India has officially entered a new era of digital governance with the notification of the Digital Personal Data Protection (DPDP) Rules 2025, bringing into effect India’s first full-fledged digital privacy law. The move operationalizes the Digital Personal Data Protection Act, 2023, and introduces a comprehensive, consent-led, rights-based framework governing how organizations collect, process, store, and protect personal data.
Key provisions of the DPDP Rules 2025
Mandatory security safeguards for all Data Fiduciaries
Fiduciaries must implement strong, “reasonable” security controls to prevent breaches, including:
- Encryption, masking, obfuscation, or tokenization
- Strict access controls
- Continuous logging and monitoring
- One-year log retention
- Verified backup and continuity systems
- Mandatory security clauses in processor contracts
In case of a breach:
- Affected users must be informed immediately.
- The Data Protection Board must be notified within 72 hours.
Strict parental consent for processing children’s data
- Mandatory verifiable parental consent for all data of children under 18.
- Verification must rely on reliable identity documents or Digital Locker-verified credentials.
- Exemptions apply for healthcare, safety, and education-related processing.