The Indian government has published a draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation. Companies operating in India are further required to implement security measures, such as encryption, access control, and data backups, to safeguard personal data, and ensure its confidentiality, integrity, and availability.
Some of the other notable provisions of the DPDP Act that data fiduciaries are expected to comply with are listed below:
- Implement mechanisms for detecting and addressing breaches and maintenance of logs
- In the event of a data breach, provide detailed information about the sequence of events that led to the incident, actions taken to mitigate the threat, and the identity of the individual(s), if known, within 72 hours (or more, if permitted) to the Data Protection Board (DPB)
- Delete personal data no longer needed after a three-year period and notify individuals 48 hours before erasing such information
- Clearly display on their websites/apps the contact details of a designated Data Protection Officer (DPO) who is responsible for addressing any questions regarding users' processing of personal data
- Obtain verifiable consent from parents or legal guardians prior to processing the personal data of children under 18 or persons with disabilities.