PHASE 1: IMMEDIATE EFFECT
Date: November 13, 2025 (Date of Gazette Publication)
| Provision | Section/Rule | Description |
|---|---|---|
| Definitions | Section 2 | All definitions come into force |
| Data Protection Board | Sections 18-26 | Constitution, powers, and functioning of the Board |
| Board Operations | Rules 17-21 | Appointment procedures, salary, meetings, digital office functioning |
| Miscellaneous | Sections 35, 38-44(1)(3) | General provisions, rule-making power, repeal and savings |
Key Compliance Actions:
- Board constitution begins
- No immediate compliance burden on businesses
- Appointment of Chairperson and Members
PHASE 2: ONE YEAR IMPLEMENTATION
Date: November 13, 2026 (12 Months from Gazette Publication)
| Provision | Section/Rule | Description |
|---|---|---|
| Consent Manager Framework | Section 6(9) & Rule 4 | Registration of Consent Managers |
| Board Powers – Consent Manager | Section 27(1)(d) | Board’s power to register Consent Managers |
Key Compliance Actions:
- Applications for Consent Manager registration open
- Companies planning to become Consent Managers must prepare
- Minimum net worth: ₹2 crores required
- Independent certification of interoperable platform needed
PHASE 3: EIGHTEEN MONTHS IMPLEMENTATION
Date: May 13, 2027 (18 Months from Gazette Publication)
A. SUBSTANTIVE COMPLIANCE OBLIGATIONS (ACT PROVISIONS)
| Provision | Section | Key Requirements |
|---|---|---|
| Notice | Section 3 | Clear notice to Data Principals before processing |
| Consent | Section 4 | Free, specific, informed, unconditional consent |
| Deemed Consent | Section 5 | Limited grounds for deemed consent |
| Data Fiduciary Obligations | Section 6(1)-(8), (10) | Purpose limitation, data accuracy, security safeguards |
| Rights of Data Principal | Sections 11-15 | Right to access, correction, erasure, grievance redressal, nomination |
| Breach Notification | Section 7(b) | Mandatory breach reporting to Board and Data Principals |
| Children’s Data | Section 9 | Verifiable parental consent requirement |
| Consent Manager Operations | Section 8 | Full operational requirements for Consent Managers |
| Processing by State | Section 7 | Standards for government processing |
| Significant Data Fiduciary | Section 10 | Additional obligations for SDFs |
| Data Protection Officer | Section 16 | Appointment requirement for SDFs |
| Restriction on Transfer | Section 17 | Cross-border transfer restrictions |
| Board Powers (Most) | Section 27 (except 27(1)(d)) | Inquiry, enforcement, direction powers |
| Penalties | Sections 28-34 | Financial penalties up to ₹250 crores |
| Appeals | Section 36 | Appeals to Appellate Tribunal |
| Exemptions | Section 37 | Research, archiving, statistical purposes |
| Repeal | Section 44(2) | IT Act Section 43A repeal |
B. RULES IMPLEMENTATION
| Rule | Key Requirements |
|---|---|
| Rule 3 | Notice requirements – itemized, independent, actionable |
| Rules 5-16 | Processing standards, security safeguards, breach notification (72 hours), retention & deletion, children’s data (verifiable consent), persons with disability, SDF obligations, rights exercise, cross-border transfers, research exemption |
| Rule 22 | Appeal procedures to Appellate Tribunal |
| Rule 23 | Government information requests framework |
CRITICAL COMPLIANCE DEADLINES
BY NOVEMBER 13, 2026:
- ✓ Consent Managers must complete registration process
- ✓ Board fully operational for Consent Manager oversight
BY MAY 13, 2027 – ALL DATA FIDUCIARIES MUST:
- ✓ Implement compliant notice mechanisms
- ✓ Deploy granular consent management systems
- ✓ Establish user rights exercise infrastructure (90-day resolution)
- ✓ Implement breach detection and 72-hour notification capabilities
- ✓ Deploy security safeguards (encryption, access controls, logging)
- ✓ Establish data retention and automated deletion systems
- ✓ Implement children’s data protection (verifiable parental consent)
- ✓ Establish grievance redressal mechanisms
- ✓ Appoint Data Protection Officer (if SDF)
- ✓ Conduct DPIA and audits (if SDF)
BY MAY 13, 2027 – CONSENT MANAGERS MUST:
- ✓ Launch fully operational interoperable platforms
- ✓ Enable Data Principals to manage consent across Data Fiduciaries
BY MAY 13, 2027 – BOARD POWERS ACTIVATED:
- ✓ Full enforcement authority
- ✓ Penalty imposition (up to ₹250 crores)
- ✓ Investigation and inquiry powers
SECTORAL IMPACT TIMELINE
| Sector | Critical Preparations Before May 2027 |
|---|---|
| Technology Platforms | SDF designation likely; DPIA/audit infrastructure; algorithmic accountability |
| E-commerce | 3-year retention with automated deletion; consent for marketing |
| Financial Services | Reconcile with RBI/SEBI regulations; cross-border payment data |
| Healthcare | Children’s health data exemptions; research exemption documentation |
| Telecommunications | Massive scale logging; location data protections; CDR retention vs deletion |
| Ed-Tech | Verifiable parental consent mechanisms; educational activity exemptions |
| BPO/IT Services | Data Processor contracts; one-year log retention; client data handling |
RECOMMENDED COMPLIANCE ROADMAP
Months 0-6 (Nov 2025 – May 2026)
- Data mapping and gap analysis
- Risk assessment for SDF designation
- Vendor and processor contract review
Months 6-12 (May 2026 – Nov 2026)
- Design consent and notice mechanisms
- Develop technical infrastructure
- Draft policies and procedures
- Establish DPO function
Months 12-18 (Nov 2026 – May 2027)
- Deploy systems to production
- User acceptance testing
- Breach response tabletop exercises
- Internal audits and documentation
- Final vendor contract execution
PENALTIES FOR NON-COMPLIANCE (Effective May 2027)
| Violation | Penalty (Section) | Maximum Amount |
|---|---|---|
| Data Fiduciary obligations breach | Section 28 | ₹250 crores (SDF) / ₹200 crores (others) |
| Non-compliance with Board directions | Section 29 | ₹250 crores (SDF) / ₹200 crores (others) |
| Failure to take reasonable security safeguards | Section 30 | ₹250 crores |
| Failure to report data breach | Section 30 | ₹250 crores |
| Children’s data violations | Section 31 | ₹200 crores |
| Failure to publish contact information | Section 32 | ₹10,000 (per day, up to ₹10 lakh per default) |
KEY TAKEAWAYS
- 18-MONTH COUNTDOWN IS ACTIVE – Organizations must start NOW
- 72-HOUR BREACH NOTIFICATION – Requires 24/7 incident response capability
- NO GRACE PERIOD – Full penalties applicable from Day 1 (May 13, 2027)
- CONSENT MANAGERS OPERATIONAL – Integration required by implementation date
- BOARD ENFORCEMENT BEGINS – Expect early exemplary actions

