India’s Digital Personal Data Protection Act (DPDPA) represents one of the significant overhauls in the country’s digital governance history. After years of contemplation, drafts, committee reviews, and stakeholder feedback, the act is now shaping the way businesses collect, store, and use personal data.
(Please note: The DPDPA is effective from November 13, 2025, and it is expected to be fully implemented till May 2027.)
Below is a clear, comprehensive timeline about the evolution of DPDPA.
Enforcement and deadlines of DPDPA
Year 2025: DPDPA implementation and deadlines
In 2025, the government prepared staggered enforcement schedule to help businesses transition smoothly and implement the act before its deadline. The schedules are as follows:
- Schedule 1: It defines Consent Manager eligibility and operational obligations.
- Schedule 2: It has specifications for processing of personal data by the State and its instrumentalities.
- Schedule 3: It specifies retention timelines belong to every class of Data Fiduciary.
- Schedule 4: It identifies outline about eligible Class of Data Fiduciaries and exemptions from the conditions of processing children’s data.
- Schedule 5: It has details of the terms and conditions of services of the Data Protection Board’s Chairperson and other members.
- Schedule 6: It offers another terms and conditions of appointment of officers and employees of the Data Protection Board.
- Schedule 7: It describes the purpose wherein the central government may require the Data Fiduciary or the intermediaries to provide information as requested.
(**Please note that initial three schedules outline requirements to guide Data Fiduciaries to achieve compliance, while the remaining schedules about the operation of the Board and the processing of data.)
There are 23 rules in the DPDPA, and organizations have deadline to achieve these rules.
Phase 1: To attain immediately.
It means that businesses / organizations ought to develop the data privacy framework supporting organization’s data privacy program and refresh requirements to implement the act.
Phase 2: Requirements that must get achieved by November 2026.
In this phase, organizations should
- Conduct data mapping,
- Enhance/implement baseline security measures,
- Update/develop breach response procedure, operationalize it and notify Data Protection Board without undue delay.
- Enhance/establish data privacy training program.
- Establish mechanisms for annual data protection impact assessments, independent annual audit, algorithmic transparency assessments, and potential data localization requirements.
Phase 3: The DPDPA should be executed completely till May 13, 2027.
The last phase is all about:
- Implementing Privacy Enabling Technologies to manage data governance activities efficiently.
- Endeavouring to acquire external certifications to demonstrate compliance with the Privacy Information Management System.
Important to note that after the last phase of DPDPA implementation, the penalty will be imposed on the organizations if they failed to adhere to the Act, which may go up to Rs. 250 crore (USD 28.17 million approx.). And the act is applicable to businesses across healthcare, finance, ecommerce, SaaS, and telecom.
The actual timeline: How it all began and DPDPA came into existence?
2017: The beginning - Justice Srikrishna committee formed
The process of creating a defined law began in July 2017, when the Government of India established the Justice B.N. Srikrishna committee to review issues related to data protection and recommend a robust framework. This move was triggered by rising concerns about data privacy, rapid digitalisation, and the Supreme Court’s growing focus on individual rights.
The committee’s mandate was to study global privacy practices, identify risks in India’s digital ecosystem, and build a foundation for a rights-based data protection system. The committee laid the intellectual groundwork for what would eventually become the DPDPA.
2018: Supreme Court declares privacy as a fundamental right
In August 2018, the landmark Puttaswamy judgment affirmed that privacy is a fundamental right under Article 21. This ruling strengthened the urgency for comprehensive data protection legislation and validated the committee’s work.
Later that year, the first draft of the Personal Data Protection Bill (PDPB) 2018 was submitted. Inspired by GDPR, it introduced concepts like data fiduciaries, consent, child protection, and cross-border data transfer rules.
2019: Personal Data Protection bill introduced in Parliament
In December 2019, the Government tabled the updated Personal Data Protection Bill, 2019, in the Lok Sabha. Some of its key pointers were:
- Made consent the primary legal basis for data processing.
- Proposed data localization, requiring certain data to be stored in India.
- Established the Data Protection Authority (DPA).
- Introduced rights such as data portability and correction.
- Defined data fiduciaries and their obligations.
