New rules for data protection, known as the DPDP Rules, have been introduced. They set specific timelines for companies to follow. These include notifying users and the Data Protection Board about data breaches and keeping traffic data for at least a year. Companies must also inform users 48 hours before deleting personal data.

Firms like e-commerce sites, online gaming companies, and social media platforms must delete personal data after three years of user inactivity. However, there are two exceptions to this rule. The rules also require consent managers to keep records of consents for a minimum of seven years or longer if needed.

Data Protection Board and Compliance Timelines

The Data Protection Board must complete inquiries within six months of receiving a complaint or intimation. This period can be extended by three months at a time, with reasons documented. The DPDP Rules take effect in stages, allowing an 18-month transition for companies handling personal data.

The establishment of the Data Protection Board is immediate, while the consent manager framework will be active after 12 months. Other obligations, such as user consent notices and security measures, will be enforced after 18 months.

Security Measures and Breach Notifications

Companies must retain personal data and logs for at least one year from processing. They are required to implement security measures like encryption and monitoring access to prevent unauthorized access. In case of a data breach, firms must inform affected individuals clearly about the incident and provide contact information for queries.

Additionally, companies need to notify the Data Protection Board immediately with initial breach details. Within 72 hours, they must submit a detailed report on causes, impact, mitigation efforts, and measures to prevent future incidents.

Parental Consent and Significant Data Fiduciaries

Before processing a child's personal data, companies must obtain verifiable parental consent. This involves confirming the parent's identity through reliable means like government-issued tokens. A Significant Data Fiduciary is required to conduct annual Data Protection Impact Assessments and audits, reporting findings to the Board.

Such fiduciaries must ensure their technical measures do not compromise data principals' rights. They should process personal data specified by the Central Government without transferring it outside India. A committee formed by the government will oversee these processes.

Government Oversight and Information Requests

The government can ask data fiduciaries or intermediaries to provide requested information but may restrict its disclosure to protect India's sovereignty or state security. This oversight includes digital and social media platforms.

Data Fiduciary firms must prominently display contact details of their Data Protection Officer on their website or app. This ensures that individuals can easily reach out with questions about their personal data processing under the Act.

With inputs from PTI