Last updated: May 18, 2026
What just shifted
MeitY’s notification of Phase 2 of the DPDP Rules has locked the effective date for several previously-flagged sections. The headline change is that the bulk of operational obligations on data fiduciaries — grievance redressal SLAs, breach-notification timelines, the Consent Manager interaction model, and the cross-border negative-list mechanic — go live on 1 August 2026. The Significant Data Fiduciary (SDF) criteria and the additional obligations that flow from that designation kick in on the same date, with a 60-day extension window for SDF self-classification that ends 30 September 2026.
If you are a SaaS company processing the personal data of Indian Data Principals, you have approximately ten weeks. This piece is the practitioner-level checklist of what must be in place by then.
The August 2026 must-ship list
| Obligation | What it means for a SaaS | Engineering effort |
|---|---|---|
| Granular consent capture | Purpose-specific, withdrawable, with a free Hindi-language option | Consent registry + UI for withdrawal — 3-4 sprints if greenfield |
| Grievance Officer | Named individual, published email/phone, 30-day SLA | Process work — ticketing flow + monthly metric review |
| Breach notification | DPB notice within 72h; Data Principal notice “without delay” | Incident playbook update + draft notification templates |
| Erasure on purpose-completion | Active deletion when retention purpose is exhausted, not lazy | Hard. Schema-wide audit + scheduled deletion jobs |
| Cross-border transfer check | Negative list compliance for each downstream vendor | Vendor inventory + DPA addenda |
What the consent registry actually looks like
The Rules do not prescribe a schema, but auditors will ask for one. The minimum-viable consent registry needs to record: who consented, to what purpose, on what date, by what mechanism, and — the part most teams skip — when the consent ends. Worked example:
CREATE TABLE consent_record (
consent_id UUID PRIMARY KEY,
data_principal_id UUID NOT NULL,
purpose_code VARCHAR(64) NOT NULL, -- e.g. 'marketing_email', 'kyc_aadhaar'
legal_basis VARCHAR(32) NOT NULL, -- 'consent' | 'legitimate_use' | 'employment'
consent_text_id UUID NOT NULL, -- FK to the exact wording shown
language CHAR(5) NOT NULL, -- 'en-IN', 'hi-IN', 'ta-IN' …
channel VARCHAR(32) NOT NULL, -- 'web_signup', 'app_onboarding', 'partner_api'
granted_at TIMESTAMP NOT NULL,
expires_at TIMESTAMP, -- NULL = until withdrawn
withdrawn_at TIMESTAMP,
withdrawal_reason VARCHAR(64),
audit_ip INET,
audit_user_agent TEXT,
proof_blob_sha256 CHAR(64) -- hash of the consent UI snapshot
);
CREATE INDEX ix_cr_principal_active ON consent_record (data_principal_id)
WHERE withdrawn_at IS NULL;Three details matter. The consent_text_id points to an immutable record of the exact text the user saw — when you reword your consent flow, you must keep the old wording on file for the duration of the granted consent. The proof_blob_sha256 hashes a screenshot or DOM dump of the consent moment; this is what defends you if a Data Principal disputes that consent was ever granted. The partial index on the active set is what makes lookups cheap when the table grows to 100M rows.
Breach-notification timeline — what 72 hours actually looks like
The DPB notice is “without delay, and in any case within 72 hours.” Walk through a realistic timeline so the SLA is concrete, not abstract.
| T+ | Event | What’s needed |
|---|---|---|
| T+0h | SOC detects suspicious database read pattern | SIEM rule + Data Principal table tagging |
| T+2h | IR confirms unauthorized access, estimates scope | Forensic capture + log preservation |
| T+6h | Legal + DPO decide DPB-reportable | Decision tree pre-written; not invented on the day |
| T+24h | Preliminary DPB notice filed; CERT-In notice in parallel (6h SLA there!) | Template + designated submission account |
| T+48h | Affected Data Principals begin to be notified | Email + in-app + (if material) SMS |
| T+72h | Full DPB notice; remediation timeline; root cause working hypothesis | Incident lead, comms, legal all aligned |
The trap many Indian SaaS hit: the CERT-In 6-hour reporting requirement under the 2022 Directions is parallel to and shorter than the DPB 72-hour clock. If you wait until you’ve finished the DPB notice, you’ve missed CERT-In. Build the dual-notification fork into the playbook explicitly.
The Consent Manager is the surprise
The 2025 draft Rules described a Consent Manager as an optional intermediary — most fiduciaries assumed it would be a feature of UPI-style infrastructure that may or may not arrive. Phase 2 sharpens this: a Consent Manager is a separately-registered entity that holds consents on behalf of the Data Principal and lets them be issued, withdrawn, and audited across multiple fiduciaries. Fintech, healthtech, and credit-bureau-adjacent businesses should expect their large bank partners to start asking whether they integrate with one or more registered Consent Managers by Q4. If you build directly on Account Aggregator infrastructure you have most of this stack already; if not, plan for an integration sprint.
What an SDF designation actually costs
Three controls that look modest in the text are operationally heavy in practice. First, the DPIA: every new processing purpose needs an impact assessment, signed by the Data Protection Officer. Second, periodic audit by an independent auditor — annual, not one-shot. Third, the DPO independence requirement: the DPO cannot report into the function whose processing they oversee. For a 300-engineer SaaS, that means lifting the DPO out of Engineering or Product and reporting to the CEO or Board. Get this structurally right now; reorgs in November are nobody’s idea of fun.
The negative list and your vendor inventory
Cross-border data movement remains legal except to countries on the published negative list. As of notification, no countries have been added — but the mechanism is now live, and additions are by Central Government notification with no consultation requirement. The defensive posture is to maintain a current data-flow map of every processor in your stack with the storage region per processor. A spreadsheet works. The hard part is the long tail: the analytics tool, the email sender, the SaaS CRM your sales team adopted last quarter, the AI vendor you tried during a hackathon and never deprovisioned. If one of those vendors hosts in a country that gets added to the negative list with 30 days’ notice, you need to know within hours, not weeks.
A useful exercise: run grep -r "api." config/ .env* across your repos, intersect the hostnames with public Whois region data, and grade each. The output of this 20-minute exercise on a mid-stage Indian fintech we audited last quarter found seventeen processors the inventory sheet did not — three of them in jurisdictions that would be plausible candidates for the first negative-list additions.
What to do this week
- Get the August 2026 date on the engineering roadmap with a named owner.
- Run a 90-minute working session: list every personal-data field in your product, mapped to a purpose. The list is shorter than you think; the gaps are where the work lives.
- If you are likely SDF-eligible — fintech, healthtech, ed-tech serving children, anything >5M Indian users — start the DPO conversation now.
- Subscribe to MeitY’s DPDP notifications page. The negative-list updates will land here first.
- Tabletop the breach-notification timeline end-to-end. The first time you walk it on a real incident is not when you want to discover the CERT-In 6-hour clock.
References
- RingSafe Academy module: DPDP Act 2023 Foundations
- RingSafe Academy module: DPDP Data Mapping & Inventory
- RingSafe guide: DPDP Act 2023 — Practitioner Guide
- CERT-In 2022 Directions on incident reporting (6-hour SLA reference)
Related engagement → How we delivered DPDP Act readiness for a multi-million-user fintech
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.