Government Eyes Tighter DPDP Act Timelines to Improve Data Security in India
India may shorten DPDP Act compliance timelines for big tech and banks, pushing faster cybersecurity, data protection, cross-border data transfer rules, and stricter obligations for significant data fiduciaries.
The Indian government intends to speed up the implementation of key regulations under the Digital Personal Data Protection (DPDP) Act, a move that could have a substantial impact on major tech companies and financial institutions. According to sources, the Ministry of Electronics and Information Technology (MeitY) has proposed shortening the compliance period for certain regulations from 18 months to 12 months for organizations categorized as Significant Data Fiduciaries (SDFs).
The proposal was considered in a recent stakeholder meeting. SDF companies include global technology giants such as Meta, Google, Amazon, and Microsoft, as well as major banks, insurance companies, and financial service providers. These businesses handle massive amounts of sensitive personal data, putting them under increased regulatory scrutiny.
Industry participants are expected to push back against the shortened deadline. Many corporations had already expressed reservations about the original 18-month deadline, claiming that India's complicated data systems make compliance challenging. Cutting the deadline further may put more pressure on organizations to improve systems, processes, and internal controls much faster.
Under the Digital Personal Data Protection Act, the government can classify any organization as an SDF based on factors such as the amount of personal data processed, risks to user rights, national security concerns, and potential impact on public order or elections. The government has also urged that some powers under the Act take effect immediately. These include the government's ability to request information directly from data fiduciaries and internet intermediaries.
Another major change relates to cross-border data transfer rules. Previously, restrictions were to be decided at a later date by a government committee, but MeitY may now push for immediate implementation. In addition, companies will be required to store personal data, traffic data, or processing logs for at least one year. This rule, earlier planned for an 18-month rollout, may now become effective within 90 days of the updated rules being notified.
The DPDP Rules, notified in November last year, marked India’s first full digital privacy law after years of discussion. Union IT Minister Ashwini Vaishnaw has previously said that companies already follow similar privacy rules in other countries and should be able to adapt faster in India.
Overall, the proposed changes show the government’s strong focus on data protection, cybersecurity, and faster compliance, signaling stricter oversight of how personal data is handled in India’s growing digital economy.
Information referenced in this article is from Communication Today