New Delhi has officially implemented India's landmark data privacy legislation, the Digital Personal Data Protection (DPDP) Act, 2023, more than two years after it was first passed in Parliament. The Ministry of Electronics and IT (Meity) notified the rules and established a four-member data protection board on Friday, marking a significant milestone in India's digital governance framework.
Implementation Timeline and Key Deadlines
The government has provided companies with a generous compliance window of 12 to 18 months to implement the new data protection requirements. Businesses have until 14 November 2026 to appoint consent managers who will serve as the nodal authority accountable for obtaining user consent on social media platforms and other digital services.
For other critical provisions, organizations have 18 months to establish mechanisms that require explicit user permission before utilizing personal data for business purposes, including targeted advertising campaigns. This extended timeline acknowledges the operational challenges companies face in restructuring their data handling processes.
Data Breach Protocols and Child Protection
The new regulations introduce strict data breach reporting requirements. Companies must notify the newly established data protection board within 72 hours of discovering any data breach and inform affected users without delay. This rapid response mechanism aims to enhance transparency and accountability in data security incidents.
Special provisions have been made for protecting minors' data. Companies must obtain verifiable parental consent before processing personal data belonging to users under 18 years old. However, the rules include exemptions for using real-time location data of children when necessary for their safety, addressing concerns raised by industry stakeholders during the draft consultation phase.
Cross-Border Data Transfer and Industry Response
The DPDP Act adopts a blacklisting approach for international data transfers, permitting data storage in foreign countries by default unless specific nations are officially blacklisted by the Central government. This contrasts with the previously considered whitelisting approach that would have required explicit approval for each country.
Industry experts have largely welcomed the implementation framework. Aparajita Bharti, founding partner at policy consultancy firm The Quantum Hub, noted that the DPDP rules offer much-needed clarity to companies regarding implementation timelines. She emphasized that the blacklisting approach for cross-border data transfers will be operationally easier to implement compared to the alternative whitelisting method.
The newly constituted data protection board becomes operational immediately, with the chairperson receiving a monthly remuneration of ₹4.5 lakh and the three other members earning ₹4 lakh per month as per the official gazette notification. This establishes India's formal regulatory infrastructure for data protection enforcement.
