DPDP Act Timeline: Every Date That Matters
The complete timeline
| Date | Event |
|---|---|
| 11 August 2023 | DPDP Act, 2023 receives Presidential assent |
| 3 January 2025 | Draft DPDP Rules released for public consultation |
| 13 November 2025 | DPDP Rules, 2025 notified (G.S.R. 846(E)); Data Protection Board provisions effective immediately |
| November 2026 | Consent Manager framework becomes operational (12-month mark) |
| 13 May 2027 | All remaining obligations enforceable — the hard compliance deadline (18-month mark) |
What is enforceable right now (mid-2026)?
The Data Protection Board of India exists and is operational — complaints can be filed and the institutional machinery is live. Substantive obligations on Data Fiduciaries (consent, notice, safeguards, breach notification, data principal rights) are in the transition window and become enforceable on 13 May 2027. Treat the window as implementation time: regulators consistently signal that "we were waiting for the deadline" will not be a defence for unpreparedness.
A quarter-by-quarter preparation plan to May 2027
- Q3 2026 — Data mapping: inventory every place personal data lives, including document stores, email attachments and shared drives, not just databases. Identify every third-party tool that touches personal data.
- Q4 2026 — Legal groundwork: rewrite privacy notices to the itemised standard, put Data Processor contracts in place, define retention schedules, designate a grievance contact (and check whether you may be notified as a Significant Data Fiduciary).
- Q1 2027 — Technical controls: encryption at rest/in transit, access control and logging, verified erasure capability, and a tested breach-notification runbook with drafted templates.
- Q2 2027 (before 13 May) — Dry run: simulate a data-principal access request and a breach scenario end to end; fix what fails; document everything you did.
Documents are data too
Compliance projects tend to focus on databases and forget documents. A folder of client PDFs containing PAN numbers, addresses and bank details is personal data at rest — subject to the same security-safeguard, retention and erasure obligations.
Fix your document workflow first
The cheapest safeguard is not transmitting personal data at all. EverydayPDF processes documents entirely in your browser — an easy win to log in your compliance register.
See the full checklistFrequently asked questions
Is the DPDP Act in force today?+
Partly. The Data Protection Board provisions have been in force since 13 November 2025. The substantive obligations for organisations become enforceable on 13 May 2027, with consent-manager provisions arriving in November 2026.
Why is 13 May 2027 called the hard deadline?+
It is 18 months from the notification of the DPDP Rules 2025, the date all remaining provisions commence. From then on the Data Protection Board can penalise non-compliance — up to ₹250 crore for security-safeguard failures.
What happened to the older SPDI Rules 2011?+
The Information Technology (Reasonable Security Practices) Rules, 2011 — the SPDI Rules — remain the operative privacy framework until the corresponding DPDP provisions fully commence, after which the DPDP regime supersedes them for digital personal data.
Will small businesses get more time?+
The Act allows the government to notify different application of certain provisions for classes like startups and MSMEs, but no blanket extension of the May 2027 deadline has been notified. Plan for the standard timeline unless a specific exemption covering you is published.
Continue reading
DPDP Rules 2025
The rules that switched the Act on — notification, phased commencement, and the 13 May 2027 hard deadline.
Compliance checklist
Twelve concrete steps — from data mapping to breach drills — sized for firms without a compliance department.
What is the DPDP Act?
India's first comprehensive data protection law, explained in plain English — definitions, scope, rights and duties.
Penalties under DPDP
The full fine schedule — from ₹10,000 for individuals to ₹250 crore for security-safeguard failures.
This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.
