP/E, CIPM, CIPT, FIP, told the IAPP the DPDPA is "a landmark legislation in itself" and the release of the draft DPDPA rules now takes India one step closer to "ushering in a new era of data protection."
The rules and potential impacts
The draft rules not only clarify perceived ambiguities in the DPDPA, but they also bring definition to some of its most novel and important aspects.
Rule 2 defines key terms in the act, such as data fiduciary and data principal — otherwise known as data controllers and data subjects in other frameworks. The rules also outline both the obligations and registration requirements for consent managers, which are the single points of contact for data principals to exercise their rights under the DPDPA.
Persistent Systems Senior Vice President and General Manager for Digital Governance Shivangi Nadkarni told the IAPP that the DPDPA will fundamentally change how Indian citizens understand consent online and how they exercise their digital rights, all while enhancing the country's security posture in cyberspace.
"Most organisations in India who have yet to begin their privacy journeys will have to reorient their entire business approach from, 'Do as you like with the data in your custody,' to 'Do only what is permitted,'" Nadkarni said. "The overall security posture of India as a country will get significantly elevated because the fines for breaches are significant."
Indian law firm Khaitan & Co Partner Supratim Chakraborty said the draft DPDPA rules governing consent may have the greatest impact on the economy.
"Consent, as the primary basis for processing personal data under the DPDPA — with limited exceptions for legitimate uses — may have a profound impact on India's digital economy and regulatory landscape," Chakraborty said. "Consent requests are expected to become more granular and specific, fostering a stronger culture of privacy and data protection. This shift will not only empower data principals but also drive businesses to embed privacy-by-design principles into their operations."
Specifics around enforcement are also outlined within the draft rules. The formation and procedures around the Data Protection Board, the new authority that will oversee DPDPA enforcement, are covered, as well as details around citizens' right to appeal board decisions.
Additionally, the draft rules explain when the government can compel access to data if there are threats to the "sovereignty and integrity of India or security of the State."
The transition period
Companies could be positioned to tackle the rules at their own pace if the government holds firm on its proposed transition period.
Nadkarni said having approximately two years to operationalize the DPDPA rules is a reasonable length of time so the new regulations would not cause severe disruption to India's economy.
"This is in line with what the (MeitY) has been saying all along," Nadkarni said. "My personal view is that this is fair given that most privacy laws globally have been giving 18-24 months for implementation."
Chakraborty said the transition presents "both opportunities and challenges, especially given the diversity in nature, size and culture of Indian businesses." He indicated the ramp-up period will allow smaller businesses to invest in the necessary technology to ensure compliance and capacity-building initiatives. However, he said the delay in full implementation may come with some drawbacks as well.
"The delay does admittedly introduce a fair degree of regulatory uncertainty, potentially leading to a fragmented approach where some businesses prepare proactively while others defer compliance efforts," Chakraborty said. "Clear communication from the government, including phased timelines and interim measures, will be helpful to ensure stakeholder confidence and a smooth transition to full compliance."
Nonetheless, once the DPDPA enters into full force, it will undoubtedly cause a sea change in how India's digital economy operates. Given India's large population and the disparate nature of businesses' digital governance throughout the economy, the question remains how difficult some businesses may find complying with the DPDPA's rules once they ultimately enter into force.
Tsaaro's Singh recommended that Indian businesses begin taking proactive steps today to best position themselves to comply with the law when the enforcement deadlines begin. He recommended companies explore purchasing data mapping tools to get a better grasp on the personal data they have collected.
"For the entire organisation, understanding the length and breadth of data they possess; how it is used by each team, product or service," Singh said. "Understanding those data flows is the biggest challenge."
The lingering DPDPA compliance concerns may ultimately boil down to how well-resourced each company is.
Nadkarni said there will need to be an infusion of digital responsibility talent within the Indian economy to ensure organizations' effort to comply with the DPDPA's rules occurs with as little friction as possible.
"(There is a) severe shortage of resources to operationalise the implementation of the DPDPA," Nadkarni said. "The available talent is heavily skewed toward expert lawyers. However, the on-the-ground requirements of operationalising controls at the process and technology levels requires a different set of skills, of which there is currently acute paucity, leading to confusion oftentimes."
Alex LaCasse is a staff writer for the IAPP.