The government will start putting in place rules for compliance in the next few days and most of the rules for the Data Protection Board will be ready in 30 days, Rajeev Chandrasekhar said
MSMEs and early stage startups may be granted exemption and will not come under the purview of the DPDP Act immediately, the minister said
Under the Digital Personal Data Protection Act, the Digital Protection Board will monitor compliance with the Act and impose penalties for violations
The Data Protection Board, to be set up under the new Digital Personal Data Protection (DPDP) Act, 2023, will be in place within 30 days, said Minister of State for Electronics and IT Rajeev Chandrasekhar.
“We will start putting in place most of the rules for compliance in the next 5-6 days. Most of the rules will be placed within 30 days. The Data Protection Board will also be in place in 30 days,” Chandrasekhar said.
Guidelines for the eight rules, including consent management, will be put in place within a month.
The minister was speaking on the sidelines of a consultation held with various stakeholders on Wednesday (September 20) regarding the implementation of the DPDP Act. Industry associations, tech giants and some prominent startups participated in the discussion.
Chandrasekhar said that some government entities like those at panchayat level, micro, small, and medium enterprises (MSMEs), and early stage startups may be granted exemption and will not come under the purview of the DPDP Act immediately.
The ministry may also come up with necessary rules under the Act within this period. While all rules under the data protection code will not be immediately notified, essential ones will be prioritised for initial implementation.
In response to demand from the stakeholders, the ministry expressed willingness to engage in consultations regarding the rules before finalising them by releasing a draft, a source said.
The government, during the consultation, also clarified that the period between notification of the rules and the establishment of the data protection code would not provide immunity from data protection regulations. Complaints received during this transitional phase will be considered retroactively once the code is in place.
The government also hinted at section-based transition periods, as certain sections of the code related to age verification, processing children’s data, and Know Your Customer (KYC) obligations may require more time for compliance.
The government also asked stakeholders to provide insights on identifying data fiduciaries deserving of exemptions, defining the reasons for these exemptions, and explaining them in detail.
“We welcome the government engaging with multi-stakeholders through consultation as we inch towards implementing the Digital Personal Data Protection Act 2023. Indication of establishing a Data Protection Board and notifying some of the necessary rules in the next 30 days is a welcome move, as this would bring certainty in terms of compliance and next steps,” said Kamesh Shekar, Senior Programme Manager- Data Governance & Privacy at think tank The Dialogue, told Inc42.
“Besides, the government’s consideration towards having different transition periods based on the class of fiduciaries and sections is a step in the right direction as it considers the status quo of organisations, technical dependence, economic constraints, etc,” Shekar added.
After several years of waiting, India got its data protection law last month. The DPDP Bill was passed in the Lok Sabha on August 7 and in the Rajya Sabha two days later. On August 11, President Droupadi Murmu finally granted her assent to the Bill to become an Act.
The DPDP Act directs setting up a Data Protection Board of India to ensure its implementation. In case of any personal data breach, the board will be responsible for looking into the matter, inquiring into the breach, and imposing penalties.
The DPDP Act seeks to protect the privacy of Indian citizens. In case of any breach for misusing citizens’ data or failing to protect the digital data of individuals, the Act proposes a penalty of up to INR 250 Cr on entities.