Home
DPDP Rules

DPDP Compliance Guide 2026: What Indian Enterprises Must Do Before May 2027

Date Published

dpdp compliance checklist

India's DPDP Act has moved past the draft stage. MeitY notified the Digital Personal Data Protection Rules 2025 on 13 November 2025, and the Gazette carried them the next day, which converted the January 2025 draft into binding law and set an 18-month clock running. That clock ends on 13 May 2027, the date by which full substantive compliance is due. The Data Protection Board of India already exists and functions, so a data principal can file a complaint today. There is no distant switch-on moment to wait for.

This guide is written for the DPO, CISO, or compliance lead who has to turn that timeline into a working programme. It sets out what the DPDPA and the DPDP Rules 2025 actually require, the phased dates that matter, the penalties that make the deadline real, and a practical sequence for getting an enterprise ready. Every figure and date here comes from the notified Rules and the Act itself, not from projection.

What Changed, and What Is Already In Force

Presidential assent came on 11 August 2023, but the Act was written to commence in stages set by government notification. The November 2025 Rules activated the first of those stages. The institutional machinery is now live: the Data Protection Board of India is established as the digital, quasi-judicial authority that investigates complaints and imposes penalties, and the core definitions and rule-making provisions are in force.

The operational obligations sit ahead: the parts that force enterprises to change how they collect, store, and delete personal data. Most businesses have not built these yet, and the readiness gap is wide. An EY survey of more than 150 professionals across sectors found that close to 70% were not very familiar with the Act and Rules. More than 81% had not updated or drafted DPDP-aligned privacy policies. Over 83% had not begun comprehensive implementation. The law is operative. Most organisations are behind it.

The Phased Timeline That Governs Your Programme

The Rules follow a three-phase, gated rollout. Knowing which obligations bite when is what separates a calm programme from a last-minute scramble.

Phase 1, from November 2025, brought the Data Protection Board, the statutory definitions, and the rule-making framework into force. This phase imposes no direct compliance burden on most enterprises, but it means the enforcement structure exists.

Phase 2, at the 12-month mark around 13 November 2026, opens the consent manager registration framework. A consent manager under the DPDPA is a specific regulated entity, an Indian-incorporated company with a minimum net worth of ₹2 crore, that acts as a single interface for a data principal to give, manage, review, and withdraw consent across multiple fiduciaries.

Phase 3, at the 18-month mark on 13 May 2027, is when full substantive compliance becomes enforceable. Compliant notice and consent, security safeguards, breach reporting, data principal rights, retention limits, and significant data fiduciary duties all have to be operational by this date. There is no indication of an extended grace period, because the Board is already functioning.

 DPDP compliance guide 2026

The Core Concepts You Have To Get Right

The DPDPA uses its own terminology, and using it correctly is the first sign of a serious programme. A data fiduciary is the entity that decides the purpose and means of processing personal data. A data principal is the individual the data relates to; for children under 18 and persons with disabilities who have a lawful guardian, rights are exercised by the parent or guardian. A data processor handles data on the fiduciary's behalf, and the fiduciary stays accountable for what the processor does. A significant data fiduciary is a fiduciary the Central Government designates based on the volume and sensitivity of data processed and the risk it poses, and it carries added duties.

The DPDPA is consent-centric and, unlike the GDPR, it does not recognise "legitimate interest" as a lawful basis. Consent has to be free, specific, informed, unconditional, and unambiguous, given through clear affirmative action. The Act does define a category of legitimate uses, covering specific circumstances such as certain government functions, legal compliance, employment-related purposes, and medical emergencies, but these are narrow and defined, not a general-purpose alternative to consent. For a fuller comparison of where the two regimes diverge, the guide to DPDP versus GDPR for Indian businesses is a useful reference, and the core principles of data privacy under DPDP set out the foundations the rest of the programme rests on.

