Is the DPDP Act currently in force?
Yes — and no, depending on what you mean by "in force."
The Digital Personal Data Protection (DPDP) Act 2023 was signed by the President on August 11, 2023 and notified in the Official Gazette. It is an active Indian law. The DPDP Rules 2025 were published in January 2025, providing the operational detail that makes the Act enforceable.
However, the enforcement machinery — the Data Protection Board of India — is still being constituted. Without the Board, there is no adjudicatory body to impose penalties. The practical enforcement date is May 13, 2027, after which the Board will be operational and can hear complaints and levy penalties.
The law is passed. The rules are notified. The Board is being set up. Full enforcement with penalties begins May 2027. But if you wait until 2027 to start, you will not finish in time — compliance takes 4–9 months for most organisations.
The DPDP Act 2025 enforcement timeline
Here is every milestone in the DPDP Act's path to full enforcement:
What the DPDP Rules 2025 actually change
The original DPDP Act 2023 established obligations but left critical operational detail to the Rules. The DPDP Rules 2025 filled these gaps. Here is what is now concrete:
1. Consent notice requirements
The Rules specify the required format and content of consent notices. Every Data Fiduciary must provide a notice that includes: the personal data being collected, the specific purpose of processing, the rights available to the Data Principal, and how to withdraw consent. The notice must be in clear, plain language and in the language of the individual's choice.
2. Data Principal rights procedures
The Rules establish how individuals can exercise their rights under the Act — access, correction, erasure, and nomination. Data Fiduciaries must have a functioning mechanism to receive and respond to these requests within the prescribed timelines. The specific timelines are expected to be 30–72 hours depending on the type of request.
3. Data Protection Board procedures
The Rules specify the constitution, operation, and adjudication procedures of the Data Protection Board. This includes the complaint process, the adjudication timeline, and the appeals mechanism. The Board will function as a quasi-judicial body with the power to levy penalties.
4. Cross-border data transfer
The Rules specify how personal data can be transferred to countries outside India. The government will maintain an allowlist of countries to which data can be freely transferred. Transfers to unlisted countries require additional safeguards. The details of the allowlist and specific safeguards are still being finalised as of mid-2026.
5. Significant Data Fiduciary criteria
The Rules provide the factors the government will consider when designating Significant Data Fiduciaries: volume of personal data processed, sensitivity of personal data, potential impact on national security, risk to Data Principals, and potential impact on rights of children. Organisations that believe they may be designated should begin preparing for additional obligations now.
What if your business is designated as a Significant Data Fiduciary?
Significant Data Fiduciary (SDF) designation is the highest-obligation category under the DPDP Act. If your organisation is designated, you face obligations beyond the standard requirements:
- Data Protection Officer (DPO): Must appoint a DPO based in India, who is the contact point for Data Principals and the Data Protection Board.
- Independent Data Auditor: Annual independent audit of your data processing operations by an accredited auditor.
- Data Protection Impact Assessment (DPIA): Periodic DPIAs for new or changed processing activities.
- Algorithmic transparency (if applicable): SDFs processing data for algorithmic decision-making must document and be prepared to explain those decisions.
The government is expected to designate the first SDFs in 2026. Large-scale consumer platforms, healthcare data processors, financial institutions, and government contractors are most likely to be designated in the first wave.
What your business must do right now — in 2025
The compliance clock is running. Here is what you should be doing now, regardless of your sector or size:
Complete a personal data inventory
Map every personal data flow in your organisation: what data you collect, where it is stored, how it moves, who can access it, and how long you retain it. This is the foundation of DPDP compliance — you cannot build consent mechanisms or respond to rights requests if you do not know where your data is.
Audit your consent mechanisms
Review every touchpoint where you collect personal data: your website, app, sales process, customer support, and HR system. Check whether your current consent mechanisms meet the DPDP Act standard — specific, informed, unambiguous, and as easy to withdraw as to give. Most organisations find significant gaps at this stage.
Draft DPDP-compliant privacy notices
Your existing privacy policy likely does not meet the DPDP Act's notice requirements. Draft new notices for every customer-facing touchpoint. They must be plain-language, cover all required disclosures, and be available in the languages of your users.
Build a breach detection and notification process
The DPDP Act requires notification of the Data Protection Board within a prescribed period after a personal data breach. Based on the Rules, this is expected to be within 72 hours of discovery. You need a technical process that detects breaches promptly and an incident response procedure that can trigger the notification within this window.
Establish a Data Principal rights response mechanism
Customers will be able to submit requests to access their data, correct errors, and request erasure. You need a process — and ideally a system — to receive these requests, verify the identity of the requester, and respond within the prescribed timeline.
Start compliance work in 2025. The 2027 deadline sounds distant, but implementation takes 4–9 months for a mid-size organisation, and that assumes no significant complications with your data architecture. Organisations that start late run out of time.
Frequently asked questions about DPDP Act 2025
Is the DPDP Act in force in 2025?
The Act is law. The Rules are notified. The enforcement machinery (the Data Protection Board) is being constituted. Practical enforcement with penalties begins May 2027. But the obligation to comply exists now — businesses cannot argue they were not subject to the law just because the Board is not yet operational.
What changed with the DPDP Rules 2025?
The Rules added operational detail missing from the Act: specific consent notice formats, Data Principal rights procedures, the Data Protection Board's adjudication process, cross-border transfer mechanisms, and Significant Data Fiduciary designation criteria.
When will the first Significant Data Fiduciaries be designated?
The government is expected to designate the first batch of Significant Data Fiduciaries in 2026, ahead of the May 2027 enforcement date. High-volume consumer platforms, financial institutions, and healthcare data processors are most at risk of early designation.
What is the penalty for non-compliance?
Up to ₹250 crore per violation for failure to implement reasonable security safeguards. Up to ₹200 crore for failure to notify the Board of a breach. Up to ₹50 crore for violations relating to children's data. Up to ₹10,000 for individual failures to fulfil Data Principal rights requests.
For NxgSecure's complete guide to the DPDP Act — including the six core obligations, the penalty structure, and the step-by-step compliance roadmap — read DPDP Act 2023: Complete Compliance Guide.
To understand who qualifies as a Data Fiduciary and what the Significant Data Fiduciary category means for your organisation, read What Is a Data Fiduciary Under the DPDP Act?