I remember sitting in a client meeting in October 2025 when the CEO asked me, "So when do we actually have to comply?" I told him the rules could drop any week. He laughed. Three weeks later, the DPDP Rules were notified on November 13, 2025.
He was not laughing anymore.
After two years of waiting, speculation, and draft after draft, India finally has its operational data protection rules. The Digital Personal Data Protection Rules, 2025 give teeth to the DPDP Act, 2023. They spell out exactly what businesses must do, by when, and how the Data Protection Board of India will enforce it.
I have been fielding calls non-stop since. The same question every time — what do we need to do, and when? So here is the complete timeline, broken down by phase, with practical advice on what to prioritise.
The Three-Phase Rollout: Why It Matters
The government did something smart. Instead of enforcing everything at once and watching companies panic, they split compliance into three phases. Each phase activates different obligations. Miss a phase, and you are already non-compliant when the next one hits.
Here is the full picture.
Phase 1: November 13, 2025 — The Foundation
This phase is already active. If you have not started, you are behind.
Phase 1 established the Data Protection Board of India (DPBI). The Board is now operational with its head office in the NCR, and it is building out the digital infrastructure to accept complaints and conduct adjudication proceedings.
What this means for you: the enforcement body exists. It is real. It has staff, a mandate, and the power to impose penalties up to 250 crore rupees per violation under Section 33 of the Act.
Even though most day-to-day compliance obligations kick in later, the Board can already receive complaints. I have told every client — start treating this seriously from day one. When the Board asks for evidence of your compliance efforts, you want to show a paper trail that started in 2025, not a rushed implementation from 2027.
What You Should Have Done Already
- Appointed an internal data protection lead (does not have to be a full DPO yet)
- Started a data inventory — what personal data you collect, where it sits, who processes it
- Reviewed your vendor contracts for data processing clauses
- Run a gap assessment against the DPDP Act requirements
Phase 2: November 13, 2026 — Consent Managers Go Live
This is the next big milestone, and it is only seven months away.
Phase 2 activates the Consent Manager framework. Under Rule 4, organisations can register as Consent Managers — third-party intermediaries that manage consent on behalf of Data Principals (your customers, employees, users).
Think of it like the Account Aggregator framework but for consent. A Data Principal could use a registered Consent Manager to see every company that holds their consent, revoke consent with a single action, and manage their data rights across platforms.
Why This Changes Everything
Right now, consent is scattered. A customer has given consent to maybe 200 different apps and websites, and they have no easy way to track or manage any of it. Consent Managers fix that.
For businesses, this means your consent mechanism has to be machine-readable and interoperable. You cannot rely on a buried checkbox in your terms page anymore. If a Consent Manager sends you a revocation request on behalf of a Data Principal, you must honour it — promptly.
I am already seeing early-stage companies building Consent Manager platforms. If you are a Data Fiduciary, start preparing your systems to integrate with these platforms before November 2026.
What You Should Do Before November 2026
- Audit your current consent collection mechanism — is consent granular, specific, and easy to withdraw?
- Build an API or standardised process for receiving third-party consent queries and revocations
- Update your privacy notice to reference Consent Manager rights under the Rules
- Map every consent you hold to a specific, documented purpose
- Test your consent withdrawal flow — can a user actually revoke consent in one click?
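To make the checklist above concrete, here is an added Python example (not code from this post, and not any interface defined by the Rules or by an actual Consent Manager) of a purpose-bound consent ledger that a Data Fiduciary could sit behind its revocation endpoint. It records every grant and withdrawal rather than deleting anything, so the paper trail survives; it answers the processing-time question "is this purpose still permitted for this principal?"; it withdraws every purpose in one action when a revocation arrives with no purpose named; and it exposes a machine-readable export a third party could query. The JSON message schema, the field names `consent_manager_id`, `principal_id`, `action` and `purpose`, and the sample principals and purposes are assumptions made up for illustration.

```python
"""Added example: a purpose-bound consent ledger that honours third-party revocation
requests. The message format and field names are invented for illustration."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: str
    source: str                          # who recorded it: "web-checkout", "consent-manager:cm-001", ...
    withdrawn_at: Optional[str] = None
    withdrawn_via: Optional[str] = None


class ConsentLedger:
    """One record per (data principal, purpose, grant). Withdrawal is recorded, never
    deleted, so the history is available as evidence later."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentRecord]] = {}
        self.audit: list[dict] = []      # append-only trail of every change

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def _log(self, event: str, principal: str, purpose: Optional[str], source: str) -> None:
        self.audit.append({"at": self._now(), "event": event, "principal": principal,
                           "purpose": purpose, "source": source})

    def grant(self, principal: str, purpose: str, source: str) -> None:
        # A fresh grant after a withdrawal is a new record; the old one keeps its withdrawn_at.
        self._records.setdefault(principal, []).append(
            ConsentRecord(purpose=purpose, granted_at=self._now(), source=source))
        self._log("grant", principal, purpose, source)

    def is_permitted(self, principal: str, purpose: str) -> bool:
        """Processing-time check: true only if an active consent exists for this exact purpose."""
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(principal, []))

    def withdraw(self, principal: str, purpose: Optional[str], via: str) -> int:
        """Withdraw one purpose, or every purpose when purpose is None (the one-action case).
        Returns how many records were withdrawn; repeating a withdrawal changes nothing."""
        count = 0
        for r in self._records.get(principal, []):
            if r.withdrawn_at is None and (purpose is None or r.purpose == purpose):
                r.withdrawn_at, r.withdrawn_via = self._now(), via
                count += 1
        self._log("withdraw", principal, purpose, via)
        return count

    def export(self, principal: str) -> dict:
        """Machine-readable view a consent manager could query (assumed shape)."""
        return {"principal": principal,
                "consents": [{"purpose": r.purpose, "active": r.withdrawn_at is None,
                              "granted_at": r.granted_at, "withdrawn_at": r.withdrawn_at}
                             for r in self._records.get(principal, [])]}


def handle_consent_manager_message(ledger: ConsentLedger, raw: str) -> dict:
    """Process one JSON message from a consent manager. The schema is an assumption."""
    msg = json.loads(raw)
    cm, principal = msg.get("consent_manager_id"), msg.get("principal_id")
    if not cm or not principal:
        return {"status": "rejected", "reason": "missing consent_manager_id or principal_id"}
    action = msg.get("action")
    if action == "revoke":
        withdrawn = ledger.withdraw(principal, msg.get("purpose"), via=f"consent-manager:{cm}")
        return {"status": "ok", "withdrawn": withdrawn}
    if action == "query":
        return {"status": "ok", **ledger.export(principal)}
    return {"status": "rejected", "reason": f"unknown action {action!r}"}


def demo() -> tuple:
    """Grant two purposes, revoke everything via a constructed consent-manager message,
    then confirm processing for a withdrawn purpose is refused."""
    ledger = ConsentLedger()
    ledger.grant("dp-42", "order-fulfilment", "web-checkout")   # constructed sample data
    ledger.grant("dp-42", "marketing-email", "web-checkout")
    before = ledger.is_permitted("dp-42", "marketing-email")
    reply = handle_consent_manager_message(ledger, json.dumps(
        {"consent_manager_id": "cm-001", "principal_id": "dp-42", "action": "revoke"}))
    after = ledger.is_permitted("dp-42", "marketing-email")
    return before, reply["withdrawn"], after, len(ledger.audit)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `is_permitted` is the only thing your processing code should consult, and it is purpose-specific: consent for order fulfilment does not carry over to marketing, which is the granularity the audit question in the list above is asking about. Because withdrawal returns a count and is idempotent, a consent manager retrying a revocation cannot corrupt the record, and a withdrawal of a consent you never held is logged rather than erroring, which is what you want when the Board later asks what requests you received and when.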
Phase 3: May 13, 2027 — Full Enforcement
This is when the real weight drops. May 2027 is when most day-to-day compliance obligations become enforceable.
Phase 3 covers:
- Notice and consent operations: Every data collection must have a valid, compliant privacy notice and lawful consent
- Breach notification: Mandatory reporting to the Data Protection Board and affected individuals within the prescribed timeline
- Data Principal rights handling: You must have a functioning process for access, correction, erasure, and nomination requests
- Processor contracting: Formal data processing agreements with every vendor that touches personal data on your behalf
- Security safeguards: Demonstrable, reasonable technical and organisational measures
- Children's data: Verifiable parental consent and no behavioural tracking for minors under 18
After May 13, 2027, there is no grace period. The Board can investigate complaints, initiate suo motu proceedings, and impose penalties for non-compliance with any of these obligations.
The 12-Month Countdown Plan
If you start now — April 2026 — you have 13 months until full enforcement. Here is how I am structuring it for my clients:
April–June 2026: Complete data mapping and gap assessment. Know exactly what data you hold, where, why, and on what legal basis. Identify every vendor processing personal data.
July–September 2026: Fix consent flows, update privacy notices, draft data processing agreements for all vendors. Set up a Data Principal rights portal — even a simple ticketing system works.
October–December 2026: Build your breach response plan. Run a tabletop exercise. Implement security controls — encryption at rest, access logging, regular vulnerability scans. Address children's data if applicable.
January–March 2027: Test everything. Run mock Data Principal requests. Simulate a breach and see if your response plan works within the prescribed timeline. Train your team.
April–May 2027: Final audit. Fix gaps. Document everything. The Board will look at your documentation when evaluating compliance — make it thorough.
The Penalties Are Not Abstract Anymore
I keep hearing business owners say "250 crore is for the big guys." That is a dangerous assumption.
Section 33 of the DPDP Act prescribes penalties based on the violation, not the company size. A 50-person startup that fails to report a breach faces the same legal framework as TCS or Infosys. The penalty amount may vary based on severity, but the obligation is identical.
Here is the penalty schedule:
- Failure to implement reasonable security safeguards — up to 250 crore rupees
- Failure to notify the Board and affected individuals of a breach — up to 200 crore rupees
- Non-compliance with children's data obligations — up to 200 crore rupees
- General non-compliance with other provisions — up to 50 crore rupees
The Board also has the power to issue directions, require audits, and restrict data processing. A penalty is painful. A processing restriction can shut you down.
What I Am Telling My Clients Right Now
Stop waiting for "clarity." The rules are clear. The deadlines are published. The Board is operational.
Every week you delay costs more than the week before. Consent mechanisms are not something you bolt on in a weekend. Vendor agreements need negotiation. Breach response plans need testing. Data mapping across a mid-size company takes 4–6 weeks minimum.
Start with the gap assessment. Understand where you stand today versus where the Rules require you to be by May 2027. Then build a roadmap with quarterly milestones.
If you want a quick baseline, use our free DPDP compliance assessment — it takes 10 minutes and gives you a clear score across all major requirements. Better to know your gaps now than discover them during a Board investigation.