After a long wait, the DPDPA 2023 rules have finally been notified.
Links to the documents are here:
The rules appear to be similar to the draft rules except that the rule for data of minors and data of persons with disability has been separated.
The implementation timeline consists of three dates:
- Date of notification (13th November 2025)
- One year from the date of notification
- 18 months from the date of notification
Rules 1, 2, 17, 18, 19, 20 and 21 will be effective immediately. Rules 1 and 2 relate to the name and definitions, and Rules 17 to 21 relate to the formation and functioning of the DPB.
Rule 4, which relates to registration of the consent manager, will come into effect after one year (13th November 2026).
Rules 3, 5 to 16, 22 and 23 will come into force 18 months (13th May 2027) from the date of publication.
The sections of the Act which will become immediately effective are:
Section 1(2), Section 2, Sections 18 to 26, Section 35, Sections 38 to 43, and Sections 44(1) and 44(3)
The sections of the Act which will become effective after one year are:
Section 6(9) (related to the Consent Manager) and Section 27(1)(d) (related to breach notification by a Consent Manager)
The sections of the Act which will become effective after 18 months are:
Sections 3 to 5, Sections 6(1) to 6(8), Section 6(9), Sections 7 to 10, Sections 11 to 17, Section 27 other than 27(1)(d), Sections 28 to 34, 36, 37, and 44(2)
Section 44(2) relates to the scrapping of Section 43A of ITA 2000, and Section 33 relates to penalties under DPDPA; both will be effective after 18 months. The obligations of the Data Fiduciary and the rights of the Data Principal will all become effective at the same time (13th May 2027).
Now that the uncertainty about the implementation timeline is over, the industry can plan its implementation, starting with the gap analysis. Those who have already started compliance activity are at a slight advantage.
Naavi





