Home/Resources/DPDP Rules 2025 Compliance Checklist: Every Deadline Between Now and May 2027
Digital & E-Commerce Legal Support7 MIN READLast updated: July 2026

DPDP Rules 2025 Compliance Checklist: Every Deadline Between Now and May 2027

There is a particular kind of email that lands in a founder’s inbox these days. It comes from an enterprise customer, it has a subject line like “Vendor compliance questionnaire,” and somewhere on page three it asks: “Please confirm your organisation’s compliance status under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.”

DPDP Rules 2025 Compliance Checklist: Every Deadline Between Now and May 2027 article image

Quick Answer

There is a particular kind of email that lands in a founder’s inbox these days. It comes from an enterprise customer, it has a subject line like “Vendor compliance questionnaire,” and somewhere on page three it asks: “Please confirm your organisation’s compliance status under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.” The honest answer for most Indian companies right now is “we are working on it.” This article turns that vague answer into a dated plan. We will walk through the phased timeline the government has set, what became applicable the moment the Rules were notified, what lands in November 2026, and the big bang of obligations arriving on 13 May 2027. Print the checklist at the end, stick it next to your OKRs, and you will be ahead of most of the market.

  • The DPDP Rules 2025 give you a dated, phased runway that ends on 13 May 2027. The regulator already exists, the penalties are large, and the work, from data census to consent plumbing to breach drills, takes quarters rather than weeks. Companies that start now will treat May 2027 as a formality. Companies that wait will meet the Data Protection Board under worse circumstances.
DPDP Rules 2025 Compliance Checklist: Every Deadline Between Now and May 2027 supporting image
Related documentation

The story so far, in three sentences

Parliament passed the DPDP Act in August 2023, but a law without rules is a car without keys. On 13 November 2025 the government notified the DPDP Rules, 2025, publishing them in the Gazette and starting a phased countdown. Some provisions took effect immediately, some arrive twelve months after notification, and the core operational obligations become enforceable eighteen months after notification, on 13 May 2027. That last date is the one to circle. It is not a suggestion. From that day, the Data Protection Board of India can receive complaints against your business and impose penalties that run up to 250 crore rupees for the most serious failures.

Phase one: in force now

The moment the Rules were notified, the machinery came alive. The Data Protection Board of India, the body that will hear complaints and impose penalties, was constituted and made operational as a digital first tribunal. The definitional and administrative provisions of the Act took effect alongside it. What this means for you today is simple but easy to miss: the regulator now exists. The grace period is for building your compliance program, not for pretending the law is theoretical. Enterprise customers, investors running due diligence, and insurers are already asking DPDPA questions precisely because the Board is real. Your phase one checklist looks like this. Map every category of personal data your business collects, where it sits, who touches it, and why you have it. Lawyers call this a data inventory or record of processing, but it is really just an honest census. Identify your role: are you a Data Fiduciary deciding the purpose of processing, or a processor acting on someone else’s instructions? Assign an internal owner for DPDPA compliance, even if it is a founder wearing one more hat. And start reviewing your privacy notice, because the notice requirements in the Rules are specific and most existing policies fail them.

Phase two: November 2026, consent managers arrive

Twelve months from notification, so from 13 November 2026, the provisions governing Consent Managers come into force. A Consent Manager is a new kind of registered platform that lets individuals give, review, and withdraw consent across many services from one dashboard, a bit like a UPI app but for permissions instead of payments. Unless your business plans to become a Consent Manager, you do not need to register. But you should watch this space for two reasons. First, once Consent Managers exist, users will have an easy, standardised way to withdraw consent, and your systems must be able to honour those withdrawals. Second, integrating with Consent Managers may become a market expectation in sectors like fintech and health tech well before it becomes a legal one. Your phase two checklist: confirm your consent records are structured well enough to interoperate with an external platform, and make sure withdrawal of consent actually switches off processing in your systems rather than just updating a database flag nobody reads.

Phase three: 13 May 2027, everything else

Eighteen months from notification, the heart of the law becomes enforceable. Here is what must be working on that day, described in plain language. Notice and consent. Every point where you collect personal data must present a clear notice, in plain language, itemising what data you collect and for what purpose, and consent must be free, specific, informed, and unambiguous. The Rules push for availability in English and the languages of the Eighth Schedule to the Constitution, so a Gujarati user should be able to read your notice in Gujarati. Data principal rights. Individuals get enforceable rights to access a summary of their data, correct it, erase it when the purpose is spent, nominate someone to exercise rights on their death or incapacity, and have grievances addressed. The Rules require you to respond to grievances within a defined window, and ninety days is the outer limit you should build around. Breach reporting. When a personal data breach happens, you must inform every affected individual without delay, in plain language, telling them what happened and what they can do. You must also notify the Data Protection Board promptly, with a detailed follow up report within seventy two hours. Notice the difference from older Indian rules: users must be told, not just the regulator. Retention and erasure. You cannot keep personal data forever on the theory that storage is cheap. When the purpose is served and no law requires retention, data must go. For large platforms meeting specified user thresholds, the Rules add specific timelines after which dormant user data must be erased, with an advance warning to the user before deletion. Children’s data. Processing a child’s data requires verifiable parental consent, and tracking, behavioural monitoring, and targeted advertising directed at children are off limits. If your product has any chance of attracting users under eighteen, this workstream is urgent and technical. Significant Data Fiduciaries. Companies designated as SDFs by the government must by this date have an India based Data Protection Officer reporting to the board, an independent data auditor, and periodic Data Protection Impact Assessments. If you suspect you are an SDF candidate, our article on the classification criteria explains the tests.