The Obligations, Broken Down

Every fiduciary has to give a data principal a clear, standalone notice before or at the point of collection, itemising what data is collected, for what purpose, and how to withdraw consent and raise a grievance. Bundled, blanket consent no longer works. Each purpose needs its own consent. Legacy data adds a wrinkle. Under the transitional framework, data collected before the Act can continue to be processed if a compliant notice is issued to those data principals. But historical consent that fails today's standard of being free, specific, informed, and unambiguous should be treated as a risk to remediate, and it will not hold up as a permanent basis. The different types of consent under DPDP rules explain how these categories work in practice.

Data Principal Rights

The Act gives individuals the right to access a summary of their data and its processing, the right to correction and erasure, the right to grievance redressal, the right to nominate someone to exercise their rights, and the right to withdraw consent at any time. Withdrawal does not undo prior lawful processing, but from that point processing must stop unless another lawful basis applies. Rights requests have to be actioned within the timelines set in the Rules, with grievance redressal completed within 90 days. Servicing these reliably is real operational work, because it depends on knowing where a person's data lives across every system. That is why handling data principal requests belongs in the engineering roadmap, not just the legal one.

Security Safeguards And Breach Notification

Fiduciaries must implement reasonable security safeguards. Failure to do so carries the highest penalty in the schedule. On discovering a personal data breach, the fiduciary follows a two-stage notification under Rule 7: notify the Data Protection Board, then notify affected data principals within 72 hours, describing the breach, the data involved, the likely consequences, the mitigation taken, and the steps individuals can take. There is no materiality threshold, so the obligation applies broadly. Build the 72-hour breach notification workflow before an incident, because improvising it during one is how the notification penalty gets triggered. The guide to incident management under DPDP sets out how that response is structured.

Retention And Deletion

The Rules lock in a minimum retention obligation: personal data, traffic data, and processing logs must be kept for at least one year. Certain large platforms named in the schedules, including significant e-commerce, gaming, and social media entities, must retain user data for three years after the last interaction. Sectoral regulators such as the RBI, SEBI, and authorities under anti-money-laundering law often impose longer retention periods, and where they do, the longer timeline prevails. Past those floors, data has to be deleted once its purpose is served. Meeting that at scale needs automated deletion tied to a live data map, since a manual annual clean-up cannot keep pace.

Children's Data

Processing the data of anyone under 18 requires verifiable parental consent, and the Rules specify approved verification methods, including integration with DigiLocker to confirm a parent's identity. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited. The children's-data obligation carries a penalty of up to ₹200 crore, the same tier as breach-notification failure.

The Penalties That Make The Deadline Real

Maximum penalties are set by category in the Schedule to the DPDP Act. Failure to implement reasonable security safeguards under Section 8(5) attracts up to ₹250 crore. Failure to notify the Board or affected data principals of a breach attracts up to ₹200 crore, as does non-compliance with the children's-data provisions. Failure to meet the additional obligations of a significant data fiduciary attracts up to ₹150 crore. General non-compliance attracts up to ₹50 crore, and breach of a data principal's own duties is capped at ₹10,000.

The structural point that changes the risk calculus is that penalties are assessed per violation and can stack. A single mishandled breach can trigger both the security-safeguard penalty and the notification penalty at once, so combined exposure from one incident can run well above the headline ₹250 crore figure. This is why the true cost of a compliance breach is rarely a single line item.

A Practical DPDP Implementation Sequence

The order of work decides whether a programme holds together. A workable 18-month sequence, consistent with how experienced practitioners phase these projects, runs as follows.

First, in the assessment stage, discover and map personal data across every system, application, database, and vendor, then classify it by sensitivity. You cannot write an accurate notice, service a rights request, scope a breach, or enforce retention on data you have not located. This is why data discovery, mapping, and governance are treated as the foundation of DPDP compliance, and why building a record of processing activities is usually the first concrete deliverable.

Second, in the core implementation stage, rebuild consent notices to be standalone, purpose-specific, and versioned, stand up data principal rights workflows, implement security safeguards and access controls, and bind processors contractually. Third, in the validation stage, automate deletion and retention, conduct impact assessments where processing is high risk, and test the breach response end to end. A structured view of this is set out in the 90-day implementation guide for Indian enterprises, which is a useful accelerant for the first phase.

