AMLEGALSDPDPAVibe Data Privacy
HomeInsightsDPDPA Implementation Timeline
ComplianceVibe Data Privacy

DPDPA Implementation Timeline

Navigating the 12-18 Month Compliance Runway

11 min
January 2026

"The 18-month milestone represents a cliff edge—significant effort will be required for sanitizing legacy data."

Implementation Advisory
DPDPA Implementation Timeline

DPDPA implementation follows phased commencement with critical milestones at 12 and 18 months. Organisations must treat this period as a compliance sprint, not a vacation. This article examines the implementation timeline, milestone obligations, and preparation strategies for each phase.

Phased Commencement

The implementation follows three phases: immediate effect for Data Protection Board provisions, 12-month window for Consent Manager obligations, and 18-month deadline for primary business compliance. Each phase introduces distinct requirements demanding different organisational responses.

Key Points

  • Immediate: DPB provisions
  • 12 months: Consent Manager obligations
  • 18 months: Full business compliance

The 12-Month Milestone

November 2026 is not a soft launch. Consent Manager provisions require registered intermediaries facilitating consent management for data principals. Organisations relying on Consent Managers must ensure registered providers are engaged and integrated. Internal consent management systems must achieve compliance standards.

The 18-Month Cliff Edge

May 2027 represents full compliance deadline. Legacy data presents the largest challenge—historical data collected without DPDPA-compliant consent must be sanitized. Purpose limitation requires reviewing existing data against original collection purposes. Data minimisation demands deletion of unnecessary historical records.

Key Points

  • Legacy data sanitisation
  • Purpose limitation review
  • Consent refresh campaigns
  • Data minimisation exercises

Preparation Strategy

Organisations should: complete gap analysis by Month 3, finalise policy frameworks by Month 6, implement technical controls by Month 9, conduct training by Month 12, and execute legacy data remediation by Month 15. Buffer time addresses unforeseen complications. Late starters face compressed timelines and elevated risk.

Key Takeaways

1

Map current state against DPDPA requirements immediately

2

Prioritise legacy data audit and remediation

3

Engage Consent Manager providers if required

4

Budget for implementation resources

5

Establish milestone tracking and governance

Statutory References

DPDPA Commencement ProvisionsDPDP Rules 2025Section 26 Consent ManagerSection 8 Data Fiduciary Obligations

Need Compliance Guidance?

Our data privacy practice provides tailored compliance assessments and implementation support.

Get in Touch