
Saturday, December 20, 2025

NEW DIGITAL PERSONAL DATA PROTECTION REGIME

 


 

This note concerns the Digital Personal Data Protection Rules, 2025 (DPDP Rules), published on November 13, 2025, together with the phased commencement of the Digital Personal Data Protection Act, 2023 (DPDP Act).

 

A short write-up on it:

 

1. Scope & Applicability

DPDP Act – What It Covers

(a) Applies to digital personal data: that is, personal data which is collected in digital form, or collected in non-digital form and subsequently digitised.

(b) Also applies extraterritorially: if an entity outside India processes digital personal data in connection with offering goods or services to individuals in India (data principals) or monitoring their behaviour, the Act applies.

(c) Exemptions: the Act does not apply to (i) personal data processed by an individual for purely personal or domestic purposes; (ii) personal data made publicly available by the data principal (or by any other person legally obliged to publish it).

(d) While the Act was passed in 2023, many provisions will be brought into force in phases via notifications.

 

Rules – What They Establish

(a) The DPDP Rules, 2025 (notified 13/14 November 2025) set out the detailed operational compliance framework: procedures, timelines, governance, breach reporting, cross-border flows, etc.

(b) These Rules mark the full operationalisation of the Act (i.e., moving from legislative framework to implementation requirements) for many entities.

 

2. Key Obligations on Organisations (“Data Fiduciaries”)

 

Under the Act and Rules, organizations processing personal data must comply with several obligations. Some of the main ones:

 

Lawful Processing & Consent

(a) Processing of personal data must be for a specified purpose (which must be communicated to the data principal) and cannot be broader than necessary.

(b) Consent must be free, specific, informed, unambiguous, and given by a clear affirmative act.

(c) Data principals have the right to withdraw consent at any time, and withdrawal should be as easy as giving consent.

(d) The notice to the data principal must be in clear language, and in one of the languages in the Eighth Schedule of the Constitution (per the Act).

 

Minimisation, Purpose Limitation, Accuracy & Retention

(a) Only data that is necessary for the specified purpose may be collected.

(b) Data must be processed fairly and transparently.

(c) Organisations must ensure data is accurate and kept up to date, and must not retain it longer than required for the purpose (storage limitation is implied in the Rules).

 

Governance, Security Measures & Accountability

(a) Data fiduciaries must implement reasonable security safeguards (both technical and organisational) to protect against unauthorised access, loss, disclosure, etc.

(b) Entities designated as “Significant Data Fiduciaries” (SDFs) carry stricter obligations: e.g., appointing a Data Protection Officer (DPO), conducting Data Protection Impact Assessments (DPIAs), and undergoing independent audits.

(c) Governance structures (including internal policies, training, and compliance mechanisms) are required to ensure accountability.

 

Breach Notification & Enforcement

  • Under the Rules, entities must notify the competent authority / Data Protection Board and the affected data principals of data breaches within the prescribed timelines.
  • The Act provides for a Data Protection Board of India (DPB) to adjudicate non-compliance, receive complaints, and impose penalties.

 

Cross-Border Data Transfers

  • The Rules set out conditions for the transfer of personal data outside India; these may include adequacy / assurance of similar protection or prescribed safeguards.

 

Special Categories / Children / Consent Managers

  • The Rules also address the processing of children’s data (e.g., verifiable parental consent) in more detail.
  • The concept of a “Consent Manager” (acting on behalf of data principals) is present in the Act, enabling nomination of a person to manage rights on behalf of the principal.

 

3. Rights Of Individuals (Data Principals)

 

Under the Act and Rules, individuals whose data is processed have certain rights:

(a) Right to access information: about what personal data is processed, the purpose, categories, etc.

(b) Right to correct or erase their personal data (subject to certain limits of law).

(c) Right to withdraw consent at any time.

(d) Right to lodge a complaint with the Data Protection Board for non-compliance by the fiduciary.

 

4. Exemptions & Balancing with Public Interest

(a) The Act provides that certain processing by the State (government) or its instrumentalities may be exempt if necessary for tasks such as prevention, detection and investigation of offences, regulatory/judicial functions, national security, public order, etc.

