← Back to all briefings

Policy · Credibility 90/100 · · 2 min read

Policy Briefing — India Publishes Draft DPDP Rules for Consultation

India’s Ministry of Electronics and Information Technology released draft Digital Personal Data Protection Rules on 7 March 2024, outlining consent, notice, and cross-border transfer obligations ahead of the DPDP Act’s staged enforcement.

Executive briefing: On 7 March 2024 the Ministry of Electronics and Information Technology (MeitY) opened consultation on the Digital Personal Data Protection Rules, 2024. The draft subordinate legislation operationalises India’s Digital Personal Data Protection Act, 2023 by detailing consent notices, data principal rights workflows, significant data fiduciary designations, and restrictions on cross-border transfers. Comments are due by 15 March 2024 before MeitY finalises the rules.

Key obligations

  • Granular consent notices. Draft Rule 3 requires clear, itemised notices in English and at least one regional language that explain processing purposes, rights, and withdrawal mechanisms.
  • Significant data fiduciaries. Draft Rule 7 empowers MeitY to classify entities based on volume, sensitivity, and risk, triggering obligations for data protection officers resident in India, independent audits, and privacy impact assessments.
  • Cross-border transfers. Draft Rule 8 restricts personal data exports to whitelisted jurisdictions that provide adequate protection and obliges controllers to maintain transfer registers.
  • Children and persons with disability. Draft Rule 5 mandates verifiable parental consent flows and accommodations for disability access to rights portals.

Implementation timeline

  • Consultation window. Stakeholders must submit feedback by 15 March 2024 through the MeitY consultation portal.
  • Final rules expected 2024. MeitY indicated it will fast-track final rules to support phased enforcement of the DPDP Act beginning later in 2024.
  • Grace periods. Draft transitional provisions allow MeitY to grant staged compliance periods for legacy systems, particularly for small entities.

Program actions

  • Gap analysis. Map draft rule requirements to existing privacy notices, consent logs, and rights operations to identify remediation items before the rules are finalised.
  • Cross-border inventory. Catalogue data transfers to non-Indian jurisdictions and prepare adequacy assessments or contractual safeguards aligned with the upcoming whitelist.
  • Designate leadership. Determine potential significant data fiduciary status and line up India-based data protection officers and audit partners.
  • Child data safeguards. Validate age verification, parental consent, and accessibility features across consumer applications.

Sources

Zeph Tech is preparing DPDP compliance playbooks that align Indian consent, transfer governance, and audit readiness with global privacy operations.

  • India DPDP Rules
  • Data protection
  • Cross-border transfers
  • Significant data fiduciary
Back to curated briefings