TL;DR: The DPDP Rules, 2025 were notified on 13 November 2025 and switch on in stages, not all at once. The Data Protection Board is already live. Consent Manager registration opens around 13 November 2026. The obligations that touch nearly every business - notice, consent, security, breach reporting, children’s data, data principal rights - become binding around 13 May 2027. This post is a compliance calendar, not a re-explanation of the law. It tells you what to do by when, sorted by business size, and what it costs if you miss a date. For the law itself, read our DPDP Rules 2025 guide and the Consent Manager framework explainer.

On this page

The phased structure in one minute

The single most useful fact about the DPDP Rules, 2025 is that they do not all start on the same day. The Ministry of Electronics and Information Technology (MeitY) built a staggered commencement into Rule 1 itself. Some rules switched on the moment the Rules were notified on 13 November 2025. One rule, on Consent Manager registration, starts a year later. The bulk of the operating obligations start 18 months after notification.

That phasing gives you a runway. It is also the trap. Plenty of businesses read “May 2027” and file it under “later.” The work needed to be ready by May 2027 - mapping data, rewriting notices, rebuilding consent capture, wiring up breach detection - takes far longer than the months left on the clock once you account for procurement, testing, and sign-off.

Supratim Chakraborty, Partner at Khaitan & Co, told reporters that the staggered approach gives firms “vital breathing room,” but warned that “the 18-month window will feel short once implementation challenges pile up.” That is the right way to read the calendar. Breathing room, not a holiday.

Here are the three anchor dates, each counted from the 13 November 2025 notification:

  • 13 November 2025 - the Data Protection Board rules and the definitions come into force. The regulator’s legal foundation is live.
  • 13 November 2026 - Rule 4 on Consent Manager registration comes into force, around one year after notification.
  • 13 May 2027 - the core operating rules come into force, 18 months after notification. This is the date most businesses must work back from.

The Mondaq analysis of the phased commencement confirms the same three-stage structure: institutional rules on notification, Consent Manager registration at one year, and the main processing, rights, and enforcement architecture at 18 months. We use “around” for the November 2026 and May 2027 dates because the precise calendar day depends on how the countdown is read from the notification, and MeitY can amend the schedule. Treat the dates as firm planning targets and watch the official Gazette for any change.

One more reason the phasing matters: it tells you the order Parliament and MeitY think the work should happen in. The Board comes first because there has to be a regulator before there are obligations to enforce. The Consent Manager layer comes next because the plumbing for consent has to exist before the consent rules go live. The operating obligations come last because they are the heaviest lift and businesses need the runway. If you build in that order - foundation, then consent plumbing, then full operations - you are working with the grain of the law rather than against it. Plenty of businesses will instead try to do everything in the six months before May 2027, which is exactly the failure mode the phasing was designed to prevent.

For the substance of what each rule requires, our DPDP Rules 2025 guide walks through every obligation. This piece stays on the calendar.

Obligations already in force

Several rules are not “coming.” They are here. As of 13 November 2025, the following are in force:

  • Rules 1 and 2 - the short title, commencement clause, and definitions. These set the vocabulary the rest of the framework runs on.
  • Rules 17 to 21 - the constitution, appointment process, and functioning of the Data Protection Board of India.

For most businesses these do not impose a build-it-now obligation. You are not yet legally required to have rebuilt your consent flows. But “no immediate obligation” is not the same as “nothing to do.” The smartest move in the period before May 2027 is to use this window for the slow, unglamorous foundation work that everything else depends on.

Two tasks belong in the already-in-force bucket because they have no deadline reason to wait and they unblock everything that follows:

  • Data mapping. You cannot write an accurate notice or build a working erasure flow until you know what personal data you hold, where it sits, who can touch it, how long you keep it, and where it goes when you share it. This is the single most valuable thing you can do today.
  • A grievance contact. The Rules will require a working grievance mechanism. Naming a contact and giving them a process now costs little and signals seriousness if the Board ever comes knocking.

The Scrut implementation guide frames the already-live rules the same way: the regulator’s machinery is being assembled, so the enforcement infrastructure exists even though the operating obligations land later. The Board being constituted is the signal that this is real, not a draft sitting on a shelf.

