India DPDP Act implementation: what you need to know for 2026--2027

India's Digital Personal Data Protection Act enters full enforcement in May 2027. With 83% of organizations yet to begin compliance and penalties up to ₹250 crore per violation, here is the complete guide to the three-phase implementation, DPDP vs GDPR differences, and the India AI landscape.

Governance · Apr 9, 2026 · 25 min read · RAIL Team

India's Digital Personal Data Protection Act -- enacted August 2023, with final Rules notified November 2025 -- is now in active implementation. Phase 1 established the Data Protection Board. Phase 2 (Consent Manager framework) takes effect November 2026. Phase 3 -- full substantive compliance with enforcement power -- begins May 13, 2027. Yet 83% of organizations have not begun comprehensive implementation, and only 16% of Indian consumers understand the law.


Key Takeaways

  • The DPDP Act follows a three-phase implementation: Phase 1 (Nov 2025, Board established), Phase 2 (Nov 2026, Consent Managers), Phase 3 (May 2027, full enforcement).
  • Maximum penalty is ₹250 crore (~$30M) per violation, and penalties stack -- a single breach could trigger ₹450 crore in combined penalties.
  • GDPR compliance does not equal DPDP compliance. Key differences include: no sensitive data categories, uniform 18-year children's threshold, mandatory notification for all breaches, and novel Consent Manager requirements.
  • 83% of organizations have not begun comprehensive implementation. Only 9.9% of healthcare organizations have started.
  • India hosted the first Global South AI summit (Feb 2026), attracting $200 billion in AI investment commitments and scaling to 38,000+ GPUs under the IndiaAI Mission.
  • Consumer awareness is strikingly low: only 16% of Indian consumers understand the DPDP law.

DPDP Act Rules: timeline and key provisions

The Digital Personal Data Protection Act was enacted August 11, 2023. Draft Rules were released January 3, 2025, and final Rules were notified November 13, 2025, published in the Gazette the following day. India became the 19th G20 nation with a comprehensive data protection statute.

DPDP three-phase implementation timeline

Three-phase implementation

| Phase | Effective Date | Key Provisions |
|---|---|---|
| Phase 1 (Immediate) | November 13, 2025 | Data Protection Board of India established |
| Phase 2 (12 months) | November 13, 2026 | Consent Manager registration framework operational |
| Phase 3 (18 months) | May 13, 2027 | Full substantive compliance -- notices, consent, security safeguards, breach notification, erasure, children's data, rights, cross-border transfers |

Data Protection Board of India

The Board is a fully digital, independent statutory body headquartered in the National Capital Region, with power to impose penalties up to ₹250 crore. It operates as a quasi-judicial body adjudicating complaints from data principals.

Consent Managers are a novel concept unique to the DPDP Act: registered intermediaries that enable data principals to manage, review, and withdraw consent through a single interface. Requirements:

  • Must be Indian-incorporated companies with a minimum net worth of ₹2 crore (~$240K)
  • Must implement AES-256 encryption
  • Must maintain consent records for at least 7 years
  • The ₹2 crore requirement has been criticized as a barrier excluding civic-tech nonprofits and startups

Key provisions

  • Children's data: All persons under 18 are minors. Parental consent via verified identity is required. Tracking and profiling of children is prohibited.
  • Breach notification: Must occur without delay initially, with a detailed report within 72 hours.
  • Inactivity deletion: Platforms with 20M+ users face a 3-year inactivity threshold triggering deletion obligations.

DPDP Act vs GDPR: critical differences

GDPR compliance does not automatically equal DPDP compliance. Organizations operating in both jurisdictions need tailored strategies for each framework.

