Introduction
The enactment of the Digital Personal Data Protection Act, 2023 ("DPDP Act") marked the culmination of nearly a decade of legislative and policy discussions concerning privacy and personal data protection in India. Since its enactment, one of the questions most frequently asked by businesses has been when the framework will become fully enforceable and what organisations should be doing in anticipation of regulatory oversight.
The answer lies not in the date on which the DPDP Act received Presidential assent, but in the implementation architecture adopted by the legislation and the subsequent Digital Personal Data Protection Rules, 2025 ("DPDP Rules").
The DPDP framework has been designed to become operational in phases. While certain institutional and procedural provisions are already in force, the majority of substantive compliance obligations applicable to organisations are scheduled to become operational in May 2027. For businesses operating in India, the period leading up to that date presents an opportunity to establish governance structures, review data processing activities and align internal practices with the requirements of the new framework.
The Development of India's Data Protection Framework
Prior to the DPDP Act, India's data protection regime consisted primarily of provisions contained in the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, sector-specific regulatory requirements and contractual obligations imposed through commercial arrangements.
The recognition of privacy as a fundamental right by the Supreme Court in Justice K.S. Puttaswamy v. Union of India in 2017 significantly altered the legal landscape. The judgment prompted a series of legislative initiatives beginning with the report of the Justice B.N. Srikrishna Committee, followed by multiple draft data protection bills that underwent substantial revisions before ultimately resulting in the DPDP Act, 2023.
The DPDP Act represents India's first comprehensive legislation dedicated specifically to the processing of digital personal data. It establishes rights for individuals, obligations for organisations processing personal data, mechanisms for grievance redressal and a framework for regulatory enforcement.
Phased Implementation Under the DPDP Act
Unlike many statutes that become effective in their entirety on a single commencement date, the DPDP Act authorises the Central Government to bring different provisions into force through separate notifications.
This approach reflects the practical realities associated with implementing a comprehensive data protection regime across one of the world's largest digital economies. The framework requires supporting rules, administrative infrastructure, enforcement mechanisms and organisational preparedness before substantive obligations can be enforced effectively.
Accordingly, the enactment of the DPDP Act in August 2023 did not result in immediate applicability of all compliance requirements. Instead, implementation has occurred through successive notifications and regulatory developments.
The most significant of these developments was the notification of the DPDP Rules, 2025.
The Significance of the DPDP Rules, 2025
The DPDP Rules provide the operational framework necessary for implementation of the legislation. They address several aspects of compliance, including notices to Data Principals, consent management, security safeguards, breach reporting, processing of children's data, obligations of Significant Data Fiduciaries and the functioning of the Data Protection Board of India.
Importantly, the Rules also establish the implementation timeline for various obligations under the framework.
While certain provisions relating to administration and institutional functioning became effective upon notification of the Rules in November 2025, the majority of substantive obligations applicable to Data Fiduciaries are scheduled to become operational eighteen months after notification.
This places the principal compliance deadline in May 2027.
As a result, the current period may be viewed as a transition phase during which organisations are expected to prepare for implementation of the framework before the substantive obligations become enforceable.
What Happens in May 2027?
The significance of May 2027 lies in the commencement of the principal operational obligations under the DPDP framework.
From that point onwards, organisations processing digital personal data will be expected to comply with requirements relating to notice obligations, consent management, security safeguards, grievance redressal, breach notification, processing of children's data, retention and deletion practices and various other obligations prescribed under the Act and Rules.
The commencement of these obligations will also coincide with the increasing operational role of the Data Protection Board of India, which has been established as the adjudicatory body responsible for enforcement under the framework.
While the precise nature and intensity of enforcement activity will develop over time, organisations should reasonably expect increasing scrutiny of privacy governance practices, particularly in sectors involving large-scale processing of personal data.
Which Organisations Will Be Most Affected?
The practical impact of the DPDP framework will vary depending on the nature and scale of an organisation's data processing activities.
Technology platforms and digital service providers are expected to undertake extensive compliance exercises. Organisations such as Google, Meta, WhatsApp, Instagram, YouTube, LinkedIn and other consumer-facing digital platforms process substantial volumes of personal data and are likely to focus on consent mechanisms, user rights management, data retention practices and governance structures relating to children's data.
The requirement for verifiable parental consent for individuals below eighteen years of age may necessitate significant operational changes for social media platforms, gaming platforms, educational technology providers and other digital services with substantial participation by younger users.
E-commerce businesses such as Amazon, Flipkart, Myntra and other online marketplaces are likely to review customer onboarding processes, marketing consent frameworks, loyalty programmes and behavioural analytics functions to ensure alignment with the requirements of the legislation.
Financial institutions are expected to face substantial implementation requirements. Banks, insurance companies, non-banking financial companies, payment aggregators and fintech businesses process large volumes of customer information as part of routine operations. Existing compliance frameworks implemented pursuant to Reserve Bank of India and sectoral requirements may provide a useful foundation, although additional measures may be required to address DPDP-specific obligations.
Healthcare providers, hospital chains, diagnostic laboratories, telemedicine platforms and health technology companies are similarly expected to undertake comprehensive reviews of patient data governance frameworks. The increasing digitisation of healthcare services has resulted in significant volumes of personal and health-related information being processed across multiple platforms and service providers.
Telecommunications providers have also publicly engaged with policymakers regarding implementation concerns, particularly in relation to obligations that may apply to entities processing data at scale.
Comparison with Global Privacy Frameworks
The DPDP framework has frequently been compared with the European Union's General Data Protection Regulation ("GDPR"). While there are similarities in certain underlying principles, the two frameworks differ in structure, scope and implementation.
The GDPR is built around multiple lawful bases for processing personal data and contains detailed provisions governing a broad range of processing activities. The DPDP Act adopts a comparatively streamlined structure centred primarily around consent and specified legitimate uses.
Organisations that have already implemented GDPR compliance programmes may therefore possess a degree of organisational readiness. However, GDPR compliance should not be viewed as automatically satisfying obligations under Indian law. Separate assessments will be necessary to identify areas where additional controls, documentation or operational measures may be required.
Multinational corporations with mature privacy governance frameworks are generally expected to adapt more quickly than organisations beginning their privacy compliance journey for the first time.
What Should Organisations Be Doing Now?
The period leading up to May 2027 should be utilised to establish the foundations of compliance.
For many organisations, the first step involves understanding what personal data is collected, where it is stored, how it is used and which internal and external stakeholders have access to it. Data mapping exercises therefore remain an important starting point.
Organisations should also review privacy notices, consent collection mechanisms, retention practices, vendor management frameworks and breach response procedures. Existing contractual arrangements with service providers may require amendment to reflect responsibilities relating to personal data processing.
Boards and senior management teams are increasingly treating data protection as a governance issue rather than a purely legal or technology matter. Effective implementation generally requires coordination between legal, compliance, information security, technology, human resources and business teams.
Larger organisations may also need to assess whether they are likely to be classified as Significant Data Fiduciaries and prepare for any additional obligations that may accompany such classification.
Looking Ahead
India's data protection framework has moved beyond the legislative stage and is now entering a period of implementation and operational readiness.
The notification of the DPDP Rules and the establishment of the Data Protection Board have provided substantial clarity regarding the structure of the framework and the anticipated timelines for compliance. The principal obligations applicable to organisations are expected to become operational in May 2027, providing businesses with a defined implementation window.
For organisations that process personal data as part of their operations, the focus over the next several months is likely to be on governance, preparedness and implementation. The extent of readiness achieved during this transition period may significantly influence an organisation's ability to demonstrate compliance once the substantive provisions of the framework become fully operational.
