DPDP obligations are not all live at once. They roll out in 3 phases across an 18-month window from November 2025 to May 2027. Most organizations are operating under “The Phasing Misread”: they treat Phase 3 as the starting line. It is the deadline.
Phase 1 activated on November 13, 2025. The Data Protection Board of India became operational on that date. It can receive complaints, conduct inquiries, and impose penalties today. The organizations waiting for May 2027 to begin compliance are already operating under an active enforcement regime.
What you will master in this guide:
- Which obligations are live and enforceable today under Phase 1
- What Phase 2 activates on November 13, 2026
- What becomes fully enforceable on May 13, 2027 under Phase 3
- How to map the 3 phases to your internal planning calendar
- The obligations that require the longest lead time and must start now
For the complete compliance architecture, read DPDP readiness on Databricks: complete guide 2026.
What Is the Legal Basis for DPDP’s 3-Phase Timeline?
The phased commencement structure flows from the DPDP Act, 2023 and the DPDP Rules, 2025. The Act was passed in August 2023 but required delegated rules before obligations could be enforced. The DPDP Rules were notified in 2025, establishing the 3-phase schedule.
Phase 1: November 13, 2025 The DPDP Rules came into force. The Data Protection Board of India was constituted and became operational. Phase 1 obligations became immediately enforceable.
Phase 2: November 13, 2026 Phase 2 obligations activate, including the Consent Manager framework. Registered third-party Consent Managers become operational. Data Fiduciaries must be able to accept consent signals from external Consent Managers.
Phase 3: May 13, 2027 Full enforcement. All remaining obligations are active. The complete penalty schedule is enforceable. There is no further phase after May 2027.
This is not a grace period structure. “The Phasing Misread” is treating Phase 1 as the warning shot and Phase 3 as the real enforcement date. Phase 1 is enforcement. The DPBI is operational and accepting complaints today.
The 3-phase timeline is a rolling compliance requirement, not a single enforcement cliff on May 13, 2027.
What Obligations Are Active Right Now Under Phase 1 of DPDP?
Phase 1 obligations became enforceable on November 13, 2025. Every Data Fiduciary in scope must already be compliant with these requirements.
Security safeguards (Section 8(5)) Reasonable security safeguards must be implemented. For Databricks deployments, this means: encryption of personal data at rest and in transit, Unity Catalog column masking and row-level security on PII-tagged tables, audit logging of all access to personal data, and anomaly detection on data access patterns. → Penalty for non-compliance: up to ₹250 crore
Breach notification (Section 8(6)) Within 72 hours of becoming aware of a personal data breach, the DPBI must be notified. Affected data principals must be notified as soon as possible thereafter. → Penalty for non-compliance: up to ₹200 crore
Consent obligation (Section 6) Personal data may only be processed with valid, purpose-specific, withdrawable consent. Consent must be linked to a specific notice in the data principal’s preferred language. → Penalty for non-compliance: up to ₹200 crore
Data principal rights fulfillment (Section 11) All 5 data principal rights must be honored within 30 days of a validated request. → Penalty for non-compliance: up to ₹50 crore per violation
Grievance officer appointment (Section 13) A named grievance officer must be accessible to data principals through your platform.
Data retention and purpose limitation (Section 8(3) and 8(9)) Personal data may only be retained as long as necessary for the specified processing purpose. It must be deleted or anonymized when the purpose is fulfilled. → Penalty for non-compliance: up to ₹150 crore
The DPBI became operational on November 13, 2025. All Phase 1 obligations are in scope for enforcement today. There is no waiting period.
What Obligations Activate Under Phase 2 on November 13, 2026?
Phase 2 adds one major framework obligation to the Phase 1 set.
Consent Manager Integration From November 13, 2026, registered third-party Consent Managers become operational. Data Fiduciaries must be able to:
- Receive consent signals from registered Consent Managers through a standardized API endpoint → A first-party-only consent store is non-compliant from this date
- Honor consent withdrawal signals from external Consent Managers immediately → Cascade revocation must work for externally originated withdrawal signals, not just signals from your own application layer
- Maintain an accurate consent ledger that reflects signals from both internal and external sources → Consent records must be reconcilable across first-party and third-party origins
The architectural implication for Databricks: your consent store must expose an API endpoint that accepts external consent events and writes them to the internal Delta consent ledger in the correct schema. Sinki.ai’s Consent Manager includes this Phase 2 API endpoint as part of its standard deployment, ready for the November 2026 activation date from day one.
Phase 2 does not introduce new consent or rights requirements. It extends the existing consent architecture to accept external signals. Organizations that have already built a DPDP-compliant consent store in Phase 1 need only add the Consent Manager API endpoint before November 2026.
Organizations that delay Phase 1 consent store construction past Q2 2026 will not have enough time to add Phase 2 Consent Manager integration before the November 13, 2026 deadline.
What Becomes Fully Enforceable Under Phase 3 on May 13, 2027?
Phase 3 is full enforcement. From May 13, 2027:
- All Phase 1 and Phase 2 obligations are enforceable with the complete penalty schedule
- Significant Data Fiduciary obligations are fully enforced for all designated organizations
- Cross-border data transfer restrictions, if any are notified by the Central Government, take effect
- Any remaining notifications or rules issued under the Act are in full force
Phase 3 is often described as the “enforcement deadline.” That framing is inaccurate. The DPBI can and does investigate complaints under Phase 1 and Phase 2 obligations today. Phase 3 is better understood as the point at which every obligation in the Act is active and no further transitional arrangements exist.
