Fine-Tuning Consent And Compliance: A Legal Lens On The DPDP Draft Rules

Mathilda Fernandes, KES' Shri Jayantilal H. Patel Law College

ABSTRACT

In 2023, India enacted the Digital Personal Data Protection Act to establish a comprehensive framework for processing personal data, applicable to both online and digitized offline data. Building upon this, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025, detailing implementation aspects such as data fiduciary obligations, data principal rights, and the establishment of the Data Protection Board of India.

These draft rules mandate data fiduciaries to implement robust security measures, including encryption and access controls, to safeguard personal data. They are also required to provide clear notices to individuals (data principals) regarding data processing activities and to facilitate rights such as data access, correction, and erasure. The draft rules propose the appointment of Data Protection Officers for significant data fiduciaries and outline penalties for non-compliance, ranging from INR 50 million to 2.5 billion for organizations.

Additionally, the rules address the processing of children’s data, cross-border data transfers, and the role of consent managers in managing user consent.

Keywords: Right to Privacy, Personal Data, Data fiduciary Security, GDPR vs. DPDP, Regulatory Compliance.