There is a subtle planning point hidden in the already-in-force phase. The DPDP Act itself - the parent statute - has been law since 2023. The rights of data principals exist as a matter of statute today, even though the operating machinery to exercise them arrives with the Rules in 2027. That gap is mostly academic for now, because without the Rules there is no detailed procedure and the Board’s complaint process is still scaling. But it does mean the legal direction of travel is fixed. A business that treats the pre-2027 period as a free pass, rather than a build window, is misreading the situation. The obligations are not “maybe coming.” They are scheduled, with a regulator already standing behind them.

A second reason to start the foundation work now is that data mapping rarely takes one pass. The first map is always incomplete - you find a shadow database in marketing, an export feed to an analytics vendor nobody documented, a spreadsheet of customer records on someone’s laptop. Each discovery sends you back to redo notices and consent scoping. Teams that start mapping in 2026 have time to iterate. Teams that start in 2027 discover their gaps under deadline pressure, which is the worst time to find out your data flows are messier than your org chart suggested.

The 18-month obligations: what lands around May 2027

This is the heavy phase. Around 13 May 2027, Rules 3, 5 through 16, and 22 and 23 come into force together. These are the rules that reshape how you collect, hold, and answer for personal data. A short tour of what becomes binding:

Notice (Rule 3). Before or when you seek consent, you must give the data principal a clear, itemised, plain-language notice. It must state what data you collect, the specific purpose, how to exercise rights, how to withdraw consent, and how to reach your grievance contact. The all-purpose privacy policy of today will not pass.

Consent and its records. Consent must be free, specific, informed, unconditional, unambiguous, given by clear affirmative action, and as easy to withdraw as to give. You must keep structured records that show who consented, to what, and when.

Security safeguards (Rules 5 to 9 and related). You must put appropriate technical and organisational measures in place to prevent breaches - access controls, encryption where suitable, logging, and the rest.

Breach notification. This one has a hard clock inside it. On becoming aware of a personal data breach, you must inform affected data principals without delay, and file a detailed report to the Board within 72 hours. The DPDP breach notification analysis stresses the trigger: the 72 hours run from when you become aware of the breach, not from when you finish investigating it. If your detection and response runbook is not ready, 72 hours is brutally short.

Children’s data (Rule 10). Processing the data of anyone under 18 needs verifiable parental consent. The Rules expect real verification, not a self-declared checkbox. The Consently analysis of verifiable parental consent explains that you must first detect whether a user is a child, then validate the parent’s identity and age - using details you already hold, or virtual tokens from a government-authorised provider such as an Aadhaar-linked DigiLocker. Behavioural tracking and targeted advertising aimed at children stay prohibited.

Retention and erasure. The Third Schedule sets retention limits for large platforms. Per the Seclore compliance guide, e-commerce entities with 2 crore-plus users, social media entities with 2 crore-plus users, and online gaming entities with 50 lakh-plus users must erase personal data three years after the last interaction, unless retention is otherwise required. You must also tell the data principal at least 48 hours before erasure, so they can act to keep their account alive.

Data principal rights. Access, correction, erasure, grievance redressal, and nomination all get operating machinery. You will need workflows to answer these requests inside the time the Rules and your grievance process allow.

Grievance redressal timelines. The Rules put a clock on complaints too. Per the KS and K analysis of grievance officers, the framework caps grievance redressal at 90 days, while most requests are expected to be resolved well inside that - on the order of a week - unless a documented exception justifies more time. You need a grievance officer or contact, a logged intake process, and turnaround targets your team can actually hit. A complaint that sits unanswered past the cap is its own compliance failure, separate from whatever the complaint was about.

So the May 2027 date is not one deadline. It is a dozen obligations going live at once, each with its own internal clock - 72 hours for breaches, 48 hours before erasure, days to weeks for grievances, and the full standard for notices and consent on day one. Sequencing the build is the real challenge, which is why the calendar and the size-based checklist below matter more than the rule numbers.

It helps to group the May 2027 obligations by the kind of work each demands. Some are writing tasks: the privacy notice, the grievance process document, the breach communication templates. These are cheap to start and easy to underestimate, because a compliant notice is harder to write well than it looks. Some are engineering tasks: consent capture and logging, rights-exercise workflows, retention timers, breach detection and alerting. These have procurement, build, and test cycles measured in months. And some are organisational: naming a grievance contact, hiring a DPO if you are an SDF, setting up an audit relationship, training staff. Each category has a different lead time, and the engineering tasks are the ones that quietly eat your runway. Map your May 2027 obligations to these three buckets and you will see immediately which ones cannot wait.

