By Ben Rapp

MeitY has finally published the DPDPA Rules and India is abuzz with data protection lawyers carefully parsing the final wording. While others may focus their attention on ‘specific’ v ‘itemized’ or the length of time the Data Protection Board of India will have to respond to complaints (six months or more), at Securys our long experience leads us to focus on the practical implications of these milestones in the implementation of data protection legislation.

MeitY has finally given everyone a defined timeline for implementation, with three dates standing out, and in doing so has removed any remaining excuses for not starting a full privacy programme.

13th November 2025 

With immediate effect, the Data Protection Board of India is to be established with four members. We still do not know who will be on the Board (rumours swirl like so much Delhi smog, and with just as much clarity), and it will be fascinating to see where the fickle finger of fate points in the end.

13th November 2026 

Consent managers need to be registered and ready to go one year from now. This makes a lot of sense in the context of the following milestone, as these consent managers will have to be up and running well ahead of… 

13th May 2027 

Six months later comes the date on which the operational provisions of the Act take effect: the ultimate deadline for every organisation that processes personal data to be demonstrably compliant.

What does this all mean for Indian organisations? First and foremost, the time to get your house in order is now. As Securys has repeatedly learned working with multinational enterprise clients around the world, getting a privacy programme up to speed in eighteen months is no small task, even if one has already had exposure to other legislation such as GDPR. And yes, even if the organisation is already ISO27001 certified. Data protection is not cyber security, and DPDPA is not the GDPR; there will be much to do, including changing business processes, in order to comply.  

What does a successful digital personal data protection programme look like? Start at the beginning: it is essential to lay sound foundations as soon as possible by conducting a data mapping exercise, a comprehensive audit of data and processing activities, and a gap analysis, so that you understand what you know and what you do not know about what goes on in your organisation and, crucially, in your supply chain. This exercise can be daunting in its detail and complexity, but it is also illuminating: it reveals opportunities not only to establish compliance but also to improve the ways in which you operate as an organisation.

There are many important nuances to be considered in the now-notified Rules but for those of us committed to positive, pragmatic privacy, there are a couple of striking inclusions in the most recent pronouncements and, perhaps even more pertinently, a few marked absences.  

For seasoned data protection professionals, perhaps the most striking aspects of the notification of the Rules are the glaring absences, which are most likely to be left in the hands of the newly-constituted (but still to be appointed) Data Protection Board of India: 

  • The guidance around international data transfers remains opaque: the Rules seem to have left the door ajar for further data localisation measures to be introduced, while lists of preferred (and proscribed) countries for data transfers are also still to be published. 
  • While the notified Rules make the additional burden on Significant Data Fiduciaries (SDFs) clear (annual audit, a DPO, data localisation and the welcome requirement for due diligence on algorithmic processing), which organisations will actually be designated as SDFs is still to be clarified.
  • Sensitive data remains undefined although the continued application of the existing applicable legislation (the 2000 IT Act and 2011 IT Rules) seems to give a clear hint that one should expect little change on this front. 

These known unknowns illustrate the need for organisations to establish a robust privacy operating model as a prerequisite for responding to the evolving landscape. The real challenge is to build a vigorous and healthy culture of data protection alongside the numerous organisational and technical controls. To be successful, the data protection infrastructure and the internal privacy programme need to be aligned with one another and evangelised throughout the organisation.

This will likely also involve the implementation of appropriate tools: not only for data discovery and consent management but also for risk assessment and third-party risk management. While the nature and scale of the tooling required may vary, every organisation, whether or not it is an SDF, needs to be able to manage its obligations as a data fiduciary effectively and efficiently.

Perhaps most significantly, the timeline is the same for any organisation that is likely to be classed as an SDF, meaning that the largest enterprises and those handling sensitive data at scale will have to review their resource commitment to data protection to make sure they have access to sufficient expertise and experience to deliver by this deadline.

If you’ve been waiting for clarity before beginning your privacy programme, now is the time to fire your starting gun. More clarity will still come, but eighteen months is shorter than you think. Securys can take the uncertainty and strain away: we’ve been doing this for more than a decade, for some of the world’s largest companies, and we’ve been through the evolutionary process of countless new privacy regimes in the 70+ countries where we do business. Get in touch now to book a call and start your journey to compliance.


Interested in staying in touch for future DPDPA updates?

It is our intention to publish further articles and resources as details regarding the DPDPA are clarified. If you would welcome being added to our email list so you are advised when new material is published, please subscribe by clicking here and typing yes into the email subject line.