The DPDP Rules, 2025 Are Now Law: Inside the 18-Month Compliance Countdown

India’s data protection regime has moved from statute to operational reality. The Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025, triggering a phased, 18-month implementation that ends on 13 May 2027. This is the boardroom-grade roadmap for what changes, and when.

Data Privacy analysis by AMLEGALS
Analysis

For two years the Digital Personal Data Protection Act, 2023 sat on the statute book without operational teeth. That changed on 13 November 2025, when the Government notified the Digital Personal Data Protection Rules, 2025 (Gazette Notification G.S.R. 846(E)) and the provisions establishing the Data Protection Board of India took effect immediately on the same date. The drafting followed a “SARAL” philosophy — Simple, Accessible, Rational and Actionable — and was finalised after a public consultation that drew more than 6,900 submissions. The era of “we will comply when the rules arrive” is over; the rules have arrived, and the clock is now running.

The most important strategic fact for any board is that the regime does not switch on all at once. It is phased across three tranches. Phase I, effective immediately on 13 November 2025, stood up the institutional machinery — principally the Data Protection Board of India, a digital-first adjudicatory body whose proceedings are conducted online and whose orders are appealable to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Phase II, effective 13 November 2026, operationalises the Consent Manager ecosystem — the registered intermediaries through which data principals will grant, review and withdraw consent. Phase III, effective 13 May 2027, switches on the substantive obligations that most enterprises think of as “the law”: lawful processing, notice and consent architecture, data principal rights fulfilment, breach response, and the heightened duties of Significant Data Fiduciaries.

Boards should resist the temptation to read the May 2027 date as a deadline to begin work. It is the deadline to be finished. Consent re-papering, vendor contract remediation, data-flow mapping and retention re-engineering are multi-quarter programmes; organisations that wait until 2027 will be remediating under enforcement pressure rather than on their own timetable. The interval until full effectiveness is best understood as a managed runway, not a grace period, and the firms that treat it as the former will carry a structural advantage.

The Rules give concrete shape to obligations that the Act described only in principle. Personal data breaches must be notified both to affected data principals and to the Data Protection Board, with a detailed report to the Board required within 72 hours of becoming aware of the breach — a window that compresses incident response, forensic triage and legal characterisation into a span most Indian enterprises are not yet engineered to meet. Data fiduciaries must also respond to data principal requests — access, correction, erasure and the newly codified right of nomination — within defined timelines, which means a request-handling capability, not an ad hoc inbox, has to exist before the obligation bites.

Processing of children’s data attracts a distinct and demanding standard: verifiable parental consent, subject to carefully drawn exemptions for services such as healthcare and education. For consumer internet, ed-tech and gaming businesses, age-assurance and parental-consent flows are not a feature to be bolted on — they are an architectural decision that touches onboarding, identity and product design, and they must be settled long before Phase III.

Significant Data Fiduciaries — entities the Government may designate by reference to the volume and sensitivity of data processed, risk to data principals, and impact on sovereignty, electoral democracy and public order — inherit an additional compliance tier: annual Data Protection Impact Assessments, independent audits, and the appointment of a Data Protection Officer based in India and answerable to the board. Designation is not self-selecting; the prudent course for large processors is to assume they may be designated and build the SDF control set proactively rather than scramble after a notification arrives.

At AMLEGALS, we frame DPDP readiness through our Vibe Data Privacy™ method — technical execution, commercial balance and legal accountability moving as one programme rather than three disconnected workstreams. The questions a board should be asking in 2026 are precise: Where does our personal data actually live, and who touches it? Can we evidence valid consent and effectuate withdrawal? Can we detect, characterise and report a breach inside 72 hours? Are our processor contracts DPDP-aligned? If the honest answer to any of these is “not yet,” the time to begin is now — because the runway to 13 May 2027 is shorter than it looks.
