PKP Advocates, Advocates & Legal Counsel

DPDP Act — Soft Enforcement Now vs Hard Enforcement May 2027

DPDP Act enforcement: what is actually in force in 2026, what the Data Protection Board can do now, and what changes when full penalties apply from May 2027.

Cyber Law · 6 min read · By Praneeth Kumar P, Advocate

The Digital Personal Data Protection Act, 2023 was notified on August 11, 2023. The Rules under the Act were notified on November 13, 2025. The Act has been in force for over two years — but penalties of up to ₹250 crore are not yet being imposed. The distinction between what is enforceable now and what becomes enforceable in May 2027 matters practically for every Bangalore business that handles personal data.

What came into force on November 13, 2025

The DPDP Rules, 2025, notified on November 13, 2025, activated several provisions immediately. The Data Protection Board of India (DPBI) became operational. The DPBI has jurisdiction to receive complaints, initiate inquiries, and issue directions to Data Fiduciaries. The consent manager framework — entities that manage consent on behalf of Data Principals — becomes mandatory from November 13, 2026, one year after the Rules notification.

What the DPBI is doing in 2026 is building the enforcement infrastructure: publishing guidance, inviting public consultation, and assessing compliance posture across sectors. Formal penalty proceedings have not yet been initiated in the manner that will be possible after May 13, 2027. This is the 'soft enforcement' window.

What changes on May 13, 2027

May 13, 2027 is the date by which substantive provisions of the DPDP Act are scheduled to become fully enforceable against all Data Fiduciaries — including the penalty regime. The DPBI will have the power to impose financial penalties for non-compliance: up to ₹250 crore for a personal data breach involving failure to implement reasonable security safeguards; up to ₹200 crore for failure to notify the DPBI and affected Data Principals of a breach; up to ₹10,000 for breach of a Data Principal's duties. These are per-instance caps, not annual caps.

What 'soft enforcement' looks like in practice

In 2026, the DPBI can receive complaints from Data Principals whose rights — right to access, right to correction, right to erasure, right to grievance redressal — are alleged to have been violated. The DPBI can inquire, issue directions, and technically impose penalties under the Act. The practical question is whether it will, absent the full operational and institutional readiness it is building toward May 2027.

Separately, CERT-In's 6-hour incident reporting requirement — notified in April 2022 and independently in force — continues without reference to the DPDP timeline. A reportable cyber incident must still be reported to CERT-In within 6 hours of detection. The CERT-In obligation is not DPDP-dependent and is not affected by the May 2027 date.

What businesses should be doing in 2026

  • Gap analysis: map all personal data processing activities against the DPDP Act's definitions — Data Fiduciary, Data Processor, Significant Data Fiduciary, and the applicable obligations for each.
  • Consent architecture: the notice-and-consent requirement under Section 6 DPDP is already in force. Consent requests must be clear, itemised, and separate from other terms.
  • Vendor contracts: where personal data is processed by a third party, the Data Processor agreement must align with the DPDP Act's requirements. Old GDPR-style DPAs without India-specific adjustments are non-compliant.
  • Breach response readiness: a documented incident response plan that covers the DPDP notification obligations (DPBI and affected Data Principals) and the CERT-In 6-hour reporting requirement.
  • Grievance officer designation: every Data Fiduciary must designate a grievance officer and publish contact details on the website. This is already required.

Significant Data Fiduciaries

The government will notify certain entities as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed, national security implications, and other criteria. SDFs face additional obligations: mandatory Data Protection Officer appointment, periodic Data Protection Impact Assessments, and an annual independent audit. The SDF notifications are expected progressively through 2026–2027. Bengaluru-headquartered companies processing large volumes of health, financial, or children's data should assess whether they are likely candidates.

The DPDP-CERT-In interaction

The CERT-In Direction of April 2022 requires service providers, intermediaries, data centres, and body corporates to report cyber incidents to CERT-In within 6 hours of detection. The DPDP Act separately requires notification to the DPBI and, where the breach is likely to cause significant harm, to the affected Data Principals. These are two different obligations with different timelines and different recipients. A breach response plan that handles only one is incomplete.
