DPDPA Phase 1 vs Phase 2 vs May 2027: Timeline & Deadlines
The DPDPA is being enforced in phases. As of 2027, some obligations are live, some are coming online, and some remain pending Government notification. This is the up-to-date timeline so you can prioritise correctly.
The legal calendar so far
- August 2023 — DPDPA passed by Parliament
- 2024-2025 — Draft Rules published, public consultation
- Early 2025 — Final DPDPA Rules notified by MeitY
- Mid 2025 — Data Protection Board constituted, first chairperson appointed
- 2026 — Phase 1 enforcement begins (consent, notice, grievance officer, breach notification)
- May 2027 (expected) — Phase 2 — full Data Principal rights with strict timelines, SDF notifications begin
- Late 2027 / 2028 — Sectoral guidance (banking, healthcare, telecom) and the first wave of Board penalty orders
Phase 1 — already live
If you are not compliant with these by now, you are exposed:
- DPDPA-compliant privacy notice (Section 5). Plain language, all required elements. Generate one.
- Consent capture (Section 6). Granular, opt-in, withdrawable.
- Grievance officer published (Section 13). Name, email, response timeline on every page footer.
- Reasonable security safeguards (Section 8(5)). Encryption, access controls, MFA.
- Breach notification capability (Section 8(6)). Templates and runbook ready.
- Children's data restrictions (Section 9). If you have any under-18 user surface.
Phase 2 — coming online May 2027 (expected)
Bring these online over the next 6-12 months:
- Full DSR pipeline (Sections 11-14). Information requests, correction/erasure, nomination, grievance — with logged response times.
- Records of Processing Activities (RoPA). Internal documentation of every processing activity, lawful basis, data flow.
- Sub-processor inventory and DPAs. Every vendor under contract.
- Annual privacy review. Self-assessment against the Act.
- Cross-border transfer documentation (Section 16). List of foreign processors, monitoring of restricted countries.
Phase 3 (SDF-specific) — late 2027 onward
Only relevant if you are notified as a Significant Data Fiduciary:
- Appoint DPO based in India reporting to the Board
- Appoint independent Data Auditor
- Conduct DPIAs for high-risk processing
- Annual independent audit with results reported to the Board
Penalty enforcement timeline
The Data Protection Board has indicated it will favour warnings and voluntary undertakings over penalties for the first 12-18 months — but only for cooperative offenders with low-impact violations. Egregious violations (large breaches, child-data abuse, willful negligence) are likely to see early penalty orders.
Expect the first wave of public penalty orders by end of 2027 / early 2028. These will set the tone for industry enforcement.
What you should do this quarter
- Self-audit against the 15-point checklist. Walk it once with your engineering and legal leads.
- Update or generate your privacy policy. Even if you have one from 2022, it likely does not reference DPDPA sections. Use our generator.
- Set up the grievance officer page. One hour of work, blocks a known violation category.
- Draft a breach response runbook. Even a one-pager.
- Inventory sub-processors. Prepare DPAs for the top 10.
Sectoral guidance to watch
Each of the following sectors is expected to receive specific DPDPA Rules or guidance:
- BFSI — RBI and SEBI alignment, especially for KYC and account aggregator data
- Healthcare — interaction with the National Digital Health Mission and the proposed DISHA Bill
- Telecom — alignment with the Telecommunications Act 2023
- EdTech — likely tighter Section 9 enforcement guidance
- E-commerce / ONDC — joint guidance with the Consumer Affairs Ministry
Watch the MeitY website and the Board's gazette notifications.
Bottom line
You do not have time to wait for the perfect Rules. Phase 1 obligations are live. Phase 2 is six to twelve months away. The companies that will avoid early penalty orders are the ones already running compliant operations, not the ones who plan to start "after the next clarification." Start with the checklist, generate the policy, and revisit quarterly.
Generate your DPDPA privacy policy
Free. Two minutes. Section-by-section references. English & Hindi.
Open the generator →