Draft DPDP Rules 2025 – The Real Deal

The Digital Personal Data Protection Bill has been the most awaited regulation for the cyber security and privacy ecosystem in the country. The Ministry of Electronics and Information Technology (MeitY) published the draft DPDP rules on 03-Jan-2025 and opened them up for industry consultation and feedback. Stakeholders have until 18-Feb-2025 to share their feedback and suggestions, based on which revisions (if any) would be considered.

Meanwhile, the industry has already started closely reviewing the draft rules in order to assess its preparedness for them. This post is intended to give organisations (Data Fiduciaries) that store or process personal information (that of a Data Principal) a quick overview of the key provisions of the draft rules and possible measures to prepare.

Let’s break this down a little…

Key Aspects of DPDP Draft Rules 2025

Notice

Data Fiduciaries would need to provide clear and concise information to a Data Principal to enable them to give consent for the processing of their personal information. The Notice needs to include (but is not limited to):

  1. An itemised description of the personal data being collected
  2. The specific purpose of collection and the services to be provided on the basis of that collection
  3. Access to a link or application where a Data Principal can withdraw their consent, exercise their rights under the Act, or make a complaint to the Board

Reasonable Security Safeguards

A Data Fiduciary would be required to protect the personal data it collects or stores, including where that data is processed on its behalf by a third party (Data Processor). The following security safeguards are listed (at a minimum):

  1. Data Security – encryption, obfuscation / masking, tokenisation
  2. Access Control – limit and control access to personal data
  3. Logging, Monitoring and Review – to enable detection of suspicious / unauthorised activity and its remediation
  4. Resilience and Availability – to ensure continued processing of personal information
  5. Security Safeguards by Data Processors – to be ensured by Data Fiduciaries by way of contracts
  6. Governance – technical and organisational controls to ensure the security safeguards are in place

Breach Notification

In the event of a Personal Data Breach, the Data Fiduciary would need to:

  1. Notify the Data Principal of the breach with a description of it, its impact, the countermeasures implemented, the measures the Data Principal might take, and the relevant contact information of the Data Fiduciary
  2. Notify the Data Protection Board at the earliest, with the details of the breach
  3. Within 72 hours, share further details with the Data Protection Board: the extent of the breach, its root cause, the measures implemented, future prevention measures, and a report of the communication sent to Data Principals

Next Steps – What you should do as a Data Fiduciary

While the DPDP Rules are still in draft, it might be a good idea for enterprises to start reviewing their readiness against them and preparing. Let’s now take a stab at what it takes to level up and meet the requirements of the Draft DPDP Rules.

Notice and Consent

  1. Establish clear processes to provide notice to data principals / users and implement the necessary changes in product or application flows as required
  2. Integrate with Consent Managers to facilitate the consent process
  3. Create processes and application interfaces that enable data principals to exercise their rights, such as withdrawing consent or complaining to the Board

Security Controls

Data Security

  1. Encrypt personal data using strong encryption algorithms
  2. Encrypt data at rest and in transit
  3. Mask or tokenise personal information
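As an added illustration (not code from the original post) of the masking and tokenising controls listed above, the Python below pseudonymises a constructed Data Principal record with a keyed HMAC token, keeps the token-to-identifier mapping in a separate vault, and builds a masked view for display. The key, the record and the field names are placeholders chosen for the example.

```python
import hashlib
import hmac

# Placeholder key for illustration only; a deployment would hold it in a KMS/HSM, apart from the data store.
TOKEN_KEY = b"placeholder-tokenisation-key"
# Constructed sample record of one Data Principal, as a Data Fiduciary might hold it.
SAMPLE_RECORD = {
    "name": "Asha Verma",
    "email": "asha.verma@example.com",
    "phone": "+91-9876543210",
    "purpose": "order-delivery",
}

def tokenise(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic pseudonym: the same identifier always maps to the same
    token (records stay joinable), but it cannot be reversed without key and vault."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain, e.g. a***@example.com."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"

def mask_phone(phone: str) -> str:
    """Reveal only the last four digits; formatting characters are left in place."""
    total = sum(c.isdigit() for c in phone)
    seen, out = 0, []
    for c in phone:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)

def protect_record(record: dict) -> tuple:
    """Split a record into the pseudonymised copy kept in the working data store and the
    token -> identifier vault entries, which belong in a separately access-controlled store."""
    protected, vault = dict(record), {}
    for field in ("name", "email", "phone"):
        token = tokenise(record[field])
        vault[token] = record[field]
        protected[field] = token
    return protected, vault

def display_view(record: dict) -> dict:
    """Masked view for support staff or a UI: enough to confirm identity, not enough to reuse."""
    return {**record, "email": mask_email(record["email"]), "phone": mask_phone(record["phone"])}
```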

Access Control

  1. Limit access to personal data on a need-to-know basis
  2. Implement strong password policies
  3. Avoid using long-lived tokens or credentials

Logging and Monitoring

  1. Implement SIEM platforms and integrate logs from required sources to enable investigations and threat detection
  2. Enable security monitoring processes to detect unauthorised or suspicious activity around personal data stores
  3. Enable log retention for one year

Resilience and Availability

  1. Ensure high availability (with DR where required) across data stores, especially those that store and process personal data
  2. Ensure backups are taken periodically to enable restoration
  3. Regularly test for failures to ensure the high-availability setup is capable of recovering with no downtime

Oversight

  1. Establish a governance structure within the organisation to oversee the data protection measures and their effectiveness
  2. Periodically review security risks to the organisation and countermeasures in place

Breach Notification

  1. Establish a process to notify all Data Principals and the Data Protection Board in the event of a data breach
  2. The above process should include a procedure to notify the Data Protection Board within 72 hours of the breach, with its details as mentioned earlier
  3. Regularly test the incident response procedures via cyber drills to ensure preparedness at the time of a breach

Conclusion

The DPDP Draft Rules suggest multiple controls that need to be implemented across technology, people and processes. While we still await the final rules to be published after industry consultation, it is highly recommended that organisations start preparing for the required changes.