INTRODUCTION

The enactment of the Digital Personal Data Protection Act (DPDPA), 2023, and the publication of the draft Digital Personal Data Protection Rules, 2025 (DPDP Rules), mark a significant development in India’s data privacy framework.

On the one hand, the proposed legislative framework is aimed at safeguarding personal data; on the other hand, it also introduces stringent obligations for data fiduciaries as regards observing compliances, reporting breaches, etc. This article explores the emerging challenges businesses face under the DPDPA, 2023, and the draft DPDP Rules, 2025, and offers strategic insights for businesses to navigate these requirements effectively.

KEY CHALLENGES AND COMPLIANCE BURDENS

With comprehensive measures to ensure transparency and accountability, the DPDPA and the draft Rules aim to balance individual rights with compliance obligations on businesses to ensure that appropriate emphasis is given to privacy and data security (while providing opportunities for fostering innovation as well). However, businesses face several critical compliance challenges, including:

  1. Enhanced Consent Management and Tracking Mechanisms

While Section 6 of the DPDPA places a strong emphasis on obtaining free, specific, informed, and unconditional consent for processing personal data, its practical implementation poses significant challenges. Businesses will now be required to move beyond generic consent forms and adopt granular, purpose-driven consent mechanisms. Further, implementation of these requirements will require businesses to establish robust consent-tracking mechanisms and maintain audit trails to ensure compliance.

Further, Rule 4 of the draft DPDP Rules outlines specific requirements for Consent Managers, which will enable users to provide, manage, review, and revoke their consent for the processing of their personal data. While the use of Consent Managers is optional under the statute, opting for their services would lessen the administrative burden on businesses. However, this also comes with the added cost of engaging these Consent Managers (which may ultimately not be feasible for smaller entities, MSMEs, etc.).

  2. Manner of Displaying Notice for Consent

Section 5 of the DPDPA states that every request regarding consent for processing of data made to a Data Principal under Section 6 must be accompanied or preceded by a notice. Further, Rule 3 of the Draft Rules provides specific requirements to be incorporated in such notice. The notices are required to be presented in clear and plain language and must include details necessary to enable the Data Principal to give specific and informed consent for the processing of their personal data.

It is interesting to note that while Rule 3 prescribes standards for the notice, the DPDP Rules do not prescribe any standardized format for the Consent Notice. Consequently, a major concern amongst businesses is the appropriate and legally compliant manner of displaying consent notices so that they are easily accessible and understandable to Data Principals. It remains to be seen whether a standard notice format will be prescribed in the final Rules to streamline compliance, or whether Data Fiduciaries will retain the flexibility to adopt their own mechanisms and notice specifics based on their business operations. This further raises the concern that Data Fiduciaries might give notice in a manner that does not adequately inform Data Principals about the particulars of the data to be shared.

  3. Ensuring Reasonable Security Safeguards

Section 8(5) of the DPDPA mandates that Data Fiduciaries protect the personal data in their possession and implement ‘reasonable security safeguards’ to prevent any data breach. Rule 6 of the Draft Rules expands on this requirement and specifies that Data Fiduciaries must adopt robust data security measures such as encryption, intrusion detection systems, data loss prevention tools, etc. Accordingly, the challenge lies not only in implementing these technologies but also in adopting a risk-based approach to data security, conducting regular vulnerability assessments and implementing appropriate technical and organizational measures.

  4. Personal Data Breach Notification

Section 8(6) of the DPDPA states that in the event of a personal data breach, it is the duty of the Data Fiduciary to promptly notify the Data Protection Board of India (‘Board’) and each affected individual about such breach. Since no materiality threshold is specified, Data Fiduciaries are required to notify Data Principals of each and every data breach, which may eventually lead to significant compliance burdens for Data Fiduciaries.

Further, these data breach notification requirements add another layer of complexity, as it would be difficult for businesses to report each data breach promptly, within 72 hours, to both the Data Protection Board and all affected Data Principals (especially given the elaborate information to be provided to the Board). In light of this, businesses would be well advised to implement automated threat detection systems and develop a data breach notification template for swift reporting (to the Board and Data Principals) to ensure timely compliance.

  5. Cross-Border Data Transfers

Under the DPDPA, cross-border transfers of personal data are permitted unless explicitly prohibited by the Government through a ‘negative list’ of jurisdictions (which could be prescribed by the Government in the future). Further, the draft DPDP Rules do not define a clear policy framework for the countries that could be designated under the ‘negative list’. Consequently, businesses will remain uncertain about future Government decisions, necessitating careful risk assessments and contingency plans for cross-border data flows.

