Decoding DPDP: What's the focus of this act?

The Act defines roles like Data Fiduciary, Data Principal, Consent Manager, and Data Processor. Despite its inclusive framework, challenges remain due to complex legal language, underscoring the need for clearer implementation guidelines.

DQI Bureau

The Ministry of Electronics and Information Technology (MeitY) recently released the draft rules for the Digital Personal Data Protection (DPDP) Act, initiating a public consultation process aimed at enhancing transparency and securing personal data processing in compliance with legal standards. This Act, which was enacted on August 11, 2023, serves as a foundational framework for managing the digital personal data of individuals. The DPDP Act emphasizes individual ownership and protection of personal data, reinforcing the right to privacy while allowing for lawful data processing.


One of the significant aspects of the DPDP Act is its requirement for digital platforms to adopt consent-based data processing. Organizations must obtain explicit consent from individuals in English or any of the 22 languages recognized in the Indian Constitution.

This inclusive approach is designed to eliminate language barriers and facilitate seamless compliance with the Act. However, despite its comprehensive framework, the DPDP Act can face challenges in implementation due to complex terminology that may hinder understanding among businesses. Simplifying these terms will be crucial for effective adaptation across various sectors.

Let’s dive deeper into the key concepts:


Data Fiduciary

Any person or entity that determines the purpose and means of handling data will be regarded as a ‘Data Fiduciary.’ This can include companies, government departments, and many other organizations that collect and process personal information. Data Fiduciaries have specific obligations under the DPDP Act:

● They must implement stringent security safeguards to protect personal data from unauthorized access and breaches, ensuring confidentiality, integrity, and availability.


● They must notify affected individuals (Data Principals) and the Data Protection Board (DPB) of any breaches within 72 hours. Notifications must detail the nature, extent, and impact of the breach, as well as actions taken to mitigate risks.

● They are obligated to erase personal data upon withdrawal of consent by the Data Principal or upon expiry of the stipulated purpose of processing, as laid down by the Act.

● Significant Data Fiduciaries must appoint a Data Protection Officer (DPO) responsible for overseeing compliance with data protection regulations and addressing any grievances.


Data Principal

A Data Principal is the individual whose data is processed. Under the DPDP Act, these individuals are granted a variety of rights concerning their data:

● Personal data may only be processed with the consent of the Data Principal; that consent must be explicit, informed, specific, and unambiguous.


● They have the right to access their data as held by Data Fiduciaries. They are entitled to have the information corrected or changed, and deleted where appropriate.

For instance, if an individual opens a bank account online, they share their information with the bank including their name and identification numbers. In this regard, they play the role of the Data Principal while the bank becomes the Data Fiduciary responsible for managing that information according to legal standards.

Consent Manager


Consent Managers act as intermediaries that facilitate the management of an individual’s consent to the processing of their personal data. Their mandate includes:

● Registration with the DPB, and adherence to stringent rules intended to maintain transparency in the management of consent.

● They must maintain proper documentation of all consents provided by Data Principals. This should be kept in a form that allows individuals to retrieve their consent history whenever they want.


● They should provide a user-friendly platform enabling individuals to give, manage, review, or withdraw their consent effortlessly.

Data Processor

Any person or entity (companies, organizations, or government bodies) that processes personal data on behalf of a Data Fiduciary is referred to as a Data Processor. Data Processors follow the instructions of the Data Fiduciary and do not determine the purpose or means of processing.

● A Data Processor performs tasks such as data collection, storage, retrieval, and analysis based on the Data Fiduciary’s instructions.

● They are required to process the data as directed, without any authority to determine how the data is used.

Compliance and Accountability

Compliance with the DPDP Act is mandatory for both Data Fiduciaries and Consent Managers. The key requirements include:

● Organizations classified as major Data Fiduciaries will be required to conduct Data Protection Impact Assessments (DPIAs) regularly to determine the risks associated with their data processing activities.

● The DPDP Act requires businesses to establish an effective grievance redressal mechanism to address complaints from Data Principals.

● The DPB has the power to audit organizations' compliance with the DPDP Act. It can suspend or cancel registrations of Consent Managers or impose penalties on businesses for non-compliance, if required.

Special Provisions

The Act also includes specific provisions for vulnerable groups, such as children and disabled people. Parental or guardian consent is compulsory for processing their data. However, certain entities like healthcare providers may be exempt from some requirements when such processing is necessary for safety and well-being.

Challenges in Implementation

A key provision of the DPDP Act is its emphasis on consent-based data processing, requiring digital platforms to obtain explicit consent from individuals in English or any of the 22 languages recognized by the Indian Constitution. This inclusive approach aims to break down language barriers and ensure smooth compliance with the Act. However, the Act’s complex terminology may prevent businesses, particularly startups and MSMEs, from fully understanding their obligations. To address this, the government must simplify the language of the Act and provide clear guidelines, templates, and toolkits to enable seamless adoption and effective compliance across diverse sectors.

Building a Secure Digital Future

In summary, the DPDP Act is a vital step in safeguarding citizens' personal data, promoting precision, and ensuring robust security measures. By addressing implementation challenges and promoting an environment of trust, the Act can enable innovation and inclusive growth in India’s digital economy. As the country advances toward its vision of a secure and inclusive digital future, the Act stands as a cornerstone for empowering individuals and strengthening the foundation of India’s digital ecosystem.

-By Manish Bharvey, Director - Product Manager, Signzy
