A Founder's Guide to the DPDP Act Compliance Timeline

12 May 2026 · 7 min read · By Sammati

Founders keep asking the same two questions about India's Digital Personal Data Protection Act, 2023: "Is it actually in force?" and "How long do I have?" The honest answer is that DPDP arrives in phases, and the dates that matter are now on the calendar. Here is the timeline, decoded, and what to do in each window.


The three dates that matter

  • August 2023 — the DPDP Act is enacted, but with commencement left to later notification.
  • 13 November 2025 — the DPDP Rules, 2025 are notified (Gazette G.S.R. 846(E)), with a staggered commencement.
  • 13 May 2027 — eighteen months after notification, the bulk of the substantive obligations come into force.

What to do: Put 13 May 2027 in your board calendar as the date the core obligations bite, and work backwards from it.


Why the Act sat dormant for two years

Passing a law and switching it on are different acts. The 2023 Act deliberately deferred its own commencement to "such date as the Central Government may appoint," and left the operational detail — how notices must read, how breaches are reported, how Consent Managers register — to Rules. Until those Rules were notified in November 2025, there was little a company could concretely comply *with*.

What to do: Don't treat the gap as a reason to wait. The Rules are now notified; the requirements are knowable; the runway is finite.


The commencement schedule, decoded

The Rules switch on in stages rather than all at once:

| Window | What comes into force | What it means for you |
| --- | --- | --- |
| 13 Nov 2025 | Definitions and the provisions standing up the Data Protection Board | The regulator and framework exist |
| Around Nov 2026 | The Consent Manager registration framework (Rule 4) | Intermediaries can register with the Board |
| 13 May 2027 | Notice and consent, security, breach reporting, retention, Data Principal rights, children's-data and SDF obligations | The substantive compliance regime is live |

What to do: Map your build plan to these windows. Nothing forces you to wait until 2027 — and the leading companies will be compliant well before it.


What "substantive obligations" actually includes

When the 13 May 2027 provisions land, you will need:

  • Itemised notices and valid consent (§5, §6; Rule 3)
  • Reasonable security safeguards (Rule 6)
  • Breach reporting to the Board within 72 hours and to affected individuals without delay (§8(6); Rule 7) — see breach reporting
  • Retention limits and erasure (§8(7); Rule 8)
  • Data Principal rights — access, correction, erasure, grievance (§11–§13) — see Data Principal rights
  • Children's-data protections (§9; Rule 10)
  • Additional SDF duties for designated fiduciaries (§10; Rule 13)

What to do: Use this as your gap-analysis checklist. Score where you stand on each line today.


What to do now vs later

Do now (the foundation):

  • Map your data and purposes — you cannot consent, retain, or fulfil rights for data you haven't inventoried.
  • Publish a grievance contact — a published contact and redressal mechanism is low-effort and expected (§8(9); Rule 9). See the Grievance Officer guide.
  • Fix your consent capture — unbundle purposes, drop pre-ticked boxes, block trackers until opt-in.
  • Assess SDF exposure — if you are a credible SDF candidate, the additional duties take longest to build.

Build through 2026 (the machinery):

  • Stand up rights-fulfilment and breach-response workflows and drill them
  • Put DPAs in place with every processor and sub-processor
  • Implement retention schedules and automated erasure

What to do: Sequence foundation first, machinery second — and treat the 2027 date as a deadline you beat, not one you scramble toward.


A note for early-stage founders

You do not need to become a registered Consent Manager to comply — that is a separate, regulated business model. What you need is a consent management platform and sound process. The distinction matters; see CMP vs Consent Manager.


What being unready by May 2027 actually costs

The phased timeline is generous, but the cost of treating it as "future work" is easy to underestimate. The risk is not only the penalty ceilings — up to ₹250 crore for a security-safeguards failure leading to a breach. It is the operational reality that the obligations are interdependent and slow to build.

You cannot honour an access request without a data inventory. You cannot meet the 72-hour breach window without a drilled runbook. You cannot capture valid consent without re-working signup, checkout, and cookie flows. Each of these takes months and touches engineering, legal, and operations — they are not a switch you flip in April 2027.

There is also pressure that arrives before the deadline. Enterprise customers, investors, and partners increasingly ask for DPDP posture in due diligence today, regardless of commencement. A "we'll start in 2027" answer loses deals now.

What to do: Use the runway as runway. Sequence the foundation work — data mapping, grievance contact, consent capture, SDF assessment — across 2026, and aim to be operationally compliant well before May 2027 rather than scrambling toward it.


Frequently asked questions

Is the DPDP Act in force right now?

Partly. The framework provisions — definitions and the establishment of the Data Protection Board — took effect when the Rules were notified on 13 November 2025. The substantive obligations most businesses care about commence on 13 May 2027.

What single date should I plan around?

13 May 2027. That is when notice and consent, security safeguards, breach reporting, retention limits, Data Principal rights, children's-data protections, and SDF duties come into force together.

Can anything be enforced before 2027?

The Board and the legal framework exist now, and the Consent Manager registration regime opens around November 2026. But the core compliance duties — and the build work behind them — are oriented to the 2027 commencement. Treat it as a deadline to beat, not a reason to wait.

Are the penalties live yet?

The penalty ceilings (up to ₹250 crore) attach to the substantive obligations. As those commence in 2027, the practical enforcement exposure scales with them. Confirm the exact commencement of the penalty and adjudication provisions with counsel.

What should we actually do in 2026?

Map your data and purposes, publish a grievance contact, fix consent capture, put DPAs in place, and assess SDF exposure. The foundation work takes months — starting now is the point of the runway.

Does the staggered timeline mean smaller companies get more time?

No. Commencement is tied to the type of provision, not the size of the company. A small fiduciary and a large one both face the substantive obligations from 13 May 2027. Smaller teams simply have fewer hands to do the work, which is an argument for starting earlier, not later.


How Sammati helps

Sammati is a consent management platform (CMP) and Data Processor — not a registered Consent Manager — that helps you hit each milestone:

  • Notice and consent capture ready for the Rule 3 itemised-notice standard
  • Rights, grievance, and breach workflows aligned to the 2027 obligations
  • Immutable, hash-chained consent records and audit-ready exports
  • BYOC / in-VPC deployment for data-residency-sensitive teams

Take the free DPDP assessment to score your readiness, or talk to a DPDP expert.
