New Delhi, Nov 14 (PTI) The freshly-minted data protection rules will require companies to give clear notice seeking consent for processing personal data of individuals, mandate prompt 72-hour data breach notification, and allow for erasure of data after its purpose has been served.
Notably, it requires companies to obtain verifiable parental consent before processing any child's personal data using identity checks and defined age verification methods.
When a data fiduciary (a company that needs to collect data) becomes aware of a personal data breach, it must notify the affected users promptly and also report the breach to the Data Protection Board within 72 hours.
Here is a look at how the industry and experts have reacted to the much-awaited provisions that power the principal legislation (DPDP Act) and shape the enforcement of a powerful data privacy regime in India.
"With the notification of the Rules and the Act, the government has finally put all uncertainty to rest. India Inc. now has an 18-month runway to gear up for full compliance," said Nikhil Narendran, Partner - TMT, Trilegal.
While the rules give a transition period and a staggered implementation roadmap, experts believe that the countdown has begun for companies to start the overhaul of consent architecture, strengthen breach response mechanisms, and introduce training programmes to ensure compliance.
The constitution of the Data Protection Board takes effect immediately, and the consent manager framework will become operative after 12 months.
Remaining obligations and compliances for data fiduciaries, including notice, consent, security safeguards, data principal rights, and breach notification requirements, will come into force after 18 months.
The phased approach provides companies with a structured and predictable compliance runway, Prashant Phillips, Executive Partner, Lakshmikumaran & Sridharan Attorneys, said.
Dhruv Garg, Founding Partner of Indian Governance and Policy Project (IGAP), noted that the rules mark the end of India's longstanding privacy debate. He flagged the burden on smaller firms under tight compliance deadlines and noted some operational complexities. Yet, Garg acknowledged that the rules bring "long-awaited clarity, stronger user protections and a predictable governance structure" with the real test now being effective on-ground execution.
Probir Roy Chowdhury, Partner, JSA Advocates & Solicitors, described the rules as a major step in operationalising India's privacy framework. He called on businesses to move from high-level planning to practical implementation over the next 18 months to balance user rights with regulatory certainty and business needs.
Akshay Garkel, Partner & Leader, Cyber at Grant Thornton Bharat, termed the phased compliance timeline and the establishment of the Data Protection Board as clear signals of regulatory seriousness.
"Data protection is no longer a future checkbox; it's today's competitive differentiator," he said.
Harsh Walia, Partner at Khaitan & Co, said the notification of the rules officially starts the compliance clock for all stakeholders.
"Organisations may need to reassess their consent frameworks to ensure that consent is specific, informed, and clearly distinguishable from the standard terms of use that users typically auto-accept. While the Rules provide some commercial flexibility by allowing stakeholders to adopt reasonable security safeguards, they also mandate certain minimum measures, including encryption and obfuscation," Walia said.
Mayuran Palanisamy, Partner, Deloitte India, described the establishment of a definitive enforcement timeline as a "critical juncture" for organisations. It is essential that organisations take proactive steps to comply with these regulations, ensuring not only legal adherence but also the responsible handling of personal data, Palanisamy said.
Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India, said the DPDP Rules offer Indian enterprises a clear pathway for managing how personal data is collected, processed, secured and governed.
"The phased roll-out is crucial; it gives organisations the space to operationalise privacy, recalibrate their data architecture and embed accountable fiduciary practices seamlessly. The rules set fixed obligations, which leads to an increase in the cost of compliance, apart from an increase in the legal and operational costs," Rao noted.
Sanjay Katkar, Joint MD of Quick Heal Technologies, observed that the rules impose renewed responsibilities on enterprises, bringing transparency, meaningful consent, timely breach notifications, and disciplined data retention and erasure into their operations.
Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co, said, "...MeitY has not only provided the much-needed clarity, it has been judicious in allowing for an adequate transition period with substantive provisions of the Act coming into effect 18 months from now." She highlighted that the industry will need to focus on aligning data practices with new requirements, while MeitY (Ministry of Electronics and Information Technology) must ensure continued regulatory and interpretational clarity.
Rishi Agrawal, CEO and Co-founder of TeamLease Regtech, pointed out that many organisations, especially those with legacy systems, will need to overhaul their IT infrastructure to meet the mandates of the DPDP rules.
Shreya Suri, Partner, CMS IndusLaw, said India has moved from broad policy signalling to a concrete, enforcement-ready data protection regime.
Several high-impact obligations, including verifiable parental consent for children, a fully formalised consent-manager ecosystem, cross-border transfer restrictions, and tight breach-notification timelines, have now been crystallised, largely mirroring the January draft.
A notable point of uncertainty, she said, is the classification of Significant Data Fiduciaries.
"While the Act prescribes the factors, the government has not yet notified which entities will fall into this category - meaning businesses do not know whether they must prepare for heightened obligations such as data localisation, mandatory audits, DPIAs, and algorithmic risk assessments.
Unless this classification emerges soon, this uncertainty compresses the compliance runway for SDFs at a time when the regulator is already in place," she added. PTI ANK MBI HVA