Draft DPDP Rules 2025 - Ready Reckoner

Columns: Rules & Schedule | Requirements | Recommended steps
Rule 1: Basic Provisions

Allows for adaptable implementation approach

  • Final rules may have modifications, but no major changes anticipated.
  • Effective Implementation of the Act has to be done in accordance with these rules
Rule 2: Definitions
  • The Rules are an appendix to the Act; hence the definitions given in the Act shall be followed.
  • Context-specific interpretations are allowed.
Rule 3: Privacy Notice

To establish fundamental requirements for privacy notifications:

  • Must be independent and easily understandable to ensure transparency and accountability
  • Requires itemized description and clear purpose
  • Must cover both website and app platforms
  • Withdrawal of consent mechanism to be updated in the Privacy Notice.
  • Privacy Notice cannot be clubbed as part of terms and conditions.
  • An itemized description of personal data with a clear purpose, in tabular form, along with the list of goods and services, should be considered while drafting the Privacy Notice.
  • Update the website and application with a communication link for exercising Data Principal rights, along with the withdrawal mechanism and grievance redressal.
Rule 4 r/w Schedule 1: Consent Manager (CM)

Mandatory requirement of Consent Manager

  • Minimum financial requirement of 2 crore
  • Must obtain independent registration.
  • Must be interoperable between the CM and Data Principals
  • Required to maintain consent records for 7 years
  • Must develop a website/app for service access
  • Regular audits as per Board requirements
  • Establish a framework for consent management
  • Define interoperability requirements for CMs
  • Consent Managers to act as registered intermediaries to Data Fiduciaries.
  • The Consent Manager will deal independently with consent and withdrawal of consent for an organisation.
  • The Consent Manager is to manage and document the records of consent.
Rule 5 r/w Schedule 2 & 7: Government Data Processing
  • Guidelines for data processing by government and its entities.
  • Limited to legal purposes and public fund usage
  • Must maintain data accuracy
  • Requires transparency in data usage
  • Mandatory security measures
  • Only the government and its instrumentalities are exempted; dealing with the government does not per se exempt an organisation from its compliance obligations under the DPDPA.
Rule 6: Security Safeguards
  • Advanced encryption protocols required
  • Access control systems shall be in place
  • Comprehensive monitoring capabilities
  • Regular backup procedures
  • Detailed logging requirements
  • Organisations to update and review their existing privacy and security frameworks.
  • Implement reasonable security measures to prevent data breaches; the rules specify a list of minimum safeguards and require Fiduciaries to contractually obligate processors to ensure data security.
Rule 7: Data Breach Management
  • Notify the Board and affected Data Principals within 72 hours of the breach
  • Must provide a description of the breach
  • Must provide the potential consequences
  • Remedial measures taken
  • Safety measures should be implemented
  • Business contact information to be provided
  • Organisations to develop and enforce DPDPA-compliant data breach procedures.
  • Organisations to establish a mechanism to notify Data Principals and the Data Protection Board in case of a data breach within the stipulated timeline.
Rule 8 r/w Schedule 3: Data Retention
  • 48-hour advance notice required before data deletion
  • Schedule 3 guidelines to be followed
  • Clear data retention purpose documentation required
  • Statutory requirements must be met
  • Data Fiduciary to ensure that Data Retention and Data Deletion procedures are established for active and inactive users as per the procedure notified in the draft rules.
  • Establish a procedure to ensure that the Data Principal is served with the notice at least 48 hours prior to Data Deletion.
Rule 9: Contact Information
  • DPO contact details to be made available on website/app
  • For the response mechanism, either the DPO or any person able to answer on behalf of the Data Fiduciary should be appointed
  • If applicable, the Data Fiduciary is to appoint a Data Protection Officer (DPO)
  • Data Fiduciary to publish the business contact information of the DPO on its website or application.
  • Data Fiduciary to establish a response mechanism and also publish the business contact information of the DPO.
Rule 10: Child/Disability Consent
  • Verifiable parental consent mechanisms
  • Digital authentication systems
  • Guardian verification protocols
  • Data Fiduciary to ensure that age gating and age verification are completed.
  • Data Fiduciary to ensure due diligence is done, either through voluntary submission of data or through government aggregators.
Rule 11 r/w Schedule 4: Child Data Exemptions

Exempted Sectors include:

  • Educational institution
  • Healthcare provider
  • Safety monitoring protocols to be followed
  • Classes of Data Fiduciary specified under Schedule 4 do not enjoy a blanket right to process any kind of personal data; they can process data only for the specified purposes mentioned in the rules.
Rule 12: Significant data fiduciary

Obligations of Significant Data Fiduciaries:

  • Annual impact assessment
  • Algorithmic accountability
  • Domestic data processing restrictions
  • Regular audit requirements
  • This requirement only applies to specific categories of personal data that will be designated by the Central Government
  • Data Fiduciary to ensure that annual impact assessment and audit reports are submitted to the Data Protection Board
  • Organisations to further ensure additional due diligence with regard to algorithmic software.
  • To safeguard data in transit and prevent tampering and eavesdropping, the organisation will implement relevant mechanisms that adhere to industry standards.
  • This includes employing end-to-end encryption and utilising network security protocols such as:

    • Transport Layer Security (TLS)
    • Secure File Transfer Protocol (SFTP)
    • Secure Copy Protocol (SCP) over Secure Shell (SSH)
    • Hypertext Transfer Protocol Secure (HTTPS)
Rule 13: Data Principal Rights

Data Retention for Children:

  • Clear identification protocols
  • Structured grievance resolution
  • Nomination rights
  • Standardized mechanisms for execution of rights
  • Details of the means and purpose to be notified on the website or application.
  • Data Fiduciary to update its Privacy Notice using simple language to explain what data is collected and the purpose of such collection.
  • Create a dedicated Data Principal rights section on the website or application, including a step-by-step guide for making requests and multiple contact options (email, phone, form, etc.)
  • Maintain detailed records of all Data Principals' requests and keep logs of all actions taken on such requests.
Rule 14: International Transfer

Cross-border data handling:

  • Compliance to be done in accordance with Central Government requirements
  • Protocols for sharing with foreign states to be followed
  • Data Fiduciary to map all international data flows and identify which transfers involve Indian customer data and document where the data is going and who receives it.
  • Monitor Government notification and set up a process to verify compliance before each transfer.
  • Regular review of international data sharing agreements
  • Check for latest government order before initiating new international data transfers as requirements may vary according to transferee country.
Rule 15 r/w Schedule 2: Research Exemption

This section creates special rules for organisations that process personal data for:

  • Research purposes (like medical research or social studies)
  • Archiving purposes (preserving information for historical value)
  • Statistical analysis (analysing data patterns and trends)
  • Create clear policies separating exempt vs non-exempt data processing
Rule 16 to 22 r/w Schedule 5 & 6: Board Composition and Operations with Appeals

Board Composition:

  • Search committee protocols
  • Appointment procedures

Board framework:

  • Remote operations
  • Meeting procedures
  • Decision-making protocols
  • Staff appointment conditions
  • Digital filing requirement
  • Fee payment protocols
  • Tribunal operations

Appeal procedure:

  • Appeals to be directed to TDSAT.
  • Recommended steps: N.A.
Rule 22 r/w Schedule 7: Information Requests

Government authority:

  • Information requests by the Central Government for the sovereignty, integrity and national security of the State
  • Data Fiduciary to furnish such information, through an authorised signatory, as may be called for.
  • Data Fiduciaries to ensure the information is not disclosed except with the prior written permission of the authorised person of the State.