
In an exclusive interview with CSO Forum, Sajai Singh—a renowned transactional lawyer and current Council Member of IBA’s Legal Practice Division—discussed the unveiling of the intricate draft of Digital Personal Data Protection Rules, 2025, which provides deeper insight into the forthcoming framework under the DPDP Act, 2023. Singh explained how the draft guidelines offer essential clarity for businesses and avoid overly burdensome compliance measures. He also compared the rules with global standards like the GDPR, highlighting strengths and improvement areas. The conversation further explored practical challenges for organizations, such as revamped consent processes and enhanced security measures, urging enterprises to adapt strategically in the evolving digital landscape and foster proactive change.
CISO Forum: Could you provide an overview of the draft guidelines under the DPDP Act and explain its potential impact on businesses and enterprises?
Sajai Singh: The draft Digital Personal Data Protection Rules, 2025 (Draft Rules) seeks to operationalize the Digital Personal Data Protection Act, 2023 (DPDP Act), aligning with India’s commitment to create a robust framework for protecting digital personal data. After the long wait, the Draft Rules provide enough detail to give businesses the clarity they need, but not so much that compliance becomes cumbersome.
The Draft Rules offer valuable and much-awaited clarity on how data fiduciaries can comply with key requirements under the DPDP Act, such as publishing contact information, implementing grievance redressal mechanisms, and defining personal data retention periods for certain fiduciaries. Additionally, they introduce new guidelines to enhance data security, including prescribing a minimum set of safeguards that data fiduciaries should observe.
Businesses and enterprises may want to focus on essential aspects such as (i) introduction of a standalone notice for consent-based processing, which enhances user awareness and control; (ii) potentially cumbersome cross-border transfer restrictions, including a data localization requirement for significant data fiduciaries (SDF); (iii) consumer internet businesses catering to minors may need to change existing consent mechanisms to ensure verifiable parental consent; and (iv) broad requirements for reporting data breaches to the Data Protection Board and affected data subjects within prescribed timelines. Such aspects may necessitate operational changes, increased compliance costs, and strategic adjustments for enterprises.
CISO Forum: How does the DPDP Act compare to global data protection regulations like GDPR? Are there specific areas where the Act may require revisions or improvements?
Sajai Singh: Similar to data protection regulations such as GDPR, the DPDP Act also builds on principles such as fairness, lawful processing, and accountability – which set the foundation for defining rights and obligations for data fiduciaries, processors, and principals. While there are instances of vagueness in the DPDP Act and Draft Rules that may be improved, the larger objective when drafting the Act has been to ensure simplicity, especially for a country such as ours where the public’s awareness of their digital rights is still growing and is in its nascent stages.
However, certain aspects could be revised/improved by the government upon receiving feedback/comments from the public, such as allowing flexibility to businesses to implement reasonable security safeguards based on the processing they undertake rather than prescribing minimum security safeguards that all companies have to adopt or simplifying the reporting requirements to data subjects (for data breach and data retention) to avoid over-reporting.
CISO Forum: What challenges might organizations face when implementing the DPDP Act’s requirements, and what steps can they take to address these challenges effectively?
Sajai Singh: While we wait for the Draft Rules to be finalized and the Data Protection Board to be set up to understand the full extent of these challenges, organizations may face a few challenges when implementing them. These challenges include:
- Businesses must update data processing policies, implement consent mechanisms, and establish governance frameworks, which can be resource-intensive;
- Broad reporting requirements, unclear timelines, and over-reporting risks may increase compliance burdens and regulatory scrutiny;
- Businesses catering to minors must re-engineer age verification and parental consent processes, adding operational challenges; and
- Businesses must redesign user interfaces to ensure transparent and user-friendly consent notices.
To overcome these challenges, businesses could take appropriate mitigatory measures, such as:
- conducting data audits to identify compliance gaps;
- implementing strong data governance by appointing data protection officers (where required);
- upgrading IT systems to implement the required security safeguards; and
- enhancing transparency by simplifying consent flows and ensuring clear communication with data subjects.