The government is set to significantly compress the implementation timeline of the Digital Personal Data Protection (DPDP) Rules, with companies across sectors likely to be required to comply within 12 months of notification, instead of the earlier 18-month window, according to people familiar with the discussions.
The shift would mean that full compliance with the DPDP framework would be expected by November 2026, a year after the rules were notified in November 2025.
The ministry of electronics and information technology (MeitY) has sought stakeholder feedback on the proposed change by February 4, signalling that the shorter timeline is now being actively considered for industry-wide adoption.
When the draft rules were issued last year, the government had indicated that the 12-month compliance period would apply only to consent managers for registration purposes, while companies processing personal data would have up to 18 months to align systems and processes.
What happened after the rules were notified?
After the rules were notified, MeitY had also indicated informally that large firms already compliant with global standards such as the EU’s General Data Protection Regulation (GDPR) could be asked to transition faster.
However, people aware of the latest deliberations said the ministry is now considering applying the 12-month timeline across the board, without distinguishing between large and smaller entities. The proposal was discussed at a meeting chaired by MeitY secretary S Krishnan on Thursday, which was attended by industry representatives.
If implemented, the move would significantly tighten the compliance calendar for companies that are still building internal systems for consent management, data retention, breach reporting and grievance redressal. The original 18-month window had been seen by industry as necessary given the scale of operational changes required under the law.
Plans to fast-track certain provisions
Alongside the compressed timeline, the government also plans to fast-track certain provisions of the rules. Among them is Rule 8(3), which deals with the retention of personal data for lawful purposes without user consent.
The provision requires companies to maintain detailed records of data usage, deletion requests and related technical logs for at least one year after the purpose of processing has been served. Officials indicated that this rule could be operationalised within three months of the revised notification.
Industry executives told Fe that such a move would leave limited time to build the technical and compliance infrastructure needed to meet audit and record-keeping requirements, particularly for firms that currently lack mature data governance systems.
Uncertainty also persists around the treatment of significant data fiduciaries (SDF). Although the DPDP Rules provide for enhanced compliance obligations for entities designated as SDFs, the government has not yet notified the criteria or the list of such entities.
This has left companies in a difficult position, as they must decide whether to make investments upfront to prepare for a possible designation or wait for formal clarity at the risk of missing deadlines.
Separately, the government intends to bring into force provisions relating to cross-border data transfers, furnishing of information to authorities, and data retention for investigative purposes.
These are seen as requiring relatively limited operational changes compared to broader consent and governance obligations. Section 17(2) of the Act, which allows the government to notify exemptions for certain agencies on grounds such as national security and public order, is also expected to be operationalised alongside these rules.