Enforcement deadline
13 May 2027
India’s Digital Personal Data Protection Act, 2023 is law, the Rules are notified, and the Data Protection Board is live. Core Data Fiduciary obligations become enforceable on 13 May 2027 — and meeting them is a board-level programme, not a last-minute checklist.
Time to enforcement
until core Data Fiduciary obligations are enforceable — 13 May 2027.
Statutory penalty ceiling
Breach report to the Board
Every prompt names the section or rule it comes from
G.S.R. 846(E), notified 14 Nov 2025
Data Fiduciaries, SDFs, and in-scope foreign firms
Answers stay private — sign in only to save progress
The Law
The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) is India’s first comprehensive horizontal data protection law. It received Presidential assent on 11 August 2023 and governs the processing of digital personal data — whether collected online, or collected offline and subsequently digitised.
It establishes rights for individuals (Data Principals) and obligations for organisations that determine the purpose and means of processing (Data Fiduciaries). It is administered by MeitY and enforced by the Data Protection Board of India.
Where things stand · June 2026
DPDP Act passed by Parliament: 11 Aug 2023 — in force
DPDP Rules 2025 notified (G.S.R. 846(E)): 14 Nov 2025 — phased commencement
Data Protection Board of India operative: 14 Nov 2025
Consent Manager registration framework: ≈ 14 Nov 2026
Core Data Fiduciary obligations enforceable: 13 May 2027 (≈18-month phased transition)
Why this matters now
Consent architecture, multilingual notice flows, breach-response playbooks, data inventories, vendor contracts, cross-border transfer mapping, DPO appointments — these are 6 to 12 month programmes, not weeks of work. Organisations that wait until Q1 2027 will not finish in time.
And the obligations are continuous, not one-off: a personal-data breach starts a 72-hour reporting clock to the Board the day it happens. Standing up consent, notice, and breach-response now means you are ready when the clock matters — rather than building it under pressure.
Scope
A Data Fiduciary is any organisation that determines the purpose and means of processing digital personal data — e-commerce, fintech, banks, healthcare, ed-tech, telecom, SaaS, ad-tech, HR-tech, gaming, marketplaces, and government bodies (with carve-outs).
Significant Data Fiduciaries (SDFs) are a class designated by Government based on volume and sensitivity of data and risk to individuals, sovereignty, or public order. SDFs face heightened obligations: DPIAs, audits, and an India-based DPO.
Section 3(b) extends the Act to processing outside India if it is in connection with offering goods or services to Data Principals in India. Foreign SaaS, e-commerce, ad-tech, and analytics firms with Indian users are in scope.
What the Act requires
Plain-language notice in English or any of the 22 scheduled languages. Consent must be free, specific, informed, and as easy to withdraw as to give.
Process only for the specified lawful purpose. Delete data when the purpose is served.
“Reasonable security safeguards” to prevent breaches. Failure carries the maximum ₹250 crore penalty.
Notify the Data Protection Board without delay; submit a detailed report within 72 hours. Also notify affected Data Principals.
Data Principals have rights of access, correction, erasure, grievance redressal, and nomination on death or incapacity.
Verifiable parental consent under 18. No tracking, behavioural monitoring, or targeted advertising directed at children.
SDFs need an India-based DPO reporting to the Board, an independent data auditor, and periodic DPIAs and audits.
Cross-border transfers are permitted except to countries on the Central Government’s negative list. Sector-specific localisation rules still apply.
Sign in with Google and walk through a guided gap assessment against every clause of the Act. Track owners, evidence, and remediation in one place.
Read the law for yourself
All links verified to resolve at time of publication. Statute text and Rules supersede any summary on this page.