A Game-Changer for Digital Data Protection, ETCISO
The FY2026–27 Budget documents allocate ₹10.00 crore for the DPB compared with ₹2.00 crore in FY26 (revised), with a ₹9.50/₹0.50 revenue–capital split. The ministry note adds that this provision is towards “salary and other establishment expenses” of the Board—useful context for interpreting early capacity building.
For enterprises, the bigger signal is the operating model. The DPDP Rules explainer describes a “Digital-First Data Protection Board” where people can file complaints online and track cases via a dedicated portal and mobile app. It also highlights phased implementation and sets out clear protocols for personal data breach notifications—so “self-reporting + transparency” becomes a core compliance muscle, not a paperwork exercise.
The sequencing makes FY27 strategically important. MeitY’s commencement notification triggers Consent-Manager-linked provisions one year after publication (around November 2026) and most substantive obligations eighteen months after publication (around May 2027). Consent Managers are defined as interoperable platforms through which individuals can give, manage, review or withdraw consent—so integration-readiness will matter well before “full enforcement.”
Dr Ram Kumar G, Cyber Security & Risk Leader at a global automotive company, calls the budget change an activation moment: “The transition from a ₹2 crore setup budget to a ₹10 crore operational budget for FY27 is a clear signal that the DPB is moving from ‘existence’ to ‘activation’… it’s the budget of a lean, high-tech startup, not a massive bureaucratic machine.” His enterprise inference: prepare for “algorithm-driven oversight” where digital filings, complaint quality, and response timelines become the first-order signals.
With an estimated 200,000+ entities likely to fall within the scope of the DPDP Act, FY27 is likely to be guidance-led, with selective enforcement and limited capacity to enforce the law at scale. The multiplier could be coordination with sector regulators in regulated industries, plus advisory/pro-bono support from qualified professionals.
What should be prioritized in FY27?
Evidence-first execution. Make breach response measurable (detect → triage → decide → intimate), and rehearse the clock.
Avinash Tiwari, CISO, Pidilite summarises the posture: “The five-fold increase signals a clear intent to operationalize the DPDP Act, [FY27] should be a focus on issuing clearer guidelines rather than widespread audits.” Yet the risk lens remains board-level: the DPDP explainer notes penalties up to ₹250 crore for failure to maintain reasonable security safeguards, and up to ₹200 crore for not notifying the Board/affected individuals of a breach.
An FY27 plan that stands up to a notice, an audit request, or a board review:
- Treat breach reporting as a product, not a process: templates, decision trees, owner clarity, and “clock-speed” rehearsals aligned to portal-led reporting expectations.
- Modernise consent operations: map consent capture → update → withdrawal across channels, anticipating the Consent Manager ecosystem coming into force on the one-year mark from notification.
- Build an “evidence room”: control-to-proof mapping for safeguards and breach handling—the two costliest penalty heads.
- Codify the “crown jewels”: define your highest-risk data and processing, then align enhanced monitoring, access controls, and incident thresholds accordingly.
FY2026–27, in short, looks like a year of structured activation: digital-first processes, selective enforcement, and increasing expectations of demonstrable control. The organisations that use this window to operationalise—rather than only document—will enter the next phase with far less uncertainty and far more leverage.