The Indian government is considering shortening the 18-month transition period for large companies under the new Digital Personal Data Protection (DPDP) rules, citing their existing compliance with global standards like GDPR.
Key Takeaways
- Large firms may face faster DPDP rule implementation than the standard 18-month timeline
- Government argues companies already comply with similar international standards
- Industry discussions ongoing to “compress” compliance timelines
- Staggered implementation already planned with specific deadlines
Government Pushes for Faster Compliance
IT Minister Ashwini Vaishnaw confirmed ongoing discussions with industry stakeholders about accelerating the DPDP implementation for major corporations. “We have been discussing with industry… this gives a reasonable timeframe,” Vaishnaw stated, while emphasizing the government’s push for quicker adoption.
The minister directly challenged large companies: “You already have a compliance framework which is existing in other geographies… why can’t you replicate [it]?” He noted the industry response has been “quite positive” in these negotiations.
Phased Implementation Timeline
The DPDP rules operationalize the primary legislation through a staggered approach:
- Immediate Effect: Data Protection Board rules come into force
- 12 Months: Consent manager framework becomes active
- 18 Months: Full compliance obligations apply, including security safeguards and breach notifications
Broader Digital Protection Framework
Vaishnaw emphasized that India is building a comprehensive legal framework for the digital era, crucial for protecting society from emerging threats like disinformation and deepfakes.
“The way digital technologies and new opportunities are coming up, protecting the interest of citizens and the coming generations is of utmost importance,” the minister concluded, highlighting the long-term vision behind the data protection rules.