However, the bill faced criticism from tech companies, civil society, and privacy advocates for its exemptions for government agencies and compliance complexities. It was then sent for a deeper review.
2020-2021: Joint Parliamentary Committee (JPC) review
The bill was referred to the Joint Parliamentary Committee (JPC) for detailed scrutiny. Over two years, the committee held extensive consultations with industry, regulators, and legal experts.
The JPC report (December 2021) recommended:
- Expanding the bill to cover non-personal data.
- New obligations for social media companies.
- Broader government exemptions.
- Stricter compliance enforcement.
- Mandatory data audits for large data fiduciaries.
The report sparked debates, signalling the need to rethink the framework entirely.
August 2022: The government withdraws the bill
In a surprising move, the Indian government withdrew the 2019 Bill in Parliament, stating that the draft had become too complex after numerous revisions.
The withdrawal was a new opportunity to rebuild India’s data protection architecture from scratch - simpler, modern, and more aligned with emerging technologies like AI, IoT, and digital public infrastructure.
The government published a fresh draft for public consultation, which was leaner, technology-neutral, and laser-focused only on digital personal data. This version included changes like:
- Clear, simple consent language.
- Removal of mandatory data localization.
- Flexibility for cross-border transfers.
- Lower compliance burden for startups.
- Heavy penalties for breaches.
The draft received 20,000+ public comments, making it one of the most widely reviewed digital laws in India’s history.
August 2023: Digital Personal Data Protection Act 2023, passed
The DPDPA 2023, was passed by both the Lok Sabha and Rajya Sabha in early August and received Presidential assent on August 11, 2023.
Key highlights included:
- Notice + Consent as the core processing model.
- Strict rules for children’s data safety.
- Individual rights, including access, correction, and grievance redressal.
- Obligations for data fiduciaries.
- Cross-border data transfer with notified countries.
- Hefty penalties (up to Rs 250 crore per violation).
Read about India’s RPD digital accessibility act!
2024: Draft rules released for stakeholder comments
In early 2024, the government circulated the DPDPA rules seeking industry feedback. The rules were about:
- Format of privacy notices
- Valid consent mechanisms
- Data breach reporting process
- Grievance resolution timelines
- Children’s data verification rules
- Data retention and deletion practices
- Role of the Data Protection Board of India (DPBI)
Industry bodies, global tech firms, and local SMEs reviewed the rules and provided extensive feedback. Businesses simultaneously began internal prep-policy updates, data mapping, and gap analysis.
Read detailed information on SOC Type 2 Compliance Certified Vendor
Mid-late 2024: Establishment of the Data Protection Board of India
The DPBI - India’s enforcement and adjudication body - began to take shape with appointments and institutional setup. Its responsibilities include:
- Reviewing data breach notifications
- Accepting complaints from data principals
- Conducting inquiries
- Imposing penalties
- Supporting grievance redressal
The establishment of the Board signalled India’s move from theory to enforceable governance.
Also read: SEBI digital accessibility – Finance sector website accessibility
A decade-long journey reaching an important milestone
From the Srikrishna Committee in 2017 to full-scale implementation in 2025, India’s Digital Personal Data Protection Act has evolved through public consultation, judicial influence, and global data governance trends. The act is now ready to form the backbone of India’s digital economy - ensuring better privacy, accountability, and user autonomy.
As India moves deeper into AI-driven innovation and hyper-digitalization, the DPDPA provides a strong regulatory foundation for secure, ethical, and transparent data handling.
India’s Digital Personal Data Protection Act also highlights the importance of transparent, user-friendly digital experiences for all users. Digital accessibility services help organizations present privacy notices, consent forms, and data request workflows in formats that are usable by people with disabilities. By aligning accessibility with data protection efforts, businesses can reduce legal risk, improve user trust, and support inclusive compliance. Integrating accessibility audit and remediation into DPDPA readiness creates digital platforms that are both privacy-aware and accessible.
The Digital Personal Data Protection Act marks a major shift in how organizations collect, process, and protect personal data in India. We deliver digital accessibility solutions by supporting businesses through every stage of this journey with privacy assessments, compliance-ready web solutions, and security-focused digital practices. Reach out hello@skynettechnologies.com for more information.
