DPDP Act 2023 Requirements and Commencement Timeline

₹250 crore is the maximum penalty for organizations that fail to maintain reasonable security safeguards under India’s Digital Personal Data Protection (DPDP) Act, 2023. That penalty is not conditional on intent. It applies from the moment full enforcement begins on May 13, 2027.

Most DPDP compliance briefings treat the Act as a single event. It isn’t. The DPDP Rules 2025 operate on a 3-phase commencement schedule — and the first phase is already active. “The Compliance Countdown” started running on November 13, 2025, whether or not your data team knows it.

This guide covers exactly what the Act requires, when each obligation activates, and what your legal and engineering teams must have operational before enforcement arrives.

What you will master in this guide:

  • The core obligations of the DPDP Act 2023 and DPDP Rules 2025
  • The exact 3-phase commencement timeline and what triggers each phase
  • The data principal rights your platform must support and the response windows attached
  • A deadline checklist for 2026 and 2027

For the technical implementation path on Databricks, read the DPDP readiness on Databricks: complete guide 2026.

What Does the DPDP Act 2023 Actually Require of Your Organization?

Most compliance briefings reduce the DPDP Act 2023 requirements to “you need consent.” That’s not wrong — but it understates the engineering problem by a significant margin.

The Act, passed on August 11, 2023, establishes 8 categories of obligation. Each maps to a specific technical or operational requirement your data platform must support:

Lawful processing — personal data can only be processed for a specified, consented purpose → Every pipeline processing personal data must have a matching consent record before it executes

Notice and consent — data principals must receive a clear notice in their preferred language before consent is obtained → Existing privacy policies buried in terms of service do not satisfy this requirement

Data minimization — only the personal data necessary for the stated purpose may be collected → This changes how ingestion pipelines are designed, not just what data is retained

Storage limitation — personal data must be retained only for as long as the consented purpose requires → Automated retention policies are required; manual deletion is not an acceptable substitute

Security safeguards — reasonable technical and organizational measures must protect personal data → ₹250 crore is the penalty for security failures — the highest in the schedule

Accountability — data fiduciaries are responsible for compliance across their entire data estate → Third-party processors do not absorb your liability

Breach notification — the Data Protection Board and affected data principals must be notified within 72 hours of awareness → The window starts from detection, not from when the breach occurred

Data principal rights — all 5 rights must be supported with defined response timelines → Rights requests require automated workflows; ticket queues cannot meet the 7-day Rule 14 window

Reliance Jio holds personal data for over 430 million subscribers across telecom, payments, and digital services. Under DPDP, every one of those records requires consent linkage, purpose mapping, retention enforcement, and a fulfilled erasure path. That obligation is a data engineering problem — not a legal one.

The DPDP Act 2023 does not distinguish between organizations that understand their obligations and those that don’t. Both are held to the same standard.

What Are the 3 Phases of DPDP Commencement in 2026?

This is the section most compliance briefings get wrong.

The DPDP Act does not have a single enforcement date. The DPDP Rules 2025, notified on November 13, 2025, operate on a 3-phase schedule. Each phase activates specific provisions — and the phases do not pause for organizations that are still planning.

Phase | Effective Date | What Activates | Engineering Work Required
Phase 1 | November 13, 2025 | Data Protection Board operational — can investigate and penalize today | PII mapping, Unity Catalog governance foundation
Phase 2 | November 13, 2026 | Consent Manager registration framework live; interoperable consent platforms active | Consent store, multi-lingual notice engine, revocation workflows
Phase 3 | May 13, 2027 | Full enforcement — all rights obligations, complete penalty schedule, breach notification | Rights fulfillment automation, breach detection, SDF obligations, audit readiness

Phase 1 is already active. The Data Protection Board can investigate complaints and issue penalties today. Phase 2 — the activation of India’s formal Consent Manager ecosystem — arrives in November 2026.

Here’s why that matters: Phase 2 is not more planning time. It activates a new technical requirement. Your consent architecture must be operational before November 2026 to integrate correctly with India’s Consent Manager framework.

Organizations treating May 2027 as their planning start date are already in breach of Phase 1 obligations.

What Are the Core DPDP Rules 2025 Obligations and Their Penalty Schedule?

The DPDP Rules 2025 translate the Act’s principles into operational requirements with specific response windows and penalties attached to each failure.

Obligation | Requirement | Response Window | Penalty for Failure
Security safeguards | Reasonable technical and organizational measures | Ongoing | Up to ₹250 crore
Breach notification | Notify Data Protection Board and data principals | 72 hours from awareness | Up to ₹200 crore
Rights fulfillment | Respond to access, correction, erasure, nomination requests | 7 days (Rule 14) | Up to ₹50 crore per violation
Consent management | Obtain free, specific, informed, unconditional consent | Before processing | Up to ₹200 crore
Data retention | Delete personal data when purpose is fulfilled | Ongoing | Up to ₹150 crore
Grievance redressal | Appoint officer, resolve complaints within defined timelines | 30 days | Up to ₹50 crore

Most organizations focus their compliance programs on consent. The real engineering pressure comes from breach notification and rights fulfillment — both require automated systems to meet their timelines at enterprise scale.

