
DPDPA Compliance Timeline: Phase 1, 2, 3 Deadlines Explained (Nov 2026 & May 2027)

Shashikant Kalsha

July 2, 2026


When MeitY notified the DPDP Rules, 2025 on November 13, 2025, it did something unusual: instead of one big-bang enforcement date, it split the rollout into three phases spread across 18 months. That design rewards organizations that plan — and quietly punishes those who read "May 2027" and relax.

Here is exactly what takes effect when, and what you should be doing in each window.

Phase 1 — November 13, 2025 (already in force)

What it covers: Rules 1, 2, and 17 to 21 — the establishment and functioning of the Data Protection Board of India (DPB).

The regulator already exists. The Board is constituted, digital-first by design, and its complaint mechanisms are live. Data Principals can already file grievances, and the Board can already inquire into complaints arising under the Act.

What this means for you: the era of theoretical risk is over. Even though most substantive obligations phase in later, a public data incident today lands in front of a functioning regulator. Your incident response plan and grievance channel should exist now, not in 2027.

Phase 2 — November 13, 2026

What it covers: Rule 4 — the registration and obligations of Consent Managers.

Consent Managers are a new, formally regulated category of intermediary: platforms through which Data Principals can give, manage, review, and withdraw consent across Data Fiduciaries. From November 13, 2026, these platforms must be registered with the Board and meet strict conditions on governance, security, and interoperability.

What this means for you: if you rely on consent to process personal data, your consent architecture must be technically ready to interoperate with registered Consent Managers. That means machine-readable consent records, standardized withdrawal handling, and APIs that can honor externally managed consent state. This is engineering work with lead time — scope it in 2026, not after.

Phase 3 — May 13, 2027

What it covers: Rules 3, 5 to 16, 22, and 23 — the bulk of the substantive regime. Notices to Data Principals, consent requirements, legitimate uses, reasonable security safeguards, personal data breach reporting, retention and erasure, children's data protections, cross-border transfer conditions, and the additional obligations of Significant Data Fiduciaries.

This is the date most coverage focuses on. From May 13, 2027, the Data Protection Board is expected to move to active enforcement — and current guidance gives no indication of any grace period beyond it.

What this means for you: everything visible to your users (notices, consent flows, rights portals) and everything invisible to them (security safeguards, breach playbooks, retention schedules, vendor contracts, evidence trails) must be operational, tested, and provable by this date.

Why "we'll start after Phase 2" is a trap

The gap between Phase 2 and Phase 3 is exactly six months. The heavy technical lifting of DPDPA compliance — data discovery across systems, consent architecture, rights-request workflows, DPIA processes, processor contracts — takes most mid-size organizations nine to twelve months. The arithmetic only works if the build starts before Phase 2, with the final six months reserved for testing, evidence generation, and organizational rollout.

A balanced 12-month plan looks like this:

  1. Now — mid-2026: data mapping and discovery; classify what personal data you hold, where, and why. Confirm whether you are likely to be designated a Significant Data Fiduciary.
  2. By November 2026 (Phase 2): consent notices drafted (English plus relevant scheduled languages), consent capture and withdrawal flows live, Consent Manager interoperability scoped.
  3. November 2026 — May 2027: rights-request machinery with SLAs, breach response runbook against the 72-hour reporting window, retention and erasure automation, DPIA and audit readiness for SDFs — and evidence collection running throughout.

The real deadline is evidence

Every phase shares one theme: the Board will not take your word for it. Consent must be provable, rights requests must show closure within SLA, breach handling must show timestamps, and safeguards must show continuous operation. Organizations that treat evidence as an afterthought end up rebuilding their compliance program twice.

Data Adhikaar, the agentic DPDPA compliance fabric from Qodequay Technologies, was built around this timeline. Ten specialist AI agents automate consent, rights, breach response, DPIAs, and vendor management — and every action lands in a hash-chained, tamper-evident Evidence Vault, exportable as auditor-ready exhibit packs. Connect via SDK, API, or MCP and record your first consent within a week.
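The machine-readable consent records and withdrawal handling called for under Phase 2, kept in a hash-chained, tamper-evident log of the kind mentioned above, can look like the following. This is an added example, not code from Qodequay or Data Adhikaar; the record fields, identifiers, and function names are assumptions, and the sample events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value used as "prev" for the first entry

def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_event(log: list, principal: str, purpose: str, action: str, ts: str) -> dict:
    """Append a consent event ('grant' or 'withdraw') linked to the previous entry."""
    if action not in ("grant", "withdraw"):
        raise ValueError(f"unknown action: {action}")
    body = {"seq": len(log), "principal": principal, "purpose": purpose,
            "action": action, "ts": ts, "prev": log[-1]["hash"] if log else GENESIS}
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry

def verify_chain(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev") != prev or entry.get("hash") != _digest(body):
            return i
        prev = entry["hash"]
    return -1

def consent_active(log: list, principal: str, purpose: str) -> bool:
    """Latest event wins; refuse to answer from a log that fails verification."""
    if verify_chain(log) != -1:
        raise RuntimeError("evidence log failed integrity check")
    state = False
    for e in log:
        if e["principal"] == principal and e["purpose"] == purpose:
            state = e["action"] == "grant"
    return state

def demo() -> tuple:
    log = []  # constructed sample events for one Data Principal
    append_event(log, "dp-001", "marketing-email", "grant", "2026-11-13T09:00:00Z")
    append_event(log, "dp-001", "order-fulfilment", "grant", "2026-11-13T09:00:05Z")
    append_event(log, "dp-001", "marketing-email", "withdraw", "2026-12-01T17:30:00Z")
    before = (consent_active(log, "dp-001", "marketing-email"), verify_chain(log))
    log[2]["action"] = "grant"  # simulate an after-the-fact edit of the withdrawal
    return before, verify_chain(log)

if __name__ == "__main__":
    print(demo())
```

A chain like this only detects edits if the most recent hash is also kept somewhere the log's writer cannot change; otherwise the whole chain can be recomputed after an edit.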

The phases are fixed. November 13, 2026 is not moving. Check your readiness now — free, and it takes minutes.

This article is general guidance on the DPDP Act, 2023 and the DPDP Rules, 2025, and is not legal advice.


Shashikant Kalsha

As the CEO and Founder of Qodequay Technologies, I bring over 20 years of expertise in design thinking, consulting, and digital transformation. Our mission is to merge cutting-edge technologies like AI, Metaverse, AR/VR/MR, and Blockchain with human-centered design, serving global enterprises across the USA, Europe, India, and Australia. I specialize in creating impactful digital solutions, mentoring emerging designers, and leveraging data science to empower underserved communities in rural India. With a credential in Human-Centered Design and extensive experience in guiding product innovation, I’m dedicated to revolutionizing the digital landscape with visionary solutions.
