India Looks to Fast-Track Data Protection Compliance

India’s Digital Personal Data Protection Act, 2023 (DPDP Act), is being implemented in phases, and regulators are considering proposals to accelerate compliance. Under discussion is a 12-month timeline for Significant Data Fiduciaries (SDFs), with the Ministry of Electronics and Information Technology (MeitY) awaiting industry inputs to ensure any adjustments strike a balance between expedited adoption and practical regulatory readiness.

The rationale appears to be that large entities are already aligned with stringent global data protection standards and may be better positioned to implement the framework within a shorter timeframe. The move is also understood to be driven by concerns over the growing sophistication of cyberattacks.

Under the DPDP Act, the Central Government may notify any data fiduciary or class of data fiduciaries as SDFs based on factors such as the volume and sensitivity of personal data processed, risks to the rights of Data Principals, potential impact on India’s sovereignty and integrity, risks to electoral democracy, security of the State and public order.

Enacted on August 11, 2023, the DPDP Act establishes a comprehensive framework for digital personal data protection, setting out obligations of Data Fiduciaries and rights and duties of Data Principals. On November 13, 2025, MeitY notified a staggered three-phase implementation timeline for the Act and the Rules, and announced the constitution of the Data Protection Board of India.

Phased rollout:

• Phase 1 (Effective November 13, 2025): Provisions relating, inter alia, to the constitution of the Data Protection Board, the overriding effect of the Act, and restrictions on civil court jurisdiction.
• Phase 2 (Effective November 13, 2026): Provisions governing Consent Managers, including mandatory registration and compliance requirements.
• Phase 3 (Effective May 13, 2027): Core framework, including the rights of Data Principals and obligations of Data Fiduciaries, along with the repeal of Sections 43A and 87(2)(ob) of the IT Act, 2000.

Plans to compress the compliance timeline surfaced shortly after this phased rollout was notified.

Earlier this year, MeitY also proposed amendments to accelerate implementation, including immediate enforcement of key provisions such as Rule 15 (transfer of personal data outside India) and Rule 23 (calling for information from data fiduciaries and intermediaries), while reducing the implementation timeline for Rule 13 (additional obligations of Significant Data Fiduciaries) to 12 months.

The Ministry also proposed early enforcement of Rule 8(3) (mandatory one-year retention of personal data, traffic data, and processing logs for specified government and regulatory purposes), potentially within three months. Section 17(2) of the Act (exemptions for processing by State instrumentalities notified in the interests of sovereignty, security, public order, etc.) was also expected to be operationalised immediately.

Currently, these provisions are scheduled to come into effect after an 18-month period. However, proposals to accelerate enforcement have introduced a degree of uncertainty around the implementation roadmap, leaving stakeholders awaiting clarity on the final compliance landscape.