04 Feb 2026 · 6 min read
After two years of waiting, the Digital Personal Data Protection Rules, 2025 were notified by MeitY on 13–14 November 2025. The Act now has operating teeth, the Data Protection Board is live, and the headline deadline is set: full compliance by 13 May 2027.
The Rules confirm what most observers expected — a phased, sector-aware rollout, with the heaviest obligations (verifiable parental consent for children, the Significant Data Fiduciary duties, the Consent Manager registration regime) coming online over 18 months rather than overnight.
What should you do this month? Three things. First, run a free scan and get a baseline. Second, fix your consent banner — almost everyone's is non-compliant. Third, name a Grievance Officer in your privacy notice and footer. That's three days of work that closes most of the easy gaps.
Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.