The Government finally issued Notifications, published on 14 November 2025, laying out the roadmap for effectiveness dates of the Digital Personal Data Protection Act (DPDP Act/Act). Simultaneously, it has also issued the final DPDP Rules (Rules) that operationalise the DPDP regime. Both the notifications and the Rules provide for a phased implementation of the DPDP regime.
Here is a clear, consolidated view of what becomes effective when, drawing together the commencement notification of the DPDP Act and the commencement clauses of the DPDP Rules.
A Three-phased Implementation
The DPDP regime will go live in three phased waves. Each wave activates specific sections of the Act in tandem with the related Rules — creating a staggered, predictable runway for organisations.
In simple terms, the provisions to set up the Data Protection Board (DPB) and the administrative and oversight machinery under the Act become effective immediately.
The Consent Manager framework becomes effective next (12 months); and all substantive provisions dealing with consent, notice, purpose, breach notification and others become effective at the end of 18 months.
Here is a detailed overview of the regime implementation timetable.
PHASE 1 — IMMEDIATE
A. DPDP Act
-
-
- Section 2 – Definitions
- Sections 18 to 26 – Constitution, powers, functioning of the Data Protection Board of India (DPB)
- Sections 35, 38–43 – Administrative actions regarding operationalising the regime, including rule-making powers, jurisdictional matters, and power to amend penalty provisions
- Section 44(1) & 44(3) – Consequential amendments to the TRAI Act and the Right to Information Act
-
B. DPDP Rules
Rules that activate immediately:
-
-
- Rule 1 & Rule 2 – Title, commencement, definitions
- Rules 17 to 21 – Data Protection Board (DPB): governance, appointment of officers and employees, procedures for meetings, and digital functioning of the DPB
-
Practical Meaning of Phase 1
-
-
- The Data Protection Board-related provisions are now legally live.
- Government will move to appoint Chairperson, Members, officers.
- Procedural and administrative Rules governing the Board are already in effect.
- The enforcement machinery is now being built.
- No obligations yet for organisations — this phase is institutional.
-
PHASE 2 — AFTER 12 MONTHS (November 2026)
This entire phase focuses on Consent Managers.
A. DPDP Act
-
-
- Section 6(9) – Registration of Consent Managers with the DPB
- Section 27(1)(d) – Board’s power to inquire into and impose penalty in case of breach of conditions of registration of a Consent Manager
-
B. DPDP Rules
-
-
- Rule 4, and the related First Schedule – Registration, conditions, obligations etc. of Consent Managers
-
Practical Meaning of Phase 2
-
-
- The Consent Manager ecosystem becomes regulated and operational.
- Entities intending to act as Consent Managers must register with the DPB.
- The DPB gains supervisory powers over Consent Managers.
- Once registered, Consent Managers can start practical implementation of platforms and establish connectivity for the consent ecosystem.
-
PHASE 3 — AFTER 18 MONTHS (May 2027)
This is the true compliance go-live date, signalling full operationalisation of the DPDP regime.
A. DPDP Act
The following core operational sections activate:
1. Applicability & Core Compliance Obligations
-
-
- Sections 3–5 – Scope and territoriality, obligations of Data Fiduciaries, notice/consent framework
- Section 6(1)–(8), (10) – Consent, nature of consent request, appropriate notice to Data Principals, and related rules such as withdrawal and obligations of organisations
- Sections 7–10 – Deemed consent, legitimate uses, obligations of Data Fiduciary, children’s data, obligations of Significant Data Fiduciaries (SDF)
-
2. Rights of Individuals
-
-
- Sections 11–15 – Rights and duties of the Data Principal, including access, correction, erasure, grievance redressal, and nomination
- Sections 16–17 – Cross-border transfer of data; and situations where core obligations — including lawful processing, notice and consent requirements, and processing children’s data — will not apply
-
3. Enforcement Powers
-
-
- Section 27 (except 27(1)(d)) – Powers and functions of the Board, investigations, inquiries, directions
- Sections 28–34, 36, 37 – Appeals, alternative dispute resolution, DPB’s orders, voluntary undertaking, penalties and adjudication
- Section 44(2) – Consequential amendments relating to the repeal of provisions in the Information Technology Act (that governed the earlier privacy regime)
-
B. DPDP Rules
The entire operational rule-set activates:
-
-
- Rule 3 – Notice requirements
- Rule 5 – Processing of data by State, and related standards
- Rule 6 – Security safeguards
- Rule 7 – Breach notification to DPB and individuals
- Rule 8 – Erasure of personal data
- Rule 9 – Contact details of DPO or relevant person overseeing the data privacy regime in organisations
- Rules 10–12 – Children’s data & verifiable parental consent or consent in case of a person with disability
- Rule 13 – Obligations for Significant Data Fiduciaries (DPO, DPIA, audit)
- Rule 14–15 – Grievance redressal and rights processing
- Rule 16 – Exemptions
- Rule 22–23 – Appeals, audit logs and oversight
-
Practical Meaning of Phase 3
This is the full operationalisation of the DPDP regime.
From T + 18 months onward, organisations must comply with:
-
-
- Notice and consent
- Security safeguards
- Breach reporting
- Purpose limitation and data minimisation
- Retention and deletion
- Publishing DPO contact (if SDF)
- Rights of individuals
- Children’s processing rules
- SDF governance: DPO, DPIA, independent data auditor
- Responding to DPB inquiries
- Risk of penalties (₹50 crore–₹250 crore)
-
Closing Commentary
Now that the legislative regime is fully in place, the DPDP framework provides a clear 18-month runway for organisations to reach compliance.
It should be noted that, pending the full implementation of the DPDP regime over the next 18 months, the current privacy regime under the Information Technology Act and its relevant Rules continues to apply.
This article published as on 17 Nov 2025.
Minor updates carried on 20 Dec 2025.
~~~~~~~~~~~~~~~~~~~~~~~
Regulatory Resources:
From our Library:
- DPDP Resources – click here.
Note: The above article is for general informational purposes only and does not constitute professional or legal advice. Please seek specific advice for your situation. We do not warrant on the accuracy or completeness of the subject matter discussed above and disclaim all liability for any losses or damages caused to or incurred by any person.
Compliense Advisors is a Compliance Advisory firm. We advise on compliance and regulatory matters and our subject matter expertise includes Privacy (DPDP), AML (PMLA) and Anti-Financial Crime; and Insurance and Mutual Fund regulations. We can assist in your compliance framework and obligations. Write to us on info@compliense.com.
Visit our website for more such knowledge resources. If you liked this update, sign up for new articles and updates.