Comparison between DPDP Act, 2023, and DPDP Draft Rules, 2025 for Healthcare Sector
The Digital Personal Data Protection (DPDP) Act, 2023, provides the foundational legal framework for data privacy in India, whereas the DPDP Draft Rules, 2025, outline the specific procedures and implementation guidelines for operationalizing the Act. Below is a detailed comparison of the two, using healthcare as a primary example to illustrate the differences:

1. Scope and Focus

  • DPDP Act, 2023: The Act defines the overarching principles of personal data protection, focusing on transparency, accountability, and individual rights. It applies broadly across all sectors, including healthcare, finance, and education.

Example: A hospital must process patient data transparently and ensure accountability for its use.

  • DPDP Rules, 2025: The Rules provide detailed procedures for implementing the Act. They specify the exact mechanisms for obtaining consent, managing data breaches, ensuring cross-border data transfers, and setting up grievance redressal systems.

Example: A pathology lab must now establish a step-by-step consent management system, as outlined in the Rules.

2. Consent Management

  • DPDP Act, 2023: Emphasizes that consent must be free, informed, specific, and easily revocable. It lays down the principle that organizations must process data only with explicit consent unless exceptions apply.

Example: A digital health platform must inform users about how their tele-consultation data will be used and seek explicit consent before processing it.

  • DPDP Rules, 2025: Introduces granular procedures for consent collection and revocation. The Rules also specify formats for consent notices, mechanisms for Data Principals to withdraw consent, and timelines for action.

Example: A health insurer must provide a standardized digital interface where users can revoke consent for sharing their medical histories with third-party underwriters.

3. Data Localization and Cross-Border Data Transfer

  • DPDP Act, 2023: States that data can be transferred outside India only to government-notified countries and territories. However, it does not detail the process for such transfers.

Example: A pharmaceutical company conducting clinical trials must store data in India unless the government allows transfer to an approved country.

  • DPDP Rules, 2025: Provides clear guidelines for cross-border data transfer, including the conditions and safeguards organizations must adhere to. It also requires documentation of transfer purposes and approval records.

Example: A hospital sharing anonymized patient data with a global research partner must document the data transfer's compliance with the Rules and ensure the receiving country offers comparable protections.

4. Data Breach Management

  • DPDP Act, 2023: Requires organizations to report data breaches to the Data Protection Board of India (DPBI) and affected individuals. However, it does not specify timelines or reporting formats.

Example: If a health insurance company experiences a ransomware attack, it must inform the DPBI but lacks clarity on immediate steps.

  • DPDP Rules, 2025: Establishes detailed breach management protocols, including a 72-hour reporting window, templates for breach notifications, and guidelines for informing affected individuals.

Example: A diagnostic lab experiencing unauthorized access to patient records must use the specified format to notify both the DPBI and impacted patients within the stipulated time.

5. Children's Data

  • DPDP Act, 2023: Prohibits processing of children's data without parental consent and bans practices that harm children or exploit their data.

Example: A pediatric hospital must obtain verifiable parental consent before processing a child's health records.

  • DPDP Rules, 2025: Healthcare service providers are exempted from complying with sections 9(1) and 9(3) of the Act (prohibiting tracking, behavioural monitoring or targeted advertising directed at children).

Example: A healthcare app offering child nutrition tracking need not use robust parental verification methods, such as government IDs, in order to comply with the Rules.

6. Significant Data Fiduciaries (SDFs)

  • DPDP Act, 2023: Introduces the concept of SDFs, requiring them to adhere to stricter compliance measures, such as periodic audits and Data Protection Officer (DPO) appointments.

Example: A large hospital chain handling millions of patient records is likely to be classified as an SDF.

  • DPDP Rules, 2025: Defines the criteria for SDF classification, including thresholds for data volume, processing risks, and geographic reach. It also specifies audit requirements and DPO qualifications.

Example: A digital health platform with operations across India and significant data processing volumes may need to conduct annual compliance audits and data protection impact assessments, and to ensure that any algorithmic software it uses does not impair the rights of Data Principals, as per the Rules.

7. Grievance Redressal Mechanisms

  • DPDP Act, 2023: Mandates organizations to establish systems for addressing Data Principal grievances but does not provide specific guidelines.

Example: A patient dissatisfied with how their data is handled by a hospital can lodge a complaint under the Act.

  • DPDP Rules, 2025: Outlines the structure for grievance mechanisms, timelines for redressal, and escalation procedures to the DPBI.

Example: A health insurer must resolve a data-related complaint within 30 days or provide escalation details to the DPBI.

8. Consequences of Non-Compliance

  • DPDP Act, 2023: Specifies penalties for non-compliance, ranging up to ₹250 crore for severe violations. However, it leaves procedural enforcement details to the Rules.

Example: A pathology lab failing to secure patient data may face penalties under the Act.

  • DPDP Rules, 2025: Elaborates on penalty calculation, mitigation factors, and the role of the DPBI in enforcement.

Example: A pharmaceutical company found negligent in handling trial data may face reduced penalties if it demonstrates proactive remedial actions as per the Rules.

How can Fourteenth Degree Azimuth (India) Advisory help?

Fourteenth Degree Azimuth (India) Advisory specializes in helping healthcare organizations achieve compliance with the Digital Personal Data Protection (DPDP) Act, 2023, through a structured and comprehensive approach. Here’s a snapshot of our 10 key services:

  1. Initial Assessment & Gap Analysis: Evaluate current data protection practices to identify gaps and provide a roadmap for compliance.

  2. Data Mapping & Inventory: Map personal data processing activities to ensure visibility and accountability across the organization.

  3. Data Protection Impact Assessment (DPIA): Assess risks in high-risk data processing activities and recommend mitigation strategies.

  4. Policy & Procedure Development: Create tailored policies and procedures for consistent compliance in data handling and retention.

  5. Security Measures Implementation: Deploy technical safeguards like encryption, firewalls, and access controls to protect sensitive data.

  6. Data Subject Rights Management: Establish mechanisms to handle requests for data access, correction, deletion, and portability.

  7. Training & Awareness Programs: Conduct employee training sessions on DPDP Act principles to minimize human errors and foster compliance.

  8. Data Breach Response Plan: Develop an incident response plan to detect, report, and mitigate the impact of data breaches.

  9. Regular Audits & Compliance Reviews: Perform periodic audits to ensure ongoing compliance and address evolving risks.

  10. Appointment of a Data Protection Officer (DPO): Assist in appointing or designating a qualified DPO to oversee compliance efforts.

With our expertise, healthcare organizations can protect personal data, meet regulatory requirements, and turn compliance into a competitive advantage.
