DPDP Act 2026: Enforcement Timeline and What It Means
India's DPDP Act Rules are being finalised. Understand the enforcement timeline, what compliance looks like in practice, and how to prepare for the Data Protection Board.
- The DPDP Act 2023 is in force; the Rules defining operational requirements were being finalised as of early 2026.
- The Data Protection Board of India (DPBI) will be operationalised after Rules are notified.
- Significant Data Fiduciaries face the strictest obligations — including DPO appointment, DPIAs, and data audits.
- Companies should build DPDP compliance programmes now — enforcement readiness requires 6–12 months of preparation.
- The draft Rules indicate consent requirements, breach notification timelines, and cross-border transfer restrictions.
In this guide
Enforcement Timeline
The Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023. The Act came into force on its publication in the Official Gazette, but most operative provisions require Rules to be notified by the central government before they can be enforced.
As of early 2026, the DPDP Rules are in finalisation stages. The Ministry of Electronics and Information Technology (MeitY) published draft Rules for public consultation in early 2025. Finalised Rules are expected to be notified in 2026, after which a brief transition period before full enforcement begins.
Timeline summary: Act in force (August 2023) → Draft Rules for consultation (2025) → Rules notification expected (2026) → DPBI operationalisation (post-Rules) → Enforcement commencement (months after DPBI operationalisation). Companies have a window to prepare — but it is narrowing.
The Data Protection Board of India
The Data Protection Board of India (DPBI) is the enforcement body established under the Act. It will handle complaints from data principals, investigate violations, and impose penalties. The DPBI's composition, procedures, and operational guidelines will be specified in the Rules.
Unlike GDPR's DPA model (where each EU country has its own supervisory authority), India has a single centralised DPBI. This creates a single enforcement point for the entire country — more efficient but also potentially more impactful when enforcement begins.
The DPBI will have powers of inquiry, including the ability to summon records, request access to systems, and impose financial penalties. Data Fiduciaries can appeal DPBI orders to an Appellate Tribunal.
Significant Data Fiduciaries
The central government has the power to designate certain data fiduciaries as Significant Data Fiduciaries (SDFs) based on: volume of data processed, sensitivity of data, risk to national security and public order, sovereignty, and electoral integrity.
SDFs face additional obligations: appoint a Data Protection Officer based in India, conduct annual data protection impact assessments (DPIAs), engage a data auditor, and comply with additional measures specified by the DPBI.
The specific criteria for SDF designation will be in the Rules. Large consumer internet platforms, social media companies, and companies processing health or financial data at scale are the most likely SDF candidates. Most B2B SaaS companies below significant scale will not be SDFs initially.
What the Draft Rules Indicate
Consent notices: the draft Rules indicate requirements for consent notices to be clear, concise, and itemised (separate items for each purpose, each category of data). The notice must be presented before collection and must be comprehensible to a layperson.
Breach notification: the draft Rules indicate timelines for notification to the DPBI and data principals. The specifics were being finalised, but the expectation is a 72-hour reporting window (aligning with GDPR standards).
Cross-border data transfer: the draft Rules were expected to permit transfer to countries/territories approved by the central government while restricting transfer to countries on a blocked list. The initial approved transfer list and blocked list were not published with the draft Rules.
Preparing for Enforcement
Start now: the 6–12 months before enforcement begins is the ideal time to build your DPDP compliance programme. Key steps: data inventory (what personal data you hold and where), privacy notice review and update, consent management mechanism for consumer products, data subject request process, breach notification procedure, and vendor/processor contracts (data processing agreements).
Use a compliance tool: AuditPath maps DPDP Act obligations to specific controls, with policy templates, evidence requirements, and a compliance dashboard. Building your DPDP programme in a tool alongside your SOC 2 programme ensures both are maintained systematically.
Monitor MeitY communications: subscribe to MeitY newsletter updates and monitor the IndiaKanoon and Ministry of Law publications for Rules notification. Rules notification will be the signal to accelerate any remaining compliance gaps.
Penalty Framework
The DPDP Act specifies penalty tiers for different types of violations. The highest tier: ₹250 crore for failure to implement adequate security safeguards resulting in a personal data breach. ₹200 crore for failure to notify the DPBI of a breach. ₹200 crore for failure to fulfil obligations related to children's data.
Lower tiers: ₹10–50 crore for various procedural violations including non-compliance with data principal rights obligations.
Context: ₹250 crore is approximately $30 million USD. For comparison, GDPR's maximum is €20 million or 4% of global turnover, whichever is higher — potentially much larger for global companies. The DPDP Act's absolute cap rather than a turnover percentage makes the penalty more predictable but less severe for very large companies.
Frequently Asked Questions
Is the DPDP Act currently enforceable?
When will DPDP Act Rules be notified?
Do startups need to comply with DPDP Act?
How does DPDP Act enforcement differ from GDPR enforcement?
What is the DPDP Act's position on data localisation?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
Start for free