Looking ahead: what changes on the DPDP timeline.

The DPDP Rules came into force in stages. A useful exercise: what changes when, and what should you do about each.

Now (already operative).

Consent notices in your language of choice. Grievance officers. Breach reporting within seventy-two hours. Erasure requests within ninety days. Children's data with verifiable parental consent.

What to do: file Section 12 notices for the exposures you care about. Update your consent preferences with major Fiduciaries (you have the right). Add a Grievance Officer notification to your inbox rules so you do not lose responses.

H2 2026: SDF designation.

The Ministry is expected to publish the criteria for Significant Data Fiduciary designation in the second half of 2026, with the first designations following six months later. SDFs face additional obligations: a DPO with statutory standing, periodic Data Protection Impact Assessments, periodic audits.

Likely SDFs: major payments platforms, large e-commerce, ride hailing, identity-verification services, large telcos. SDF designation matters to you because SDFs face higher scrutiny; your erasure requests against an SDF will likely be acted on faster after designation than before.

What to do: nothing now. If you have pending requests against likely-SDF candidates, the experience may improve once designation lands.

Late 2026 or early 2027: Consent Managers.

The Act provides for Consent Managers, licensed intermediaries that hold your consents and revoke them on your behalf. The licensing framework is in draft. We expect the first Consent Managers to be operational by early 2027.

A Consent Manager is functionally similar to a password manager for consents. You delegate the consent decisions to the manager, who maintains a record of what you have consented to with whom, and who can revoke any consent in bulk on your direction.

What to do: choose your Consent Manager carefully when they become available. The Consent Manager is essentially holding your privacy posture; the choice is similar in stakes to choosing a bank.

Mid-2027: cross-border transfer.

The Ministry is expected to publish the list of countries to which personal data of Indian residents may not be transferred by mid-2027. The Rules contemplate a negative-list approach: transfers are permitted unless the destination country is on the prohibited list.

This will affect you primarily in the form of changed terms-of-service notifications from foreign platforms. Some platforms may stop operating in India rather than restructure data flows; some will localise data storage.

What to do: if you have data on foreign platforms, expect changes. Some may include forced re-consent flows; read those carefully.

What we do as the timeline rolls out.

Our templates and workflows are versioned by date. As provisions become operative, we update templates and add the relevant invocations. Old notices we filed before a provision became operative do not need to be re-filed; new notices filed after carry the new invocations.

When SDF designation lands, we will add SDF-specific language to our notices against designated entities. When the negative list of countries publishes, we will add cross-border transfer language to notices against foreign Fiduciaries operating in India.

The next Vault.in product update is scheduled for August 2026 and will include the SDF additions if designation lands as expected.