Draft Act Elevates Consent, Security and Accountability Expectations

The Ministry of Electronics and Information Technology on Friday released the rules that operationalize the country’s first dedicated law for processing personal data, two years after India passed the Digital Personal Data Protection Act. The administrative provisions of the DPDP Act take effect first, with the remaining obligations set to roll out in phases over the next 18 months.
The latest draft specifies how companies must collect, secure, retain and erase personal data under the DPDP Act, and it effectively raises the cost of non-compliance. The draft puts senior leadership directly on the hook, with new requirements for audits, assessments and breach reporting that make data protection a board-level responsibility rather than a back-office function.
The immediate organizational impact is that all enterprises must now provide clear notices specifying what data will be collected, for what purpose and how it will be used, while also offering Data Principals – the Act's term for data subjects – simple mechanisms to withdraw consent.
This shift forces companies to embed consent life cycle management directly into applications, databases and user journeys.
For CISOs, this translates to deeper coordination between security, IT, legal and engineering teams to ensure that rights-related processes are both secure and technically feasible.
Security expectations are expressed clearly in the draft’s duties for those who collect the data, known as Data Fiduciaries. The draft calls for “reasonable security safeguards,” accuracy of processed data, deletion once the purpose is fulfilled and breach notifications to both authorities and individuals.
This will establish a compliance baseline that requires enterprises to maintain breach readiness, enforce strong internal controls and document their actions in the event of an incident. The emphasis on data accuracy and timely deletion also pressures organizations to adopt disciplined data retention policies, reducing unnecessary storage that increases attack surfaces.
The draft also outlines penalty-based enforcement for companies that fail to protect data properly. Even though this section doesn’t list the actual fine amounts, the government intends to use a deterrence-oriented approach that raises the financial and reputational stakes for enterprises. CIOs and CISOs will need heightened oversight, audit trails and documented evidence of compliance to manage this risk exposure.
The government has spelled out exactly how consent managers are supposed to work, instead of leaving the concept vague, said Prashant Mali, a cyber law specialist. A consent manager is an intermediary authorized under the DPDP Act that helps individuals give, manage, review and withdraw their consent for how different organizations use their personal data. “The final rules operationalized the entire life cycle, including registration criteria, duties, suspension and revocation mechanisms. Compliance teams finally have actionable checklists.”
Children’s data receives heightened attention. Firms will have to confirm that a real parent or guardian has given permission before collecting a child’s data and they won’t be allowed to profile kids or target them with ads. Organizations in sectors such as ed-tech, consumer apps and online services will now need new verification processes and redesigned systems to ensure they comply – especially in how they onboard young users and move their data through internal systems.
Comparing Global Standards
For enterprises operating across multiple jurisdictions, the DPDP diverges from global norms in important ways. It differs from the GDPR in both scope and operational depth, creating a distinct compliance environment for Indian organizations.
GDPR covers all personal data, whether digital or on paper, and enables several legal justifications for processing. The DPDP, by contrast, applies only to digital personal data and relies far more heavily on consent, offering fewer alternative grounds. This places a heavier operational burden on organizations to secure, track and manage consent throughout the data lifecycle.
User rights diverge significantly as well. The GDPR provides a broader suite of rights such as portability and objection, whereas the DPDP focuses on access, correction, erasure, grievance redressal and nomination rights. Both frameworks require strong protections for children’s data, but the DPDP’s final rules introduce more prescriptive verification steps, including Digital Locker-based validation, token mapping and structured age checks, operational mechanisms the GDPR leaves to organizational discretion.
Security and breach obligations also differ in emphasis. The DPDP mandates specific safeguards (encryption, masking, pseudonymization and tokenization) along with compulsory log retention for one year, requirements the GDPR does not explicitly specify. Breach notification under both frameworks includes a 72-hour reporting window, but the DPDP additionally requires immediate, clear communication to affected users.
The DPDP Act also clarifies how government bodies may process data for benefits, services, expenditure flows and legal mandates – areas that were fuzzy in earlier drafts.
In essence, while GDPR is broader and principles-based, the DPDP is narrower but significantly more prescriptive. For CISOs and CIOs, this means India’s law demands more explicit operational controls, stricter security measures and firmer accountability for breaches and consent management.
Despite welcoming clearer guidance, Mali warned of practical challenges. “Compliance costs will spike. Encryption, logging, monitoring and one-year retention are heavy lifts, especially for SMEs. And ‘without delay’ may expose companies to litigation,” he said.