DPDP Act vs GDPR comparison

| Feature | India DPDP | EU GDPR |
|---|---|---|
| Scope | Digital personal data only | All personal data (digital + non-digital) |
| Sensitive data categories | No special categories | Health, biometric, genetic, racial origin, etc. |
| Legal bases | Consent-centric + limited "deemed consent" | Six lawful bases including legitimate interests |
| Consent Managers | Novel registered intermediary | No equivalent |
| Data portability | Not included | Included |
| Right to object to automated decisions | Not included | Included |
| Children's age threshold | Uniform 18 years | 13--16 years (varies by member state) |
| Breach notification | All breaches regardless of severity | Only breaches posing risk to rights/freedoms |
| Cross-border transfers | "Blacklist" model (allowed unless restricted) | Adequacy decisions, SCCs, BCRs required |
| Data principal duties | Yes (₹10,000 fine for frivolous complaints) | No corresponding duties |
| Maximum penalty | ₹250 crore (~EUR 28M) per violation (fixed cap) | EUR 20M or 4% of global turnover |

Key gaps for organizations

The absence of sensitive data categories is a significant gap. Under GDPR, processing health data, biometric data, or data revealing racial origin triggers enhanced protections. Under the DPDP Act, no such distinction exists, meaning organizations must apply the same processing standards regardless of data sensitivity.

The lack of a right to object to automated decisions is especially relevant for AI deployments. Under GDPR Article 22, individuals can challenge purely automated decisions with legal or significant effects. The DPDP Act provides no equivalent right, creating a regulatory gap for AI-driven decision-making.

Penalty structure

| Violation | Maximum Penalty |
|---|---|
| Failure to implement security safeguards | ₹250 crore (~$30M) |
| Failure to notify of data breach | ₹200 crore |
| Children's data violations | ₹200 crore |
| Significant Data Fiduciary non-compliance | ₹150 crore |
| General obligations | ₹50 crore |
| Data principal frivolous complaints | ₹10,000 |

Penalties are per violation, not per incident. A single data breach could trigger ₹250 crore (security failure) + ₹200 crore (notification failure) = ₹450 crore combined. All penalties are civil/financial with no criminal sanctions. Enforcement begins May 13, 2027.

India's ₹250 crore (~EUR 28M) cap is significant in absolute terms but lower relative to GDPR's turnover-based model for global giants. By comparison: Singapore's PDPA allows 10% of annual turnover or SGD 1M; Brazil's LGPD caps at 2% of revenue up to R$50M. India's per-violation stacking creates potentially massive cumulative exposure.

India AI governance landscape

India AI Governance Guidelines (November 2025)

Published by MeitY as a principle-based, techno-legal framework -- guidelines, not legislation. Organized around seven guiding "Sutras":

  1. Trust
  2. People First
  3. Innovation over Restraint
  4. Fairness and Equity
  5. Accountability
  6. Understandable by Design
  7. Safety, Resilience, and Sustainability

The framework proposes an AI Governance Group chaired by the Principal Scientific Adviser, a Technology and Policy Expert Committee, and an AI Safety Institute for testing and standards. India has "consciously chosen not to lead with regulation but to encourage innovation while studying global approaches" (IT Secretary S. Krishnan).

Related: the IT (Intermediary Guidelines) Amendment Rules, 2026 (February 20, 2026) target synthetically generated information, requiring labeling, metadata embedding, and traceability.

IndiaAI Mission: budget and compute

Cabinet-approved in March 2024 with a ₹10,372 crore (~$1.24 billion) budget over 5 years; ₹2,000 crore allocated in the FY 2025--26 Union Budget. Seven pillars: Compute Capacity, Innovation Centre, Datasets Platform, Application Development, FutureSkills, Startup Financing, and Safe and Trusted AI.

Compute scaling has exceeded original targets:

  • Initial goal: 10,000 GPUs
  • February 2026: 38,000+ GPUs onboarded
  • Additional announcement: 20,000 GPUs at the Summit
  • Target: 100,000 GPUs by end of 2026

Ten companies were empaneled, providing Intel Gaudi 2, AMD MI300X/MI325X, NVIDIA H100/H200/A100/L40S/L4, and AWS Inferentia2/Trainium. Subsidized compute access is available at ₹65/hour with up to 40% reduced cost. Key models launched include BharatGen Param2 (17B parameter, 22 Indian languages, multimodal) and Sarvam AI (30B and 105B parameter MoE models).

India AI Impact Summit 2026

Held February 16--21, 2026, at Bharat Mandapam, New Delhi -- the first global AI summit hosted by a Global South nation (following Bletchley Park 2023, Seoul 2024, Paris 2025).

