The Union Budget 2026 has allocated ₹10 crore to the Data Protection Board of India (DPB), a five-fold increase from ₹2 crore in FY25–26. The higher allocation follows the enactment of the Digital Personal Data Protection (DPDP) Act, which received presidential assent in August 2023. The rules for implementation were notified in November 2025. Until now, the regulatory framework remained in a preparatory phase without operational enforcement.
Budget 2026 marks the beginning of the enforcement phase of India’s personal data protection regime. All organisations processing personal data of individuals in India are required to achieve compliance by May 2026. The rollout will follow an 18-month phased implementation schedule across sectors, including financial services, healthcare, e-commerce and other businesses handling personal data.
Building enforcement and adjudication capacity
The DPB functions as the national authority responsible for adjudicating complaints from data principals, determining non-compliance and imposing penalties under the DPDP framework.
The increase in budgetary allocation is intended to support the operationalisation of the Board, including staffing, adjudication infrastructure, administrative systems and investigation capacity. The enhanced funding is aimed at enabling the regulator to process and decide complaints at scale once enforcement commences.
With the notification of rules already completed, the additional allocation in Budget 2026 provides the financial base for the transition from rule-making to active regulatory oversight.
Penalties and compliance requirements
Under the DPDP framework, organisations can face penalties of up to ₹250 crore for specified violations. The penalty provisions apply to entities processing personal data of individuals in India, including financial institutions, healthcare providers, digital platforms, e-commerce companies and enterprises processing employee or customer data.
Compliance obligations include obtaining and recording valid consent, enabling data principal rights such as correction, deletion and portability, maintaining records of processing activities, implementing appropriate security safeguards and putting in place grievance redressal mechanisms.
Organisations are also required to establish contractual and operational controls with vendors and third-party processors involved in personal data handling.
Phased enforcement across sectors
The 18-month phased rollout provides for staggered enforcement across different categories of data-intensive sectors. The phased approach allows regulatory sequencing while requiring organisations to initiate compliance programmes ahead of their applicable enforcement window.
Enterprises operating across multiple sectors will be required to manage compliance timelines separately for different business units, based on the order in which enforcement is applied.
Technology and governance implications
The enforcement of the DPDP framework requires changes to enterprise data management and governance systems. Organisations are expected to deploy consent management systems, data discovery and mapping tools, access control mechanisms and incident response processes.
Legacy systems storing personal data without structured consent records or defined processing purposes will need remediation. In addition, organisations must put in place documentation and internal controls to demonstrate compliance during regulatory review or adjudication.
The increased allocation to the Data Protection Board in Budget 2026 establishes the operational foundation for enforcement of India’s personal data protection regime, with compliance obligations becoming effective from May 2026 under a phased national rollout.
