
DPDP rules chart clear path for data handling by cos

15-11-2025 12:00:00 AM

Some, however, felt that the final rules had left many of the operational burdens intact, even after discussions

PTI New Delhi

The Digital Personal Data Protection rules lay out a clear roadmap for enterprises on collecting, processing and securing personal data, many experts said Friday, adding that the transition period and phased roll-out will give companies time to recalibrate data architectures and implement consent mechanisms and other necessary frameworks.

Some, however, felt that the final rules had left many of the operational burdens intact, even after discussions. They flagged the "uncertainty" and lack of clarity around the criteria and process for designating an entity as a 'significant data fiduciary'. As per Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India, the rules set fixed obligations, which lead to an increase in the cost of compliance, apart from an increase in legal and operational costs.

"With the DPDP Rules now notified, Indian enterprises have a clear roadmap on how they collect, process, secure and govern personal data," Rao said. Terming the phased roll-out crucial, Rao explained that it gives organisations the space to operationalise privacy, recalibrate their data architecture and embed accountable fiduciary practices seamlessly.

Enterprises, Rao said, must immediately prioritise data discovery, classification and data-mapping exercises, implement consent and retention workflows, strengthen breach-response mechanisms, and deploy technology-led governance tools that provide real-time visibility across the data lifecycle. Rao described the latest move as a "regulator-driven opportunity for enterprises" to enforce 'Privacy by Design', 'Security by Design' and hence 'Trust by Design'.