MeitY May Cut DPDP Compliance Window to 12 Months for Significant Data Fiduciaries

The Ministry of Electronics and Information Technology (MeitY) has proposed compressing the compliance window under the Digital Personal Data Protection (DPDP) Rules from 18 months to 12 months for Significant Data Fiduciaries (SDFs). The proposal, discussed at a stakeholder meeting on 22 January 2026, would primarily affect big tech platforms such as Meta, Google, Amazon and Microsoft, as well as major banks, financial services and insurance companies, and large social media intermediaries.

Under the DPDP Act, SDF classification depends on factors such as the volume and sensitivity of data processed, risks to data principal rights, and potential implications for sovereignty, electoral democracy, national security and public order. Once designated, SDFs must comply with enhanced obligations, including appointing a Data Protection Officer, conducting Data Protection Impact Assessments and undergoing periodic audits. The proposed change would give these entities roughly a year from notification to demonstrate full compliance with all SDF‑specific requirements.

MeitY has also suggested that cross‑border data transfer restrictions and the government’s power to seek information from data fiduciaries should take effect immediately, instead of after the original 18‑month transition. This reflects the government’s view that the earlier window was overly generous for large organisations already subject to comparable regimes such as the EU’s GDPR. Union IT Minister Ashwini Vaishnaw had previously indicated that global benchmarks would guide India’s implementation timelines.

Industry reaction has been cautious, with some executives warning that a 12‑month window will be challenging given India’s complex data environment. That concern may be more acute for mid‑tier fiduciaries, but the largest SDFs have had the DPDP Act since August 2023 and draft rules since early 2025. The proposal effectively penalises those that treated compliance as a distant obligation: organisations that began implementation early are likely to cope, while late movers may now face a compressed and resource‑intensive compliance scramble.