Rule 4 governs Consent Managers and comes into force around 13 November 2026 - roughly a year after notification, and ahead of the main May 2027 wave. A Consent Manager is a Board-registered intermediary that lets a data principal give, manage, review, and withdraw consent across many businesses from one dashboard.

Two things matter for your calendar:

First, using a Consent Manager is optional. Your business can keep obtaining consent directly, as long as you meet the notice, consent, withdrawal, and record-keeping standards yourself. The Consent Manager is shared plumbing, not a tollgate.

Second, the registration bar is high. To register, an applicant must be a company incorporated in India with a minimum net worth of Rs 2 crore, sound governance, and a platform that meets technical standards. Most businesses will never register; they will, at most, choose to route consent through someone who has. Our Consent Manager framework explainer covers the registration conditions, the fiduciary duties, and how the consent flow works end to end.

For the calendar, the November 2026 window means one decision needs to be made before then: will you manage consent in-house, or route it through a registered Consent Manager? If you plan to rely on one, start your due diligence in 2026, because the pool of registered managers will only begin to form once Rule 4 is live.

There is a sequencing subtlety here that catches people out. Rule 4 opening in November 2026 does not mean registered Consent Managers will be available and battle-tested the next morning. Registration takes time, the Board has to process applications, and the platforms have to prove interoperability. Realistically, a usable market of registered Consent Managers builds through late 2026 and into 2027. If your plan is to outsource consent, you are depending on a market that is still forming, on a timeline that runs uncomfortably close to the May 2027 operating deadline. That argues for one of two postures: either commit early to a credible provider and accept some delivery risk, or build a compliant in-house consent capability you control, with the option to migrate to a Consent Manager later. The riskiest posture is to assume a mature outsourced market will be there waiting for you in early 2027. It might not be.

The decision also has a cost dimension. Building compliant consent in-house means engineering effort, ongoing maintenance, and the burden of proving your records would satisfy the Board. Routing through a Consent Manager shifts some of that to the intermediary but introduces a vendor dependency and integration work. Neither is obviously cheaper; the right answer depends on your scale, your engineering capacity, and how central consent is to your product. What is not optional is making the call deliberately, with the November 2026 window in view, rather than defaulting into whatever is easiest in the final scramble.

Significant Data Fiduciary duties and their clock

The Central Government can designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process, the risk to data principals, and the potential impact on sovereignty, public order, national security, or electoral democracy. Designation is by notification, so you will know if you are named.

SDF obligations sit on top of the baseline. Per the Tsaaro analysis of SDF obligations, an SDF must appoint a Data Protection Officer based in India, engage an independent data auditor, and conduct an annual Data Protection Impact Assessment plus an annual independent audit. There are also added duties around algorithmic due diligence and tighter technical controls.

On the calendar, these enhanced duties become enforceable from the same 13 May 2027 anchor as the other core rules. The catch with SDF status is the “annual” cadence: a DPIA and an audit are not one-time tasks you tick off and forget. If there is any chance you will be designated - very large user bases, sensitive categories of data, or critical-infrastructure adjacency - build the DPIA and audit muscle now so the first annual cycle does not catch you flat.

The other reason to prepare ahead of designation is that the work behind these duties cannot be conjured quickly. Hiring a qualified Data Protection Officer based in India is a recruitment exercise in a tight market for genuine privacy expertise. Engaging an independent data auditor means scoping, contracting, and giving the auditor enough access and history to form a view. A meaningful DPIA requires you to already have your data map, your processing inventory, and your risk assessments in reasonable shape - which loops back to the foundation work everyone should be doing anyway. An SDF that waits for the designation notice before starting any of this is choosing to run the first compliance cycle on the back foot, with the regulator watching.

There is also the algorithmic dimension, which matters most for businesses building AI into their products. Chakraborty’s point - that firms must “rigorously audit how personal data is sourced, labelled, and used across model training and inference,” and that “models that cannot evidence compliant data handling will not be viable in India’s regulatory environment” - is sharpest for likely SDFs. If your product trains or runs models on personal data, the provenance and consent basis of that data becomes an evidentiary question. Building the records to answer it is not something you bolt on in the last quarter before a deadline.

