Express Computer

Decoding DPDP Rules for businesses: What businesses need to know and how to align with it


By Atul Gupta, Partner and Head of Digital Trust and Cyber Security Services, KPMG in India

In August 2017, a nine-judge bench of the Supreme Court unanimously held that Indians have a constitutionally protected fundamental right to privacy that is an intrinsic part of life and liberty under Article 21. This changed the data privacy regime in the country, and the Government appointed a committee of experts on data protection, which submitted a report in July 2018 along with a draft Data Protection Bill.

Thereafter, the Government published the Digital Personal Data Protection Act (DPDPA), which provides a legal framework for processing digital personal data and was passed by Parliament in 2023. To that effect, the Draft Digital Personal Data Protection Rules were issued in January 2025 to supplement the DPDP Act 2023, providing operational clarity on the provisions of the Act.

Data privacy today goes beyond compliance for global businesses; it is a strategic imperative for establishing trust, enhancing reputation and driving success. Along with rapid technology-led innovation, including the adoption of Artificial Intelligence (AI), the world is also witnessing a significant amount of digital data being created, and regulations like this enable businesses to bring order to such environments.

Globally, data protection acts carry stringent punitive measures, and these have also been included in the DPDPA. Non-compliance with the regulation could lead to hefty fines, potentially up to INR 250 crores, along with reputational risks.

DPDP Draft Rules
The draft rules published by the government are progressive and straightforward, which should enable the country to strengthen its data protection regime. Their effectiveness depends on the swift establishment and operation of the Data Protection Board. Some areas of ambiguity may have emerged because of this simplicity, and these should be addressed over time.

The rules are primarily focused on the below:

Notification of Personal Data Breach: The rules give more specificity on informing the authorities and the data principal, including timelines and the information that should be included in the notification. They highlight the need for a layered approach: immediate notification in the event of a data breach, followed by a 72-hour period for detailed information.

Consent Management: The rules enable the key principles of active consent management from data subjects and go into detail on the language for publishing the notice, the content to be covered, and the communication channels to be published. The rules also focus on mechanisms for consent withdrawal and on establishing a consent management entity. There is also a focus on consent from parents for children and on coverage of people with disabilities.

Security Safeguards: The rules highlight the need for organisations to have reasonable data security and protection safeguards. These extend beyond the boundaries of the entity and cover third parties and supply chains as well.

Empowering the Data Principal: The rules enable the establishment of adequate mechanisms to empower the data principal, including grievance management, data updates and/or removal, and appointment of nominees.

Data retention: The rules set out the data retention period based on the nature of services/intermediaries, along with exception management.

Key Imperatives for Organisations

The DPDPA enables the country to make a pivotal shift in its overall approach to managing data privacy for digital data. This should further enable organisations to create an environment of trust with their key stakeholders (customers, regulators, investors), leading to constant value enhancement and innovation through digital technologies.

As organisations adopt the DPDPA, it will be important to look at it holistically and not through the lens of compliance only. This will require effective synergy across the C-suite, where every function is expected to play an important role: marketing must balance personalisation with consent; procurement must ensure that third parties are adequately covered for data privacy requirements; research & development and/or engineering departments should be sensitive about using personal information; customer service teams need effective grievance mechanisms; technology teams need to establish the foundation for data security; and legal functions should safeguard compliance without curbing innovation.

This is an opportunity for organisations to drive strategic advantage where ethical data stewardship builds loyalty, enhances reputation, and fosters trust in an era where customer experience defines success.

Way forward
Fostering a privacy-centric culture under the DPDP Act should begin with leadership commitment, where the C-suite sets the tone by championing a “privacy-first” mindset, keeping the principles of trust and transparency at the centre, embedding accountability into governance frameworks, and allocating reasonable budgets.

The DPDP rules enable organisations to establish compliance, which is the beginning of data privacy practices. The regulation offers far more than a mere mandate; it is a strategic lever to elevate trust, accountability, and innovation in the digital economy. By aligning data privacy and protection with strategic goals, organisations could cultivate a future where trust and progress are inseparable, proving that regulatory frameworks can drive both ethical responsibility and commercial success.

Lastly, enterprises should look to seize this opportunity to foster ‘Digital Trust’ across their ecosystem, which includes customers, employees, regulators, and third-party partners.
