DPDP Act Compliance Timeline For Major Data Fiduciaries May Be Cut From 18 To 12 Months

New Delhi, Jan 24 (KNN) The Ministry of Electronics and Information Technology (MeitY) is reportedly considering reducing the compliance timeline for key obligations under the Digital Personal Data Protection (DPDP) Act for significant data fiduciaries (SDFs) from 18 months to 12 months, reported Business Standard citing sources.

The proposal, discussed in a recent stakeholder consultation, reflects a stricter regulatory stance for companies handling large volumes of personal data in India. 

Major tech and social media firms such as Meta, Google, Amazon, Microsoft, along with leading banks, financial services, and insurance companies, are expected to be classified as SDFs.

Key Proposed Accelerations

Under the proposed rules, government powers to request data from fiduciaries or intermediaries could take effect immediately rather than after 18 months. 

Similarly, safeguards for cross-border personal data transfers may become operational right away, and requirements to retain personal data, logs, or processing records for at least one year could be enforced within 90 days of the Gazette notification instead of waiting 18 months.

Industry Concerns

Executives have flagged challenges in meeting the compressed timeline, citing legacy systems, extensive data localisation requirements, and operational scale. Immediate adoption could require significant internal adjustments.

SDF Designation

Under the DPDP Act, entities are designated as SDFs based on the volume and sensitivity of data processed, risks to data principals, and potential impacts on national security, public order, and elections.

The proposed changes underline the government’s intent to strengthen data governance, increase oversight on major players, and speed up compliance under India’s evolving data protection framework.

(KNN Bureau)