Centre Notifies DPDP Act Commencement, Sets Up Data Protection Board

The Central Government has formally set the Digital Personal Data Protection (DPDP) Act into motion through two gazette notifications dated November 13, 2025. Notification G.S.R. 843(E) specifies staggered commencement dates for different provisions of the Act, while G.S.R. 844(E) establishes the Data Protection Board of India under section 18, with its head office in the National Capital Region.

Key institutional and enforcement provisions are effective immediately. These include the definitions, the constitution and functioning of the Board (sections 18 to 26), and the penalty framework (sections 35, 38 to 43). Sub-section (9) of section 6, which governs withdrawal of consent, and clause (d) of section 27 on grievance redressal will come into force after one year, giving organisations limited time to adapt their consent and complaints-handling mechanisms.

The core compliance obligations for Data Fiduciaries—spanning sections 3 to 17, most of section 27, and sections 28 to 37—will take effect eighteen months from the notification date, placing the outer compliance deadline around May 2027. This phased rollout is designed to allow both regulators and industry to operationalise the new regime, but it also clearly signals that the government expects organisations to use this period to build and test DPDP-compliant data processing systems well before the final tranche becomes enforceable.

With the Board now constituted and headquartered in the NCR, the enforcement architecture under the DPDP Act has a formal institutional anchor. Organisations should treat the 18‑month window as a hard deadline for readiness, prioritising data-mapping, consent management, grievance redressal, and accountability frameworks so they can respond effectively once the Board begins active supervision and adjudication.