ValkyaEditorial
Weekly Report

DPDP at six months: Phase-II readiness as the consent-manager regime approaches

Six months into the staged rollout of the Digital Personal Data Protection Act, 2023 — and the DPDP Rules notified by MeitY on 13 November 2025 — the practitioner architecture is now substantially visible. Phase I (the Data Protection Board's establishment) is live; Phase II (the consent-manager regime) takes effect on 14 November 2026; Phase III (the compliance obligations and the ₹250 crore penalty ceiling) takes effect on 14 May 2027. A practitioner read on where data fiduciaries should be at the six-month mark and what the remaining eighteen months require.

Valkya Editorial· Legal Intelligence··8 min read

The Digital Personal Data Protection Act, 2023, and the Digital Personal Data Protection Rules, 2025 — the Rules notified by the Ministry of Electronics and Information Technology on 13 November 2025 — have settled into a phased implementation architecture that is now six months into operation. The practitioner posture has, in that period, substantially clarified. This piece reads where data fiduciaries should be at the six-month mark, and what the remaining eighteen months require.

The phased architecture

The architecture has three phases, each operative at a different date.

Phase I — 13 November 2025. Provisions relating to the establishment of the Data Protection Board of India were made effective on the date of notification. The Board is, from that date, capable of being constituted and operative for its administrative functions.

Phase II — 14 November 2026. Provisions pertaining to consent managers — registration architecture, eligibility criteria, operational obligations — take effect twelve months from notification.

Phase III — 14 May 2027. The compliance obligations of the DPDP Act and Rules — rights of data principals, obligations of data fiduciaries, cross-border transfer mechanism, and the penalty architecture with its ₹250 crore per-violation ceiling — come into force eighteen months from notification.

The phased structure is operationally significant. The dates are not merely procedural; they create a timeline along which preparation must be done. The sections below read each phase against where practitioners should be at the six-month mark.

Phase I: where the Board is, and what it does

The Data Protection Board of India — the central regulator under the DPDP architecture — has been the institutional locus of the compliance regime since November 2025. When the Phase III provisions take effect, the Board's functions will include the investigation of data fiduciary practices, the imposition of penalties for contraventions, and the adjudication of disputes between data principals and data fiduciaries.

In the six months since Phase I, the Board has been the locus of operational set-up: recruitment, institutional architecture, preparation of operational guidelines, and engagement with the stakeholders that will be the principal subjects of its work.

For practitioners advising data fiduciaries, the Phase I posture is one of institutional engagement: monitoring the Board's development, participating in the consultation processes that will continue across the build-up to Phase III, and preparing the documentation that will support the data fiduciary's defensive case if and when an investigation is opened.

The Phase II consent-manager regime is, in design, the operational architecture for the management of data-principal consent within the DPDP framework. A consent manager is a platform registered with the Board that gives the data principal a single interface to give, manage, review, and withdraw consent across multiple data fiduciaries.

The design is structurally significant. Rather than requiring the data principal to manage consent separately with each platform or service — the position that has produced consent fatigue and disengagement under the EU's GDPR architecture — the consent-manager regime supplies a single interface through which the data principal can exercise control across all relationships. The consent manager is accountable directly to the data principal and must maintain interoperability, with the consequence that data principals are not locked into a single platform to exercise their rights.

The eligibility criteria are doctrinally important. The Rules require consent-manager applicants to be India-incorporated entities with a minimum net worth of ₹2 crore. The combined effect is to exclude the foreign consent-management platforms that have dominated the global market — OneTrust, TrustArc, and others — from operating as registered consent managers in India. The Indian consent-management market will, in consequence, be served by India-incorporated entities, with the foreign platforms — to the extent they remain operationally relevant — operating through India-incorporated affiliates or partnerships.

For data fiduciaries, the Phase II preparation runs along three axes. The first is the consent architecture itself — the templates, processes, and workflows through which consent is taken, recorded, varied, and withdrawn. The Rules' requirements engage the language of consent, the granularity of the purposes for which consent is sought, and the mechanism for withdrawal. The second is the consent-manager integration — the technical and contractual architecture for engaging with the consent-manager platforms that will, from November 2026, be the locus of consent management for many data principals. The third is record-keeping — the evidentiary architecture that will support the data fiduciary's case in any subsequent investigation by the Board.

Phase III: the compliance cliff

The Phase III provisions — taking effect on 14 May 2027 — produce the entry into the full DPDP architecture. The data principal's rights become enforceable; the data fiduciary's obligations attach; the penalty architecture, with its ₹250 crore per-violation ceiling, becomes operative.

The obligations are extensive. They include the data fiduciary's responsibility for the lawfulness and necessity of the processing it conducts; the grounds for processing — consent and "legitimate use" (the latter being a doctrinal question that remains substantially open); the limitations on processing including purpose limitation, data minimisation, and storage limitation; the rights of data principals — access, correction, erasure, and grievance redressal; and the cross-border transfer mechanism, the operational detail of which remains to be finalised.

