Outlook Business Desk
The government has now released the administrative rules for the Digital Personal Data Protection (DPDP) Act, placing India among a small group of nations with a national digital privacy system.
The new DPDP rules provide a phased implementation plan, allowing companies, data fiduciaries, data principals and other stakeholders up to 18 months to comply with the guidelines. Consent managers have a shorter window of 12 months to register and act for users.
The Ministry of Electronics and Information Technology (MeitY) now mandates that data fiduciaries obtain clear and informed consent from users. They must explain in simple language what personal data will be collected and the exact purpose for its use.
Companies can share personal data across borders, but they must follow rules set by the central government. Extra caution is required when foreign governments or entities could access the data, a point that has previously raised concerns for big tech firms.
All organisations handling digital personal data are now classified as data fiduciaries, and users are data principals. These fiduciaries must let users withdraw consent, exercise their rights under the Act, and submit complaints to the Data Protection Board.
Experts say companies must redesign consent systems to be specific, informed and separate from standard terms of use. This prevents users from unknowingly agreeing to broad, bundled permissions, ensuring they fully understand what data they are sharing.
Companies that handle personal data must protect it using tools like encryption, masking or virtual tokens. They should have systems to spot any unauthorised access and keep records of investigations to stop similar problems from happening again.
If a data breach happens, fiduciaries must notify all affected users and the Data Protection Board within 72 hours. They must explain what happened, its impact, the steps taken to fix it, and safety measures users should follow.
Big digital platforms must delete a user’s personal data if the account stays inactive for three years. Users get a 48-hour notice before deletion, and major data fiduciaries must conduct yearly audits and impact checks to stay compliant.