DPDP Compliance Timeline 2026–2027: Every Phase & Deadline You Need to Know

Introduction

On November 13, 2025, India's Ministry of Electronics and Information Technology (MeitY) published the Digital Personal Data Protection Rules, 2025, finally operationalising the DPDP Act, 2023. The rules introduce a three-phase enforcement timeline, giving organisations 18 months to achieve full compliance — with the final deadline set for May 13, 2027. According to EY India's 2026 readiness survey, 71% of Indian enterprises still have limited understanding of the Act. This article breaks down every deadline, obligation, and milestone so your organisation can plan with precision.

Phase 1: Immediate (November 13, 2025 — Now in Effect)

Phase 1 came into force on the date the rules were notified. These provisions are already enforceable, and organisations should have addressed them by now.

• Data Protection Board of India (DPBI) established — the Board is operational with its head office in the National Capital Region (MediaNama)
• Penalty framework activated — fines of up to ₹250 crore per violation are now legally enforceable under Section 33
• Administrative and definitional provisions — key terms like Data Fiduciary, Data Principal, and Consent Manager are formally defined
• Digital complaint portal launched — the DPBI's online filing system and mobile application are live for receiving complaints
• Board inquiry timelines set — inquiries must be completed within 6 months, extendable by 3 months at a time with written reasons (IAPP)

Phase 2: 12 Months (November 13, 2026)

Phase 2 focuses on intermediary infrastructure — specifically the Consent Manager framework — and heightened oversight of Significant Data Fiduciaries (SDFs).

• Consent Manager registration opens — only India-incorporated companies with a minimum net worth of ₹2 crore can register, effectively excluding foreign platforms like OneTrust and TrustArc from operating as registered managers (Osano)
• Consent Manager obligations activate — registered managers must maintain consent records for 7 years and undergo regular technical and organisational audits (Rule 4, DPDP Rules)
• SDF oversight intensified — Significant Data Fiduciaries face enhanced reporting requirements and may be required to complete compliance ahead of Phase 3
• Potential timeline acceleration — MeitY has proposed compressing the full compliance window from 18 to 12 months, which could make November 2026 the final deadline (Chambers & Partners)

Phase 3: 18 Months (May 13, 2027) — Full Compliance

This is the hard deadline. Every substantive obligation under the DPDP Act becomes fully enforceable. IT Secretary S. Krishnan has confirmed there will be no grace period — enforcement will be immediate from Day 1 (PwC).

• Privacy notices — every Data Fiduciary must provide clear, itemised notices to Data Principals at the point of data collection (Section 5)
• Consent systems — free, specific, informed, unconditional consent must be collected with no pre-checked boxes, consent walls, or bundled consents (Section 6)
• Security safeguards — reasonable technical and organisational measures must be in place. The ₹250 crore penalty can be triggered even without an actual breach — mere failure to have safeguards is sufficient (DPO India)
• Breach notification — 72-hour notification window to the DPBI and affected Data Principals. Currently only 4% of firms have proactive notification systems (EY India)
• Data Principal rights infrastructure — access, correction, erasure, grievance redressal, and nomination rights must all be operationally supported (Data Principal Rights)
• Children's data protections — verifiable parental consent mandatory for processing any data of individuals under 18 (Section 9)
• Data retention policies — personal data must be deleted once its purpose is fulfilled, with documented retention schedules
• Cross-border transfer compliance — adherence to any restricted jurisdiction notifications under Section 16

Visual Timeline: Three Phases at a Glance

Below is a simplified view of the DPDP compliance timeline. Each phase builds on the previous one — organisations that delay Phase 1 and 2 preparedness will face a compressed and high-risk scramble as May 2027 approaches.

• 📋 Phase 1 (Nov 2025) → Board established, penalties active, complaint portal live
• 📝 Phase 2 (Nov 2026) → Consent Manager registration, SDF oversight, possible deadline acceleration
• ⚖️ Phase 3 (May 2027) → Full compliance mandatory, no grace period, enforcement from Day 1

MeitY's Proposed Timeline Acceleration: What It Means

In January 2026 consultations, MeitY proposed compressing the compliance window from 18 months to 12 months. If enacted, this would move the full enforcement deadline from May 2027 to November 2026 — leaving organisations with significantly less preparation time. For Significant Data Fiduciaries, the timeline could be compressed even further. The message is clear: organisations that treat May 2027 as the starting point for compliance will be caught off-guard. Begin now.

What Should You Do Right Now?

Based on where most organisations currently stand — with only 48% having started gap assessments — here is a prioritised action plan:

• Conduct a gap assessment immediately — understand where you stand against all DPDP requirements
• Map your data — identify all personal data flows using AI-powered data discovery
• Implement consent management — build compliant consent collection before the November 2026 deadline
• Establish breach notification workflows — you need to be able to notify within 72 hours
• Appoint a DPO — if you're likely to be designated as an SDF, appoint a Data Protection Officer now
• Automate with AI — platforms like Kraver.ai can compress months of manual compliance work into weeks

Conclusion

The DPDP compliance timeline is not a distant concern — Phase 1 is already in effect, Phase 2 is months away, and Phase 3 could arrive sooner than expected if MeitY's acceleration proposals are enacted. With penalties of up to ₹250 crore, no exemptions for startups or SMEs, and no grace period after the final deadline, the cost of inaction far exceeds the cost of compliance. Contact Kraver.ai for a free compliance assessment and start your DPDP journey today.