  6. Data Retention Requirements

DPDPA provides strict data retention requirements mandating Data Fiduciaries to retain the personal data of Data Principals only as long as necessary to fulfill the purpose for which it was collected. Accordingly, in order to avoid any potential misuse, Data Fiduciaries must erase the personal data once it has served its purpose or is no longer required. Further, the DPDPA mandates Data Fiduciaries to promptly erase personal data upon the withdrawal of consent by the Data Principal.

However, the DPDP Rules provide specific data retention timelines for three specific business sectors. Accordingly, all e-commerce entities and social media intermediaries (which have more than twenty million registered users in India) and all online gaming intermediaries (which have more than five million registered users in India) are required to delete the personal data of Users/Data Principals where the Data Principal has not approached the Data Fiduciary for any specified purpose or for exercising their rights under the DPDPA for a continuous period of three years, or three years from the commencement of the DPDP Rules (whichever is earlier). In light of these compliance requirements, it will be challenging for Data Fiduciaries to notify Data Principals each time prior to the permanent deletion of their data (after completion of the specified timelines).

  7. Challenges with Implementing Verifiable Parental Consent

The DPDPA and the draft DPDP Rules require verifiable parental consent for processing the personal data of children (who are below the age of 18 years) or persons with disabilities. The purpose of this requirement is to shield children from negative consequences such as exposure to inappropriate content or targeted advertising (which could negatively impact their well-being and development). Further, Rule 10 of the draft DPDP Rules provides how Data Fiduciaries should handle the personal data of children or persons with disabilities. Consequently, the main focus is on ensuring that the parent or legal guardian gives their consent prior to the processing by businesses of the personal data of a child or a person with a disability.

Although businesses are required to implement robust age verification mechanisms and maintain detailed records of consent to ensure compliance with their legal obligations, India’s data protection framework lacks clarity on permissible mechanisms and verification methods. It will therefore be challenging for Data Fiduciaries to ensure that they obtain clear and verifiable consent from a parent before they process or use the personal data of children or persons with disabilities.

  8. Addressing the Rights of Data Principals

Sections 11 and 12 of the DPDPA grant Data Principals a range of rights, including the right to access, and to request correction, updating and erasure of, their personal data. Further, Rule 13 of the Draft DPDP Rules provides guidelines concerning the rights of Data Principals and their implementation. In light of this, it will be essential for businesses to establish efficient and effective mechanisms for responding to Data Principal requests within the stipulated timelines; the challenge lies in balancing the need to protect data privacy with the need to maintain business operations. To streamline this process, it would be critical to deploy automated data rectification and deletion tools and to maintain an efficient grievance redressal mechanism.

  9. Obligations of Data Fiduciaries

The DPDPA requires Data Fiduciaries to demonstrate accountability and transparency in their data processing activities. This requires businesses to maintain detailed records of their data processing activities, conduct data protection impact assessments (DPIAs) for high-risk processing (carried out by businesses expected to be classified as Significant Data Fiduciaries) and appoint data protection officers (DPOs) where required. While maintaining records of data processing activities and conducting DPIAs are welcome steps, the lack of clarity on DPIA requirements and assessment formats poses implementation challenges, which could eventually lead to weak assessments.

  10. Establishing a Grievance Redressal Mechanism

The DPDPA mandates that Data Fiduciaries establish a grievance redressal mechanism for addressing Data Principal complaints. This requires businesses to develop clear and accessible procedures for receiving, investigating and resolving complaints as and when received from the Data Principals. However, the ultimate challenge lies in ensuring that the grievance redressal mechanism is fair, transparent, and effective, and that each complaint is resolved in a timely manner as mandated under the DPDPA.

CONCLUSION

The DPDPA, 2023, and the forthcoming DPDP Rules, 2025, signify a paradigm shift in India’s data privacy landscape. As the draft DPDP Rules were open for public consultation for a reasonable period of time, it remains to be seen whether the above inadequacies and challenges have undergone further scrutiny and refinement (to ensure a robust data protection regime which upholds privacy rights while balancing the compliance obligations of businesses) in the final version of the Rules, which are expected to be published in 2025.

Meanwhile, to ensure effective compliance with the data protection laws, businesses should start adopting proactive compliance strategies by investing in privacy-enhancing technologies, conducting regulatory risk assessments, and implementing user-centric data governance models. By addressing these emerging challenges, businesses can not only ensure compliance with the legislation but will also build trust with their customers and stakeholders (thereby establishing a competitive advantage in the evolving digital ecosystem).

Authors:

Mr. Gaurav Bhalla (Partner)

Mr. Parag Singhal (Associate)
