India’s draft DPDP Rules, 2025: Balancing data privacy with growth and innovation

New draft rules under the Digital Personal Data Protection Act, 2023 aim to safeguard citizens' data rights, simplify compliance for startups, and set a global benchmark for human-centric data governance

The Draft Digital Personal Data Protection (DPDP) Rules, 2025, reaffirm India’s commitment to safeguarding personal data while fostering growth and inclusivity, according to the Prime Minister’s Office (PMO). In a post on X (formerly Twitter), the PMO emphasised Union Minister for Electronics and IT Ashwini Vaishnaw’s insights into the draft rules, highlighting their alignment with citizen-centric governance and India’s global leadership in data protection norms.

Minister Vaishnaw noted, “Unlike international models that lean heavily towards stringent regulations, India’s approach is pragmatic and growth-oriented. This ensures citizens are protected while preserving the innovative spirit that drives startups and businesses.” He further observed that small businesses and startups will benefit from lower compliance burdens under these rules.

India’s human-centric vision is reflected in Prime Minister Narendra Modi’s statement at the recent United Nations Summit of the Future: “When we talk about the global future, then human-centric approaches should be foremost.” This philosophy underpins the DPDP Rules, prioritising simplicity and clarity to empower every citizen, regardless of technical know-how.

The draft rules, once finalised, will operationalise the Digital Personal Data Protection Act, 2023, passed in Parliament in August 2023. The Ministry of Electronics and Information Technology (MeitY) is seeking feedback on the draft through the MyGov portal until February 18, 2025.

Key provisions of draft DPDP rules:

1. Parental consent for children’s data:
– Data Fiduciaries must secure verifiable parental consent before processing a child’s personal data.
– Verification will rely on government-issued IDs or digital tokens linked to identity services like Digital Lockers.

2. Baseline security standards:
– Businesses are mandated to adopt robust technical and organisational measures, including encryption and breach detection.
– Breach notification to regulators and affected individuals is mandatory within 72 hours.

3. Retention timelines:
– Certain categories of data must be retained for a maximum of three years.

Evaa Saiwal, Head of Cyber Insurance at Policybazaar.com, commented on the importance of these measures, saying, “The draft rules establish comprehensive baseline security requirements for businesses. While compliance is critical, organisations also need multi-layered strategies to manage risks and incident response. Cyber insurance complements these efforts, especially against sophisticated threats.”

Saiwal added that the new rules demand rapid breach reporting and documentation and set retention timelines (3 years for certain categories), emphasising the need for robust security measures. Cyber insurance, she noted, plays a vital role in breach response and recovery, helping businesses align with regulatory mandates while maintaining continuity.

India’s DPDP Rules aim to strike a balance between protecting citizens’ data rights and enabling businesses to thrive, setting a global example of inclusive and pragmatic data governance.
