SDG 9: Industry, Innovation and Infrastructure | SDG 16: Peace, Justice and Strong Institutions
Institutions: NASSCOM | Data Security Council of India (DSCI) | Ministry of Electronics and Information Technology

Following the notification of the Digital Personal Data Protection Rules, 2025 (DPDP Rules) under the Digital Personal Data Protection Act, 2023, NASSCOM and DSCI issued a joint statement welcoming the framework, while emphasising the need for practical, proportionate and innovation-friendly implementation. The industry bodies acknowledge that the final Rules preserve most structural policy choices from the draft and introduce a phased commencement schedule to provide transition time.

They highlight several priorities and concerns:

• The need for verifiable consent mechanisms, clearer definitions of children’s data and persons with disabilities, and improved readability in the Rules.

• The importance of cross-border data-flow rules and data-transfer interoperability to support India’s IT-ITES, global capability centres and start-ups operating globally.

• Recognition that certain issues stem from the Architecture of the Act (e.g., age threshold for children, full breach-notification requirements) and cannot be addressed by subordinate legislation alone.

• A clear signal that industry will shift focus from “consent + rules” to operationalising compliance: building privacy programmes, infrastructure, controls and audits.

The statement by NASSCOM and DSCI is important because it reflects how the industry interprets and adapts to one of India’s most critical regulatory frameworks shaping the digital economy. The call for balance ensures that while citizens’ rights (to consent, erasure, correction, breach notification) are strengthened, the regulatory regime remains compatible with growth, innovation and competitive global positioning. For policy students, this bridges normative law (DPDP Act + Rules) and system-level implementation challenges (compliance architecture, start-up impact, cross-border flows).

What are DPDP Rules? → The DPDP Rules, 2025 operationalise the Digital Personal Data Protection Act by specifying rights, obligations, duties and timelines for data-fiduciaries (entities that process personal data) and data-principals (individuals) in India, including provisions on consent, purpose limitation, breach reporting, children’s data, significant fiduciaries and transfers.

Relevant Question for Policy Stakeholders: How can the MEITY, DPBI and industry co-design an implementation roadmap that ensures key user-rights become operational (consent, breach notification, children’s data safeguards) while supporting innovation in data-intensive sectors?

Follow full note here: Industry Statement – NASSCOM-DSCI on DPDP Rules