India’s IT Ministry set to notify rules for Digital Personal Data Protection (DPDP) Act

The Indian government is preparing to announce the long-awaited administrative rules that will guide the implementation of the Digital Personal Data Protection (DPDP) Act, which was passed in August 2023.

According to a report from the Economic Times, these rules are likely to be released soon, possibly before the Maharashtra assembly elections scheduled for 20 November. A senior government official suggested that only final approval from the Ministry of Home Affairs is pending, but the process is expected to wrap up well before the polls.

A framework for handling data
The DPDP Act is designed to regulate how personal data is stored, processed, and transferred, setting clear guidelines for both users and organisations. It introduces a consent-based framework, ensuring that personal information is only used with explicit permission and in accordance with principles such as data minimisation. Additionally, the law requires strict parental consent when handling data related to children under 18, a clause that has raised concerns among social media platforms.

More from Tech

How ChatGPT is becoming everyone’s BFF and why that’s dangerous America ready for self-driving cars, but it has a legal problem

In discussions with industry representatives earlier this month, the Ministry of Electronics and Information Technology (MeitY) assured stakeholders that the rollout of the new rules would not cause major disruptions to business operations. Officials emphasised that companies will be given sufficient time to adapt to the new framework. The ministry also promised to assist startups and other stakeholders by offering guidance and support throughout the implementation process.

Learning from global experiences
The Indian government’s approach to the DPDP rollout mirrors lessons from international data protection frameworks like the European Union’s General Data Protection Regulation (GDPR). The GDPR, which was approved in 2016, gave EU member states two years to comply, with enforcement beginning in 2018. Similarly, MeitY intends to give businesses a reasonable timeline to align with the new rules while ensuring smooth implementation.

Impact Shorts

More Shorts

America ready for self-driving cars, but it has a legal problem

Alibaba, Baidu begin using own AI chips as China shifts away from US tech amid Nvidia row

Companies and consulting firms that participated in drafting the DPDP rules are expected to play a key role in helping businesses understand and comply with the new requirements. These experts will assist industries in navigating the complexities of data protection and ensuring compliance with the law.

Preparing for continuous compliance
Legal experts stress that compliance with the DPDP Act is not a one-time task but requires ongoing efforts. Organisations, in such a scenario will have to start preparations by conducting data mapping, reviewing agreements with data processors, and implementing privacy policies. Businesses will also need to put up security measures in place, train employees, and assess existing data processing practices to ensure they align with the principles of fairness, transparency, and purpose limitation.

Many companies have already started the process of data discovery and consent management in anticipation of the law’s implementation. However, experts warn that companies delaying compliance efforts may face significant challenges once the rules are notified. With the final guidelines expected shortly, businesses that have yet to act could find themselves scrambling to meet regulatory requirements.

As the notification of the new rules draws near, industry players are gearing up for a new era in data management, ensuring that their operations comply with India’s evolving regulatory landscape.