
Draft DPDP Rules 2025: Guidance to DPDP act implementation

January 2025

kpmg.com/in

KPMG. Make the Difference.


2 Draft DPDP Rules 2025: Guidance to DPDP act implementation

Target Areas for DPDP Rules 2025

The Digital Personal Data Protection Rules, 2025* released by the Ministry of Electronics and Information Technology, India (MeITY) on 3 January 2025 serve as a crucial extension to the Digital Personal Data Protection Act 2023, providing operational clarity that complements the foundational principles of the act. By outlining specific compliance requirements, these rules facilitate a smoother transition for businesses aiming to align with the act. They act as a stepping-stone by offering directives on data protection practices, enabling businesses to implement robust data governance frameworks that not only ensure legal compliance but also foster trust and transparency with data principals, ultimately contributing to a more secure and privacy-conscious business environment.

* Please note that Digital Personal Data Protection Rules 2025 are draft Rules released by the MeITY for public consultation.

© 2025 KPMG Assurance and Consulting Services LLP, an Indian Limited Liability Partnership and a member firm of the KPMG global organization of independent member firms
affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
Below are the Target Areas for DPDP Rules 2025 (page numbers in brackets):

01 Intimation of personal data breach (5)
02 Notice, consent overview and verifiable consent (5)
03 Obligations of consent manager (6)
04 Reasonable security safeguards (7)
05 Empowering data principals (7)
06 Cross border data transfer (8)
07 Retention period (8)
08 Obligations of significant data fiduciary (9)
09 Exemptions (9)


Key timelines in the rules

Rules 7(1) and 7(2): Breach intimation to the Data Protection Board (DPB). Timeline: first intimation without delay; second intimation within 72 hours.

Rule 8(2) and Third Schedule: Personal data erasure by e-commerce/social media/gaming entities and intimation of such erasure. Timeline: retention period of three years; intimation 48 hours prior to deletion.

Rule 12(1): Periodicity of DPIA and data audit. Timeline: yearly from the Rules coming into force, or from the date the fiduciary becomes an SDF.

First Schedule, Part B, 4(c): Maintenance of consent records by the consent manager. Timeline: seven years.

Publishing contact details

• Data fiduciary (DPO, in case of SDF) should publish the business contact details of the designated person on its website or application.
• Data fiduciary should mention the contact information of the designated person (DPO, in case of SDF) in every response to a communication from a data principal exercising their rights.
• The designated person should be able to answer questions about personal data processing on behalf of the data fiduciary.


1. Intimation of personal data breach

1. Primary intimation (to DPB)
To be intimated without delay upon becoming aware of the breach.
Details to be included:
• Description of the breach including nature, extent, likely impact, timing and location of the occurrence.

2. Secondary intimation (to DPB)
To be intimated within 72 hours of becoming aware, or within a longer period approved by the DPB.
Details to be included:
• Updated information from the first intimation
• Broad facts relating to the events, circumstances and cause of the breach
• Implemented or proposed measures to mitigate risk
• Findings regarding the person who caused the breach
• Remedial measures taken to prevent recurrence
• Report of notification to data principals.

3. Intimation to data principal
Data principals should be intimated without delay, to the best of its knowledge, upon becoming aware of the personal data breach.
Details to be included:
• Description of the breach (nature, extent, timing and location)
• Measures implemented or being implemented for mitigation
• Safety measures to protect their interest
• Contact information of the person who can respond for the data fiduciary.
Mode of communication:
• User account (includes any profiles, pages, handles, email address, mobile number and other similar means); or
• Any mode registered with the data fiduciary.

2. Privacy notice

Independent: The notice needs to be understandable without any other information that is made available by the data fiduciary.

Format: Provides a fair account of the details necessary, in clear and plain language, for providing specific and informed consent.

Minimum contents: A notice, at a minimum, should contain:
• Itemised description of personal data
• Details of the specific purpose and an itemised description of the goods or services to be provided or the uses to be enabled by such processing.

Means of communication: Data fiduciaries need to provide a link to a website or application or both, and a description of other means, which enables a data principal to:
• Withdraw their consent*
• Exercise their data principal rights
• Make a complaint to the Board.

*Note: The ease with which consent can be withdrawn should be comparable to the ease with which consent is collected.


Consent overview: consent manager registration, consent manager obligations and verifiable consent

Verifiable consent
• Ensure verifiable consent is obtained from the parent/guardian for processing personal data of a child or a person with disability.
• Data fiduciary must verify that the parent/guardian is an adult by using reliable identity details or through a virtual token mapped to such details.
• Ensure the appointment of a guardian is valid and such guardianship extends to the consent provided.
• Consent needs to be reliable if identification is required in certain cases.

Who can register as consent manager?
• Company incorporated in India
• Net worth > INR 2 crores
• Technical, operational and financial capacity

3. Obligations of consent manager


• Services need to be primarily provided through an application/website
• Disclosures about certain company information on the application/website
• Implement reasonable security safeguards to prevent data breach
• Ensure personal data access or sharing is done in a manner where the contents are not readable
• Prohibit sub-contracting or assigning performance of any of its obligations
• Avoid conflict of interest with data fiduciaries and take measures for the same
• Independent certification for the interoperable platform
• Consent management platform digitally accessible by data subject to manage, review and withdraw their
consent
• Retain data principal records for seven years or longer if agreed with data principal or as required by law
• Establish effective audit mechanism to periodically report the outcomes to the Board.


4. Reasonable security safeguards

Organisations also need to ensure effective observance of the below security safeguards.

Securing personal data: Appropriate measures may include but are not limited to:
• Encryption
• Obfuscation
• Masking
• Virtual tokens mapped to that personal data.

Access control: Control the access to computer resources (used by data fiduciaries and their respective data processors).

Contract: The contract between data fiduciary and data processor should include a provision to implement reasonable security safeguards.

Governance: Implement suitable technical and organisational measures to ensure monitoring of effective enforcement of security safeguards.

Business resilience: Reasonable measures, including data backups, to ensure continued processing when the integrity or availability of personal data is being compromised.

Access review: Measures for review of access to personal data:
• Maintaining appropriate access logs
• Monitoring and review.
The above measures are to:
• detect unauthorised access; and
• investigate and remediate a recurrence of unauthorised access.

Detection and prevention: Organisations need to enable measures for:
• Detecting unauthorised access
• Investigation of the same; and
• Ensuring continued processing in such events.
Technical measures include retaining logs and personal data for one year only unless required by law.

5. Empowering Data Principals

Data fiduciary and consent managers’ role

Clearly publish on their website or application (or both):
• The process by which data principals can exercise their rights, including particulars such as usernames or identifiers*
• Clear timelines for responding to grievances of the data principals, and implement appropriate technical and organisational measures under their grievance redressal system.

*Note: identifier here refers to a sequence of characters issued by the data fiduciary to identify the data principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification.

Data principal’s role

• To exercise her rights under the act, the data principal can request to access and erase her personal data by contacting the data fiduciary.
• Data principals may nominate one or more individuals to exercise their rights under the DPDP act, in accordance with the terms of service of the fiduciary and any applicable law, using the data fiduciary’s mechanism.


6. Cross border data transfer


Transfers outside India by data fiduciaries are subject to requirements set by the central government for making personal data available to any foreign state.

7. Retention period as per third schedule

Erasure of personal data
Data fiduciary must erase personal data if the data principal does not approach it:
• For the specified time period; or
• Exercise rights within the specified time mentioned in the Third Schedule of the Rules.

Notification before erasure
• Data fiduciary must inform the data principal at least 48 hours before the erasure of personal data.
• Upon completion of the aforementioned period, the data fiduciary shall erase the data unless the data principal logs into their user account or contacts the data fiduciary to prevent erasure.

Erasure and retention period for certain data fiduciaries

Class of data fiduciaries: E-commerce entity with not less than two crore registered users in India
Purpose: All purposes except access to user account, and access to virtual tokens for money, goods or services.
Time period: Three years from the date the Data Principal last approached for the performance of the specified purpose or exercise of their rights, or commencement of the Rules, whichever is earlier.

Class of data fiduciaries: Online gaming intermediary with not less than 50 lakh registered users in India
Purpose: All purposes except access to user account, and access to virtual tokens for money, goods or services.
Time period: Three years from the date the Data Principal last approached for the performance of the specified purpose or exercise of their rights, or commencement of the Rules, whichever is earlier.

Class of data fiduciaries: Social Media Intermediary with not less than two crore registered users in India
Purpose: All purposes except access to user account, and access to virtual tokens for money, goods or services.
Time period: Three years from the date the Data Principal last approached for the performance of the specified purpose or exercise of their rights, or commencement of the Rules, whichever is earlier.
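As an added illustration that is not part of the KPMG document, the Third Schedule retention clock and the 48-hour pre-erasure intimation described above expressed as a Python scheduling check. The record fields, purpose names and batch function are assumptions; the three-year clock is taken from the principal's last approach, and the commencement-date comparison in the table is left to the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Values taken from the Third Schedule summary above.
RETENTION_YEARS = 3
NOTICE_WINDOW = timedelta(hours=48)
# Purposes the schedule excludes from the clock (these labels are assumptions).
EXEMPT_PURPOSES = {"user_account_access", "virtual_token_access"}


class Action(Enum):
    RETAIN = "retain"    # inside the retention period, or notice window still running
    NOTIFY = "notify"    # send the 48-hour intimation to the data principal
    ERASE = "erase"      # retention period over and 48 hours elapsed since the notice


@dataclass
class Record:
    principal_id: str
    purpose: str
    last_approached: datetime               # last login or contact by the data principal
    notified_at: Optional[datetime] = None  # when the pre-erasure intimation went out


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper for building timestamps in examples and tests."""
    return datetime(year, month, day, hour)


def add_years(d: datetime, years: int) -> datetime:
    """Calendar-year addition; a 29 February start falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def erasure_due(rec: Record) -> datetime:
    """Three years from the principal's last approach."""
    return add_years(rec.last_approached, RETENTION_YEARS)


def record_approach(rec: Record, when: datetime) -> None:
    """Any login or contact restarts the clock and voids a pending intimation."""
    rec.last_approached = when
    rec.notified_at = None


def decide(rec: Record, now: datetime) -> Action:
    if rec.purpose in EXEMPT_PURPOSES:
        return Action.RETAIN                     # schedule does not apply
    due = erasure_due(rec)
    if now < due - NOTICE_WINDOW:
        return Action.RETAIN                     # more than 48 hours left
    if rec.notified_at is None:
        return Action.NOTIFY                     # intimation is owed now
    if now >= due and now >= rec.notified_at + NOTICE_WINDOW:
        return Action.ERASE                      # period over, 48 hours since notice
    return Action.RETAIN                         # notice sent, window still running


def run_cycle(records, now: datetime) -> dict:
    """Constructed batch job: returns {principal_id: action} and stamps notices."""
    outcome = {}
    for rec in records:
        action = decide(rec, now)
        if action is Action.NOTIFY:
            rec.notified_at = now
        outcome[rec.principal_id] = action
    return outcome
```

A login between the notice and the erasure date must call `record_approach`, otherwise the next cycle erases the data as the table prescribes.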


8. Obligations of significant data fiduciary

• Observe due diligence to verify that any algorithmic software for processing personal data is not likely to pose a risk to the rights of data principals.
• Data Protection Impact Assessment and Periodic Audit shall be conducted once every 12 months, and the results should be furnished to the Board by the person carrying out the same.
• Adopt measures to ensure personal data and its related traffic data identified by the Central Government are processed in compliance with specific restrictions and not transferred outside of India.

9. Exemptions

Exemptions are available with conditions from processing personal data of children for:
• Clinical establishments
• Mental health establishments or healthcare professionals
• Allied healthcare professionals
• Educational institutions
• Individuals (fiduciary) to whose care infants and children in a crèche or child day care centre are entrusted
• Fiduciaries engaged by an educational institution, crèche or child care centre for transport of children enrolled with such institution, crèche or centre.

Exemption from research, archiving and statistical purposes if processing is carried on in accordance with these standards:
• Processing is for certain exemptions under the act
• Processing personal data only to the extent necessary for the purposes
• Implementing mechanisms to ensure personal data accuracy
• Retention of personal data to the extent it is necessary
• Implementing reasonable security safeguards for preventing personal data breaches
• Processing is for the state and any of its instrumentalities to provide or issue to the data principal such subsidy, benefit, service, certificate, licence or permit; during such processing, the same is undertaken while providing intimation to the data principal
• Ensuring accountability of the person(s) determining the means and purposes of processing to comply with the above standards.

Exemptions available from processing of the personal data of children for:
• Performance of any function or discharge of any duties in the interests of a child under law
• Providing or issuing of any subsidy, benefit, service, certificate, licence or permit, by whatever name called, under law or policy or using public funds, in the interests of a child
• Creation of a user account for communicating by email
• Ensuring that information likely to cause any detrimental effect on the well-being of a child is not accessible to her
• Data fiduciary to confirm that the data principal is not a child and observance of due diligence of verifiable consent.


KPMG in India has got you covered...

The privacy compliance landscape is undergoing a substantial transformation with the draft Digital Personal Data Protection Rules, 2025. This landmark legislation is set to introduce a comprehensive and rigorous framework for data protection, fundamentally changing how the industry manages consumer information. Companies will be required to overhaul their data management practices to ensure enhanced security and transparency.

Companies must implement advanced data governance measures, including robust data protection strategies, and adhere to principles such as data minimisation and secure processing. They will also need to facilitate data subject rights related to data access, correction etc. By adhering to these, organisations are set to bolster consumer trust and ensure more rigorous stewardship of personal data.

KPMG in India’s privacy portfolio boasts a variety of services that can help businesses manage regulatory obligations and leverage data to create value and increase revenue while meeting the expectations of customers, employees and vendors. With KPMG in India’s extensive privacy and data protection experience, businesses can evolve and develop a tailored, structured and flexible approach – helping unlock economic potential while also helping to ensure data privacy.

KPMG in India’s data privacy offerings

• Privacy regulatory landscape assessment: Determine your regulatory obligations and assess the current privacy risk posture.
• Privacy strategy and operations governance: Design and advise on the implementation of the privacy program, governance accountability model, and building a privacy-first culture.
• Personal data protection: Obtain visibility over personal data and establish controls to secure the personal data lifecycle.
• Privacy by design: Build a privacy-enhancing technology stack and digital approaches to manage regulatory expectations.
• Third-party privacy risk management: Governance over personal data sharing with third parties to manage data privacy risks.
• Privacy training program and e-learning: Create targeted awareness at the enterprise level.
• Privacy managed services: Provide ongoing support to run the privacy and data protection office and assist you in managing your strategic and operational data privacy control environment.
• Platform approach to privacy: Internalise the privacy program by automating privacy operations and establishing governance over personal data use across the enterprise.

KPMG in India can offer a global, multidisciplinary view of risk, helping you address your privacy challenges. KPMG in India is committed to offering precision, quality and objectivity, which can help you embed protection and trust into your activities, not just your technology, to create a security and privacy culture for an organisation.

Acknowledgements
We are extremely grateful to subject matter experts, and KPMG in India team members for extending
their knowledge and insights to develop this document.

Authors
• Amrita
• Ayushi Dasgupta
• Mala Lahoti
• Shubhankar Mathur
• Tanishka Prasad
• Aswinisri Narayanan
• Shubhra Murali

Design and compliance


• Karthika Prabasankar
• Nidhi Agarwal

KPMG in India contacts:

Akhilesh Tuteja, Global Head – Cyber Security, E: [email protected]
Atul Gupta, Partner, HoF - Digital Trust, E: [email protected]
Nitin Shah, Partner, Digital Trust; Head, Cyber and Privacy Strategy and Governance, E: [email protected]
Shikha Kamboj, Partner, Digital Trust; National Lead, Data Privacy and Ethics, E: [email protected]
Kanika Jain, Associate Partner, Digital Trust, Data Privacy and Ethics, E: [email protected]
Vipul Ubale, Associate Partner, Digital Trust, Data Privacy and Ethics, E: [email protected]
Rupak Nagarajan, Director, Digital Trust, Data Privacy and Ethics, E: [email protected]
Nakuleesh Sharma, Director, Digital Trust, Data Privacy and Ethics, E: [email protected]
Amrita, Director, Digital Trust, Data Privacy and Ethics, E: [email protected]

kpmg.com/in

Access our latest insights on KPMG Insights Edge

Follow us on: kpmg.com/in/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

KPMG Assurance and Consulting Services LLP, Lodha Excelus, Apollo Mills Compound, NM Joshi Marg, Mahalaxmi, Mumbai - 400 011
Phone: +91 22 3989 6000, Fax: +91 22 3983 6000.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.
This document is for e-communication only (022_THL1224_KP)
