India DPDP Act in 2026: What the Rules Actually Require Now That They're Notified
India's DPDP Act and the long-awaited DPDP Rules 2025 are finally in force, with consent managers and core compliance obligations phasing in through 2026 and 2027. Here's what changes for any business handling Indian data.
India spent six years drafting a national data protection law. The Digital Personal Data Protection Act passed in August 2023, then sat idle for over two years while everyone waited for the implementing rules. On 13 November 2025, MeitY finally notified the DPDP Rules 2025 and brought the Act into force in phases. The Data Protection Board of India (DPBI) is now real. The consent manager regime kicks in November 2026. The substantive data fiduciary obligations follow.
If you run a SaaS company, an app, an e-commerce business, a payments platform, a health-tech, a fintech, or pretty much any digital business with Indian users — DPDP applies to you. If you process Indian personal data from outside India, it still applies to you (it has explicit extraterritorial reach for offering goods or services to data principals in India).
Here's the honest picture of what changes and what you should be doing this year.
What the Act Actually Covers
DPDP is comprehensive but narrower in some ways than GDPR. The core scope:
- Personal data of natural persons processed digitally or processed digitally after non-digital collection
- Within India, or outside India if processing is in connection with offering goods or services to data principals in India
- Excludes personal data processed by an individual for personal or domestic purposes, and personal data made publicly available by the data principal themselves
The Act uses GDPR-adjacent terminology with local twists:
- Data Fiduciary = controller (the one who decides purposes and means)
- Data Processor = processor
- Data Principal = data subject (with the unusual addition that for minors and people with disabilities, the parent/lawful guardian acts as data principal)
- Significant Data Fiduciary (SDF) = a designated category facing heightened obligations (analogous loosely to large platforms under GDPR, but designation-based)
The principles are familiar: lawful purpose, consent or specified legitimate uses, notice, purpose limitation, data minimization, accuracy, retention limitation, security, accountability. Cross-border transfer is permitted in general, but the government can restrict transfers to specific countries by notification (a restriction list, not an allowlist: the default is "permitted unless prohibited").
The Phased Timeline That Actually Matters
Notification on 13 November 2025 didn't trigger everything at once. The phases:
Phase 1 — Immediate (from 13 November 2025). Provisions establishing the Data Protection Board of India and related institutional sections. The Board is operational. It can be approached, but its full inquiry powers are tied to later phases.
Phase 2 — One year out (13 November 2026). Consent manager regime activates. Registration of consent managers with DPBI, consent manager obligations, DPBI powers to inquire into and penalize consent manager breaches.
Phase 3 — Eighteen months out (May 2027). The substantive obligations on data fiduciaries — notice, consent management, data principal rights, breach notification, security safeguards, SDF obligations — become fully enforceable.
This phasing is the most important thing to understand. The Act is law now, but the enforcement machinery turns on in stages. If you wait until November 2026 to start, you're 12 months behind the regulator's ramp-up. If you wait until 2027, you're racing the clock.
The Consent Manager Regime (And Why It Matters in 2026)
This is the bit that's genuinely novel. India is the first major jurisdiction to require consent managers as a regulated intermediary class.
A consent manager is a registered entity that gives data principals a single interface to grant, manage, review, and withdraw their consent across multiple data fiduciaries. It's interoperable, neutral (cannot have a conflict of interest with any data fiduciary), and accountable to the DPBI.
To register as a consent manager, an entity must:
- Be a company incorporated in India
- Have a minimum net worth of INR 20 million (about USD 240,000)
- Demonstrate independent certification of platform interoperability and technical/organizational measures
- Commit to neutrality, audit trails, data integrity, and grievance handling
For data fiduciaries, the consent manager regime isn't optional — once it's live, fiduciaries must be able to integrate with registered consent managers to honor consent and consent withdrawal that comes through them. The DPBI has signaled this is an India Stack-style infrastructure play, similar to how UPI handled payments and Account Aggregator handled financial data.
What this means practically: if your consent-capture and consent-revocation processes today are baked into your own product (cookie banners, in-app toggles, etc.), you'll need to also accept consent signals from external consent managers from late 2026.
Data Fiduciary Obligations (The Core Workload)
These come fully enforceable in 2027, but you should be implementing them through 2026.
Notice and consent. Notices must be clear, plain-language, available in English and the 22 scheduled languages of India where requested. Consent must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. No pre-ticked boxes. No bundled consent. Notice and consent records must be auditable.
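The consent requirements above (a clear affirmative action per purpose, no pre-ticked boxes, no bundled consent, auditable records) together with the earlier point that fiduciaries must honour consent and withdrawal signals arriving from registered consent managers map naturally onto an append-only consent ledger. The Python sketch below is an added example written for this article; it is not code from any DPDP implementation, consent manager or vendor. The event fields, the `source` tag used to mark a signal relayed by a consent manager, the registration set, the purpose names and the sample data are all constructed assumptions, since neither the Act nor the Rules prescribe a data format or an integration protocol.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed purposes for this example; a real notice enumerates its own.
PURPOSES = {"order_fulfilment", "marketing_email", "analytics"}


@dataclass(frozen=True)
class ConsentEvent:
    """One auditable consent action. Field names are assumptions for this example."""
    principal_id: str
    purpose: str
    action: str           # "grant" or "withdraw"
    source: str           # "first_party" or the id of a registered consent manager
    timestamp: datetime
    notice_version: str   # which version of the notice the principal saw


class ConsentLedger:
    """Append-only consent log. Current state is derived from the events and never
    edited in place, so the event history itself is the audit record."""

    def __init__(self, registered_consent_managers: set):
        self._events: List[ConsentEvent] = []
        self._registered = set(registered_consent_managers)

    def record(self, event: ConsentEvent) -> None:
        if event.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {event.purpose}")
        if event.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action: {event.action}")
        # Signals from outside the product are honoured only when they come from
        # a consent manager on the (constructed) registration list.
        if event.source != "first_party" and event.source not in self._registered:
            raise PermissionError(f"unregistered consent manager: {event.source}")
        self._events.append(event)

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """Default deny: processing for a purpose is allowed only if the most recent
        event for that exact purpose is a grant. Each purpose is tracked on its own,
        so a grant for one never implies another (no bundled consent), and a principal
        with no event at all has consented to nothing (no pre-ticked default)."""
        latest = None
        for ev in self._events:  # receipt order; the last matching event wins
            if ev.principal_id == principal_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "grant"

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Everything recorded for one principal, in the order it was received."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def capture_form(ledger: ConsentLedger, principal_id: str, ticked: Dict[str, bool],
                 notice_version: str, when: datetime) -> List[str]:
    """Turn a consent form submission into ledger events. Only purposes the principal
    affirmatively ticked produce a grant; an unticked box produces nothing, because
    silence is not consent. Returns the purposes granted."""
    granted = []
    for purpose, is_ticked in ticked.items():
        if is_ticked:
            ledger.record(ConsentEvent(principal_id, purpose, "grant", "first_party",
                                       when, notice_version))
            granted.append(purpose)
    return granted


def demo() -> dict:
    """Constructed walk-through: a first-party grant, a withdrawal relayed by a
    registered consent manager, and a signal from an unknown source that is refused."""
    ledger = ConsentLedger(registered_consent_managers={"cm-example-01"})  # hypothetical id
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)

    granted = capture_form(
        ledger, "principal-42",
        {"order_fulfilment": True, "marketing_email": True, "analytics": False},
        notice_version="v3-en", when=t0)

    # Withdrawal of marketing consent arrives via the registered consent manager.
    ledger.record(ConsentEvent("principal-42", "marketing_email", "withdraw",
                               "cm-example-01", t0.replace(day=20), "v3-en"))

    # A withdrawal from a source that is not registered must not touch the ledger.
    try:
        ledger.record(ConsentEvent("principal-42", "order_fulfilment", "withdraw",
                                   "cm-unknown", t0.replace(day=21), "v3-en"))
        rejected_unknown_source = False
    except PermissionError:
        rejected_unknown_source = True

    return {
        "granted_at_signup": granted,
        "marketing_allowed": ledger.is_permitted("principal-42", "marketing_email"),
        "fulfilment_allowed": ledger.is_permitted("principal-42", "order_fulfilment"),
        "analytics_allowed": ledger.is_permitted("principal-42", "analytics"),
        "rejected_unknown_source": rejected_unknown_source,
        "audit_events": len(ledger.history("principal-42")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the compliance weight here. First, the ledger is append-only and state is computed from it, so the record of how consent was obtained and withdrawn is the same artifact a regulator or auditor would ask for; in production that log would live in tamper-evident storage rather than a Python list. Second, the default is deny per purpose, which is what makes "no pre-ticked boxes" and "no bundled consent" properties of the data model rather than of the UI alone. How a registered consent manager actually authenticates its signals is not specified on this page, so the registration check above stands in for whatever the DPBI's registration and interoperability certification ends up requiring.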
Specified legitimate uses. A defined list of cases where personal data can be processed without consent — including voluntary provision by the data principal for a specified purpose, employment-related processing, medical emergencies, public health, and certain government functions. These need narrow interpretation; don't expect them to swallow the consent rule.
Data principal rights. Access, correction, erasure, grievance redressal, and nomination (ability to designate someone to exercise rights in case of death or incapacity — a uniquely Indian addition). Fiduciaries must respond within prescribed timelines and through a clear grievance officer.
Security safeguards. "Reasonable" security measures, with specific examples in the Rules: encryption, access controls, masking, logs, periodic monitoring, retention controls, incident detection. The Rules are technology-neutral but list what regulators will look for. If you're already aligned to ISO/IEC 27001 or ISO/IEC 27701, you're largely there.
Breach notification. Mandatory notification to both the DPBI and affected data principals — without delay — for any personal data breach, broadly defined. The Rules add prescribed content: nature of breach, consequences, mitigation, contact for queries. This is broader than many comparable regimes, which often have de minimis thresholds.
Data retention and erasure. Retain only as long as needed for the specified purpose, then erase. SDFs face stricter requirements and must be ready to provide proof of erasure.
Children's data. Verifiable parental consent is required for any processing of data of children under 18 (yes, 18 — not 13 or 16). No tracking, behavioral advertising, or targeted ads to children. This is among the strictest children's data regimes globally — significantly tougher than COPPA in the US.
Significant Data Fiduciaries: Extra Burden
Some fiduciaries will be designated SDFs by the government, based on volume and sensitivity of data processed, risk to data principal rights, potential impact on sovereignty, public order, electoral democracy, and similar criteria. The Rules add specific designation factors.
SDFs must:
- Appoint a Data Protection Officer (resident in India, answerable to the fiduciary's board of directors or equivalent governing body)
- Appoint an independent data auditor for periodic audits
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- Report periodic compliance to DPBI
The DPDP version of "GDPR Article 35" applies primarily to SDFs, not all fiduciaries. This is a meaningful narrowing compared to GDPR.
Penalties That Will Actually Get Your Attention
Penalties under DPDP can be levied per breach, by the DPBI, and capped at the following:
- Up to ₹250 crore (~USD 30M) — failure to take reasonable security safeguards
- Up to ₹200 crore — failure to notify breach to DPBI or affected data principals
- Up to ₹200 crore — non-fulfillment of obligations regarding children
- Up to ₹150 crore — additional obligations of SDFs
- Up to ₹50 crore — other breaches of the Act or Rules
These are caps per instance, not per affected person — but they apply per breach event, and a single incident can trigger multiple categories. The DPBI also has powers to inquire suo motu (on its own motion), summon witnesses, examine on oath, and require document production.
How DPDP Compares to GDPR
If you've built GDPR-aligned operations, the work to extend to DPDP is meaningful but not from-scratch:
| Topic | GDPR | DPDP |
|---|---|---|
| Lawful basis | 6 legal bases | Consent + specified legitimate uses |
| Children | Under 16 (Member State option down to 13) | Under 18 |
| Cross-border transfers | Adequacy / SCCs / BCRs / derogations | Default permitted; government can restrict by notification |
| DPO requirement | Risk- and scale-based | Only for SDFs |
| Breach notification | 72 hours to supervisor; affected individuals "without undue delay" if high risk | Without delay to DPBI and affected individuals |
| Maximum fine | 4% of global turnover or €20M | ₹250 crore (~USD 30M) per breach event |
| Consent intermediary | Not formalized | Mandatory registered consent managers |
The biggest practical gaps tend to be:
- Children's data scope — many global products are not set up for an under-18 standard
- Consent manager integration — net-new work
- Breach notification timing — "without delay" reads as a stricter standard than GDPR's 72 hours
- Indian-language notice — most consent flows aren't multilingual today
What to Do in 2026
If you handle Indian personal data:
- Map your data. Inventory what Indian personal data you process, for what purpose, on which lawful basis, with which third parties. If you don't already have a data map for Indian users, build one now.
- Re-paper your privacy notice. Clear, plain-language, available in English plus Indian languages on request. Specify purpose, retention, rights, grievance contact, DPO if SDF.
- Upgrade consent capture. Free, specific, informed, unambiguous. No bundled consent. Granular withdrawal. Auditable consent records. Prepare for consent manager integration from late 2026.
- Build the rights workflow. Access, correction, erasure, grievance, nomination. Make sure your existing GDPR/CCPA rights infrastructure handles the DPDP additions, especially nomination.
- Lock down breach response. "Without delay" is a tight standard. Tabletop your incident response, including how you'd produce the prescribed Rule-driven breach content within hours.
- Children's data audit. If your product reaches users under 18 (even unintentionally), figure out verifiable parental consent. This may force product changes well beyond compliance docs.
- Watch for SDF designation. If you're a major Indian-market platform, expect SDF designation. Pre-emptively run DPIAs, prepare to appoint a DPO, and set up an audit function.
- Update your contracts. Processor agreements with vendors handling Indian personal data need DPDP-specific clauses. Don't assume your existing DPAs cover it.
For global SaaS companies expanding into multiple jurisdictions, DPDP is the largest new piece of the global compliance stack in 2026. India is too big to skip, and unlike the previous draft regimes, this one is actually live.
The Bottom Line
India's data protection regime has been "coming soon" for so long that some teams stopped treating it as a near-term risk. That ended in November 2025. The DPBI is real. The consent manager regime is going live in 2026. The substantive obligations follow in 2027.
If you process Indian personal data, treat 2026 as the implementation year. The penalties under DPDP are large enough — and the DPBI's powers broad enough — that "we'll handle it when enforcement starts" is not a defensible strategy. The companies that took GDPR seriously in 2017–2018 still benefited even when EU enforcement ramped slowly. The same will be true here.
References
- The Digital Personal Data Protection Act, 2023 — Ministry of Electronics and Information Technology, India
- Digital Personal Data Protection Rules, 2025 — Compiled rules reference
- India's DPDP Regime Takes Effect — Lexology overview
- Consent Management Under DPDPA — Implementation guidance