
India's DPDPA Phase 2: What Fintechs Must Do Now

India's DPDP Rules came into force November 2025. Phase 2 — the Consent Manager Framework with INR 250 crore penalties — activates on 13 November 2026.


Five Months to Phase 2: The Compliance Clock Is Running

On 13 November 2025, India's Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025, bringing the Digital Personal Data Protection Act, 2023 (DPDPA) into force. The notification set a phased schedule: Phase 1 immediately established the four-member Data Protection Board of India; Phase 2 begins on 13 November 2026, when the Consent Manager Framework activates; and Phase 3, covering all remaining substantive compliance obligations, takes effect on 13 May 2027. With Phase 2 five months away, the readiness picture is concerning: approximately 70 per cent of Indian organisations report limited familiarity with the Act, only 48 per cent have initiated gap assessments, and just 38 per cent have classified their personal data — the foundational step without which compliance cannot begin in earnest.

What Phase 2 Actually Requires

The Consent Manager Framework introduces a regulated category of intermediary — Consent Managers — through which consumers can grant, review, track, and withdraw consent across multiple applications. To register as a Consent Manager with the Data Protection Board, an organisation must maintain a minimum net worth of INR 20 million (approximately USD 225,000), be incorporated in India, and satisfy independent certification requirements covering technical interoperability and security. For organisations that rely on a third-party Consent Manager rather than building their own, the technical integration requirement still exists: their product architecture must be able to connect to a registered Consent Manager's API by 13 November 2026.

The Penalty Structure: Fines That Stack

The DPDPA's penalties are designed to stack. A failure to implement reasonable security safeguards that results in a data breach carries up to INR 250 crore — approximately 30 million US dollars — per violation. A separate failure to notify the Data Protection Board and affected individuals of the same breach adds up to INR 200 crore. A single incident involving both a breach and a notification failure can therefore generate combined exposure of INR 450 crore. Children's data protection violations and failures to comply with Board notices carry penalties up to INR 50 crore each. For organisations processing significant volumes of Indian consumer data, the DPDPA creates material financial risk regardless of whether their primary business is technology.

Most-Exposed Sectors

Fintech companies — processing payment histories, credit data, and transaction records — face the highest combined sensitivity and volume exposure. Health apps, edtech platforms, and gaming companies processing personal data at high frequency are close behind. Mid-sized app developers in these categories, who built consent flows under the pre-DPDPA regime using dense terms-of-service acceptance rather than specific, purpose-bound consent, face the most significant technical rebuild requirements.

Compliance as a Software Engineering Problem

DPDPA compliance is not primarily a legal task — it is a software engineering project. Consent flows must be redesigned to capture specific, purpose-bound consent for each data processing category. Data lineage tracking must be implemented so the organisation can demonstrate what data it holds, where it came from, and how it is used. Automated data retention enforcement must be built so personal data is deleted once the processing purpose is fulfilled.
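The three engineering tasks above can be sketched together in one small model: a consent ledger that records consent per purpose and per data category (not blanket terms-of-service acceptance), a store that refuses to persist personal data without a matching active consent and tags every record with its source for lineage, and a retention sweep that deletes data once consent is withdrawn or an assumed retention period has elapsed. This is an added example written for this post, not code from the original article or any TechPillow project; every name, purpose string and retention period in it is an assumption chosen for illustration, and the Act itself prescribes none of them.

```python
"""Purpose-bound consent ledger with lineage tags and retention enforcement.

Added example, not code from the original post or any TechPillow project.
Class names, purposes and retention periods are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Consent:
    principal_id: str                 # the data principal (user) who gave consent
    purpose: str                      # one specific processing purpose, not a blanket ToS
    categories: frozenset             # personal-data categories this purpose may touch
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class PersonalRecord:
    principal_id: str
    category: str                     # e.g. "transaction_history"
    purpose: str                      # the purpose this copy was collected for
    source: str                       # lineage: the system or form the data came from
    collected_at: datetime
    payload: dict = field(default_factory=dict)


# Assumed retention limits per purpose (hypothetical values, not from the Act).
RETENTION = {
    "kyc_verification": timedelta(days=365 * 5),
    "credit_scoring": timedelta(days=180),
    "marketing": timedelta(days=90),
}


class ConsentLedger:
    """Append-only record of purpose-specific consents and their withdrawals."""

    def __init__(self):
        self._consents: list[Consent] = []

    def grant(self, principal_id, purpose, categories, now):
        self._consents.append(Consent(principal_id, purpose, frozenset(categories), now))

    def withdraw(self, principal_id, purpose, now):
        # Withdrawal is recorded, never deleted, so the history stays auditable.
        for c in self._consents:
            if c.principal_id == principal_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = now

    def permits(self, principal_id, purpose, category, now) -> bool:
        """True only if an active consent covers this exact purpose and category."""
        return any(
            c.principal_id == principal_id
            and c.purpose == purpose
            and category in c.categories
            and c.granted_at <= now
            and (c.withdrawn_at is None or now < c.withdrawn_at)
            for c in self._consents
        )


class PersonalDataStore:
    """Stores personal data tagged with purpose and lineage; refuses unconsented writes."""

    def __init__(self, ledger: ConsentLedger):
        self.ledger = ledger
        self.records: list[PersonalRecord] = []

    def collect(self, principal_id, category, purpose, source, payload, now) -> bool:
        if not self.ledger.permits(principal_id, purpose, category, now):
            return False                  # no consent for this purpose/category: do not store
        self.records.append(PersonalRecord(principal_id, category, purpose, source, now, payload))
        return True

    def lineage(self, principal_id):
        """What is held about a principal, where it came from, and for which purpose."""
        return [(r.category, r.source, r.purpose) for r in self.records if r.principal_id == principal_id]

    def enforce_retention(self, now) -> int:
        """Delete records whose consent was withdrawn or whose retention period elapsed."""
        keep = []
        for r in self.records:
            expired = now - r.collected_at > RETENTION.get(r.purpose, timedelta(0))
            consented = self.ledger.permits(r.principal_id, r.purpose, r.category, now)
            if consented and not expired:
                keep.append(r)
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


def demo():
    """Constructed walk-through: grant, collect, withdraw, sweep."""
    t0 = datetime(2026, 11, 13, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    store = PersonalDataStore(ledger)
    ledger.grant("user-1", "credit_scoring", {"transaction_history"}, t0)
    ledger.grant("user-1", "marketing", {"email"}, t0)
    ok_scoring = store.collect("user-1", "transaction_history", "credit_scoring", "upi_feed", {"n": 42}, t0)
    # Same category, different purpose: marketing consent does not cover transaction history.
    rejected = store.collect("user-1", "transaction_history", "marketing", "upi_feed", {"n": 42}, t0)
    ok_marketing = store.collect("user-1", "email", "marketing", "signup_form", {"e": "x"}, t0)
    held = store.lineage("user-1")
    ledger.withdraw("user-1", "credit_scoring", t0 + timedelta(days=30))
    removed_after_withdrawal = store.enforce_retention(t0 + timedelta(days=31))
    removed_after_expiry = store.enforce_retention(t0 + timedelta(days=91))
    return ok_scoring, rejected, ok_marketing, held, removed_after_withdrawal, removed_after_expiry, len(store.records)


if __name__ == "__main__":
    print(demo())
```

The point of the design is that consent, storage and deletion share one key (principal, purpose, category): a write with no matching consent never lands, a withdrawal makes the next sweep remove exactly the records it covered, and the lineage query answers "what do we hold and why" from the same tags.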

For teams building customer-facing fintech, health, or edtech applications, this work sits at the intersection of product design and backend architecture. It requires product managers, data engineers, and backend developers to collaborate on a problem none of them can solve independently. Teams that treat DPDPA compliance as a legal checkbox rather than a product engineering workstream will find the November 2026 and May 2027 deadlines difficult to meet.

What This Means for Indian Technology Teams

For custom software development companies building data-handling products for Indian clients, the DPDPA compliance timeline creates a near-term service demand and a forward-looking architecture requirement. Clients in fintech, health, and edtech will need engineering support to redesign consent flows, build data lineage tooling, and implement automated retention enforcement before the May 2027 deadline.

Teams auditing their own data practices should begin with the foundational steps: document all data processing activities, classify personal data by sensitivity and processing purpose, and assess whether current consent collection approaches meet the Act's granular, purpose-specific consent standard. The window for comfortable compliance — with time for development, testing, and iteration — is closing. Starting in July 2026 leaves approximately ten months before Phase 3 enforcement. Starting in January 2027 leaves four months. Neither is a comfortable timeline for the consent architecture changes the Act requires.

The Bottom Line

India's DPDPA Phase 2 activates on 13 November 2026 — five months from today. The Consent Manager Framework requires organisations facilitating consent at scale to register with the Data Protection Board and meet technical interoperability standards by that date. Phase 3 full enforcement follows on 13 May 2027, with penalties reaching INR 250 crore per violation and stacking to INR 450 crore for combined breach and notification failures. Only 38 per cent of Indian businesses have classified their personal data. For fintech, edtech, health, and gaming companies, DPDPA compliance is a software engineering programme — consent redesign, data lineage tracking, retention automation — that must begin now if the May 2027 deadline is to be met without a crisis-mode compliance sprint.

Frequently Asked Questions

What is India's DPDPA and what are the key compliance milestones in 2026 and 2027?

India's Digital Personal Data Protection Act, 2023 (DPDPA) is India's comprehensive legal framework for personal data protection. The DPDP Rules 2025 were notified on 13 November 2025 by the Ministry of Electronics and Information Technology. The phased enforcement schedule has three milestones: Phase 1 (November 2025) established the four-member Data Protection Board of India; Phase 2 (13 November 2026) activates the Consent Manager Framework; and Phase 3 (13 May 2027) brings all remaining substantive provisions into force, including the full set of data fiduciary obligations, processing conditions, and breach notification requirements.

What are the penalties under India's DPDPA and how do they stack?

The DPDPA's penalty schedule is tiered and designed to stack across multiple violations from a single incident. A failure to implement reasonable security safeguards resulting in a data breach carries a penalty of up to INR 250 crore (approximately USD 30 million). A separate failure to notify the Data Protection Board and affected individuals of that breach adds up to INR 200 crore. A single breach event that also involves a notification failure can therefore attract combined exposure of up to INR 450 crore. Children's data violations and failures to comply with Board notices carry penalties up to INR 50 crore each.

What is a Consent Manager under the DPDPA and who needs to register as one?

A Consent Manager is a registered intermediary under the DPDPA that operates a platform through which consumers — called data principals — can grant, review, track, and withdraw consent for the use of their personal data across multiple services. To register as a Consent Manager with the Data Protection Board, an organisation must meet three criteria: a minimum net worth of INR 20 million (approximately USD 225,000), incorporation in India, and independent certification for technical interoperability and security. Organisations that do not register as a Consent Manager must integrate with a registered Consent Manager's API to handle user consent in their applications.

Which Indian companies face the highest DPDPA risk and what should they do now?

The highest-risk organisations are those in fintech, health, edtech, and gaming — sectors where data processing is central and consent collection has historically used terms-of-service acceptance rather than specific, purpose-bound granular consent flows. Survey data from 2026 shows only 38 per cent of Indian organisations have classified their personal data and just 48 per cent have initiated gap assessments. The immediate priorities are: complete a data audit, document all data processing activities, classify personal data by sensitivity and processing purpose, assess whether current consent flows meet the Act's granular consent standard, and determine whether the organisation needs to register as a Consent Manager or integrate with an existing one before 13 November 2026.


Written by

TechPillow Team

Sharing insights on technology, product development, and the Indian tech ecosystem.
