Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2025.
Research Team (Tsaaro)
Digital Personal Data Protection Act, 2023 and Rules 2025 and the Modern SOC: From Detection to Documentation

Understanding Personal Data Processing Under DPDPA and Why Security Operations Centers (SOC) & Platforms Must Care
Under the DPDP Act 2023, ‘personal data’ refers to any information about an identifiable individual, whether directly or indirectly referring to them. This broad definition covers details such as name, age, address, occupation, or email, and any other information that can identify a person. Under the IT/SPDI Rules 2011, certain categories of information are classified as ‘sensitive personal data’ and these demand extra protection. SPDI specifically includes passwords, financial information like bank or card details, biometric data, medical history and health conditions, sexual orientation, and any information relating to these categories that is provided for a service.
SOCs are centralized technical and organizational units within a data fiduciary or data processor that are responsible for continuous monitoring, detection, logging, analysis and response to security incidents affecting personal data. SOCs, digital platforms and sectoral industries are now directly accountable under the DPDPA and the 2025 Rules because their routine telemetry, logs and operational datasets inherently contain personal data, including identifiers and sensitive information. Platforms also collect large volumes of demographic, behavioural and transactional information, bringing all such processing squarely within the Act’s consent and purpose-limitation framework (Rules 3 and 6, and the Consent Manager obligations in Part B of the First Schedule). Any use of such data must now be preceded by verifiable consent, demonstrable necessity and satisfied retention-limitation requirements, with Consent Managers providing traceability, withdrawal and enforceable user rights. This moves organisations away from thinking only about security and toward a model in which security steps, logs and monitoring must also satisfy privacy rules, rest on valid legal grounds for processing, and meet clear accountability requirements.
Legal & Regulatory
a. DPDP Rules / DPDP Act
Mandatory lawful basis:
Under the DPDP Act and Rules, consent is the default lawful basis for processing personal data. Consent must be “free, specific, informed, unconditional and unambiguous,” given by a clear affirmative action. The consent notice must be standalone, transparent, articulate exactly what categories of data are collected and for what specified purposes, and must inform the data principal how to withdraw consent easily. Pre-ticked boxes or bundled consents are not valid.
Duties of Data Fiduciaries:
The Act further imposes some duties on Data Fiduciaries, including purpose limitation (processing only for the purpose stated in the notice), data minimisation (collecting only data necessary for that purpose), accuracy (ensuring data is correct and updated), and storage limitation (retaining data only for as long as necessary to fulfil the purpose or comply with law), as reflected in Sections 4, 5, and 8 of the statute. Once the purpose is fulfilled or consent withdrawn, data must be erased or anonymised. However, retention is still lawful where required by another statute, regulatory mandate, court order, government direction, or law-enforcement request. Data may also be retained for establishing or defending legal claims, fulfilling tax and audit obligations, maintaining security and fraud-prevention logs, completing grievance redressal processes, or meeting sector-specific minimum retention periods (such as telecom, financial, or significant-data-fiduciary requirements). In all such cases, data can be kept only for the legally necessary duration.
Role & accountability of Consent Managers:
A Consent Manager operates a neutral platform that allows individuals to give, manage, review and withdraw consent for processing of their personal data, including routing consents through other data fiduciaries when needed, while ensuring it cannot read the underlying data. It must maintain detailed records of all consents, notices and data-sharing actions for at least seven years (this applies to every Consent Manager uniformly, regardless of whether they serve private-sector data fiduciaries, government entities or both), provide individuals access to these records in machine-readable form, run its services through a website or app, and cannot subcontract any of its statutory functions. The Consent Manager must take security safeguards, act in a fiduciary capacity toward users, avoid conflicts of interest with data fiduciaries (including ensuring that promoters, directors and key managerial personnel have no conflicting interests), and publicly disclose information about its ownership and management.
b. IT Act, 2000
Section 43A of the Information Technology Act, 2000 imposes liability on a body corporate that, while possessing, dealing with, or handling sensitive personal data or information in a computer resource, fails to implement and maintain reasonable security practices and procedures. If such negligence results in wrongful loss or wrongful gain, the affected person is entitled to claim compensation from the body corporate. The provision is civil in nature and is directly tied to the obligation to protect Sensitive Personal Data or Information as defined under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Section 72A makes it a criminal offence for any person, including an intermediary or service provider, to disclose personal information to a third party without the consent of the person concerned, in breach of a lawful contract, and with the intent to cause, or with knowledge that such disclosure is likely to cause, wrongful loss or wrongful gain. The section prescribes penal consequences in the form of imprisonment of up to three years, or a fine up to five lakh rupees, or both. This provision focuses on the unauthorised, intentional misuse of personal information and operates independently of civil compensation under Section 43A.
c. SPDI Rules (IT Rules, 2011)
Under the SPDI Rules (IT Rules, 2011), entities handling sensitive personal data were already required to implement “reasonable security practices”, mapped to ISO-aligned controls, documented policies and periodic audits. The framework also imposed mandatory publication of a privacy policy, clear disclosure of data-collection purposes and third-party sharing, and opt-out mechanisms for withdrawal of consent. While narrower in scope and centred on security plus transparency, these rules created the baseline compliance layer that organisations must now elevate under the DPDPA by shifting from voluntary notices and opt-outs to verifiable consent, purpose limitation and full lifecycle accountability.
d. TRAI & Telecom Regulations
TRAI and DoT regulations have laid out the obligations for telecom operators and all entities using telecom networks for messaging. DoT licence conditions require mandatory retention of Call Detail Records for two years, IP detail records for one year, and subscriber usage logs for two years, alongside preservation of KYC documents and customer application forms for ten years after deactivation. Subscriber verification through approved KYC modes is compulsory before SIM activation, with periodic re-verification where directed by the Department of Telecommunications. Under TRAI’s TCCCPR 2018 anti-spam regime, all senders, telemarketers and principal entities must register on the DLT system, use pre-approved headers and message templates, and maintain timestamped consent artefacts for every promotional communication. Promotional SMS may only be sent if consent exists on the DLT, while DND preferences must be strictly honoured. OTPs and service messages must use authorised transactional templates and cannot contain promotional content, with mandatory scrubbing against DND and consent records. These legal requirements collectively impose rigorous retention, identity verification, consent governance and traceability duties on telecom operators and messaging platforms.
Duties of the Consent Manager
The Digital Personal Data Protection Act, 2023 recognises Consent Managers as registered intermediaries that allow individuals to give, manage, review, and withdraw consent through a single, standardised interface. The Act and the 2025 Rules require Consent Managers to operate transparently, maintain verifiable electronic consent records, and offer interoperable dashboards for users to track and modify permissions.
Because all consent signals pass through these entities, platforms and Data Fiduciaries must respond programmatically to every grant or withdrawal communicated by a Consent Manager. The 2025 Rules mandate machine-readable consent artefacts and structured notices, making it necessary for platforms to redesign APIs and processing workflows so that data use always reflects the updated consent state.
For Security Operations Centres, consent affects how personal data within logs and telemetry can be processed. SOCs must incorporate consent-state checks, ensure that monitoring aligns with the Act’s purpose-limitation and minimisation duties, and verify that continued retention or access is justified under consent or another lawful basis allowed by the Act.
Consent Managers also act as the official audit trail for regulators. Their timestamped consent logs serve as primary evidence during inquiries by the Data Protection Board. In case of disputes or breaches, these records determine whether the Data Fiduciary had valid consent at the relevant time, directly influencing liability and penalties.
The transparency obligations in the Act are implemented through Consent Manager dashboards and logs. These interfaces allow individuals to view active consents, track withdrawals, and review permissions across services, strengthening user control and ensuring that data processing remains aligned with statutory requirements.
Penalty Provisions
Under the Digital Personal Data Protection Act, 2023, over-collection, invisible profiling, and any processing beyond the stated purpose expose organisations to penalties listed in the Act’s Schedule. Collecting more data than necessary or using it for undisclosed profiling violates the Act’s purpose-limitation and consent requirements and can lead to fines of up to INR 200 crore under Schedule Item 5 for breaches of Data Fiduciary obligations. Unauthorised processing, including ignoring consent withdrawals or continuing processing without a lawful basis, can lead to a higher penalty of up to INR 250 crore where the Board treats the violation as a serious or repeated breach. User complaints play a direct role in this. Repeated complaints about misuse, unclear notices, or profiling without consent may be treated by the Board as evidence of systemic non-compliance. In telecom-regulated activities, TRAI’s TCCCPR Regulations, 2018 and DoT directives add operational sanctions. Entities that send OTPs, service messages, or commercial communications without registered consent can be blacklisted by telecom access providers, resulting in suspension of messaging routes in addition to DPDPA penalties.
Compliance Best Practices for Consent Managers, Platforms, and SOCs
The DPDPA requires Data Fiduciaries to prove lawful processing under Sections 5, 6, and 8, which makes documented consent and audit trails essential. Platforms must maintain consent receipts that show purpose, scope, and updates in the standard electronic format prescribed in the DPDP Rules 2025. Audit logs of all personal-data operations help demonstrate compliance with Section 8(3) during Board inquiries. Data Processors must be contractually bound to DPDPA duties under Section 8(2) and must also follow security and SPDI-handling obligations under the SPDI Rules 2011 and IT Act Section 43A. For SPDI-heavy or high-risk activities, Privacy Impact Assessments support the Act’s necessity, minimisation, and reasonable-security requirements in Sections 5, 7, and 8. Significant Data Fiduciaries under Section 10 must additionally appoint a DPO, conduct regular audits, and adopt formal governance structures.
Consent Manager-Centric Compliance Checklist
Before Collection: Ensure the purpose is necessary under Section 7(1) and prepare the mandatory notice format required by the 2025 Rules for routing through the Consent Manager.
At Collection: Obtain valid, specific, and informed electronic consent as required by Section 6(1), and ensure the Consent Manager logs the consent artefact.
During Processing: Process data strictly within the notified purpose under Section 5(2) and honour withdrawal signals via Section 6(5). Enforce minimisation and processor controls under Section 8(1)-(2).
On Revocation: Stop processing and delete data unless another lawful basis in Section 7 applies. Notify processors to halt any linked processing.
Before Sharing/Transfer: Confirm consent covers third-party sharing or that an alternative ground under Section 7 applies. For cross-border transfers, comply with Section 16 and any restricted-country notifications.
During Incidents/Breaches: Comply with Section 9 and the breach-notification procedures in the 2025 Rules. Preserve logs and rely on Consent Manager records during Board inquiries under Section 28.
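The consent-state check that the checklist asks SOCs and platforms to run, written here as an added Python example (it is not Tsaaro's code or any Consent Manager's API): it takes grant and withdrawal signals as relayed by a Consent Manager, lets the latest signal per principal and purpose decide, and falls back to a non-consent retention basis only for its legally necessary duration before the record must be erased or anonymised. The event and mandate shapes, the `dp-001` identifier, the purpose names and the 180-day period are assumptions, and the retention rule is a placeholder rather than a real statute.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ConsentEvent:
    """One consent signal as relayed by a Consent Manager (assumed shape)."""
    principal_id: str
    purpose: str
    action: str        # "grant" or "withdraw"
    at: datetime

@dataclass(frozen=True)
class RetentionMandate:
    """A non-consent lawful basis permitting retention for a fixed period (assumed shape)."""
    purpose: str
    basis: str         # the statute, order or sector rule requiring retention
    duration: timedelta

def consent_state(events, principal_id, purpose, at):
    """True if the latest Consent Manager event for this principal and purpose, as of `at`, is a grant.
    Events may arrive out of order, so the newest timestamp decides, not list position."""
    relevant = [e for e in events
                if e.principal_id == principal_id and e.purpose == purpose and e.at <= at]
    return bool(relevant) and max(relevant, key=lambda e: e.at).action == "grant"

def processing_decision(events, mandates, principal_id, purpose, collected_at, now):
    """Return (allowed, basis) for one personal-data record held in SOC telemetry.
    Live consent first; otherwise a retention mandate for this purpose, and only until
    collected_at + duration; otherwise the record must be erased or anonymised."""
    if consent_state(events, principal_id, purpose, now):
        return True, "consent"
    for m in mandates:
        if m.purpose == purpose and now < collected_at + m.duration:
            return True, f"legal_retention:{m.basis}"
    return False, "erase_or_anonymise"

# Constructed sample data, not real consent records or a real retention rule.
EVENTS = [
    ConsentEvent("dp-001", "fraud_prevention_logging", "grant", datetime(2025, 1, 1)),
    ConsentEvent("dp-001", "marketing_analytics", "grant", datetime(2025, 1, 1)),
    ConsentEvent("dp-001", "fraud_prevention_logging", "withdraw", datetime(2025, 3, 1)),
    ConsentEvent("dp-001", "marketing_analytics", "withdraw", datetime(2025, 3, 1)),
]
MANDATES = [RetentionMandate("fraud_prevention_logging", "PLACEHOLDER_RETENTION_RULE", timedelta(days=180))]

if __name__ == "__main__":
    collected = datetime(2025, 2, 1)
    for purpose in ("fraud_prevention_logging", "marketing_analytics"):
        for now in (datetime(2025, 2, 1), datetime(2025, 4, 1), datetime(2025, 9, 1)):
            print(purpose, now.date(), processing_decision(EVENTS, MANDATES, "dp-001", purpose, collected, now))
```

After the withdrawal, the fraud-prevention record survives only on the retention mandate and only until the 180 days from collection have run, while the marketing record, which has no such mandate, is flagged for erasure immediately.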
Conclusion
Consent Managers have become central to India’s privacy system because consent is no longer a simple on-screen option. Under the DPDPA and its Rules, consent must be tracked, stored, and updated in a clear and verifiable way. This makes it a live control system that governs when data can be used. Platforms must adjust their systems whenever consent is given or withdrawn. SOCs must check consent status during monitoring and while handling incidents. Organisations across industries must work with Consent Managers so they can show, at any time, that their data use is lawful and properly authorised. This creates a framework where privacy and security work together. Consent provides the legal basis for processing, security safeguards protect the data, and Consent Managers supply the proof that every step followed the law.
