The Data Protection and Digital Privacy (DPDP) Rules aim to establish a more robust consent framework and enhance the rights of data subjects, placing individuals at the forefront of data governance. The regulations include clearer requirements for enabling individuals to withdraw consent and to rectify and erase their data, enhancing user control while ensuring that enterprises are accountable for the lawful and transparent processing of personal information.
The DPDP Rules introduce a stronger consent framework and expanded user rights
The DPDP Rules elevate the standards for consent and data subject rights. Notifications to individuals must be clear, standalone, and easy to understand. They need to specify what data is being collected, the reasons for its collection, and potential uses. Moreover, accessible methods must be provided for data subjects to withdraw consent, correct inaccuracies, and file complaints with the Data Protection Board (DPB).
The establishment of consent managers has been formalized; these entities are responsible for obtaining, recording, and managing consent. Consent managers must register with the DPB and adhere to specific criteria. Special guidelines apply to children’s data, requiring verifiable parental consent for the processing of minors’ information.
However, some cybersecurity experts offer a different viewpoint. “Little has been clearly defined so far, apart from the salaries of the Data Protection Board’s chairperson and members. Key aspects such as the role and structure of the SDF remain unclear, and greater clarity around data subject rights and consent will only emerge once the Board is operational,” commented Dr. Durga Prasad Dube, Ph.D., Global Chief Information Security Officer and Executive Vice-President at Reliance Industries Ltd. He noted that the immediate obligation for organizations is to issue privacy notices to all data subjects within an 18-month timeframe—a significant challenge, albeit a reasonable timeline.
The new DPDP Rules will significantly impact enterprises
Businesses must redesign their processes for seeking consent. This shift will necessitate more user-friendly and transparent interfaces that allow for the withdrawal of consent. Contractual models may also evolve. Organizations might need to use third-party consent managers or develop their own capabilities. The new requirements are expected to have substantial implications for consumer-facing enterprises, including applications, social media platforms, and e-commerce sites. This may result in significant adjustments to user experience (UX) and data flow design.
Industry analysts suggest that the DPDP framework will continue to evolve, becoming increasingly refined as real-world incidents, breaches, and legal challenges arise. Each enforcement action and compliance issue will potentially clarify ambiguous areas, prompting updates in regulations, guidance, and industry best practices. Consequently, the law is unlikely to remain static; it will develop through ongoing interpretation and adjustments based on experience.
Enterprises should anticipate periodic updates and more detailed expectations as regulators respond to practical scenarios and industry-specific challenges.
“We support enterprises in establishing these foundations through automated data lifecycle governance, consent and rights management workflows, enhanced security measures, cross-border governance, and SDF readiness,” said Abhay Johorey, Managing Director of Protiviti India.
The strengthened data subject rights and consent provisions introduced by the DPDP Rules indicate a significant shift towards user-centric data governance. By insisting on clearer transparency and increased individual control, the framework encourages organizations to prioritize responsible management of personal data, ultimately fostering a more trustworthy and accountable digital ecosystem.