Done in this order, each step feeds the next. Done in reverse, starting with a policy rewrite and hoping the data plumbing catches up, the programme produces the evidence gaps a regulator looks for.

Where A Platform Fits

The obligations above share one dependency: continuous visibility into personal data, consent, and risk across the enterprise. Manual spreadsheets do not survive the scale or the audit expectations. Privy's DPDPA compliance platform brings consent management, data principal rights, breach response, and personal data discovery into one system, and its Data Compass discovery module builds the data map that notice, rights, retention, and breach scoping all depend on. For teams weighing whether to assemble this in-house or deploy a platform, the build versus buy analysis for DPDP compliance sets out the trade-offs, and the comparison of DPDP platforms and privacy automation tools covers the market.

Conclusion

By 2026, the DPDP question has shifted. It is not whether the law applies to you but whether you will be ready when enforcement begins on 13 May 2027. The Rules are notified. The Board is live. The penalties are large, and they stack. Enterprises that treat the 18-month runway as a real project plan will get there: discover and map data first, rebuild consent and rights on top of it, harden security and breach response, then automate retention. Wait too long, and you meet the first complaints already in remediation mode.

If you are building or auditing a DPDP programme and want to see how consent, data principal rights, breach response, and personal data discovery fit together in one platform, reach out at shivani@idfy.com to book a demo.

  • MeitY / PIB press release on the DPDP Rules 2025 notification (13 November 2025), for the phased timeline and penalty overview: PIB release
  • The DPDP Act commencement notification, Gazette G.S.R. 843(E) dated 13 November 2025, which sets out the immediate, 12-month, and 18-month commencement dates: MeitY Gazette notification (PDF)
  • The Digital Personal Data Protection Rules 2025, notified vide Gazette G.S.R. 846(E), for Rule 3 (notice), Rule 4 (consent manager registration at 12 months), Rules 3 and 5 to 16 (substantive obligations at 18 months), Rule 7 (breach notification), Rule 10 (children's data), and the retention schedules: DPDP Rules 2025 official text (English, PDF)
  • The MeitY landing page for the notified Rules, as the canonical government source: MeitY DPDP Rules 2025
  • EY India, "India's data privacy shift: steering the DPDP compliance and readiness" (June 2026), for the enterprise readiness survey figures: EY India report

FAQ's

When does the DPDPA become fully enforceable? 

The DPDP Rules 2025 were notified on 13 November 2025. Full substantive compliance is due by 13 May 2027, the 18-month mark. Consent manager registration opens around November 2026, and the Data Protection Board is already operational.

What are the maximum penalties under the DPDPA? 

Up to ₹250 crore for failing to maintain reasonable security safeguards, ₹200 crore each for breach-notification and children's-data failures, ₹150 crore for significant data fiduciary failures, and ₹50 crore for general non-compliance. Penalties are per violation and can stack.

Does the DPDPA recognise legitimate interest as a basis for processing?

 No. Unlike the GDPR, the DPDPA does not allow legitimate interest. Consent is the primary basis, and it must be free, specific, informed, unconditional, and unambiguous. A narrow set of defined "legitimate uses" exists for specific circumstances.

How long do we have to notify a data breach? 

On discovering a breach, notify the Data Protection Board, then notify affected data principals within 72 hours under Rule 7. There is no materiality threshold, so the obligation applies to breaches broadly.

Is prior consent from existing customers still valid? 

Data collected before the Act can continue to be processed if a compliant notice is issued to those data principals. Historical consent only remains a safe basis if it already meets the DPDPA standard, which older sign-up flows rarely do, so legacy consent should be remediated over time.

Who has to appoint a Data Protection Officer?

 A DPO is a mandatory requirement for significant data fiduciaries. Other fiduciaries are not strictly required to appoint one, though larger organisations typically designate a clear owner given the scale of the obligations.


DPDP board agenda framework for privacy readiness in India
DPDP Rules

DPDP readiness is no longer a legal exercise it’s board's responsibility. Governance, maturity, roadmap, full-stack privacy execution. Privy by IDfy