India Notifies the Digital Personal Data Protection Rules, 2025 — Key Highlights

With these Rules, the DPDP Act, 2023 shifts from broad principles to an enforceable, audit-ready regime. Here is a concise summary before reading the attached Rules PDF.

1. Staggered Rollout: Rules 1, 2 and 17–21 apply immediately. Rule 4 starts after one year. Rules 3, 5–16, 22 and 23 take effect after eighteen months. This gives organisations a phased compliance window.
2. Verifiable Consent: Consent must now be clear, specific, informed, and tied to a valid user account as per Rules 10 and 11. This moves India toward audit-ready consent standards.
3. Stricter Notice Requirements: Notices must be in plain language, independently understandable, itemised (what data, for what purpose), and include a direct link to exercise rights. This aligns with global layered-notice formats.
4. Standards for Lawful Processing: Processing must stop once purpose is achieved. Reasonable security safeguards are mandatory. Clear contact details must be provided. Compliance with law and accountability of the controller are explicitly required.
5. Retention Limits for Large Platforms: E-commerce (≥2 crore users), social media (≥2 crore users), and gaming intermediaries (≥50 lakh users) must delete most personal data after three years of last user activity, except for account access or virtual-token use. This creates mandatory deletion cycles.
6. Child Data Processing Exemptions: Healthcare, mental health, and allied professionals get narrow exemptions strictly for health services. Other child data processing remains restricted, limiting profiling and behavioural targeting.
7. Obligations for Significant Data Fiduciaries: SDFs must conduct annual DPIAs and audits, submit key findings to the Data Protection Board, verify that algorithms and technical measures do not pose rights risks, and ensure notified categories of personal and traffic data are not transferred outside India.
8. Conditional Data Localisation: Rule 13(4) allows the government to notify categories of data that must remain within India. This introduces targeted, risk-based localisation.

Overall, compliance will now depend on evidence, logs, audits, and governance—not policy statements.

#DPDPAct #DPDPRules #DataProtection #PrivacyLaw #DataGovernance #DigitalIndia #Compliance #AIandLaw #PrivacyByDesign #IndiaTechPolicy
Key Points of the DPDP Data Protection Framework
Summary
The DPDP Data Protection Framework sets new standards for how personal data is collected, used, stored, and deleted in India, aiming to give individuals more control while holding organizations accountable. This legal framework requires clear consent, purpose-based data handling, and strict security measures, marking a shift toward privacy-focused digital governance.
- Review data lifecycle: Map out how your organization collects, processes, and deletes personal data to ensure you can address requests for access, correction, or erasure.
- Update consent practices: Make sure your consent forms are clear, specific, and easy to understand, giving users the ability to revoke consent at any time.
- Plan for retention limits: Set automatic deletion cycles for inactive user data and prepare to notify users before erasure, especially if your platform has a large user base.
🔐 #DPDPA 2023 & #DPDPR 2025 — #Ready #Reckoner for #Data #Fiduciaries

A CISO & DPO’s Practical Guide to India’s New Data Protection Regime

As India moves toward full enforcement of the Digital Personal Data Protection Act (DPDPA) and the Digital Personal Data Protection Rules (DPDPR), the compliance journey for organisations has become both urgent and strategic. Over the past weeks, I consolidated the core requirements of the law into a single Ready Reckoner designed specifically for CISOs, DPOs, Privacy Leaders, and Data Fiduciaries.

This document captures:
✅ Enforcement timelines (18-month rollout)
✅ Key definitions and applicability
✅ Legal bases for processing
✅ Data Principal rights
✅ DF obligations, SDF requirements & penalties
✅ Breach notification rules
✅ Consent lifecycle
✅ Processor obligations
✅ Governance controls, breach readiness, and DPO checklist
… and much more.

With penalties up to ₹2.5 Billion, mandatory 72-hour breach reporting, and heightened expectations around consent, security, retention, DPIAs, audits, and grievance processes, this law marks a turning point in India’s data governance maturity.

As security and privacy leaders, our role now shifts from “reactive compliance” to structured, risk-based, and leadership-driven implementation. This Ready Reckoner aims to simplify that journey. I hope this helps fellow professionals accelerate their compliance roadmap and strengthen India’s privacy-first digital future.

