wordpress blog stats
Connect with us

Hi, what are you looking for?

India’s data protection law will have different timelines for compliance for different types of entities

In India’s upcoming Digital Personal Data Protection Act, different industry entities will have different timelines to make necessary adjustments in order to ensure compliance with the law.

Ad: India’s Data Protection Bill is here, and your business needs to adapt. K&S Digiprotect, with its team of data protection experts, offers compliance services tailored to help you adapt to the new regulations, safeguard your data and build trust with your customers. Contact us now!

Six years after the Supreme Court ruled that privacy is a fundamental right of citizens, India’s data protection law, the Digital Personal Data Protection Bill, 2023, was passed in the Lok Sabha (lower house of the parliament) on August 7 and Rajya Sabha (upper house) on August 9. It will next be sent to the President of India for final assent.

Upon the President’s assent, the Bill will be enacted as the Digital Personal Data Protection (DPDP) Act, 2023, and will go into effect on the date that will be notified by the government in the Official Gazette.

Importantly, section 1(2) of the bill states that different dates may be appointed for different provisions of the Act to go into effect and section 17(5) states that the government can also declare that any provision of the Act shall not apply to a specific Data Fiduciary or classes of Data Fiduciaries for such period as may be specified by the government. In other words, different types of entities will have different timelines to comply with different provisions of the DPDP Act.

This approach was also confirmed by IT Minister of State Rajeev Chandrasekhar, who informed The Indian Express that the government will follow a graded approach with Big Tech companies expected to comply first and startups getting a longer transition period. The exact timelines will be decided post consultations with the industry, he added.

Article continues below ⬇, you might also want to read:

The data protection law requires companies to obtain consent before processing any personal data, safeguard data from data breaches, obtain parental consent when processing the personal data of anyone under the age of 18, implement a grievance redressal system, allow users to exercise their right to information, correction, and erasure, etc. For more on what the law entails and what happens in case of non-compliance, check out MediaNama’s summary of the DPDP Bill here.

A graded timeline is essential because startups and smaller companies should not be expected to comply with the law within the same time frame as Big Tech companies that have the resources, as well as experience from other jurisdictions like the EU, to comply faster.

Despite following a graded timeline, it might still be tight for companies in India. IT Minister Ashwini Vaishnav has indicated that the implementation will take around six to ten months. For context, the European Union approved its privacy law, the General Data Protection Regulation (GDPR), in 2016 and gave companies two years to comply with it.

“GDPR was designed when the world’s knowledge about privacy laws was low, but that is not the case today. So, it is unlikely that we will allow the industry a two-year transition window,” Rajeev Chandrasekhar told The Indian Express.

Apart from a graded approach to implementation, the government also has the power to exempt certain classes of Data Fiduciaries, such as start-ups, from some of the provisions of the law. This type of exemption will be based on the volume and nature of personal data these entities process.

STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!


Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...


RBI Deputy Governor Rabi Shankar called for self-regulation in the fintech sector, but here's why we disagree with his stance.


Both the IT Minister and the IT Minister of State have chosen to avoid the actual concerns raised, and have instead defended against lesser...


The Central Board of Film Certification found power outside the Cinematograph Act and came to be known as the Censor Board. Are OTT self-regulating...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