Scale: 100+ countries, 20+ heads of state, 60+ ministers, approximately 600,000 in-person attendees, 300+ exhibitors. PM Modi inaugurated; French President Macron and UN Secretary-General Guterres addressed the summit. Tech leaders present: Sundar Pichai, Sam Altman, Dario Amodei, Demis Hassabis, Mukesh Ambani.

Key outcomes:

  • New Delhi Declaration on AI Impact: Endorsed by 91 countries and international organizations (both US and China endorsed; non-binding).
  • Over $200 billion in AI investment commitments -- Reliance Industries alone announced $110 billion over 7 years for sovereign AI infrastructure; Microsoft committed $50 billion by end of decade.
  • 13 frontier model developers signed the New Delhi Frontier AI Impact Commitments.
  • IndiaAI Mission 2.0 was launched.
  • Guinness World Record: 250,946 responsible AI pledges in 24 hours.
  • Global AI Impact Commons platform launched with 80+ impact stories across 30+ countries.

Company readiness: significant gaps

Implementation status

EY India survey (150+ professionals):

  • ~71% have limited understanding of the DPDP Act
  • 83% have not begun comprehensive implementation
  • 81% have not updated or drafted DPDP-aligned privacy policies
  • 77% are not equipped to adopt privacy technologies

Biggest barriers: 76.4% cite limited access to subject-matter expertise, 58.8% struggle with cross-border data transfer complexities, and 45.3% face budget limitations.

Sectoral readiness

| Sector | Compliance Initiation Rate |
|---|---|
| Consumer/Retail/E-commerce | 50% |
| Technology Services | 38.8% |
| Financial Services | 34.7% |
| Metals/Mining/Energy | 20% |
| Healthcare/Life Sciences | 9.9% |

Healthcare's 9.9% compliance initiation rate is particularly concerning given the sensitivity of health data and the fact that the DPDP Act does not provide enhanced protections for sensitive data categories.

Consumer awareness

Consumer awareness is strikingly low:

  • Only 16% of Indian consumers understand the DPDP law (PwC India)
  • Over 50% are unaware of their data rights
  • Nearly 70% are unaware they can withdraw consent

India's data protection market

India's information security spending is projected at $3.4 billion in 2026 (11.7% YoY growth, Gartner). The India data protection market is projected to grow from $1.5 billion (2022) to $4.52 billion by 2028 at a 20% CAGR, potentially reaching $27.8 billion by 2033.

Practical recommendations

For organizations operating in India

  1. Conduct a data mapping exercise. Identify all digital personal data processing activities. The DPDP Act's scope is narrower than GDPR (digital only) but the consent requirements are stricter.

  2. Prepare consent infrastructure. The consent-centric model requires verifiable consent for most processing activities. Plan for integration with Consent Managers when the framework becomes operational in November 2026.

  3. Implement breach notification processes. Unlike GDPR, the DPDP Act requires notification for all breaches regardless of severity. Ensure you can detect, assess, and report within 72 hours.

  4. Address children's data processing. The uniform 18-year threshold is the strictest globally. Any platform with users under 18 needs parental consent via verified identity and must prohibit tracking and profiling.

  5. Review cross-border data transfers. The "blacklist" model is more permissive than GDPR's adequacy framework, but organizations must monitor the government's restricted-country list.

For organizations operating in both India and the EU

  1. Do not assume GDPR compliance covers DPDP. The frameworks diverge significantly on consent models, breach notification scope, children's data thresholds, and the absence of sensitive data categories under DPDP.

  2. Plan for dual consent management. GDPR's legitimate interests basis does not exist under DPDP. Activities processed under legitimate interests in the EU may require explicit consent in India.

  3. Assess the Consent Manager landscape. Once the framework is operational (November 2026), evaluate which registered Consent Managers align with your operations and integrate accordingly.

Conclusion

India's DPDP Act represents a significant shift in the Asian data protection landscape. With the world's largest population of internet users, penalties that stack per violation to potentially massive amounts, and a unique Consent Manager framework, the Act demands dedicated compliance attention -- especially for organizations that assume their existing GDPR programs provide adequate coverage. The 13-month window to full enforcement (May 2027) is shorter than it appears, and the 83% non-compliance rate suggests most organizations are not yet on track.