Quick Answer
There is a particular kind of email that lands in a founder’s inbox these days. It comes from an enterprise customer, it has a subject line like “Vendor compliance questionnaire,” and somewhere on page three it asks: “Please confirm your organisation’s compliance status under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.” The honest answer for most Indian companies right now is “we are working on it.” This article turns that vague answer into a dated plan. We will walk through the phased timeline the government has set, what became applicable the moment the Rules were notified, what lands in November 2026, and the big bang of obligations arriving on 13 May 2027. Print the checklist at the end, stick it next to your OKRs, and you will be ahead of most of the market.
- The DPDP Rules 2025 give you a dated, phased runway that ends on 13 May 2027. The regulator already exists, the penalties are large, and the work, from data census to consent plumbing to breach drills, takes quarters rather than weeks. Companies that start now will treat May 2027 as a formality. Companies that wait will meet the Data Protection Board under worse circumstances.

The story so far, in three sentences
Parliament passed the DPDP Act in August 2023, but a law without rules is a car without keys. On 13 November 2025 the government notified the DPDP Rules, 2025, publishing them in the Gazette and starting a phased countdown. Some provisions took effect immediately, some arrive twelve months after notification, and the core operational obligations become enforceable eighteen months after notification, on 13 May 2027. That last date is the one to circle. It is not a suggestion. From that day, the Data Protection Board of India can receive complaints against your business and impose penalties that run up to 250 crore rupees for the most serious failures.
Phase one: in force now
The moment the Rules were notified, the machinery came alive. The Data Protection Board of India, the body that will hear complaints and impose penalties, was constituted and made operational as a digital first tribunal. The definitional and administrative provisions of the Act took effect alongside it. What this means for you today is simple but easy to miss: the regulator now exists. The grace period is for building your compliance program, not for pretending the law is theoretical. Enterprise customers, investors running due diligence, and insurers are already asking DPDPA questions precisely because the Board is real. Your phase one checklist looks like this. Map every category of personal data your business collects, where it sits, who touches it, and why you have it. Lawyers call this a data inventory or record of processing, but it is really just an honest census. Identify your role: are you a Data Fiduciary deciding the purpose of processing, or a processor acting on someone else’s instructions? Assign an internal owner for DPDPA compliance, even if it is a founder wearing one more hat. And start reviewing your privacy notice, because the notice requirements in the Rules are specific and most existing policies fail them.
Phase two: November 2026, consent managers arrive
Twelve months from notification, so from 13 November 2026, the provisions governing Consent Managers come into force. A Consent Manager is a new kind of registered platform that lets individuals give, review, and withdraw consent across many services from one dashboard, a bit like a UPI app but for permissions instead of payments. Unless your business plans to become a Consent Manager, you do not need to register. But you should watch this space for two reasons. First, once Consent Managers exist, users will have an easy, standardised way to withdraw consent, and your systems must be able to honour those withdrawals. Second, integrating with Consent Managers may become a market expectation in sectors like fintech and health tech well before it becomes a legal one. Your phase two checklist: confirm your consent records are structured well enough to interoperate with an external platform, and make sure withdrawal of consent actually switches off processing in your systems rather than just updating a database flag nobody reads.
Phase three: 13 May 2027, everything else
Eighteen months from notification, the heart of the law becomes enforceable. Here is what must be working on that day, described in plain language. Notice and consent. Every point where you collect personal data must present a clear notice, in plain language, itemising what data you collect and for what purpose, and consent must be free, specific, informed, and unambiguous. The Rules push for availability in English and the languages of the Eighth Schedule to the Constitution, so a Gujarati user should be able to read your notice in Gujarati. Data principal rights. Individuals get enforceable rights to access a summary of their data, correct it, erase it when the purpose is spent, nominate someone to exercise rights on their death or incapacity, and have grievances addressed. The Rules require you to respond to grievances within a defined window, and ninety days is the outer limit you should build around. Breach reporting. When a personal data breach happens, you must inform every affected individual without delay, in plain language, telling them what happened and what they can do. You must also notify the Data Protection Board promptly, with a detailed follow up report within seventy two hours. Notice the difference from older Indian rules: users must be told, not just the regulator. Retention and erasure. You cannot keep personal data forever on the theory that storage is cheap. When the purpose is served and no law requires retention, data must go. For large platforms meeting specified user thresholds, the Rules add specific timelines after which dormant user data must be erased, with an advance warning to the user before deletion. Children’s data. Processing a child’s data requires verifiable parental consent, and tracking, behavioural monitoring, and targeted advertising directed at children are off limits. If your product has any chance of attracting users under eighteen, this workstream is urgent and technical. Significant Data Fiduciaries. Companies designated as SDFs by the government must by this date have an India based Data Protection Officer reporting to the board, an independent data auditor, and periodic Data Protection Impact Assessments. If you suspect you are an SDF candidate, our article on the classification criteria explains the tests.
A worked example: how one company sequenced it
Consider a mid size D2C brand we will call Kesar Foods, selling across India through its own app. In early 2026 it ran a data census and found seventeen tools holding customer data, from its CRM to a forgotten survey platform. By mid 2026 it had cut that to nine, rewritten its privacy notice at a class eight reading level, and rebuilt its signup flow to collect purpose specific consent. In late 2026 it tested consent withdrawal end to end and discovered, usefully, that its email tool kept mailing people who had opted out. It fixed that, documented a breach response runbook, and walked into 2027 needing only rehearsals rather than surgery. Nothing in that story required heroics. It required starting eighteen months early.
Can AI help with DPDPA compliance?
Genuinely yes, in specific lanes. AI tools are very good at the census work: scanning systems to discover where personal data lives, classifying it, and flagging redundant copies. They can draft privacy notices in multiple Indian languages, monitor your consent logs for anomalies, and simulate breach scenarios. Used well, AI can compress months of compliance groundwork into weeks. But there are hard limits. Deciding whether your legal basis for a given processing activity holds up, whether a marketing use needs fresh consent, or how to respond when the Data Protection Board comes calling are judgment calls that carry legal liability, and the liability stays with you, not the software. AI also does not yet have reliable, settled interpretations of a law this young, so it can hallucinate obligations or, worse, invent safe harbours that do not exist. Let AI do the mapping and the drafting, and let a qualified human make the calls and sign off.
The checklist, all on one page
Now: complete a data inventory, appoint an internal compliance owner, publish a data queries contact, review vendor contracts for data protection clauses. By late 2026: rewrite notices and consent flows, implement working consent withdrawal, structure consent records for Consent Manager interoperability, build and test a breach response plan, set retention schedules with actual deletion. Before 13 May 2027: verify parental consent flows if children can use your service, finalise grievance workflows within the ninety day outer limit, complete SDF self assessment, and if you are an SDF candidate, appoint your India based DPO, engage a data auditor, and complete your first impact assessment.
When to Review This
- The DPDP Rules 2025 give you a dated, phased runway that ends on 13 May 2027. The regulator already exists, the penalties are large, and the work, from data census to consent plumbing to breach drills, takes quarters rather than weeks. Companies that start now will treat May 2027 as a formality. Companies that wait will meet the Data Protection Board under worse circumstances.
Disclaimer
This article is for general information only and is not legal advice. Compliance obligations depend on your specific facts, so take professional advice before acting.