(b) The Rules emphasise the need to balance individual privacy with innovation-friendly digital-economy goals and the national interest.

 

5. Implementation Timeline & Compliance Strategy

(a) The Act was passed in August 2023. The notification of the Rules on 13/14 November 2025 triggers many of the operational obligations.

(b) Now is the time to assess current data-processing practices, gap-analyse consent/notice/security frameworks, map cross-border flows, determine whether the organisation is a “Significant Data Fiduciary”, and begin aligning policies, systems, and contracts.

(c) The expectation is that businesses will move from legacy compliance (IT Act structures) into this regime.

Monday, April 29, 2024

POSH Act & Requirement of filing Annual report

 

POSH Act & Requirement of filing Annual report for 2023 by 31st January, 2024


The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act was passed in 2013 and was amended in 2023 with certain important stipulations. As an employer, it is very important for you to be aware of the provisions, the compliance requirements and the penalties for non-compliance.

 

As gender equality and women’s rights are at the forefront of social and governance attention, any lapse in compliance may have far-reaching implications.

 

Let us see a gist of the POSH Act compliance.

 

The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act was passed in 2013, laying down the procedures for a complaint and inquiry, and the action to be taken.

 

1. The POSH Act is applicable to every company, workspace, establishment or organisation employing 10 or more employees, whether full time, part time, interns or on contract, irrespective of the nature of its industry or its location.

It applies to all entities, including proprietorships, firms, companies and any other entity.

 

2. Internal Committee: An Internal Complaints Committee must mandatorily be set up in each establishment, with 1 Presiding Officer, 2 employee members and 1 external member in the case of bigger entities.

The Presiding Officer shall be a woman employed at a senior level at the workplace, chosen from amongst the employees, and at least one-half of the total members shall be women.

 

3. Formulation of an internal POSH Policy.

 

The entity should formulate a POSH Policy and circulate it amongst its employees.

 

4. Workshops, awareness and orientation programmes have to be organised by the employer for the employees.

 

5. Submitting reports under the Act: The Internal Complaints Committee or the Local Committee, in every calendar year, shall prepare and submit an annual report to the employer and the District Officer.

 

There is a specific format for this Annual Report.

 

The due date to file the report with the District Officer is 31st of January for every year for the preceding calendar year.

 

6. Penalties: Where the employer fails to constitute an Internal Committee or breaches provisions of this Act or any rules made thereunder, they shall be punishable with a fine of fifty thousand rupees.

Extended penalties shall be:

· Cancellation or withdrawal of the employer's licence.

· Non-renewal or cancellation of the registration.

· The employer shall be punishable with a fine which may extend to Rs. 50,000/- for the first offence.

 

7. Disclosure regarding POSH Act compliance must be reported every year in the Board's report of the Company.

Saturday, January 20, 2024

Very important amendment in Income Tax relating to MSME


You buy goods or services from an MSME:

You have to pay the amount _within 45 days from the date of acceptance of the goods or services_ (or within such shorter time as agreed between the parties).

But if you fail to pay the amount due to an MSME within 45 days, what is the consequence?

1. You have to pay interest @ 20.25% from the 45th day till the date of payment.

(This interest is not deductible as an expense under the Income Tax Act.)

2. But most importantly, there is an amendment in the Income Tax Act from FY 2023-24 which says “YOU CANNOT CLAIM THAT PURCHASE OF GOODS OR SERVICES AS AN EXPENSE”. But you can claim the expense in the year in which you have paid the MSME.

For example, if you buy Rs. 10 lakhs worth of goods from an MSME, the payment is overdue for more than 45 days, and it is still outstanding as on 31st March, then you will have to pay about Rs. 3.40 lakhs as additional Income Tax, plus interest.

You have to identify which of your creditors are MSMEs and ensure that their dues are settled in time.

So please take care to pay all your MSME creditors within 45 days, and clear all dues to MSMEs outstanding for more than 45 days before March 31st.

To MSME suppliers: do not forget to mention your MSME registration number in your quotes, contracts, invoices and other communications with your customers.