India’s DPDP Act Enters Its Enforcement Phase
After nearly a decade of drafts, consultations, and political delays, India’s first comprehensive data protection law has crossed from aspiration to obligation. The Digital Personal Data Protection Rules, 2025, were notified on November 14, 2025, by the Ministry of Electronics and Information Technology (MeitY), activating the compliance clock for every organization that processes digital personal data of Indian residents — regardless of where that organization is headquartered.
The law’s extraterritorial reach is explicit: any company offering goods or services to individuals within India, or processing personal data connected to such offerings, is covered. This places hundreds of thousands of global SaaS platforms, cloud infrastructure providers, and digital marketplaces squarely within scope — whether or not they have a legal entity in India.
The architecture of the DPDP Rules introduces a two-tier compliance system: baseline obligations that apply to all Data Fiduciaries, and a substantially heavier set of obligations for organizations designated as Significant Data Fiduciaries (SDFs). Understanding which tier applies — and when — is the most consequential compliance decision a global technology company will make in 2026.
The Phased Timeline: Three Deadlines That Cannot Slip
The DPDP Rules operate on a three-phase clock. According to India Briefing’s detailed analysis, the phases are:
Phase I (November 14, 2025 — already active): The Data Protection Board of India is established and begins operations. Select enforcement provisions, including the Board’s procedural authority, take effect immediately.
Phase II (November 13, 2026): The Consent Manager framework becomes operational. Any Data Fiduciary that relies on consent as the legal basis for processing must integrate with a registered Consent Manager by this date. Consent Managers must hold Indian incorporation, maintain minimum net worth of INR 20 million (approximately USD 225,000), and preserve consent records in machine-readable format for seven years. This deadline is 6 months away.
Phase III (May 13, 2027): Full compliance obligations for all Data Fiduciaries take effect, including the core rights of Data Principals (notice, consent, correction, erasure), the 72-hour breach notification obligation, and the annual audit requirements for Significant Data Fiduciaries.
The debate over accelerating the timeline matters: in January 2026, MeitY consulted industry stakeholders on compressing the 18-month window for SDFs to 12 months, which would move full SDF enforcement to November 2026 — coinciding with the Consent Manager deadline. No final decision has been announced as of May 2026, but companies treating May 2027 as a comfortable backstop may be wrong.
Significant Data Fiduciary: The Tier That Changes Everything
The SDF designation is the single most consequential classification in the DPDP framework. Under Rule 13 of the DPDP Rules, organizations notified as SDFs must comply with a materially heavier regime than ordinary Data Fiduciaries.
The Central Government designates SDFs based on criteria including: volume of personal data processed, sensitivity of the data categories, potential impact on national security or electoral integrity, use of emerging technologies, and any other factors the government prescribes. Numerical thresholds for the volume criterion are expected to be notified in 2026.
For the most serious breaches — failure to implement reasonable security safeguards — penalties reach INR 250 crore (approximately USD 30 million). Non-compliance with SDF-specific additional obligations carries fines up to INR 150 crore (approximately USD 16 million).
Any global SaaS company with more than a few hundred thousand Indian users, or that processes sensitive categories such as health data, financial transaction data, or data used in automated decision-making, should assume SDF designation is a realistic risk and prepare accordingly.
What SaaS and Cloud Teams Should Do Before November 2026
The Consent Manager deadline in November 2026 is the first hard compliance moment. It is also the forcing function that makes SDF pre-classification urgent — because if your platform is later designated an SDF, the Consent Manager integration requirements are more stringent than baseline.
1. Complete a Data Mapping and SDF Self-Assessment in Q2 2026
Before any architecture decision, organizations need a structured inventory: which categories of personal data you process for Indian users, the approximate volume, whether any categories fall within the sensitive data list (to be notified by MeitY, but likely to include health, financial, and biometric data), and whether your processing involves automated decision-making that materially affects individuals. Secure Privacy’s Phase 2 compliance guide recommends completing this mapping by mid-2026 to leave adequate time for technical remediation before the November deadline.
The self-assessment does not require waiting for MeitY’s volume thresholds. Companies processing personal data for tens of millions of Indian users should treat SDF designation as a planning assumption. The alternative — scrambling to implement India-based DPO appointment, annual DPIAs, and algorithmic audits after designation — is operationally unworkable in a short window.
2. Redesign Your Consent Architecture for Consent Manager Integration
The Consent Manager framework requires Data Fiduciaries to integrate via API with a registered Consent Manager, allowing Data Principals to give, manage, review, and withdraw consents across all platforms from a single interface. This is structurally different from the consent banners most platforms use today. It requires building or updating API infrastructure capable of receiving consent signals, recording them with granularity (per purpose, not blanket), and processing withdrawals without delay — meaning a user’s withdrawal request cannot sit in a processing queue for 48 hours.
According to the DPDP Rules analysis by Lexology, the consent record must link each data collection event to the specific purpose, the specific consent signal, and the identity-verified Data Principal. Consent records must be maintained for seven years. This is a non-trivial engineering commitment that typically requires 3-6 months of development time for platforms with complex consent flows.
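As an added illustration (not code from the article, and not any Consent Manager API, which the Rules are described here only in outline), a minimal per-purpose consent ledger in Python showing the three properties this section calls for: every record links a collection event, one purpose and a Data Principal; a withdrawal is honoured on the very next check rather than queued; and records stay machine-readable for the seven-year retention period. The record fields, the `granted`/`withdrawn` signal vocabulary, the 2555-day retention constant and the sample identifiers are all assumptions constructed for the example.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7 * 365)  # the article's seven-year retention; 2555 days is an assumption

@dataclass
class ConsentRecord:
    event_id: str      # data collection event the consent is linked to
    principal_id: str  # identity-verified Data Principal (verification assumed done upstream)
    purpose: str       # exactly one purpose per record, never a blanket grant
    signal: str        # "granted" or "withdrawn" (assumed vocabulary)
    recorded_at: str   # ISO-8601 UTC timestamp

class ConsentLedger:
    """Append-only ledger: a withdrawal appends a record; grants are never rewritten or deleted."""
    def __init__(self):
        self._records = []
    def record(self, event_id, principal_id, purpose, signal, now):
        self._records.append(ConsentRecord(event_id, principal_id, purpose, signal, now.isoformat()))
    def is_permitted(self, principal_id, purpose):
        # The latest record for this principal and purpose decides, so a withdrawal applies at once.
        latest = next((r for r in reversed(self._records)
                       if r.principal_id == principal_id and r.purpose == purpose), None)
        return latest is not None and latest.signal == "granted"
    def purge_expired(self, now):
        # Drop only records older than RETENTION; return how many were removed.
        keep = [r for r in self._records if now - datetime.fromisoformat(r.recorded_at) <= RETENTION]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed
    def export_json(self):
        # Machine-readable dump of the whole ledger for an auditor or a Consent Manager.
        return json.dumps([asdict(r) for r in self._records], indent=2)

def demo():
    """Constructed scenario: one principal, two purposes, one withdrawal, two retention sweeps."""
    t0 = datetime(2026, 11, 13, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("evt-001", "dp-42", "order_fulfilment", "granted", t0)
    ledger.record("evt-002", "dp-42", "marketing_email", "granted", t0)
    before = ledger.is_permitted("dp-42", "marketing_email")                    # True
    ledger.record("evt-003", "dp-42", "marketing_email", "withdrawn", t0 + timedelta(minutes=1))
    return {"before": before,
            "after": ledger.is_permitted("dp-42", "marketing_email"),           # False, immediately
            "other": ledger.is_permitted("dp-42", "order_fulfilment"),          # True: other purpose untouched
            "never": ledger.is_permitted("dp-42", "profiling"),                 # False: no record at all
            "exported": ledger.export_json().count('"event_id"'),               # 3 records in the JSON dump
            "purged_early": ledger.purge_expired(t0 + timedelta(days=365)),     # 0: all within retention
            "purged_late": ledger.purge_expired(t0 + RETENTION + timedelta(days=1))}  # 3: all expired
```

The append-only design is what makes the seven-year record auditable: the grant and the later withdrawal both survive, so an auditor can reconstruct exactly what processing was permitted at any moment.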
3. Appoint an India-Based DPO and Build the Board Reporting Structure
If SDF designation is a realistic prospect, the India-based Data Protection Officer appointment cannot wait until after designation. The DPO must be a natural person based in India, must report directly to the Board of Directors or equivalent governing body, and serves as the primary point of contact for grievance redressal and Data Protection Board proceedings. Hiring and onboarding a qualified DPO takes time — and the pool of experienced DPDP-qualified DPOs is currently small relative to demand.
For global companies without an Indian entity, the DPO appointment may require establishing a legal presence in India for the first time. This interacts with the cross-border data transfer rules: transfers to non-whitelisted countries require Transfer Impact Assessments under the DPDP framework, and SDFs face additional localization requirements for specified personal data categories once those categories are notified.
4. Update Your Data Processor Contracts and Vendor Chain
The DPDP Rules place compliance responsibility firmly on the Data Fiduciary, even when processing is carried out by a Data Processor. The Rules require Data Fiduciary-Data Processor contracts to include specific security provisions, breach notification obligations, and audit rights. This means that cloud infrastructure providers, sub-processors, and analytics vendors in your data supply chain must be contractually bound to DPDP-compatible terms.
Existing contracts signed before November 2025 almost certainly lack DPDP-specific language. An audit of all data processor agreements, followed by systematic amendment, is a pre-condition for compliance — not a nice-to-have.
The Structural Lesson
India’s DPDP Act is the third major data protection framework, after the EU GDPR and Brazil’s LGPD, to impose extraterritorial obligations on global technology companies. But its SDF tier introduces something neither GDPR nor LGPD created: a government-designated category of organizations that face audit, algorithmic accountability, and potential data localization requirements calibrated to their specific scale and sensitivity profile.
This is not a compliance exercise that begins at the first MeitY enforcement notice. The organizations that will meet the November 2026 Consent Manager deadline comfortably are those that started their data mapping and architecture redesign in the first half of 2026. The MeitY acceleration proposal, if implemented, would collapse the already short window further. Treating this as a Q4 2026 project is a plan to miss the deadline.
For enterprise compliance teams, the DPDP framework represents a genuine governance obligation — not a tick-box exercise modeled on cookie consent banners. The 72-hour breach notification, the algorithmic audit for SDFs, and the machine-readable seven-year consent record are engineering and operational requirements, not legal paperwork.
Frequently Asked Questions
Who is covered by India’s DPDP Act?
The DPDP Act applies to any organization that processes digital personal data of individuals located in India — regardless of where the organization is incorporated or based. This includes global SaaS platforms, cloud providers, e-commerce companies, and digital services companies that offer goods or services to Indian residents, even without a physical presence in India. The extraterritorial reach is explicit in the Act’s text.
What is a Significant Data Fiduciary and what extra obligations does it face?
A Significant Data Fiduciary (SDF) is an organization designated by the Central Government based on factors including the volume and sensitivity of data processed, the potential risk of harm to Data Principals, and the use of emerging technologies. SDFs face obligations beyond baseline Data Fiduciaries: mandatory appointment of an India-based Data Protection Officer, annual Data Protection Impact Assessments, independent annual audits reported to the Data Protection Board, and algorithmic accountability reviews. SDFs may also face data localization requirements for specified sensitive data categories once those categories are notified by MeitY. Penalties for SDF non-compliance reach INR 150 crore (approximately USD 16 million).
What is the Consent Manager framework and when does it take effect?
A Consent Manager is a registered intermediary that provides a single interface for Data Principals to give, manage, review, and withdraw their consents across multiple Data Fiduciaries. The Consent Manager framework becomes operational on November 13, 2026. Data Fiduciaries relying on consent as the lawful basis for processing must integrate with a registered Consent Manager by this date. Integration requires building API infrastructure that can receive consent signals, record them per-purpose with seven-year retention, and act on withdrawal requests without delay.
—
Sources & Further Reading
- DPDP Rules 2025 Notified — India Briefing, November 2025
- India DPDP Phase 2: What Businesses Must Do to Prepare — Secure Privacy, 2026
- Digital Personal Data Protection Rules, 2025: Consent, Security, and Governance — Lexology
- Rule 13: Additional Obligations of Significant Data Fiduciary — DPDPA.com
- India’s New Data Privacy Rules: 8 Steps for Businesses — Fisher Phillips, 2026
- DPDP Rules for Cross-Border Data Transfers — Kalp Systems