← All articles · 8 May 2026 · compliance.hjlabs.in

DPDPA Phase 1 vs Phase 2 vs May 2027: Timeline & Deadlines

The DPDPA is being enforced in phases. As of 2027, some obligations are live, some are coming online, and some remain pending Government notification. This is the up-to-date timeline so you can prioritise correctly.

The legal calendar so far

Phase 1 — already live

If you are not compliant with these by now, you are exposed:

  1. DPDPA-compliant privacy notice (Section 5). Plain language, all required elements. Generate one.
  2. Consent capture (Section 6). Granular, opt-in, withdrawable.
  3. Grievance officer published (Section 13). Name, email, response timeline on every page footer.
  4. Reasonable security safeguards (Section 8(5)). Encryption, access controls, MFA.
  5. Breach notification capability (Section 8(6)). Templates and runbook ready.
  6. Children's data restrictions (Section 9). If you have any under-18 user surface.

Phase 2 — coming online May 2027 (expected)

Bring these online over the next 6-12 months:

  1. Full DSR pipeline (Sections 11-14). Information requests, correction/erasure, nomination, grievance — with logged response times.
  2. Records of Processing Activities (RoPA). Internal documentation of every processing activity, lawful basis, data flow.
  3. Sub-processor inventory and DPAs. Every vendor under contract.
  4. Annual privacy review. Self-assessment against the Act.
  5. Cross-border transfer documentation (Section 16). List of foreign processors, monitoring of restricted countries.

Phase 3 (SDF-specific) — late 2027 onward

Only relevant if you are notified as a Significant Data Fiduciary:

  1. Appoint DPO based in India reporting to the Board
  2. Appoint independent Data Auditor
  3. Conduct DPIAs for high-risk processing
  4. Annual independent audit with results reported to the Board

Penalty enforcement timeline

The Data Protection Board has indicated it will favour warnings and voluntary undertakings over penalties for the first 12-18 months — but only for cooperative offenders with low-impact violations. Egregious violations (large breaches, child-data abuse, willful negligence) are likely to see early penalty orders.

Expect the first wave of public penalty orders by end of 2027 / early 2028. These will set the tone for industry enforcement.

What you should do this quarter

  1. Self-audit against the 15-point checklist. Walk it once with your engineering and legal leads.
  2. Update or generate your privacy policy. Even if you have one from 2022, it likely does not reference DPDPA sections. Use our generator.
  3. Set up the grievance officer page. One hour of work, blocks a known violation category.
  4. Draft a breach response runbook. Even a one-pager.
  5. Inventory sub-processors. Prepare DPAs for the top 10.

Sectoral guidance to watch

Each of the following sectors is expected to receive specific DPDPA Rules or guidance:

Watch the MeitY website and the Board's gazette notifications.

Bottom line

You do not have time to wait for the perfect Rules. Phase 1 obligations are live. Phase 2 is six to twelve months away. The companies that will avoid early penalty orders are the ones already running compliant operations, not the ones who plan to start "after the next clarification." Start with the checklist, generate the policy, and revisit quarterly.

Generate your DPDPA privacy policy

Free. Two minutes. Section-by-section references. English & Hindi.

Open the generator →

More from the blog