#DPDPA #DPDPR #DataProtection #Privacy #CyberSecurity #DPO #CISO #IndiaDigital #Governance #Compliance #DataFiduciary #RiskManagement #Leadership
-
🔐 Digital Personal Data Protection Act, 2023 (India) – Explained Simply 🇮🇳

India has taken a major step toward strengthening data privacy with the Digital Personal Data Protection Act, 2023 (DPDP Act). This law empowers individuals and holds organizations accountable for how personal data is handled. Let’s break it down 👇

🎯 Purpose of the Act
✔ Protect individuals’ personal data
✔ Ensure responsible and transparent data usage
✔ Give citizens control over their own data

📌 What is Personal Data?
Personal data includes any information that can identify an individual:
- Name, phone number, email
- Aadhaar, PAN details
- Location, photos, IP address, and more

⚖️ Key Principles of the DPDP Act
✔ Consent First – Clear, informed, and revocable consent is mandatory
✔ Purpose Limitation – Data must be used only for the intended purpose
✔ Data Minimization – Collect only what is necessary
✔ Data Security – Protect data from breaches and misuse

👤 Rights of Individuals (Data Principals)
✔ Access & Correction – View and update your personal data
✔ Right to Erasure – Request deletion of your data
✔ Withdraw Consent – Opt out anytime
✔ File Complaints – Report misuse or mishandling

🏢 Duties of Organizations (Data Fiduciaries)
✔ Ensure lawful data processing
✔ Implement strong security safeguards
✔ Maintain transparency in data usage
✔ Respond to user requests promptly

⚠️ Penalties for Non-Compliance
💰 Fines up to ₹250 crore (or more) for serious violations

👶 Special Protection for Children
✔ Parental consent is mandatory
✔ Restrictions on targeted advertising for children

💡 Why This Matters?
The DPDP Act marks a shift toward privacy-first digital governance, aligning India with global standards and building trust in the digital ecosystem.

📌 Key Takeaway:
👉 Your data, your rights
👉 Organizations must be accountable
👉 Privacy is now a legal priority in India

#DPDPAct #DataProtection #Privacy #CyberSecurity #GRC #Compliance #IndiaTech #InformationSecurity #DataPrivacy #DigitalIndia
-
DPDP Act, 2023 | Data Retention Is Not a Storage Policy—It Is a Purpose Policy

One common misconception under India’s DPDP regime is that organisations can define retention periods freely. The law is clear: retention flows from purpose, not convenience.

Key takeaways practitioners should note:

• Erase when purpose ends
Personal data must be erased on withdrawal of consent or when the specified purpose is no longer served—whichever occurs earlier (Section 8(7)).

• Inactivity triggers deemed purpose expiry
For large digital platforms, the law deems purpose to be over after inactivity:
– E-commerce (≥2 crore users): 3 years
– Social media (≥2 crore users): 3 years
– Online gaming (≥50 lakh users): 3 years

• 48-hour user notice before deletion
Before erasure due to inactivity, users must be informed at least 48 hours in advance—an operational control many systems currently lack.

• Security logs are not optional
Traffic data and processing logs must be retained for minimum 1 year to support breach detection and investigations.

• Consent Managers have extended retention
Consent records must be preserved for at least 7 years.

• Legal retention overrides DPDP erasure
Where another law mandates retention (banking, taxation, AML, employment), DPDP permits continued storage.

Bottom line: DPDP forces organisations to engineer retention into system design, not bury it in policy documents. If your data inventory, log architecture, and erasure workflows are not aligned, compliance remains theoretical. This is where privacy governance meets IT controls—and where you should focus.
-
🚀 India’s Digital Personal Data Protection Regime Goes Live

As of today, 14 November 2025, the Ministry of Electronics & Information Technology (MeitY) has officially notified the rules under the DPDP Act, marking a major milestone in India’s data-privacy landscape.

🔍 Why this matters
- The DPDP Act was passed in August 2023 to govern how digital personal data is processed in India: collecting, storing, using, sharing, deleting, etc.
- With today’s rules, this framework becomes operational — meaning businesses, tech platforms, service providers must now align to it.
- The Act applies not only within India, but also to entities outside India offering goods/services to Indian data-subjects and processing their digital personal data.

🧭 Key organizational implications
- Data fiduciaries (the organizations deciding on the purpose & means of processing) need to overhaul their privacy governance: consent-mechanisms, purpose-limitation, retention policies, data-audits.
- Special protections for children’s data and persons with disabilities: processing must be cautious, no behavioral tracking or profiling targeted at minors.
- Cross-border data flows, registration of consent-managers, creation of grievance redressal mechanisms: all now on the table.
- A transition period: many stakeholders can take up to 12-18 months to comply with all requirements.

