India has taken a significant step toward strengthening data privacy.
After the introduction of the Digital Personal Data Protection Act, 2023, the release of its draft rules by the Ministry of Electronics and Information Technology marks an important move from legislation to implementation.
These draft rules provide clarity on how the law will function in practice, covering consent, governance, children’s data protection, and regulatory enforcement.
For businesses, this is not just an update. It signals the beginning of stricter accountability and operational changes.
Why the Draft Rules Matter
The DPDP Act laid the foundation for data protection in India. The draft rules now define how organizations must apply that framework in real-world scenarios.
This includes:
- Clear compliance expectations
- Defined operational processes
- Stronger enforcement mechanisms
In short, the draft rules turn policy into action.
Key Highlights of the Draft Rules
1. Stronger Protection for Children’s Data
One of the most critical areas addressed is the handling of children’s personal data.
Organizations must now:
- Obtain verifiable parental consent
- Use identity-backed verification methods such as government-issued IDs or trusted digital systems like
DigiLocker
At the same time, certain exemptions are proposed for:
- Educational institutions
- Child welfare organizations
This balance aims to protect children while allowing essential services to function effectively.
2. Introduction of Consent Managers
The draft rules formally introduce the concept of Consent Managers.
These entities will:
- Act as intermediaries between users and businesses
- Help manage user consent in a transparent manner
- Be required to register with the
Data Protection Board of India
To ensure credibility, consent managers must meet eligibility criteria, including a minimum financial threshold.
This move is designed to standardize how consent is collected, tracked, and managed.
3. Establishment of the Data Protection Board
The draft rules provide operational clarity for the
Data Protection Board of India.
Key responsibilities include:
- Investigating data breaches
- Enforcing penalties
- Monitoring compliance
The Board will function as a digital-first authority, enabling:
- Online complaint filing
- Remote hearings
- Faster resolution of cases
This approach improves accessibility and efficiency.
What These Rules Mean for Businesses
The draft rules bring clear implications for organizations handling personal data.
Compliance Becomes Non-Negotiable
Businesses must evaluate their current data practices and align them with the new requirements.
Increased Responsibility for Children’s Data
Organizations dealing with minors must implement stronger safeguards and consent mechanisms.
Shift Toward Structured Consent Management
Companies may need to integrate with registered consent managers or upgrade internal systems.
Greater Regulatory Oversight
With the operationalization of the
Data Protection Board of India, businesses should expect:
- Increased scrutiny
- Faster enforcement actions
- Higher accountability
What Should Businesses Do Next?
With the draft rules now available, organizations should act early rather than wait for final enforcement.
Key Steps:
- Conduct a DPDP readiness assessment
- Review data collection and consent practices
- Strengthen data protection controls
- Update internal policies and procedures
- Train employees on compliance requirements
Public Consultation Opportunity
The draft rules are open for public feedback, giving stakeholders a chance to shape the final framework.
This is a valuable opportunity for:
- Businesses
- Legal experts
- Industry professionals
to provide input before the rules are finalized.
How Securis360 Inc. Can Help
At Securis360 Inc., we support organizations in navigating the evolving data privacy landscape.
Our services include:
- DPDP gap assessment
- Data privacy audits
- Policy design and implementation
- Consent and governance frameworks
- Employee training and awareness programs
We focus on practical, scalable solutions that align with regulatory expectations.
The release of the draft rules under the Digital Personal Data Protection Act, 2023 is a major step toward building a structured and enforceable data protection ecosystem in India.
For businesses, this is a clear signal to prepare, adapt, and strengthen their data governance practices.
Those who act early will not only reduce compliance risks but also build stronger trust with their customers.