A worked example: how one company sequenced it

Consider a mid size D2C brand we will call Kesar Foods, selling across India through its own app. In early 2026 it ran a data census and found seventeen tools holding customer data, from its CRM to a forgotten survey platform. By mid 2026 it had cut that to nine, rewritten its privacy notice at a class eight reading level, and rebuilt its signup flow to collect purpose specific consent. In late 2026 it tested consent withdrawal end to end and discovered, usefully, that its email tool kept mailing people who had opted out. It fixed that, documented a breach response runbook, and walked into 2027 needing only rehearsals rather than surgery. Nothing in that story required heroics. It required starting eighteen months early.

Can AI help with DPDPA compliance?

Genuinely yes, in specific lanes. AI tools are very good at the census work: scanning systems to discover where personal data lives, classifying it, and flagging redundant copies. They can draft privacy notices in multiple Indian languages, monitor your consent logs for anomalies, and simulate breach scenarios. Used well, AI can compress months of compliance groundwork into weeks. But there are hard limits. Deciding whether your legal basis for a given processing activity holds up, whether a marketing use needs fresh consent, or how to respond when the Data Protection Board comes calling are judgment calls that carry legal liability, and the liability stays with you, not the software. AI also does not yet have reliable, settled interpretations of a law this young, so it can hallucinate obligations or, worse, invent safe harbours that do not exist. Let AI do the mapping and the drafting, and let a qualified human make the calls and sign off.

The checklist, all on one page

Now: complete a data inventory, appoint an internal compliance owner, publish a data queries contact, review vendor contracts for data protection clauses. By late 2026: rewrite notices and consent flows, implement working consent withdrawal, structure consent records for Consent Manager interoperability, build and test a breach response plan, set retention schedules with actual deletion. Before 13 May 2027: verify parental consent flows if children can use your service, finalise grievance workflows within the ninety day outer limit, complete SDF self assessment, and if you are an SDF candidate, appoint your India based DPO, engage a data auditor, and complete your first impact assessment.

When to Review This

  • The DPDP Rules 2025 give you a dated, phased runway that ends on 13 May 2027. The regulator already exists, the penalties are large, and the work, from data census to consent plumbing to breach drills, takes quarters rather than weeks. Companies that start now will treat May 2027 as a formality. Companies that wait will meet the Data Protection Board under worse circumstances.

Disclaimer

This article is for general information only and is not legal advice. Compliance obligations depend on your specific facts, so take professional advice before acting.

CLARITY

Common Questions

When do the DPDP Rules 2025 come into force?

In phases. Administrative provisions and the Data Protection Board took effect on notification in November 2025, Consent Manager provisions arrive on 13 November 2026, and all core operational obligations become enforceable on 13 May 2027.

Is my startup exempt from the DPDP Act?

No general exemption exists for startups. The government can notify limited relaxations for certain classes of companies, and purely personal or household processing is outside the Act, but a business processing customer data in digital form is covered.

What happens if we miss the May 2027 deadline?

From that date the obligations are enforceable and complaints can lead to penalties, which run up to 200 crore rupees for breach notification failures and up to 250 crore rupees for failing to maintain reasonable security safeguards.

Do the Rules apply to data collected before 2027?

Yes. For personal data collected before the law bites, you must provide notice to users as soon as reasonably practicable, and their rights to erasure and grievance redressal apply to that legacy data too.

Does DPDPA apply to paper records?

The Act covers personal data in digital form, and non digital data that is subsequently digitised. A purely paper file that never gets scanned sits outside it, which for any modern business is a vanishingly small category.

Need Help with DPDP Rules 2025 Compliance Checklist: Every Deadline Between Now and May 2027?

Contact Tirth Inamdar at Inamdar Legal for customized assistance on your specific requirements.

EXPLORE MORE

Related Resources

View All Resources

Related Services

Digital & E-Commerce Legal Support

Website Agreements

Website terms and legal documentation support for online businesses.

Digital & E-Commerce Legal Support

Terms and Conditions

Terms and conditions drafted for clear online use.

Digital & E-Commerce Legal Support

Privacy Policy

Privacy policy drafting support for websites and apps.

Digital & E-Commerce Legal Support

E-Commerce Legal Documentation

Legal documentation support for e-commerce operations.