💡 What every business leader should ask today
- Are we fully aware of what “digital personal data” we collect? Do we map the life-cycle of that data?
- Have we reviewed our consent-workflow: is it free, specific, informed, unambiguous and revocable? (As required under the Act)
- Do we have mechanisms for erasure, correction, updating of data when requested by data-principals?
- Are we ready for audit, and named fiduciary responsibilities that may come under scrutiny?
- How does this change our risk-profile: reputational, regulatory, operational?

🤝 My view
This is a landmark moment: a welcome shift towards building a stronger trust-ecosystem for digital interactions in India. For businesses it means more work — but also an opportunity: to differentiate through transparent, respectful data usage, and to build customer trust. For individuals: greater clarity, better rights, more control. Let’s use this pivot to review our data-practices, upgrade our governance, and treat data not just as a compliance chore, but as a place to build trust and value.

✨ Call to action: If you’re working in tech, legal, compliance, product or operations, I’d love to hear how your organization is preparing for DPDP. What are the biggest gaps you’re seeing? What’s your approach to enable compliance while staying agile? Drop a comment or DM — let’s exchange insights.
-
India has officially notified the DPDP Rules 2025, triggering the operational rollout of the DPDP Act. For the banking sector, this is a defining moment. The rules now make data governance, breach reporting, consent, and security controls a regulatory obligation — not a best practice. Banks handle the most sensitive personal data in the country. With the new rules, they must strengthen security (encryption, access controls, audit logs), redesign customer consent journeys, and notify customers and the government quickly in case of a breach. Retention and deletion rules also tighten — data can’t be kept beyond its purpose without legal basis. Most large banks will now fall under the category of Significant Data Fiduciaries, bringing additional responsibilities like annual data-protection audits, DPIAs, and tighter oversight on data flows, especially cross-border. This will force banks to rethink their data architecture, vendor ecosystem, and operating model over the next 12–18 months. My view: this is not just a compliance change — it’s a trust opportunity. Banks that act early and communicate transparently will earn customer confidence and stand out in an increasingly digital financial ecosystem. The DPDP era has begun. Are we ready to lead it?
-
Does the DPDP Act apply to your business?

This is one of the most common questions I get, and I understand why. The Digital Personal Data Protection Act can seem overwhelming, especially when you're focused on building and growing your business. Here's a straightforward way to assess if it applies to you.

If you're collecting digital personal data, you're likely covered
This includes names, email addresses, phone numbers, whether through your website, app, CRM system, or even spreadsheets. The Act also covers offline data that you later digitize, like physical forms that get entered and transferred into your systems.

Geography doesn't provide an exemption
Many businesses assume that being incorporated outside India means they're not covered. That's not the case. If you're providing goods or services to customers in India, the Act applies to you regardless of where your company is registered.

Larger organizations face additional requirements
Banks, telecommunications companies, Social Media Platforms and significant e-commerce platforms will likely be designated as Significant Data Fiduciaries. This classification comes with enhanced obligations: appointing a Data Protection Officer, conducting regular audits, and performing Data Protection Impact Assessments.

The startup question
Many ask this: "We're a small startup, surely this doesn't apply to us?" Here's what you need to know. There's currently no minimum revenue threshold specified. While the government has provisions to offer procedural relief to startups and MSMEs, the core requirements remain universal: obtaining proper consent, implementing security safeguards, and understanding that penalties are applicable.

Few exemptions exist
Personal data processing for purely domestic purposes (like your personal contact list) is exempt. Data that's already publicly available, such as information you've published on professional or social platforms, is also outside the scope.

The reality is: Data protection compliance is now a business fundamental, not optional. The DPDP Rules were finalized in November 2025, with full enforcement approaching in May 2027.

If you're uncertain about your compliance status or need guidance on next steps, we are here to help. Feel free to reach out.

#DPDPAct #DataProtection #Compliance #BusinessIndia #PrivacyLaw #Security #CyberSecurity

Santhana Krishna (SK)
SekurZen
-
DPDP Rules 2025: From Notification to Implementation.

The Digital Personal Data Protection Rules notified on November 13, 2025, mark India's transition from data protection principles to operational reality.

