New Delhi, Nov 14 (PTI) From promptly alerting users and the Data Protection Board about data breaches, to retaining all traffic data and logs for a minimum of one year, and from giving users 48 hours' notice before personal data is erased, to requiring large companies to conduct impact assessments and audits every 12 months, the DPDP Rules set clear and distinct timelines that firms must follow rigorously.
E-commerce entities, online gaming companies, and social media platforms will be required to erase personal data after three years of user inactivity or dormancy, except in two specified cases.
The DPDP rules also require consent managers to maintain records of consents for at least seven years, or longer where necessary.
The freshly minted DPDP rules say that an inquiry by the Data Protection Board must be completed within six months from the date of receipt of the intimation or complaint, unless extended by up to three months at a time, with reasons recorded for each extension.
There are timelines even for the DPDP rule provisions to come into effect. They do so in a staggered manner, giving a transition time of up to 18 months to companies collecting and processing personal data.
The constitution of the Data Protection Board takes effect immediately, and the consent manager framework will become operative after 12 months.
However, the remaining obligations and compliances for companies, such as notices seeking user consent, security safeguards, data principal rights, and breach notification clauses, will come into force after 18 months.
Irrespective of the category, companies will have to retain personal data and associated logs for a minimum period of one year from the date of data processing.
The rules require companies (those collecting or seeking personal data, termed data fiduciaries) to adopt reasonable security safeguards to protect personal data, including appropriate measures such as encryption, obfuscation, masking, or virtual tokens to secure data, and monitoring and logging of access to detect, investigate, and remediate unauthorised access.
In the event of a personal data breach, companies must promptly inform affected individuals, in clear terms, about the details of the breach, its potential consequences, mitigation efforts, recommended safety actions, and contact information for queries.
In addition, such companies must immediately notify the Data Protection Board with initial breach details, and then, within 72 hours, provide an updated comprehensive report detailing the causes, impact, mitigation, any findings about the perpetrators, and the remedial measures taken to prevent recurrence of such incidents.
Companies must notify users at least 48 hours before erasing personal data, alerting them that the data will be deleted unless the user logs in, contacts the firm, or exercises their rights regarding the data.
"Every Data Fiduciary (firm) shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal (individual) under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data," the Digital Personal Data Protection (DPDP) rules said.
Companies must obtain verifiable parental consent before processing a child's personal data, ensuring the parent is an identifiable adult through reliable identity and age details, or authorised digital tokens issued by the government or trusted entities.
The rules say: "A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child..." A Significant Data Fiduciary must annually conduct a Data Protection Impact Assessment and an audit, and report the findings to the Board; it must also ensure that its technical measures do not pose a risk to data principals' rights.
"A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government, on the basis of the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India," the rules say.
Here 'committee' means a panel constituted by the Central Government, which will include officials from the Ministry of Electronics and Information Technology and may include officials from other Ministries or Departments of the Central Government.
The government can require data fiduciaries or intermediaries (digital and social media platforms) to furnish requested information, but may prohibit its disclosure to the concerned individual (data principal) in the interest of the sovereignty and integrity of India or the security of the State.