DPDP Rules 2025: The Complete Enforcement Timeline

The DPDP Act does not switch on all at once. Section 1 allows the Central Government to appoint different dates for different provisions. Based on gazette notifications dated 13 November 2025, the Act is being rolled out in three distinct phases over an 18-month period. This phased approach gives organisations a runway to prepare, but it also means that some provisions are already in effect.

Phase 1 — 13 November 2025 (Immediate): The foundational provisions took effect on this date. The Data Protection Board of India was formally established under Sections 18 through 26. All 28 definitions in Section 2 became legally operative. Miscellaneous and transitional provisions came into force, including Sections 35, 38, 39, 40, 41, 42, and 43, along with Section 44(1) and Section 44(3). On the Rules side, Rules 1, 2, and 17 through 21 took effect — these cover the Board's procedures, member appointments, and terms of service. In practical terms, Phase 1 means the regulator now exists, the legal vocabulary is locked in, and the administrative machinery is being set up.

Phase 2 — 13 November 2026 (One Year): The enforcement and penalties framework becomes live. Sections 27 and 28 come into force, giving the Board its enforcement powers. Sections 29 through 34 activate the penalties regime — this is when financial consequences for non-compliance become real. Sections 36 and 37 enable appeals against Board decisions. Section 1(3) also takes effect, allowing further provisions to be brought into force. Rule 4 comes into force, establishing the registration process for Consent Managers. In practical terms, Phase 2 means the Board can now investigate, penalise, and adjudicate — and organisations can face financial penalties for violations.

Phase 3 — 13 May 2027 (18 Months): Full compliance is required. Sections 3 through 10 come into force — these are the core obligations covering the Act's applicability, consent requirements, notice obligations, Data Fiduciary duties, and the Significant Data Fiduciary framework. Sections 11 through 17 activate Data Principal rights (access, correction, erasure, grievance redressal), cross-border data transfer provisions, and the government's exemption powers. Section 6(9) and Section 44(2) also take effect. On the Rules side, Rules 3 and 5 through 16 come into force, along with Rules 22 and 23 — these are all the operational rules covering consent mechanisms, notice formats, security safeguards, breach notification, children's data, Data Principal rights, and cross-border transfers. In practical terms, Phase 3 is the deadline. By 13 May 2027, every organisation processing digital personal data of individuals in India must be fully compliant with every provision of the Act and Rules.