What every enterprise must do before May 2027.
In August 2023, India passed its first comprehensive data protection law. In November 2025, the operational rules were notified. By May 2027, the law will be fully enforceable — with penalties of up to ₹250 crore per violation.
The Digital Personal Data Protection Act, 2023 — commonly called the DPDP Act — represents the most significant shift in how Indian organisations must handle personal data in the digital era. And yet, across boardrooms and engineering teams, DPDP is still treated as a future concern. That’s a mistake.
Here’s what the Act actually requires, who it applies to, and why the compliance clock is already running.
What is the DPDP Act?
The Digital Personal Data Protection Act is India’s first comprehensive law governing the collection, storage, and processing of digital personal data. It applies to any organisation — regardless of size or sector — that processes the personal data of Indian residents in digital form.
If your organisation operates a customer database, mobile application, HR system, or even an email marketing list — you are classified as a Data Fiduciary under this law. And as a Data Fiduciary, you carry defined, enforceable obligations.
The Act also introduces two other key roles. A Data Principal is the individual whose personal data is being processed — in other words, your customer, user, or employee. A Data Processor is any third party that processes data on behalf of a Data Fiduciary.
The core obligations
At its core, the DPDP Act imposes six interconnected obligations on Data Fiduciaries:
- Obtain explicit, purpose-specific consent before processing personal data. Not a blanket ‘I agree.’ Not a pre-ticked checkbox. Each processing purpose requires its own clear, informed consent.
- Issue clear privacy notices at the point of data collection. The notice must explain what data is being collected, why, what rights the user has, and how to contact your grievance officer — in plain language.
- Enable user rights. Data Principals have the right to access their data, correct it, erase it, and withdraw consent at any time. Your systems must be able to honour these requests within defined timeframes.
- Limit data retention. Personal data cannot be held indefinitely. You must define retention periods, enforce automated deletion, and eliminate unnecessary data retention.
- Notify breaches promptly. Every personal data breach — regardless of severity — must be reported to the Data Protection Board and to affected individuals.
- Maintain grievance redressal. A functioning mechanism, with a real person or team responding within defined timelines.
The enforcement timeline
The DPDP Act is rolling out in three distinct phases, and understanding the timeline is critical to planning your compliance journey.
Phase 1 took effect in November 2025. The Data Protection Board of India — the regulatory body that will enforce the Act — has been established. Administrative provisions are now active.
Phase 2 begins in November 2026. Consent manager registration opens, and Significant Data Fiduciaries face accelerated obligations, including appointing Data Protection Officers and conducting annual audits.
Phase 3 begins in May 2027, when all substantive provisions become fully enforceable: consent mechanisms, privacy notices, breach reporting, data retention, user rights, children’s data protections. Everything.
Most enterprises we speak with are treating May 2027 as a start date rather than a deadline. This is a flawed approach.
The gap between what the Act requires and what most systems can currently deliver is significant. Closing that gap isn’t a policy update — it’s an engineering and operational transformation. Realistically, it takes 12 to 18 months of focused work.
The penalties
The financial consequences of non-compliance are structured and severe:
- Up to ₹250 crore — for failure to implement adequate security safeguards
- Up to ₹200 crore — for failure to notify a data breach
- Up to ₹200 crore — for violations involving children’s data
These are per-violation penalties. If an audit reveals systemic consent failures across multiple product lines, each instance is penalised separately. The cumulative exposure for a large enterprise can run into hundreds of crores.
But the fine is rarely the worst outcome. The Data Protection Board has the authority to issue orders halting data processing while an investigation is underway. For a bank, a payment platform, or any data-dependent business, that kind of operational suspension is an existential risk — far more damaging than the fine itself.
What DPDP compliance actually looks like
Most enterprises get DPDP wrong in the same way. The legal team reads the Act. A revised privacy policy is drafted. A new cookie banner appears on the website. Leadership ticks the compliance box and moves on.
This approach fails the first audit, because compliance under DPDP is not a document — it’s a system capability.
When the Data Protection Board asks for evidence, you need to produce it. Can you show the exact consent record for a specific user, for a specific processing purpose, with the original consent text shown at the time of capture? Can you demonstrate that a user’s erasure request was honoured across every database and third-party system? Can you produce an audit trail of every consent event, every breach response, every data sharing agreement?
If the answer is no, you have a compliance gap — regardless of what your privacy policy says.
The path forward
For enterprises serious about DPDP readiness, the work breaks down into a few clear stages.
Start with a data inventory. Map every application and process that handles personal data. Identify where data lives, how it flows, and who accesses it. You cannot protect what you haven’t mapped.
Next, assess your consent mechanisms. Are they purpose-specific? Are they granular? Is withdrawal as easy as granting? Most current consent flows will need fundamental redesign.
Then, build the infrastructure. Consent management systems, immutable audit ledgers, Data Principal rights portals, automated breach response workflows. This is the most complex and time-intensive phase and cannot be rushed.
Finally, operationalise. Train your teams. Rehearse your breach response. Appoint a Data Protection Officer with real authority. Run your first Data Protection Impact Assessment.
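As an added illustration (not code from the original article), here is a minimal hash-chained consent ledger that shows what the audit evidence described above and the "immutable audit ledger" in this stage look like in practice: one record per Data Principal and processing purpose, the exact consent text captured at the time, withdrawal as a first-class event, and a tamper check over the chain. The identifiers, purposes and sample events are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


class ConsentLedger:
    """Append-only, hash-chained log of consent events.

    Each entry stores the Data Principal, the processing purpose, the action
    (grant or withdraw), a snapshot of the exact consent text shown, a timestamp
    and the hash of the previous entry, so any later edit breaks the chain.
    """

    def __init__(self):
        self.entries = []  # only ever appended to, never rewritten

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, principal, purpose, action, consent_text, ts):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"principal": principal, "purpose": purpose, "action": action,
                "consent_text": consent_text, "ts": ts, "prev": prev}
        body["hash"] = self._digest({k: v for k, v in body.items()})
        self.entries.append(body)
        return body

    def grant(self, principal, purpose, consent_text, ts):
        return self._append(principal, purpose, "grant", consent_text, ts)

    def withdraw(self, principal, purpose, ts):
        return self._append(principal, purpose, "withdraw", None, ts)

    def is_consented(self, principal, purpose):
        # The latest event for this (principal, purpose) pair decides; no event
        # means no consent, so consent for one purpose never implies another.
        state = False
        for e in self.entries:
            if e["principal"] == principal and e["purpose"] == purpose:
                state = e["action"] == "grant"
        return state

    def evidence(self, principal, purpose):
        # Full ordered history for the pair: what an auditor would ask to see.
        return [e for e in self.entries
                if e["principal"] == principal and e["purpose"] == purpose]

    def verify(self):
        # Recompute every hash and check each entry points at its predecessor.
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or e["hash"] != self._digest(body):
                return False
            prev = e["hash"]
        return True


def demo():
    # Constructed sample: one user grants two purposes separately, later withdraws one.
    led = ConsentLedger()
    led.grant("dp-001", "order_fulfilment",
              "We use your address to deliver your order.", "2026-01-10T09:00:00Z")
    led.grant("dp-001", "marketing_email",
              "We will email you offers. You can opt out at any time.", "2026-01-10T09:00:05Z")
    led.withdraw("dp-001", "marketing_email", "2026-03-02T14:30:00Z")
    return led
```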
The Takeaway
The DPDP Act is not a regulation that can be delegated solely to legal teams. It’s a structural change in how Indian organisations must think about data. Enterprises that treat it purely as a compliance exercise will struggle. The ones that treat it as a trust-building opportunity — giving customers genuine transparency and control over their data — will come out stronger.
The deadline is fixed. The work is substantial. The only variable is how much of it is complete when enforcement arrives.