Organizations that are not compliant with Phase 1 obligations by Phase 3 face compounding exposure: back-dated penalty risk for Phase 1 violations that have been accumulating since November 2025, plus Phase 3 obligations, all simultaneously.
How Does the 3-Phase Timeline Map to a DPDP Implementation Plan?
| Phase | Activation Date | Key Obligations | Planning Action Required Now |
|---|---|---|---|
| Phase 1 | November 13, 2025 | Security safeguards, breach notification, consent, rights fulfillment, grievance officer, data retention | Immediate: gap assessment and compliance build for all Phase 1 obligations |
| Phase 2 | November 13, 2026 | Consent Manager API integration | By Q3 2026: Consent Manager API endpoint deployed and tested |
| Phase 3 | May 13, 2027 | Full enforcement of all obligations | By Q1 2027: all obligations verified, SDF requirements complete, audit trail ready |
| SDF-specific | Ongoing post-designation | DPO appointment, DPIA, annual audit, algorithmic accountability | Immediate upon designation: begin DPO hiring and DPIA framework |
The planning calendar implication is direct. Organizations that have not completed Phase 1 compliance have 2 simultaneous problems. They are already behind on Phase 1 enforcement. And they need to complete Phase 1 before Phase 2 preparation can begin.
Which DPDP Obligations Have the Longest Lead Time and Must Start Now?
3 obligations require the longest build time and should begin immediately regardless of which phase they formally activate in.
Consent Store Architecture Building a DPDP-compliant consent store from scratch takes 6 to 10 weeks. If this work has not begun, it should begin immediately. Sinki.ai’s Consent Manager compresses this to days, but the configuration, validation, and stakeholder review still take 2 to 3 weeks.
PII Discovery and Unity Catalog Tagging A complete PII inventory is required before any other compliance control can be configured. Manual discovery takes 4 to 6 weeks at enterprise scale. Automated discovery with Audit Gap Finder takes days. But the validation, stakeholder review, and Unity Catalog configuration still take 2 to 3 weeks.
DPO Appointment for SDF Organizations Hiring an India-resident DPO with the required compliance expertise takes 3 to 6 months. This is the single longest-lead-time obligation in the entire DPDP program. Organizations at SDF designation risk that have not begun the hiring process are at risk of missing the SDF obligation even if all technical components are on schedule.
“The Phasing Misread” costs organizations 6 to 12 months of lead time they cannot recover. The compliance clock started on November 13, 2025.
Final Verdict
The DPDP timeline is not a single enforcement date. It is a rolling compliance schedule with obligations active at 3 distinct points. Phase 1 is live. The DPBI is operational. Phase 2 adds the Consent Manager integration requirement in November 2026. Phase 3 is full enforcement in May 2027.
Organizations that treat May 2027 as the starting line will arrive at Phase 3 with Phase 1 violations already on the board, no consent infrastructure, and a DPBI that has been operational for 18 months.
The compliance window is not closing in May 2027. It opened in November 2025. The only question left is how much of it you have used.
FAQ: DPDP Obligations Timeline
The first phase of DPDP obligations came into force on November 13, 2025, when the DPDP Rules were notified and the Data Protection Board of India was constituted. Phase 1 includes security safeguards, breach notification, consent, rights fulfillment, and data retention obligations.
Phase 1 activated on November 13, 2025, covering core obligations including security safeguards, breach notification, consent, and data principal rights. Phase 2 activates on November 13, 2026, adding the Consent Manager framework. Phase 3 is full enforcement from May 13, 2027.
As of May 2026, all Phase 1 obligations are active and enforceable: reasonable security safeguards (₹250 crore penalty), 72-hour breach notification (₹200 crore), consent with purpose specificity (₹200 crore), data principal rights fulfillment within 30 days (₹50 crore per violation), grievance officer appointment, and data retention and purpose limitation (₹150 crore).
By November 13, 2026, Data Fiduciaries must be able to accept consent signals from registered third-party Consent Managers through a standardized API endpoint. This requires modifying the consent store architecture to accept external consent events, not just first-party application signals.
Yes. The DPBI became operational on November 13, 2025 and can investigate complaints and impose penalties for Phase 1 violations today. The May 2027 date is the full enforcement deadline, not the start of enforcement. Phase 1 violations are already actionable.
Organizations should treat Phase 1 as the current compliance requirement and begin or complete the gap assessment and architecture build immediately. Phase 2 preparation (Consent Manager API endpoint) should be completed by Q3 2026 to allow testing time before the November 2026 activation. SDF organizations should begin DPO hiring immediately given the 3 to 6 month hiring timeline.
An organization non-compliant at Phase 3 faces the full DPDP penalty schedule with no further phasing. More significantly, Phase 1 violations that have been accumulating since November 2025 may be subject to retrospective investigation. The combined exposure from multi-phase non-compliance can exceed ₹800 crore for organizations with simultaneous violations across security, consent, and SDF obligations.
Sinki.ai’s DPDP compliance suite deploys Phase 1 and Phase 2 compliance infrastructure
Natively inside your Databricks workspace, with Phase 2 Consent Manager API readiness built in from day one.
