Shortened compliance window for DPDP will not impact MSMEs, Deepak Goel, Cyber Law and Data Governance, MeitY – The HinduBusinessLine

Clipped from: https://www.thehindubusinessline.com/news/shortened-compliance-window-for-dpdp-will-not-impact-msmes-deepak-goel-cyber-law-and-data-governance-meity/article70625027.ece

While Goel said the Data Protection Board will soon be announced pending manpower, the government has still not taken any decision in terms of the shortening of the compliance timeframe.

Shortening the data protection compliance timeline will not significantly affect MSMEs, said Deepak Goel, Scientist G & Group Coordinator, Cyber Law and Data Governance, MeitY, at a Data Security Council of India (DSCI) event in Mumbai.

“We have received feedback from many associations. There is no final decision yet but whatever is done will be in the interest of everybody. Our implementation is going to affect company products, architecture, cloud architecture and most importantly, vendor management, and AI,” said Goel.

At the same time, speaking to businessline on the sidelines, Goel added that small businesses like startups and MSMEs will not feel the repercussions of this development. Section 17 of the Digital Personal Data Protection (DPDP) Act exempts such small entities from provisions of notice, obligations of impact assessment reports, data retention limits and even mandates for informing users on the kind of data processed.

Huge challenge

Meanwhile, large companies, banks and similar entities in India will face a huge challenge in case of a shortened timeline as it leaves them with a smaller window to prove compliance in case of audits and in impact assessment reports.

“When such a law which impacts millions of organisations is implemented, your legitimacy or legality of collecting, processing information depends on it being procedurally correct,” said Vinayak Godse, CEO of Data Security Council of India (DSCI), advising companies to focus on privacy management (consent management, record of processing), enhance privacy governance capability and use privacy-enhancing technology such as cryptography and anonymization to prepare for DPDP.

Despite the mammoth task ahead, Godse still believed that most big companies will be prepared for the compliance norms even within a shorter timeline. However, data security intelligence organisations like Seclore voiced their doubts.

“They do not even know what to protect. They do not have visibility into where data is stored. It is very difficult to track this because they have collected data for 20 years, put it in any file server, folder,” said Vishal Gauri, CEO, Seclore.

With the advent of AI amid compliance pressure, Gauri described the compliance burden as a perfect storm for many companies, and Seclore released its own Automated Risk Management, Orchestration, and Resilience (ARMOR) intelligence platform to help organisations maintain trust, control and accountability over their data. Gauri argued that such tools will become crucial for companies, considering the alternative is to block all access.

“If you block everything, then the business goes down. It is a much bigger cost than the fine,” said Gauri.

Published on February 12, 2026
