Government notifies DPDP rules, sets 18-month roadmap for data protection regime

Digital Personal Data Protection (DPDP) rules mandate that large data fiduciaries store certain categories of personal data — as specified by the government — within India. At the same time, the rules permit the transfer of personal data outside India, subject to additional requirements that may be prescribed by the Centre.
By CNBCTV18
Published Nov 14, 2025   |   3:12 AM EST
The government on Friday (November 14) notified the much-awaited rules under the Digital Personal Data Protection (DPDP) Act, laying out a staggered implementation roadmap of up to 18 months for India’s new data protection regime.

A key provision of the notified rules relates to data localisation, a move being watched closely by global technology companies.

The rules mandate that large data fiduciaries store certain categories of personal data — as specified by the government — within India. At the same time, the rules permit the transfer of personal data outside India, subject to additional requirements that may be prescribed by the Centre.

Implementation timeline

The rules provide a phased rollout:

  1. Immediate effect: Rules governing the setting up and appointment of the Chairperson and members of the Data Protection Board come into force immediately.

  2. 12 months: Rules related to the registration and functioning of Consent Managers will take effect after 12 months.

  3. 18 months: Core compliance requirements for companies and government entities that collect personal data — including consent notices and operational processes — will become effective after 18 months.

Consent requirements

Entities collecting personal data must provide clear, plain-language notices detailing the data being collected and the purpose of collection. They must also offer a dedicated link for users to withdraw consent.

Consent managers

Individuals or organisations seeking to act as Consent Managers can apply for registration with the Data Protection Board and will be subject to specific obligations under the rules.

Data breaches

Users must be informed of any data breach without delay, with details on the nature of the breach, likely consequences, and recommended safety measures. A detailed breach notification — covering cause, impact and mitigation steps — must be filed with the Data Protection Board within 72 hours.

Data erasure

If a user remains inactive, the data-collecting entity is required to erase the personal data held, after issuing a notice to the user 48 hours prior to deletion.

Children’s data

Entities collecting children’s data must obtain verifiable parental consent. Exemptions from parental consent apply to healthcare establishments, educational institutions and childcare facilities.

Additional compliance for entities handling significant user data

Such entities must conduct a Data Protection Impact Assessment and a compliance audit. They are obliged to ensure that algorithmic software used does not pose risks to users’ rights and must prevent the overseas transfer of personal data categories that the government may prescribe.

Exemptions

The Act does not apply to the processing of personal data necessary for research, archiving or statistical purposes — a move expected to benefit AI development and related research activity.

National security and government powers

For national security purposes, the government may seek personal data from any intermediary or entity and may also prohibit them from informing users about such requests.