The 72-hour breach notification window is the hardest to meet. A delayed detection system does not extend your window. It eliminates it.

Rights fulfillment is the second pressure point. 7 days at enterprise volume means automated workflows — and every organization still relying on engineering tickets will fail this requirement.

What Are the DPDP Compliance Deadlines Your Team Must Hit in 2026 and 2027?

This information has not been clearly laid out elsewhere — until now.

Before November 13, 2026:

  • PII discovery and classification complete across the full data estate → You cannot consent-map, erase, or audit what you haven’t found
  • Consent store architecture deployed and operational → Must be ready to interact with India’s Consent Manager ecosystem from day one
  • Multi-lingual notice engine deployed → DPDP requires notices in the data principal’s preferred language
  • Consent revocation workflows operational → Withdrawal must trigger automatic downstream data restriction

Before May 13, 2027:

  • All 5 data principal rights supported with automated fulfillment workflows → Access, correction, erasure, grievance redressal, and nomination — all within 7 days
  • Breach detection and 72-hour notification pipeline operational → Detection lag does not extend the notification window — it eliminates it
  • Data retention policies automated across the estate → Manual deletion processes cannot meet enforcement-era volume requirements
  • SDF assessment completed and obligations implemented if applicable → Significant Data Fiduciary designation adds DPO, DPIA, and data localization requirements
  • Audit trail infrastructure verified and defensible → Policy documentation is not evidence — technical logs are

A realistic enterprise DPDP program on Databricks takes 3 to 6 months to implement. That means the effective engineering deadline for Phase 3 is November 2026 — not May 2027.

The organizations that start now are the ones that will be defensible when the first enforcement notice arrives.

Final Verdict

The DPDP Act 2023 requirements are not ambiguous. They establish a clear set of obligations — consent, rights, breach notification, retention, security — with defined response windows and a published penalty schedule attached to each failure.

What is ambiguous is whether your data platform can actually fulfill those obligations at enterprise scale. A policy document cannot be audited. A Unity Catalog governance configuration can.

The 3-phase enforcement schedule is running. Phase 1 is active. Phase 2 arrives November 2026. Phase 3 carries the full penalty exposure in May 2027.

The only question left is whether your Databricks estate will be compliant before the first enforcement notice — or after.

For the technical architecture that fulfills these obligations, read implementing DPDP readiness on Databricks: architecture reference.

For the full program roadmap, see the DPDP readiness roadmap: implementation, operating model, and audit preparation.

FAQ: DPDP Act 2023 Requirements and Timeline

What is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 is India’s primary data privacy legislation, governing how digital personal data of Indian residents is collected, processed, stored, and deleted. It applies to Indian organizations and foreign organizations that process personal data of Indian residents, regardless of where their servers are located.

When does DPDP enforcement actually begin?

Full enforcement begins May 13, 2027 — but the Data Protection Board became operational November 13, 2025 and can investigate complaints today. The Consent Manager framework activates November 13, 2026. Organizations do not have until May 2027 to begin; the Phase 2 deadline of November 2026 is the practical engineering cutoff.

What are the key sections of the DPDP Act?

Section 4 (lawful processing), Section 5 (notice), Section 6 (consent), Sections 8–9 (data fiduciary obligations), Section 10 (Significant Data Fiduciary obligations), Section 11 (data principal rights), and Sections 25–40 (Data Protection Board and penalty schedule).

What are the DPDP penalties for non-compliance?

Penalties range from ₹50 crore to ₹250 crore depending on the violation. ₹250 crore applies to security safeguard failures — the highest in the schedule. Breach notification failure carries ₹200 crore. Penalties are per violation and cumulative.

What are the 5 rights of data principals under DPDP?

Right to access information about processing; right to correction of inaccurate data; right to erasure of personal data; right to grievance redressal; and right to nominate a trusted person to exercise rights in the event of death or incapacity.

What is a Significant Data Fiduciary?

An organization designated by the government based on volume and sensitivity of data processed, national security risks, or risks to data principals. SDFs face additional obligations: India-resident DPO, annual Data Protection Impact Assessments, and data localization requirements — with up to ₹150 crore in additional penalty exposure.

How does DPDP differ from GDPR?

DPDP is digital-only; GDPR covers all personal data. DPDP relies primarily on consent — there is no legitimate interest basis. DPDP introduces the Consent Manager role (no GDPR equivalent) and does not separately categorize sensitive data. The structural data architecture requirements also diverge significantly.

What does DPDP require from a data engineering team specifically?

Automated PII discovery and classification, a consent store linked to all processing pipelines, rights fulfillment workflows that respond within 7 days, automated retention enforcement, breach detection capable of 72-hour notification, and immutable audit trails. Each of these requires specific technical implementation — not policy documentation.

Build a DPDP-Compliant Data Program on Databricks

Talk to Sinki.ai about building a DPDP-compliant program on Databricks before the November 2026 deadline.

Written by Paras Dhyani

Paras Dhyani is a Databricks Certified Data Engineer Professional specializing in scalable data architecture and analytics. He focuses on transforming complex data challenges into streamlined, production-ready engineering solutions. Through his writing, Paras provides practical insights into building and optimizing high-performance systems on the Databricks platform.
