What makes consent “free, specific, informed, unconditional and unambiguous” under DPDP (with examples that fail the test)

Many existing consent mechanisms in India may struggle to meet the DPDP standard. Here’s why.

Where consent is the ground for processing, it must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, for a specified purpose, and limited to personal data necessary for that purpose.

What the law requires

1. Specific and purpose-limited
Consent must relate to a clearly identified specified purpose and only the data necessary for it. The Act illustrates this clearly: a telemedicine app may seek consent for data required to provide telemedicine. Access to phone contacts does not automatically ride on that consent.

2. Informed (notice + Rules)
Before consent is taken, the Data Fiduciary must disclose:
• personal data processed and the purpose
• how she may exercise her rights (including withdrawal)
• how to complain to the Data Protection Board
The Rules require clear, plain language with itemised data and specific purposes.

3. Unambiguous and affirmative
Consent must involve a clear affirmative action. Passive or “do nothing” mechanisms (pre-ticked boxes, “by continuing you consent”) struggle to meet this standard.

4. Unconditional and non-waiving
Any part of consent that violates the Act, Rules or any other law is invalid. The Act’s illustration: consent to issue an insurance policy combined with a waiver of the right to complain to the Board. The waiver is invalid.

5. Ongoing control
Consent may be withdrawn at any time, with ease comparable to giving it. The notice must clearly show how.

Examples that fail the test

1. Bundled, unnecessary permissions
A payments app seeks KYC consent while also asking for SMS, contacts and precise location via a single “Accept all” toggle, without necessity or explanation.

2. Consent with rights waivers
“I consent to processing and waive my right to complain to the Data Protection Board.” The waiver is invalid.

3. Vague notices
A long privacy policy that never itemises data or specifies concrete purposes, but still seeks a generic “I agree”, fails the Rules.

4. Passive consent patterns
Pre-ticked boxes or “by continuing to browse you consent” lack a clear affirmative action tied to a specified purpose and proper notice.

Takeaway

If consent is your ground under DPDP:
• Design the notice first
• Avoid bundling unrelated processing
• Never attach rights-waivers
• Make withdrawal obvious and friction-light

Get this wrong, and you may not have valid consent at all.

What consent patterns are you seeing that concern you? Share in comments.

Relevant provisions
DPDP Act, 2023: ss. 4, 5, 6, 7, 8(7)
DPDP Rules, 2025: rr. 2(1)(d), 3, 9, 14(2)

#DPDP #DataProtection #ConsentManagement #PrivacyByDesign #IndianLaw

Data Processing Rules Under Privacy Laws
Summary
Data processing rules under privacy laws set clear standards for how companies collect, use, and manage personal information to protect individual privacy and uphold legal accountability. These rules ensure that organizations handle personal data transparently, securely, and only for the purposes consented to by users.
- Prioritize clear consent: Always request permission in simple language that explains what data is being collected, why it is needed, and how individuals can control their choices.
- Secure personal information: Put safeguards in place to protect data from breaches and misuse, and be ready to notify authorities and affected individuals quickly if a breach happens.
- Respect data rights: Make it easy for people to access, correct, or delete their personal data, and provide straightforward ways to withdraw consent or file complaints.
-
India's Digital Personal Data Protection Rules were just notified on November 14, 2025.

This isn't just a compliance issue. It's a strategic governance imperative that Boards can no longer afford to defer. From my experience advising boards, here are five critical implications for directors and corporates:

1. The 18-month runway has conditions.
The Rules provide an 18-month phased rollout for full compliance. But breach notification requirements and certain obligations took effect immediately on November 14. Boards that assume they have 18 months to act are mistaken. Incident response plans must be operational now.

2. Data breach penalties reach ₹250 crores.
Failure to maintain reasonable security safeguards can attract penalties up to ₹250 crore. Not notifying the Data Protection Board or affected individuals of a breach carries penalties up to ₹200 crore. This isn't operational risk. This is existential risk for many companies.

3. The 72-hour breach notification mandate is live.
Data Fiduciaries must provide initial intimation immediately and submit a detailed report to the Data Protection Board within 72 hours of breach detection. Most companies don't have systems to detect breaches in 72 hours, let alone report them. This creates immediate board-level exposure.