The Data Protection Board: live, but ramping up

The Board’s legal foundation is in force from 13 November 2025 under Rules 17 to 21. That makes the regulator real. What is still building is its day-to-day capacity to receive, investigate, and adjudicate complaints, which will scale over the coming months.

Why this matters for your planning: the Board is the body that will receive breach reports, hear data principal complaints, and issue penalty orders once the core obligations are live. The EY overview of the DPDP framework describes the Board as the enforcement engine of the whole structure. Do not read the Board’s ramp-up period as a reason to relax. By the time the May 2027 obligations bite, the Board is meant to be operational, and your first interaction with it - filing a breach report inside 72 hours, or answering a complaint - is not the moment to discover your processes do not exist.

The full compliance calendar by date

Here is the timeline as a single calendar. Dates marked “around” depend on the exact reading of the countdown from notification and any later MeitY amendment.

DateWhat changesWhat you must have done
13 Nov 2025Rules 1-2 and 17-21 in force; Board constituted; definitions liveStart data mapping; name a grievance contact
Through 2026Board builds operational capacityFinish data mapping; assess SDF risk; rewrite notice drafts
Around 13 Nov 2026Rule 4 in force; Consent Manager registration opensDecide: in-house consent or via a Consent Manager; begin vendor due diligence
Late 2026 to early 2027Registered Consent Managers begin to appearFinalise consent vendor or build in-house; start consent flow build and testing
Around 13 May 2027Rules 3, 5-16, 22-23 in force; notice, consent, security, breach, children’s data, rights, SDF duties all bindingCompliant notices live; consent capture and logging live; breach runbook (72-hour) ready; rights workflows ready; retention and 48-hour erasure notice live; DPO and audit in place if SDF
Annually after 13 May 2027Ongoing duties recurSDFs: annual DPIA and independent audit; all: refresh data map, review consents, retrain staff

The TCSA implementation roadmap lays out a similar staged plan and makes the same point we do: the work backloaded into May 2027 cannot be started in May 2027. Read the calendar right to left. Pick your hardest May 2027 obligation, estimate the build honestly, and count backwards. That is your real start date.

A checklist by business size

The Rules apply regardless of size - there is no blanket small-business exemption - but the practical weight differs enormously. A two-person startup and a 2-crore-user platform face the same principles and very different burdens. Use the slice that fits you.

Small business or early-stage startup (low volume, no sensitive data at scale):

  • Map your data now. Even a simple spreadsheet of what you collect, why, and where it lives beats nothing.
  • Rewrite your privacy notice to be clear, specific, and itemised. This is mostly a writing task, not an engineering one.
  • Build a basic consent capture that is specific and withdrawable, and log it.
  • Name a grievance contact and write a one-page process for handling complaints.
  • Put a minimal breach response plan on paper so the 72-hour clock does not catch you cold.
  • If your product can reach under-18 users, decide how you will detect that and obtain verifiable parental consent.

Mid-size business (meaningful user base, some sensitive data, vendor dependencies):

  • Everything above, plus:
  • Audit your vendors and data processors. Update contracts to reflect DPDP obligations - security standards, breach cooperation, and processing limits.
  • Decide on your consent approach before November 2026: in-house or via a registered Consent Manager.
  • Stand up real breach detection, not just a plan - logging, alerting, and a named response team.
  • Build proper rights workflows for access, correction, and erasure, with defined turnaround times.
  • Start a staff training programme across legal, product, engineering, and support.

Large platform or likely SDF (2-crore-plus users, sensitive data, or critical sector):

  • Everything above, plus:
  • Assume you may be designated an SDF and prepare for it. Appoint a Data Protection Officer in India.
  • Stand up the annual DPIA and independent audit cadence; do not wait for the first cycle to design it.
  • Implement the Third Schedule retention limits and the 48-hour pre-erasure notice for the right user thresholds.
  • Build algorithmic due-diligence and review processes if you use automated decisioning or train models on personal data. As Chakraborty noted, models that cannot evidence compliant data handling “will not be viable in India’s regulatory environment.”
  • Run a full compliance gap assessment and treat it as a programme, not a project.

The KS Legal compliance steps overview sets out a comparable progression, and the throughline is consistent: the principles are universal, the build effort scales with how much and how sensitive the data is.

