The government will set up the Data Protection Board (DPB), the appellate authority for grievance redressal under the Digital Personal Data Protection Act, within the next 30 days, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology said yesterday.

The first set of ‘necessary rules’ under the Act will also be issued within the same time frame, according to an exclusive report in Mint newspaper yesterday.

“The DPB will be notified in the next 30 days and all the relevant rules will also be notified in the next 30 days. The time between August 11 when the Act was notified and when the DPB is constituted, should not be considered a safe harbor or immunity period for companies. If there’s a data breach during this time, the DPB will take it up once it is operational,” the minister clarified.

Speaking at the consultation for timeframes needed by the industry to transition to the DPDPA, the Minister said that there are likely to be three categories of data fiduciaries that will be given a graded timeline for transition for compliance to the provisions in the Act.

The first category comprising government entities at the Centre or State, panchayats, or MSMEs that do not have the digital readiness for storing or processing data, are likely to get the most time for transition, followed by smaller private entities and start-ups.

However, big tech companies like Google, Meta, Apple, and others that would already be complying with global data protection or privacy laws such as the GDPR, would be expected to comply at the earliest, the Mint report added.