A CERT-In Empanelled Auditing Organization
Home/Blog/DPDPA
DPDPA

DPDP Rules 2025 are here: your countdown to 13 May 2027

The long wait is over. The Digital Personal Data Protection Rules, 2025 were notified in the Gazette on 13 November 2025, turning the DPDP Act, 2023 from a statement of principle into a working operating regime. For every organisation that handles the personal data of people in India, an 18-month compliance clock is now running, and it stops on 13 May 2027. If you have been treating India’s privacy law as a problem for another year, that framing no longer holds. The machinery of enforcement is being assembled now, and the runway is shorter than it looks once you account for procurement cycles, system changes, vendor contracts and staff training.

This post walks through what the Rules actually change, how the phased timeline works, and — most usefully — what a sensible organisation should be doing month by month through 2026.

Why the notification matters so much

The DPDP Act received presidential assent back in 2023, but an Act without rules is an intention rather than an instruction. The Rules are what convert broad obligations — “obtain consent,” “keep data secure,” “report breaches” — into concrete, testable requirements: the formats notices must take, the timelines that apply, the thresholds that trigger extra duties, and the mechanics of how the whole system is administered. Until the Rules landed, organisations could prepare only in general terms. Now the target is fixed.

The notification also ends a long stretch of uncertainty. Organisations that began work against the draft rules published in January 2025 did not waste their effort: the movement from draft to final was largely procedural rather than structural, so the direction of travel was clear for anyone paying attention. The lesson for the future is that waiting for perfect certainty is usually more expensive than acting on a well-signalled direction.

A phased rollout, not a single switch

The government chose a staggered timeline, and using it well — rather than fixating on the final date — is the difference between a calm programme and a last-minute scramble:

In practical terms, 2026 is the build-and-test year. Commentary across the profession is consistent that enforcement will be light through 2026 and firm from mid-2027, with no grace period once the deadline passes. Treating 2026 as breathing space rather than build time is the single most common planning mistake we expect to see.

What the Rules lock in

The detail is where the real work lives. The obligations that will most affect day-to-day operations include:

Penalties remain substantial — up to ₹250 crore for major failures such as inadequate security safeguards — and they can stack across categories, so a single incident that breaches several obligations can create cumulative exposure well beyond that headline figure. For most organisations, the cost of readiness is a rounding error against that risk.

Confirm the detail. Dates, thresholds and schedule-specific retention periods come straight from the notified Rules and may be refined by further notifications. Treat this as a planning map and verify specifics against the official gazette before you act.

A worked plan for 2026

Eighteen months divides neatly into a manageable programme if you sequence it sensibly rather than trying to do everything at once:

  1. First quarter — see clearly. Build a data inventory and flow map: what personal data you hold, why, where it lives, where it goes, and how long you keep it. Everything downstream depends on this, and it always takes longer than teams expect.
  2. Second quarter — measure the gap. Run a structured gap assessment against the Rules, covering notice, consent, rights, retention, security and breach response, and turn the findings into a prioritised roadmap with owners and dates.
  3. Middle of the year — rebuild the foundations. Redesign consent and notices, and design them to interoperate with Consent Managers as that framework goes live. Fix the retention and deletion mechanics.
  4. Third quarter — stand up the operational muscles. Implement rights-request and breach-response workflows, then test them with a tabletop exercise so they are practised, not theoretical.
  5. Fourth quarter — assure and evidence. If you may be an SDF, complete a DPIA and prepare for independent audit. Everywhere, make sure you can demonstrate compliance, not just assert it.

The takeaway

Eighteen months sounds generous until you map it against everything that has to change — policies, systems, vendor contracts, training and governance. The organisations that begin their gap assessment early in 2026 will move into 2027 calmly and confidently; those that wait will be remediating under enforcement pressure, competing for scarce specialist help, and explaining delays to their boards. The Rules have set the clock. The only real decision left is when you start.

DPDPADPDP RulesConsent ManagerCompliance
Share

Keep reading

Related insights

DPDPA

DPDPA 2023: what Indian businesses must do now

Who the Act applies to, the obligations that matter, the penalties at stake, and a practical six-step plan to get ready.

5 min read
DPDPA

Consent Managers under the DPDPA: what they are and how to prepare

The DPDP framework introduces a new intermediary - the Consent Manager. Here is what it is, who can be one, and how to get your systems ready.

4 min read
DPDPA

Do you need a Data Protection Officer under the DPDPA?

Some organisations must appoint a DPO under the DPDPA; many others benefit from one. Who needs it, what the role does, and how to resource it.

3 min read

Have a question this raised?

Our team turns guidance like this into working compliance and security programmes. Tell us where you are — we’ll help you plan the next step.