DPDP Act: Firms in disarray, seek more time, clarity for implementation

Companies feel that the "timelines are too short," as the new DPDP Act will require a complete overhaul of their entire internal systems

As the government has passed the new Digital Personal Data Protection (DPDP) Act, several companies are gearing up to submit formal representations to the government. They are seeking clarification on the new Data Act and an extension of its implementation deadline, according to a report by The Economic Times (ET), which cited individuals familiar with the matter.

Experts have noted a "sense of panic" among companies concerning the timelines stipulated by the legislation. According to the government, large companies will need to implement the law within six months, while smaller firms have been given a 12-month window, with only a few exceptions, the newspaper reported.

Companies argue that these "timelines are too short," given that the new DPDP Act necessitates a comprehensive revamp of their entire internal systems. The law was officially notified on August 11.

Akshayy S Nanda, a partner at law firm Saraf & Partners, told The Economic Times, "The timeline of six months for the Act's implementation to commence and for companies to complete their compliance efforts is quite short and could prove challenging." Nanda added that the sheer number of compliances required by the law constitutes a time-consuming exercise, making a six-month timeframe potentially inadequate.

Another industry expert echoed the sentiment that the transition period is too brief. While large technology firms may have the resources to adapt to the new law, smaller Indian enterprises like banks and telecom companies with nationwide operations could find it exceedingly difficult to overhaul their internal structures, according to the ET report.

When compared with the European Union General Data Protection Regulation (EU GDPR), the DPDP Act's compliance timeline seems notably shorter. More recent data protection laws introduced in the Asia Pacific (Apac) and Asia, Middle East and Africa (AMEA) regions have also allowed more time for compliance. For instance, Saudi Arabia's data protection law permitted 720 days from the date of its official publication, plus an additional one-year grace period for compliance, the ET report highlighted.