This could happen “well before” the Maharashtra assembly elections to be held on November 20, the person added.
The Digital Personal Data Protection (DPDP) Act was enacted in August 2023 but it is yet to become operational.
“The approvals take time. There is nothing to worry about. Only the home ministry’s approval is pending. The regulations will be notified soon, well before the Maharashtra elections,” said the government official cited above.
The Act aims to regulate the storage, processing and transfer of personal data by users as well as organisations.
It seeks to mandate a consent-based framework along the principles of data minimisation. The new law also lays out strong rules for parental consent for data pertaining to children below the age of 18 years, which has been met with some concerns by social media platforms.
At a meeting held earlier this month with several industry stakeholders, the Ministry of Electronics and Information Technology (MeitY) sought to allay fears of business disruption with the introduction of the proposed rules, another senior official told ET.
“There is also an assurance that there will be enough time for implementation of these rules. Any stakeholder, including companies and startups, (requiring) guidance on how to implement (these rules) will be given appropriate handholding to help them understand the regulations,” the official said.
To be sure, the European Union (EU) had provided two years to its member states to implement the General Data Protection Regulation (GDPR). While the EU approved the GDPR in April 2016, it came into effect on May 25, 2018.
Further, companies and consulting firms — that understand the DPDP rules and have provided feedback during their drafting — are also expected to be asked to help the industry understand the nuances of implementation and compliance better, another official said.
Policy experts are of the view that the industry must prepare adequately to deal with the proposed regulation.
Akshayy Nanda, a partner at legal firm Saraf and Partners, said organisations can begin with data mapping, inventory audits, reviewing agreements with data processors, drafting, and examining requisite privacy-related policies.
Companies can also put in place security safeguards to protect personal data against breaches, train employees and analyse current data processing activities to determine whether they conform to the principles of purpose limitation, data minimisation, fairness and transparency, he added.
Pointing out that the DPDP Act imposes substantive legal requirements, Arun Prabhu, partner and head of technology practice at law firm Cyril Amarchand Mangaldas, said, “Several entities have commenced data discovery, mapping and work on consent and contracting to improve their posture in preparation for the law.”
No one-time exercise
Compliance with the DPDP Act is not a one-time exercise and will require a continuous effort to manage the obligations of the law, according to Nanda.
“Businesses that have not commenced their journey of compliance and are waiting for the rules to be published will face a significant shock and substantial challenges in the foreseeable future,” he said.