
The Indian government has unveiled the draft Digital Personal Data Protection (DPDP) Rules for public consultation.
"Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent," India's Press Information Bureau (PIB) said in a statement released Sunday.
The rules, designed to enforce the Digital Personal Data Protection Act, 2023, grant individuals enhanced control over their data, including the ability to provide informed consent for its processing, request deletion from digital platforms, and resolve grievances effectively.
To safeguard personal data, companies in India are mandated to implement robust security protocols, including encryption, access management, and regular data backups, ensuring its protection and availability.
The DPDP Act includes several significant requirements for data fiduciaries, as detailed below:
- Establish systems for breach detection, response, and log maintenance.
- In case of a data breach, report to the Data Protection Board (DPB) within 72 hours (or longer if allowed), detailing the sequence of events, mitigation measures taken, and, if known, the identity of those involved.
- Personal data that is not needed after three years should be deleted, with individuals being informed 48 hours in advance of its removal.
- Websites and apps must visibly present the contact information of a designated Data Protection Officer (DPO) to handle questions related to the processing of users' personal data.
- Before processing the personal data of children under 18 or individuals with disabilities, verifiable consent must be obtained from parents or legal guardians, with exceptions for healthcare professionals, educational institutions, and childcare providers, limited to activities such as health services, education, safety monitoring, and transportation tracking.
- Perform an annual Data Protection Impact Assessment (DPIA) and a thorough audit, submitting the findings to the Data Protection Board (DPB).
- Comply with federal government regulations regarding cross-border data transfers, with a specialized committee determining the specific categories of personal data that must remain within India's borders.
The draft rules include safeguards for citizens' data when processed by federal and state agencies, ensuring the process is lawful, transparent, and aligned with legal and policy standards.
Failure to protect personal data or to notify the DPB of a security breach could result in monetary penalties of up to ₹250 crore (nearly $30 million) for organizations that misuse or neglect data.
The Ministry of Electronics and Information Technology (MeitY) is inviting public feedback on the draft regulations until February 18, 2025, assuring that all submissions will remain confidential.
The DPDP Act, which was formally passed in August 2023 after several revisions since 2018, was introduced following a 2017 Supreme Court ruling that recognized the right to privacy as a constitutional fundamental right.