4. Significant Data Fiduciaries face annual audits.
SDFs must conduct annual Data Protection Impact Assessments and independent audits, with reports submitted to the Data Protection Board. For companies processing large volumes of sensitive data, this elevates data governance to mandatory board oversight, not optional compliance.

5. Consent Managers create a new regulatory layer.
Consent Managers must be incorporated in India with minimum net worth of ₹2 crore and operate interoperable platforms compliant with Data Protection Board standards. This fundamentally changes how companies manage user consent, especially for fintech, consumer-tech, edtech, and digital platforms. Boards must understand these implications for customer experience and operational costs.

The board imperative:
India now has operational data protection laws. The Rules were issued after 6,915 public inputs through nationwide consultations. Boards that treat this as an IT problem will face penalties and reputational damage. Those that embed data governance into strategic oversight will build customer trust and competitive advantage.

The question for board directors: In your experience, is data privacy integrated into enterprise risk management, or siloed in technology committees?

#DPDP #DataPrivacy #BoardGovernance #CorporateGovernance #RiskManagement #DigitalIndia #DataProtection #Compliance

Data Sources: Ministry of Electronics and Information Technology (MeitY) DPDP Rules 2025 notification (November 14, 2025), Press Information Bureau, India Briefing DPDP Analysis (November 2025).
-
🔐 Digital Personal Data Protection Act, 2023 (India) – Explained Simply 🇮🇳

India has taken a major step toward strengthening data privacy with the Digital Personal Data Protection Act, 2023 (DPDP Act). This law empowers individuals and holds organizations accountable for how personal data is handled. Let’s break it down 👇

---

🎯 Purpose of the Act
✔ Protect individuals’ personal data
✔ Ensure responsible and transparent data usage
✔ Give citizens control over their own data

---

📌 What is Personal Data?
Personal data includes any information that can identify an individual:
Name, phone number, email
Aadhaar, PAN details
Location, photos, IP address, and more

---

⚖️ Key Principles of the DPDP Act
✔ Consent First – Clear, informed, and revocable consent is mandatory
✔ Purpose Limitation – Data must be used only for the intended purpose
✔ Data Minimization – Collect only what is necessary
✔ Data Security – Protect data from breaches and misuse

---

👤 Rights of Individuals (Data Principals)
✔ Access & Correction – View and update your personal data
✔ Right to Erasure – Request deletion of your data
✔ Withdraw Consent – Opt out anytime
✔ File Complaints – Report misuse or mishandling

---

🏢 Duties of Organizations (Data Fiduciaries)
✔ Ensure lawful data processing
✔ Implement strong security safeguards
✔ Maintain transparency in data usage
✔ Respond to user requests promptly

---

⚠️ Penalties for Non-Compliance
💰 Fines up to ₹250 crore (or more) for serious violations

---

👶 Special Protection for Children
✔ Parental consent is mandatory
✔ Restrictions on targeted advertising for children

---

💡 Why This Matters?
The DPDP Act marks a shift toward privacy-first digital governance, aligning India with global standards and building trust in the digital ecosystem.

---

📌 Key Takeaway:
👉 Your data, your rights
👉 Organizations must be accountable
👉 Privacy is now a legal priority in India

---

#DPDPAct #DataProtection #Privacy #CyberSecurity #GRC #Compliance #IndiaTech #InformationSecurity #DataPrivacy #DigitalIndia
-
DPDP Rules 2025: From Notification to Implementation.

The Digital Personal Data Protection Rules notified on November 13, 2025, mark India's transition from data protection principles to operational reality.

For financial services professionals navigating this shift, I've prepared a practitioner-focused analysis breaking down:
→ Staggered enforcement timelines (immediate to 18 months)
→ Sector-specific implications for banks, NBFCs, fintechs, and insurers
→ Operational mandates: consent management, breach protocols, data retention
→ Strategic opportunities: trust premium, Open Finance enablement
→ 18-month implementation roadmap

Key takeaways:
→ 72-hour breach reporting to Data Protection Board
→ 3-year dormancy deletion triggers for large platforms
→ Consent Manager ecosystem activation (Q4 2026)
→ Child data processing exemptions & safeguards
→ Significant Data Fiduciary obligations

This isn't a compliance checkbox—it's a governance transformation. Document attached.

Would value perspectives from fellow practitioners on implementation challenges you're anticipating.

#DPDP #DataProtection #FinancialServices #RegulatoryCompliance #Privacy #India #FinTech #Banking #Insurance