One caution on the size buckets: they are about effort, not about whether the law applies. A small startup is not exempt from the notice and consent rules; it simply has less data to map and fewer systems to retrofit. Equally, a mid-size business that handles a small volume of very sensitive data - health records, financial detail, biometrics - may carry more risk than a larger business handling low-sensitivity data. Read the buckets as a starting point and then adjust for the sensitivity of what you hold. The Board’s penalty factors weigh the type of data affected, so a leak of sensitive records from a modest operator can still be a serious matter. Use the size guidance to plan resourcing, and use a clear-eyed view of your data’s sensitivity to set your priorities within that plan.

Penalties for missing each deadline

The cost of missing a deadline is not theoretical. The DPDP Act’s schedule sets a tiered penalty structure, adjudicated by the Board, with the top tier reaching up to Rs 250 crore for the most serious categories of breach. The Board weighs the nature, gravity, and duration of the breach, the type of data affected, whether it was repeated, and what you did to mitigate harm.

A few specific failure modes worth pricing into your planning:

  • Failure to take reasonable security safeguards that leads to a breach is among the most heavily penalised categories. This is the one that pairs with the 72-hour notification clock.
  • Failure to notify a breach to the Board and affected data principals is itself a distinct exposure, separate from the breach.
  • Breaches of children’s-data obligations - processing without verifiable parental consent, or tracking and targeting minors - sit in the higher penalty bands given the protected class involved.
  • General non-compliance with the Act and Rules carries penalties even where no single breach has occurred.

There is no published general grace period after May 2027. The Anand and Anand note on the 18-month imperative frames this as a board-level risk, not an IT housekeeping item. Beyond the rupee figure, a Board inquiry means document production, mandated process changes, and reputational damage. The penalty is the headline; the investigation is the grind.

If you are weighing this against the cost of compliance, the maths is plain: a serious safeguards failure can cost orders of magnitude more than the programme that would have prevented it.

It is worth being precise about how the penalty interacts with the calendar, because the two are linked. Before May 2027, the operating obligations are not yet binding, so there is no penalty for, say, an imperfect consent flow today. After May 2027, the same imperfect flow is a live exposure. The deadline is therefore also the moment your risk profile changes shape. A breach that happens on 12 May 2027 and a breach that happens on 14 May 2027 sit in very different legal worlds, even if the technical facts are identical. That is the real reason the date is not negotiable in practice: it is the line where latent risk becomes enforceable risk.

The penalty design also rewards good behaviour in a way that should shape your planning. The Board is directed to weigh what you did to mitigate harm and whether the breach was repeated. A business that can show a documented breach runbook, prompt notification within the 72-hour window, and genuine remediation is in a materially better position than one that cannot. None of that mitigation evidence can be assembled after the fact - it has to be built into your processes before the incident. So the compliance programme is not only about avoiding breaches; it is about being able to demonstrate diligence when something does go wrong, because something eventually will. The records you keep, the speed of your response, and the clarity of your processes are themselves part of how the penalty is calculated.

What to do now: the first 90 days

If you do nothing else after reading this, do these five things in the next quarter. They have the longest lead times and unblock everything else.

  1. Map your data. What you collect, from whom, why, where it lives, who can access it, how long you keep it, and where it flows. Everything downstream depends on this.
  2. Audit your notices and consent. Compare today’s privacy policy and sign-up flows against the notice and consent standards. Note the gap. It is almost always larger than expected.
  3. Decide your consent approach. In-house or via a Consent Manager. This drives procurement and build timelines, and the registration window opens November 2026.
  4. Draft a breach runbook. A named team, a detection method, and a 72-hour reporting template. Test it once before you ever need it.
  5. Assess your SDF risk and children’s-data exposure. If either applies, the extra obligations have their own lead time - DPO hiring, audit setup, age-verification design.

None of this needs to wait for a rule to switch on. Doing it now is the difference between a calm 2027 and a scramble.

A practical way to keep the programme honest is to assign each of these five a named owner and a review date, then treat the calendar above as a backlog you groom every quarter. Compliance work has a habit of slipping because it has no customer shouting for it and no revenue attached. A standing quarterly review, with the May 2027 date pinned at the top, keeps it from drifting to the bottom of every sprint. The businesses that will sail through 2027 are not the ones with the biggest legal budgets; they are the ones that started early and kept the work visible.