For financial services professionals navigating this shift, I've prepared a practitioner-focused analysis breaking down:
→ Staggered enforcement timelines (immediate to 18 months)
→ Sector-specific implications for banks, NBFCs, fintechs, and insurers
→ Operational mandates: consent management, breach protocols, data retention
→ Strategic opportunities: trust premium, Open Finance enablement
→ 18-month implementation roadmap

Key takeaways:
→ 72-hour breach reporting to Data Protection Board
→ 3-year dormancy deletion triggers for large platforms
→ Consent Manager ecosystem activation (Q4 2026)
→ Child data processing exemptions & safeguards
→ Significant Data Fiduciary obligations

This isn't a compliance checkbox—it's a governance transformation. Document attached. Would value perspectives from fellow practitioners on implementation challenges you're anticipating.

#DPDP #DataProtection #FinancialServices #RegulatoryCompliance #Privacy #India #FinTech #Banking #Insurance
-
DPDP for BFSI — India’s New Standard for Financial Trust

Every bank, NBFC, insurer, payment platform, fintech, and cooperative today runs on sensitive personal data. With DPDP now notified and the Data Protection Board operational, the transformation is clear: DPDP is India’s Financial Trust Framework.

Why BFSI is uniquely impacted:
- Massive KYC, CKYC, Aadhaar-linked data flows
- High-frequency transactions
- Multi-layer vendor ecosystems
- Fraud, risk, credit, underwriting models
- Cloud, API, UPI, and real-time payments
- Customer grievances and accountability

Under DPDP, BFSI must shift from compliance to continuous, automated oversight:

The New BFSI Playbook:
- Unified customer data lineage across core banking, LOS, LMS, CRM
- Automated DPIAs for lending, underwriting, claims, and collections
- Consent orchestration with audit-grade evidence
- Zero-trust access across branches, RM networks, call centers
- Automated retention & archival deletion
- Real-time breach readiness
- Responsible AI for credit scoring and fraud detection
- Compliance dashboards for Board & regulators

DPDP is BFSI’s moment to rebuild trust at scale. The winning institutions will be the ones that turn privacy into a business differentiator, not a checkbox.

#DPDP #BFSI #FinancialPrivacy #DigitalTrust
-
🔒 Digital Personal Data Protection Rules, 2025 — A New Era of Trust, Transparency & User Rights

The Government of India has officially notified the Digital Personal Data Protection Rules, 2025, marking a major milestone in strengthening India’s digital governance framework under the DPDP Act, 2023. These rules bring clarity, accountability, and a citizen-first approach to how personal data is processed, protected, and preserved across digital platforms.

Here are the key highlights shaping the future of data protection in India:

🔹 Clear, Transparent Notices
Data Fiduciaries must issue simple, independent, easy-to-understand notices explaining what data is collected and why.

🔹 Stronger Security Safeguards
Mandatory use of encryption, tokenisation, access control, monitoring logs, and 1-year minimum data retention for breach investigation.

🔹 Data Breach Reporting
Quick communication to affected individuals and mandatory 72-hour reporting to the Data Protection Board.

🔹 Consent Managers Framework
India introduces a unique interoperable consent ecosystem with stringent eligibility, transparency requirements, and conflict-of-interest checks.

🔹 Child & Disability Data Protection
Strict verification of parental consent, lawful guardian validation, and exemptions only for health, education, and safety-related use cases.

🔹 Right to Erasure & Inactivity-Based Deletion
Large platforms (e-commerce, social media, gaming) must erase data after 3 years of user inactivity, with mandatory 48-hour advance notice.

🔹 Significant Data Fiduciaries (SDFs)
Annual DPIA, audits, algorithmic due diligence, and restrictions on offshore transfer of sensitive data.

🔹 Government Services & Public Funds
For subsidies, benefits, certificates, and services, processing must follow strict standards under the Second Schedule.

🔹 Digital-First Governance
Both the Data Protection Board and the Appellate Tribunal will function as digital offices, enabling swift, paperless, tech-enabled adjudication.

The DPDP Rules, 2025 reinforce India’s commitment to a secure, trusted, accountable digital economy—empowering citizens while enabling innovation. As we move toward deeper digitalisation, these rules provide a robust foundation for responsible data handling and a safer digital future for all.

#DPDP2025 #DigitalIndia #DataProtection #Governance #CyberSecurity #PrivacyByDesign #TechPolicy #DigitalTransformation