DPDPA Rules: Which provisions will become effective now

While the DPDPA 2023 was gazetted on 11th August 2023, the notification of the date of its effectiveness has been awaited. Presently the draft rule is ready for public comments and the industry is eagerly waiting to know which provisions of the Act will become effective immediately and which will take time.

The current thinking in the Meity seems to be a two stage implementation with about 6 rules to be notified for effect immediately and the remaining around 14+ rules to be effective at some point of time later.

The six rules that may be notified for immediate effect could be

Short Title and Commencement
Appointment of Chairperson and other Members
Salary, allowances and other terms and conditions of service of Chairperson and other members
Proceedings of Board and authentication of its ordders, directions and instruments
Terms and conditions of appointment and service of officers and employees of Board

The other rules to be notified on a later date are as follows:

Notice to seek consent fo data principal
Notice to inform of processing done where data principal has given consent before commencement of Act
Registration, accountability and obligations of a Consent Manager
Processing of Personal data for provision of subsidy, benefit, service, certificate, license or permit
Intimation of personal data breach
Time period for specified purpose to be deemed as no longer being served
Publishing of contact information of person who is able to answer questions about processing
Verifiable Consent for processing personal data of child or person with disability who has lawful guardian
Exemptions from processing of personal data of child
Measures to be undertaken by Significant Data Fiduciary
Rights of Data Principal
Exemption from Act for Research, Archiving and Statistical purposes
Techno Legal measures to be adopted by Board

It is expected that the setting up of the DPB may take about 3 months and the remaining rules may come into effect subsequently.

There are a few more rules that are yet to be finalized and perhaps they may come up in the third set.

The exact time schedule for implementation is yet unclear and we may have to wait for the Government to complete the constitution of the DPB before a more specific time schedule can be expected.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.