DPDP Rules call for stringent data protection, consent management

The Ministry of Electronics and Information Technology has released the draft Digital Personal Data Protection Rules 2025 (Rules) for public consultation and stakeholder feedback. These Rules aim to support the implementation of the Digital Personal Data Protection Act 2023 (DPDPA) which received presidential assent on August 11, 2023. The window for feedback closes on February 18, 2025.

Commenting on on how the Indian Digital Personal Data Protection Act (DPDP Act), are set to impact the biopharma/life sciences and healthcare sectors, Tisha Bhambry, Director Analyst at Gartner says, “These sectors, which rely heavily on data for clinical trials, drug discovery, genetic research, and patient care, must navigate stringent data protection and consent management requirements. The Act mandates that personal data be used strictly for the purposes for which it was collected unless explicit consent is obtained for additional uses. This requires clear communication with data principals about personal data usage and consent processes.”

She points out that, “Special attention is required when handling data related to children and minors, ensuring that verifiable consent is obtained from guardians and that consent management is robust and well-documented. While the Act provides certain exemptions for research, these activities must adhere to specific standards to ensure lawful and secure data processing with purpose limitation. This exemption facilitates research while maintaining essential data protection principles.”

Continuing her analysis, Bhambry says the DPDP Act also introduces complexities around cross-border data transfers, which could affect international collaborations if certain countries are restricted for data transfer by the government. Organisations must assess and adapt their data management strategies to comply with these requirements, ensuring that data flows align with both domestic and international regulations.

Despite these challenges, Bhambry believes the Act presents opportunities for innovation in data management and can enhance trust with stakeholders by prioritising privacy and security. Looking ahead, she suggests that as these sectors increasingly adopt AI and cloud-based platforms, aligning data practices with the Act’s requirements will be crucial for leveraging these technologies effectively and maintaining compliance with evolving regulatory standards. “Establishing a comprehensive privacy programme that integrates governance, risk management, and compliance across all data processing activities is important. By doing so, organisations can not only meet regulatory demands but also position themselves as leaders in data protection and privacy, ultimately fostering greater trust and engagement with patients, research participants, and other stakeholders,” she concludes.