One last framing. The DPDP deadlines are not really an event that happens to you in May 2027. They are a change in how every Indian business has to treat personal data, arriving on a schedule you can see clearly today. The schedule is a gift, oddly enough, because it removes the excuse of surprise. You know the dates. You know the obligations. The only variable left is whether you use the runway or burn it.

For the underlying law and how each obligation is defined, our DPDP Rules 2025 guide is the companion to this calendar. For the consent intermediary in detail, see the Consent Manager framework explainer. And if you are juggling DPDP alongside other big 2025-26 statutory changes, the Income Tax Act 2025 overview covers another reform arriving in phases.

Frequently asked questions

What is the single most important DPDP date for my business?

For most businesses it is around 13 May 2027, when the core operating obligations - notice, consent, security, breach reporting, children’s data, and data principal rights - come into force together. Count your build backwards from that date. If you process very large volumes of data, the Consent Manager registration window around 13 November 2026 and your possible SDF designation also matter, but May 2027 is the anchor.

Are any DPDP obligations already binding right now?

Yes. The definitions (Rules 1-2) and the rules constituting the Data Protection Board (Rules 17-21) have been in force since 13 November 2025. They do not require you to rebuild consent flows yet, but the regulator’s legal foundation exists, and the sensible work to start now - data mapping and naming a grievance contact - has no reason to wait.

Is there a small-business exemption from the DPDP deadlines?

No general one. The Rules apply to data fiduciaries regardless of size. The Board must consider factors that could reduce a penalty for a smaller operator, and MeitY may issue sector-specific exemptions, but you should not assume you are excluded simply because you are small. The practical effort scales with how much and how sensitive your data is, not whether you are obliged to comply.

What exactly is the 72-hour breach deadline?

On becoming aware of a personal data breach, you must inform affected data principals without delay and file a detailed report to the Data Protection Board within 72 hours. The clock starts when you become aware of the breach, not when you finish investigating it. This obligation becomes binding around 13 May 2027, so your detection and reporting runbook needs to exist well before then.

No, on both counts. Registration under Rule 4 opens around 13 November 2026, but registering is only for entities that want to operate as Consent Managers, and using one is optional for everyone else. You may continue to obtain consent directly if you meet the notice, consent, withdrawal, and record-keeping standards yourself. What you should do before November 2026 is decide which route you will take.

How will I know if I am a Significant Data Fiduciary, and when do those duties start?

The Central Government designates SDFs by notification, so you will be told. Designation turns on the volume and sensitivity of data, risk to data principals, and impact on sovereignty, security, or electoral democracy. Once designated, you must appoint an India-based Data Protection Officer, engage an independent auditor, and run an annual DPIA and audit. These enhanced duties become enforceable from the same 13 May 2027 anchor as the other core rules.

What are the retention deadlines for large platforms?

Under the Third Schedule, e-commerce entities with 2 crore-plus users, social media entities with 2 crore-plus users, and online gaming entities with 50 lakh-plus users must erase personal data three years after the last user interaction, unless retention is otherwise required by law. You must also notify the data principal at least 48 hours before erasure so they can keep their account active. These obligations land with the core rules around May 2027.

What happens if I simply miss the May 2027 deadline?

There is no announced general grace period beyond May 2027. Once the obligations are binding, non-compliance is enforceable by the Board, with penalties under the Act’s tiered schedule reaching up to Rs 250 crore for the most serious categories. A Board inquiry also brings document production, mandated process changes, and reputational cost. Plan for full compliance by the date rather than betting on an extension.

Where Niyam fits

The DPDP calendar is a sequencing problem dressed up as a legal one. The hard part is not understanding any single rule; it is working out the order in which a dozen obligations have to be built, and reading the timeline back from May 2027 to a start date you can act on this quarter.

When the question is what a specific provision actually requires - what your notice must contain, what counts as verifiable parental consent, when the 72-hour clock starts - the answer has to come from the Act and the Rules themselves, read carefully and in context. Niyam is a legal AI built for India, with answers grounded in a corpus of 72,000+ Indian judgments, and every answer carries a citation you can open and verify. That verify-the-source habit is the whole point: for a compliance programme, an answer you cannot check is worse than no answer. If you want to understand why that matters, read how we think about checking whether a citation is still good law.

If you have questions about the DPDP deadlines that are specific to your business or sector, write to [email protected].

Start for ₹100