12-month compliance window under consideration for DPDP Rules

The government is considering a significant reduction in the implementation timeline for the Digital Personal Data Protection (DPDP) Rules. According to sources familiar with the matter, companies across sectors are likely to be required to achieve compliance within 12 months of notification, instead of the earlier 18-month window.

If implemented, the revised timeline would require full compliance with the DPDP framework by November 2026, one year after the rules were notified in November 2025.

The Ministry of Electronics and Information Technology (MeitY) has invited stakeholder feedback on the proposed change by February 4, indicating that the shortened compliance period is under active consideration for industry-wide adoption.

When the draft rules were released last year, the government had clarified that the 12-month timeline would apply only to consent managers for registration, while entities handling personal data would be granted up to 18 months to align their systems and processes.

After the rules were notified, MeitY had also indicated informally that large firms already compliant with global standards such as the EU’s General Data Protection Regulation (GDPR) could be asked to transition faster.

Sources familiar with the latest discussions, however, said the ministry is now considering extending the 12-month compliance timeline uniformly across all entities, without differentiating between large and smaller organizations. The proposal was deliberated during a meeting chaired by MeitY Secretary S. Krishnan on Thursday, which was attended by industry representatives.

If adopted, the change would considerably compress compliance timelines for companies still in the process of developing internal frameworks for consent management, data retention, breach reporting, and grievance redressal.

The industry had earlier viewed the 18-month window as essential, given the scale and complexity of operational changes mandated under the law.

Uncertainty also persists around the treatment of significant data fiduciaries (SDF). Although the DPDP Rules provide for enhanced compliance obligations for entities designated as SDFs, the government has not yet notified the criteria or the list of such entities.

This has left companies in a difficult position, as they must decide whether to make investments upfront to prepare for a possible designation or wait for formal clarity at the risk of missing deadlines.