The penalty ceiling of ₹250 crore per violation is a deterrent at a different order of magnitude from anything that preceded it in Indian data-protection enforcement. The calculation methodology — the factors that will guide the Board's penalty-determination function — will be a matter of guidance the Board is expected to produce in the build-up to Phase III.

Where the data fiduciary should be, six months in

A data fiduciary approaching the DPDP architecture at the six-month mark should be advanced along five axes.

Records of processing activities (RoPA). An inventory of processing activities — what personal data is processed, for what purposes, on what grounds, with what retention period — is the foundation for compliance. It should have been largely completed in the first six months and should be the basis for the further work that the remaining eighteen months require.

Vendor and processor mapping. The data processors that operate on the data fiduciary's behalf — and the contractual architecture that governs the relationship — should be substantially mapped. The Phase III responsibilities of the data fiduciary include supervision of its processors; the contractual architecture is the vehicle for that supervision.

Consent template review. The language of consent, the granularity of the purposes, and the mechanism for withdrawal should be under review against the Rules' specific requirements. The Phase II consent-manager integration — taking effect in six months — will require this work to be complete.

Breach response readiness. The architecture for detection, investigation, and notification of breaches — within the timelines the Rules specify — should be developed. Incident-response capability is one of the areas where the Board's Phase III enforcement attention is expected to focus.

DPO designation if Significant Data Fiduciary. The designation of a Data Protection Officer — required for Significant Data Fiduciaries under the Rules — should be advanced for entities likely to fall within the SDF designation. The criteria for SDF designation will be the subject of guidance from the Board; candidates should be preparing the internal architecture in anticipation.

What remains open

Three questions are substantially open at the six-month mark.

The cross-border transfer mechanism. The architecture for cross-border data transfers — the list of jurisdictions to which transfers are permitted, the adequacy or other mechanism that governs transfers to non-listed jurisdictions, and the role of the Central Government in maintaining and updating the list — remains to be finalised. The Phase III timeline will, at some point, require its resolution.

The "legitimate use" doctrine. The interpretation of "legitimate use" as a ground for processing — distinct from consent — has been left to be developed through the Board's jurisprudence. The doctrinal contours will emerge through enforcement decisions, with the scope of "legitimate use" likely to be tested in early matters.

The Board's procedural framework. The procedural framework that will govern the Board's functions — investigation, adjudication, appellate engagement — remains to be finalised. The due-process architecture for affected data fiduciaries will be a substantial determinant of how the enforcement architecture operates in practice.

What practitioners should be doing now

For data fiduciaries. The next twelve months are the Phase II preparation window. Consent-management architecture, vendor mapping, RoPA, and breach-response readiness are the priorities. The remaining eighteen months — to Phase III — produce the cliff edge.

For consent-management entities. The Phase II registration architecture, with its eligibility criteria, is the market opportunity for India-incorporated entities. Preparation for registration — including the net-worth qualification and the operational architecture — should be advanced.

For the broader privacy bar. The DPDP architecture is now visible, but its doctrinal contours will be developed through enforcement. Engagement with the Board — through consultation, advisory work, and participation in enforcement matters — is the route through which the doctrinal development will happen.

Related reading

The Digital Personal Data Protection Act 2023: the substantive architecture

A practitioner's primer on the structural design of India's first comprehensive data-protection statute — lawful basis, data-fiduciary obligations, the Significant Data Fiduciary tier, data-principal rights, cross-border transfers, exemptions, the Data Protection Board, the Schedule's ₹250 crore penalty cap, and the staged repeal of Section 43A IT Act and the SPDI Rules 2011. Written as the foundational reference for any DPDP question.

Valkya Editorial··15 min

The DPDP Rules, 2025: what the November notification actually does — and when

India's first comprehensive data-protection framework is now operational, but in a staged sequence: Consent Manager rules effective November 2026; substantive Significant Data Fiduciary obligations effective May 2027. A practitioner's read on the architecture, the timeline, and the compliance work that has just become urgent for law firms and for the entities they advise.

Valkya Editorial··10 min

Cyber and data protection: May-June 2026 roundup

The May-June 2026 cycle in Indian cyber and data-protection practice is dominated by the DPDP Rules 2025 first-year operationalisation, the transitional jurisprudence under Section 43A of the IT Act 2000 in its final operative phase, and the continuing post-Kunal Kamra recalibration of the intermediary-liability framework. A focused round-up of what changed in policy, what changed in the courts, and what practitioners are tracking.

Valkya Editorial··10 min
Research this line of authority in Valkya

Trace how this proposition has been treated across Indian courts — citations, bench strength, and subsequent history — in one workspace built for litigators.

Open Valkya →