The DPDP Compliance Clock Has Started: What India's 2026 Deadlines Mean for SMEs
India's DPDP Rules are now in force and the real deadlines land in 2026 and 2027. Here is a plain-English read on the three dates that matter and what a small business should actually do first.
For a long time the Digital Personal Data Protection Act felt like a law that existed on paper and nowhere else. That changed on 13 November 2025, when the government notified the DPDP Rules, 2025 and set up the Data Protection Board of India. The abstract obligations most founders had been putting off now come with dates, procedures, and a regulator whose job is to enforce them.
If you run an SME or a startup that touches personal data, and almost every business does, 2026 is the year to stop treating DPDP as a someday problem. You do not need to panic. You do need a calendar.
What actually changed in late 2025
Two things happened together. The Rules filled in the operational detail the 2023 Act left open, the "how" behind consent notices, breach reporting, and the duties of larger data handlers. And the Data Protection Board was constituted, which means there is now a body that can receive complaints, investigate, and impose penalties.
Before this, non-compliance had no real address. Now it does.
The three dates worth writing down
The rollout is deliberately phased, so the whole weight of the law does not land at once. Three points on the timeline matter for planning.
13 November 2025 brought the Rules and the Board into effect. This is the administrative starting gun.
13 November 2026 is when the Consent Manager registration framework becomes operational. Consent Managers are a distinctly Indian idea: regulated intermediaries that let a person give, review, and withdraw consent across different companies from one place. Your systems will eventually need to speak to these platforms.
13 May 2027 is the one that carries the substantive obligations, the ones with teeth. Consent notices, the rights of data principals to access and correct and erase their data, breach notification duties, and the extra requirements for Significant Data Fiduciaries all take full effect around this point.
That gives most businesses roughly a year and a half from the Rules to genuine readiness. It sounds generous until you try to remap how your company collects data.
The middle deadline is the one people miss
Everyone fixates on the May 2027 date because that is when penalties for the core duties bite. The consent-manager milestone in November 2026 slips past quietly, and then becomes a scramble.
Here is the practical problem. If a registered Consent Manager sends your company a consent-withdrawal request on behalf of a customer, your backend has to recognise it, act on it, and stop the relevant processing. That is not a policy document you can write in an afternoon. It is plumbing. Building an interoperable consent layer into an existing product takes engineering time, and engineering time is the resource small companies have least of.
Starting that work in late 2026 is starting late.
The 72-hour breach clock is not theoretical anymore
One rule that deserves specific attention: breach notification. Under the DPDP Rules, once you become aware of a personal data breach, you must inform the Data Protection Board and the affected individuals, with the affected-individual notification required within 72 hours. The notice has to be in plain language and tell people what data was exposed, what they can do to protect themselves, and how to reach you.
Failure to notify a breach can draw a penalty of up to 200 crore rupees. The Act's overall ceiling runs to 250 crore per instance. These are not rounding-error numbers for a mid-sized company.
If you cannot today say who would be called at 2 a.m. when a breach is discovered, and what they would do in the first three hours, that gap is worth closing before anything else.
Why the Indian regulator is unlikely to go soft
It helps to look at where other privacy regulators have ended up. In Europe, cumulative GDPR fines crossed 7.1 billion euros by January 2026, a jump of about 21 percent in a single year. France's CNIL has handed down nine-figure penalties against very large companies. Regulators there have shifted from symbolic fines toward penalties sized against global turnover, and they hold both the company deciding how data is used and the vendors processing it accountable.
India's Board is new, and early enforcement will probably favour education over maximum penalties. But the direction of travel worldwide is clear, and the DPDP penalty ceilings were written to be taken seriously. Betting that enforcement will stay lax is a weak strategy.
What to do in the next 90 days
You cannot build everything at once, so sequence it.
Start with a data map. Write down what personal data you collect, where it lives, who you share it with, and why. Most compliance work is impossible until this exists, and most companies are surprised by what they find.
Rework your consent and notice flows next. The DPDP standard is consent that is free, specific, informed, and easy to withdraw. If your signup buries everything behind a single "I agree", that needs to change.
Then look at your vendors. Any third party that processes personal data on your behalf, from your email tool to your cloud host, should sit under a written agreement that reflects DPDP duties.
Finally, write a one-page breach runbook and name an owner for privacy. It does not need to be a full-time Data Protection Officer unless you qualify as a Significant Data Fiduciary, but someone has to hold the responsibility.
None of this requires a large budget. It requires starting.
This article is general guidance, not legal advice. If you want a readiness view specific to your business, our DPDP readiness checklist is a quick first pass, or you can book a free 30-minute consultation and we will map your exposure and a 90-day plan.
Get help implementing this
Turn this reading into a compliance plan.
Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.
Book a free 30-minute consultation