The Complete Guide to India's DPDP Act 2023: Everything Enterprises Need to Know Before May 2027
Risk & Compliance

Ranu Gupta, April 2026, 24 min read
Tags: DPDP Act, compliance, checklist, 2026

83% of Indian organizations haven't begun comprehensive DPDP implementation. The average data breach in India costs ₹22 crore. And the Digital Personal Data Protection Act, 2023 carries penalties up to ₹250 crore per violation, more than most companies' entire annual compliance budgets. The final enforcement deadline is May 13, 2027, and the clock is running.

India's first comprehensive data protection law isn't a sectoral guideline you can defer to next quarter. It applies to every organization processing digital personal data of individuals in India - from SBI processing 500 million customer accounts to a Bengaluru startup collecting email addresses. The DPDP Rules, notified by MeitY in November 2025, have turned what seemed theoretical into hard operational obligations with real financial consequences.

This guide is written for the CXO, compliance officer, DPO, CISO, or board member who needs to understand exactly what DPDP requires, who it affects, what the penalties look like, and how to build a compliance program before enforcement begins. Every claim cites the specific DPDP section or rule. Every obligation comes with an Indian enterprise example. And every section answers the question your board will ask: "What does this mean for us?"

Why May 2027 Changes Everything for Indian Enterprises

The DPDP Act represents India's first comprehensive data protection law, moving from a compliance vacuum to strict legal enforcement. Unlike sector-specific guidelines from RBI or SEBI, DPDP applies universally from neighborhood clinics maintaining patient records to global banks processing millions of transactions.

The timing is deliberate. The phased implementation gives enterprises breathing room, but the May 2027 deadline is non-negotiable. The Data Protection Board of India (DPBI) will have full enforcement powers, with penalty frameworks that dwarf most regulatory fines. A single data breach could trigger penalties exceeding ₹250 crore, more than most companies' annual compliance budgets.

What makes DPDP particularly challenging is its departure from familiar compliance models. Unlike GDPR's principle-based approach or India's existing sectoral regulations, DPDP combines strict consent requirements with significant operational flexibility. Organizations that treat this as a legal exercise will fail. Those that recognize it as a fundamental business transformation will thrive.

The real shift isn't just legal, it's operational. DPDP forces enterprises to question every data touchpoint, from customer onboarding to employee records to vendor relationships. Organizations that get this right will have a competitive advantage in India's digital economy. — Sunil Kumar Gupta, Chairman, SARC

DPDP Act Timeline: From Law to Enforcement

The DPDP Act's phased implementation follows a carefully structured timeline that enterprises must track closely:

| Phase | Date | What Happens | Enterprise Impact |
|---|---|---|---|
| Phase 1 | August 11, 2023 | DPDP Act receives Presidential assent | Planning and preparation begins |
| Phase 2 | November 13, 2025 | DPDP Rules notified by MeitY; DPBI established | Legal framework becomes operational |
| Phase 3 | November 13, 2026 | Consent Manager framework goes live | Consent architecture must be DPDP-compliant |
| Phase 4 | May 13, 2027 | All substantive provisions effective | Full compliance required; enforcement begins |

Phase 1 (2023-2025): The preparation window. Smart organizations used this period for data discovery, gap analysis, and system design. Those who waited are now in catch-up mode.

Phase 2 (November 2025): The DPDP Rules provide operational clarity. The Data Protection Board gains legal standing and begins registration processes for Consent Managers and auditors. Organizations can no longer claim regulatory uncertainty.

Phase 3 (November 2026): The Consent Manager ecosystem launches. Any organization relying on consent must integrate with registered Consent Managers or build compliant consent infrastructure. This is the last checkpoint before full enforcement.

Phase 4 (May 2027): The enforcement cliff. All DPDP obligations become legally binding. The DPBI can investigate, issue directions, and impose penalties. Non-compliance shifts from regulatory risk to business-critical threat.

The gap most organizations miss is treating these as discrete phases rather than a continuous compliance journey. By May 2027, you need fully operational systems, trained staff, documented processes, and proven incident response capabilities.

Who Must Comply: Understanding DPDP's Scope

Data Fiduciary: The Primary Obligated Entity

A Data Fiduciary is any person who determines the purpose and means of processing personal data. This isn't limited to technology companies or large corporations. Examples include:

  • HDFC Bank collecting customer KYC data for account opening (determines why and how to process)
  • Apollo Hospitals maintaining patient records for treatment and billing
  • Infosys processing employee payroll and performance data
  • A neighborhood clinic storing patient appointment and medical history data
  • An e-commerce startup collecting customer shipping addresses and payment information

The key test isn't organizational size or sector — it's control over data processing decisions.

Data Processor: The Service Provider

A Data Processor processes personal data on behalf of a Data Fiduciary. The relationship is contractual, with specific obligations:

  • Amazon Web Services hosting bank customer data (processes but doesn't determine purpose)
  • A BPO company handling customer service calls for a telecom operator
  • Razorpay processing payment transactions for e-commerce companies
  • A payroll outsourcing company managing salary processing for multiple clients

Processors have fewer direct obligations but must comply with Fiduciary instructions and maintain security safeguards.

Significant Data Fiduciary: Enhanced Obligations

The Central Government will designate certain Data Fiduciaries as "Significant" based on:

  • Volume of personal data processed
  • Sensitivity of data
  • Risk to rights and freedoms of Data Principals
  • Potential impact on sovereignty and integrity of India

Likely candidates include:

  • Large banks (SBI, ICICI, HDFC processing millions of accounts)
  • Telecom operators (Jio, Airtel with subscriber data)
  • Major e-commerce platforms (Amazon India, Flipkart)
  • Social media platforms with Indian users
  • Government entities processing citizen data at scale

SDFs face additional obligations:

  • Appoint a Data Protection Officer (DPO) based in India
  • Conduct Data Protection Impact Assessments (DPIAs)
  • Undergo independent data audits
  • Potentially comply with data localization requirements

Consent Managers: A New DPDP Institution

Consent Managers are a unique DPDP innovation - registered entities that help individuals manage consent across platforms. Requirements include:

  • Indian company incorporation
  • Minimum net worth of ₹2 crore
  • AES-256 encryption for data transmission
  • 7-year record retention
  • No conflicts of interest (can't be owned by Data Fiduciaries they serve)

The 10 Core DPDP Obligations Every Enterprise Must Meet

1. Lawful Basis for Processing (Section 5)

DPDP permits processing personal data only for:

  • Consent: Free, specific, informed, unconditional, and unambiguous
  • Legitimate Use: Specified purposes that don't require consent

Practical Example: A bank can process customer transaction data for fraud detection (legitimate use) but needs separate consent for marketing communications.

Common Mistake: Assuming "legitimate business interest" covers everything. DPDP's legitimate use categories are narrow and specific.

2. Consent Requirements

Valid consent must be:

  • Free: No coercion or negative consequences for refusal
  • Specific: Clear about what data and which purposes
  • Informed: Individual understands what they're agreeing to
  • Unconditional: Not bundled with other agreements
  • Unambiguous: Clear affirmative action, not silence or inactivity

Practical Example: An e-commerce platform cannot make account creation conditional on marketing consent. Payment processing consent and promotional email consent must be separate.

Common Mistake: Pre-checked boxes or consent buried in terms of service. DPDP requires explicit, granular consent for each purpose.

3. Purpose Limitation (Section 5)

Personal data can only be processed for the stated purpose. New purposes require fresh consent.

Practical Example: If Swiggy collects delivery addresses for order fulfillment, using that data for targeted advertising requires separate consent.

Common Mistake: Assuming broad consent covers future use cases. Purpose creep without fresh consent violates DPDP.

4. Data Minimization (Section 5)

Collect only personal data necessary and proportionate to the purpose.

Practical Example: A job portal collecting Aadhaar numbers for resume verification may be disproportionate if email verification suffices.

Common Mistake: "We might need it later" justification. DPDP requires current necessity, not future possibility.

5. Privacy Notice Requirements (Section 7)

Data Fiduciaries must provide clear notice about:

  • What personal data is being processed
  • Why it's being processed
  • How Data Principal rights can be exercised
  • Contact details for queries and complaints

Notices must be in English or scheduled Indian languages, easily accessible, and regularly updated.

Practical Example: Zomato's privacy notice must clearly explain why they collect location data, how long they keep it, and how users can request deletion.

Common Mistake: Legal jargon that ordinary users can't understand. DPDP emphasizes "clear and plain language."

6. Data Principal Rights (Sections 10-13)

Individuals have rights to:

  • Access: Know what personal data is processed
  • Correction: Fix inaccurate or incomplete data
  • Erasure: Request deletion when purpose fulfilled or consent withdrawn
  • Grievance Redressal: Complain to Data Fiduciary and DPBI
  • Nomination: Appoint someone to exercise rights posthumously

Practical Example: A bank customer can request to see all personal data held, correct outdated contact information, and delete data if they close their account.

Common Mistake: Making rights exercise difficult or time-consuming. DPDP requires "reasonable and practical" processes.

7. Data Retention and Erasure (Section 8)

Personal data must be erased when:

  • Purpose of processing is fulfilled
  • Consent is withdrawn
  • Processing becomes unlawful
  • Retention is no longer necessary

Practical Example: Insurance companies must delete claim documents after regulatory retention periods expire, unless needed for ongoing legal proceedings.

Common Mistake: Indefinite data retention "just in case." DPDP requires active data lifecycle management.

8. Security Safeguards (Section 8)

Data Fiduciaries must implement reasonable technical and organizational measures to protect personal data.

Practical Example: Hospitals must encrypt patient data, restrict access to authorized personnel, and maintain audit logs of data access.

Common Mistake: Focusing only on technical security while ignoring organizational measures like staff training and vendor management.

9. Breach Notification (Section 8)

While DPDP doesn't specify timeframes, Data Fiduciaries must notify the DPBI and affected individuals of breaches that may cause harm.

Practical Example: If an ed-tech company's database is compromised exposing student personal data, they must notify both the DPBI and affected students/parents.

Common Mistake: Waiting for investigation completion before notification. Based on CERT-In precedent, 72-hour notification to authorities is emerging best practice.

10. Children's Data Protection (Section 9)

Processing personal data of individuals under 18 requires:

  • Verifiable parental consent
  • No behavioral tracking or targeted advertising
  • Extra care in processing decisions

Practical Example: Gaming platforms must obtain parental consent before collecting data from users under 18 and cannot use that data for targeted advertising.

Common Mistake: Age verification through self-declaration. DPDP requires "verifiable" parental consent, suggesting stronger verification mechanisms.

Significant Data Fiduciary: The Enhanced Compliance Tier

Organizations designated as Significant Data Fiduciaries face substantially higher obligations and scrutiny. The designation process is discretionary but predictable based on stated criteria.

Designation Criteria and Likely Candidates

The Central Government will consider:

  • Volume of personal data: Organizations processing data of millions of Indians
  • Sensitivity: Financial, health, biometric, or sensitive personal data
  • Risk to rights: Potential for significant harm from data misuse
  • Sovereignty impact: Strategic sectors or critical infrastructure

Almost Certain SDFs:

  • State Bank of India (processes data of 500+ million customers)
  • Reliance Jio (subscriber base exceeding 400 million)
  • UIDAI (Aadhaar data of 1.3+ billion Indians)
  • Major payment platforms like UPI ecosystem players

Likely SDFs:

  • Large private banks (ICICI, HDFC, Axis)
  • Major e-commerce platforms (Amazon India, Flipkart)
  • Healthcare aggregators processing sensitive health data
  • EdTech platforms with significant user bases

Additional SDF Obligations

Data Protection Officer (DPO)

SDFs must appoint a DPO who:

  • Is based in India
  • Acts as primary contact for DPBI
  • Monitors DPDP compliance
  • Conducts impact assessments
  • Reports directly to senior management

The DPO cannot be the same person responsible for marketing or business development — ensuring independence in privacy decisions.

Data Protection Impact Assessment (DPIA)

SDFs must conduct DPIAs for:

  • New data processing activities
  • Significant changes to existing processing
  • High-risk processing operations

A DPIA must assess:

  • Necessity and proportionality of processing
  • Risks to Data Principal rights
  • Mitigation measures
  • Alternatives considered

Practical Example: Before launching an AI-powered credit scoring system, a bank designated as SDF must conduct a DPIA evaluating algorithmic fairness, data accuracy requirements, and individual impact.

Independent Data Audit

SDFs must undergo regular audits by DPBI-registered auditors covering:

  • Compliance with DPDP obligations
  • Effectiveness of security measures
  • Data processing practices
  • Breach preparedness and response

Potential Data Localization

The Central Government may require SDFs to store certain categories of personal data within India. While specific requirements aren't yet announced, precedent from other sectors suggests:

  • Financial data (following RBI's data localization directive)
  • Health data (National Digital Health Mission requirements)
  • Critical personal data (to be defined by government)

Consent Management: What DPDP-Compliant Consent Looks Like

Consent under DPDP isn't just a privacy notice and checkbox. It's an ongoing relationship requiring:

  • Granular choice: Separate consent for each processing purpose
  • Easy withdrawal: As simple as giving consent
  • Clear communication: No legal jargon or dark patterns
  • Documented proof: Audit trail of consent decisions

Current Bank Practice (Non-Compliant): "By opening this account, you consent to HDFC Bank processing your personal data for account services, marketing, analytics, and sharing with partners as described in our privacy policy."

DPDP-Compliant Approach: "We need your consent for specific uses of your personal data:

  • ✓ Account services (mandatory for account opening)
  • ☐ Promotional offers via email/SMS
  • ☐ Sharing with insurance partners for product offers
  • ☐ Analytics to improve our services

You can change these choices anytime in your account settings."

From November 2026, Consent Managers will facilitate consent across platforms. Think of it as "single sign-on for privacy consent."

How It Works:

  1. Individual registers with a Consent Manager
  2. When visiting a website/app, they're redirected to their Consent Manager
  3. Consent Manager presents standardized consent options
  4. Individual makes choices, which are cryptographically recorded
  5. Website/app receives consent proof and processes accordingly
  6. Individual can review and modify consent across all platforms from one dashboard
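As an added illustration of the granular, withdrawable, auditable consent described above, and of the consent proof a Consent Manager hands back in step 5, here is a small Python consent ledger (example code written for this page, not from the original article or from any Consent Manager product). Every purpose is its own record, withdrawal is one call, and an HMAC-chained trail exposes any edited or deleted decision; the purpose names, customer ID and key are constructed, and `is_permitted` is the check a processing pipeline would call before each use.

```python
import hashlib
import hmac
import json
import time

# Purposes a Data Fiduciary registers (constructed, mirroring the bank example
# above). Only account_services is mandatory for delivering the service; every
# other purpose is a separate opt-in that must start unticked.
PURPOSES = {
    "account_services": {"mandatory": True},
    "promotional_offers": {"mandatory": False},
    "insurance_partner_sharing": {"mandatory": False},
    "analytics": {"mandatory": False},
}


class ConsentError(ValueError):
    """A consent submission that breaks the granularity rules."""


class ConsentLedger:
    """Append-only, HMAC-chained log of per-purpose consent decisions: every
    record carries the MAC of the one before it, so an edited or deleted
    decision invalidates everything that follows."""

    def __init__(self, key: bytes):
        self.key = key          # hypothetical secret held by the fiduciary
        self.records = []

    def _append(self, principal, purpose, action, ts):
        prev = self.records[-1]["mac"] if self.records else "0" * 64
        body = {"principal": principal, "purpose": purpose,
                "action": action, "ts": ts, "prev": prev}
        payload = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        record = dict(body, mac=mac)
        self.records.append(record)
        return record

    def submit_form(self, principal, choices, ts=None):
        """Record a consent screen (purpose -> bool) exactly as left by the
        individual: mandatory purposes must be ticked affirmatively, an
        unticked or absent optional purpose produces no record (silence is
        never agreement), and each ticked purpose becomes its own record."""
        ts = ts if ts is not None else time.time()
        unknown = set(choices) - set(PURPOSES)
        if unknown:
            raise ConsentError(f"unregistered purpose(s): {sorted(unknown)}")
        for purpose, meta in PURPOSES.items():
            if meta["mandatory"] and choices.get(purpose) is not True:
                raise ConsentError(f"{purpose} must be agreed to use the service")
        return [self._append(principal, p, "grant", ts)
                for p, ticked in choices.items() if ticked is True]

    def withdraw(self, principal, purpose, ts=None):
        """Withdrawal is one call, no harder than granting."""
        if purpose not in PURPOSES:
            raise ConsentError(f"unregistered purpose: {purpose}")
        return self._append(principal, purpose, "withdraw",
                            ts if ts is not None else time.time())

    def is_permitted(self, principal, purpose):
        """Latest decision wins; no record at all means no consent."""
        state = False
        for r in self.records:
            if r["principal"] == principal and r["purpose"] == purpose:
                state = r["action"] == "grant"
        return state

    def verify_chain(self):
        """Recompute every link and MAC; False means the trail was altered.
        Each record is the proof an auditor (or the website/app receiving it
        from a Consent Manager) can check against the fiduciary's key."""
        prev = "0" * 64
        for r in self.records:
            body = {k: r[k] for k in ("principal", "purpose", "action", "ts", "prev")}
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
            if r["prev"] != prev or not hmac.compare_digest(expected, r["mac"]):
                return False
            prev = r["mac"]
        return True


def demo():
    """Bank example: account services plus one opt-in, a withdrawal, then a
    forged edit that tries to reinstate the withdrawn consent."""
    ledger = ConsentLedger(key=b"constructed-demo-key")
    ledger.submit_form("cust-001", {"account_services": True,
                                    "promotional_offers": True,
                                    "analytics": False}, ts=1.0)
    granted = ledger.is_permitted("cust-001", "promotional_offers")
    ledger.withdraw("cust-001", "promotional_offers", ts=2.0)
    withdrawn = not ledger.is_permitted("cust-001", "promotional_offers")
    intact = ledger.verify_chain()
    ledger.records[-1]["action"] = "grant"     # tamper with the withdrawal
    return {"granted": granted, "withdrawn": withdrawn, "intact": intact,
            "analytics": ledger.is_permitted("cust-001", "analytics"),
            "tamper_detected": not ledger.verify_chain()}
```

The unticked analytics box leaves no record at all, which is the property that makes pre-checked boxes and buried bundled consent impossible to represent in the log.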

Registration Requirements for Consent Managers:

  • Indian company (no foreign ownership exceeding sectoral caps)
  • Minimum net worth of ₹2 crore
  • AES-256 encryption for data transmission and storage
  • 7-year record retention capability
  • Independent audit and security certification
  • No conflicts of interest (cannot be owned by Data Fiduciaries they serve)

Business Impact: Organizations must either:

  1. Integrate with registered Consent Managers (recommended for most)
  2. Build consent infrastructure meeting DPDP standards (complex and expensive)
  3. Rely only on legitimate use exceptions (limited applicability)

Cross-Border Data Transfers: India's Unique Approach

DPDP takes a "negative list" approach to international data transfers — fundamentally different from GDPR's adequacy model.

How It Works

Permitted by Default: Personal data can be transferred to any country unless the Central Government specifically restricts transfers to that country.

Government Powers: The Central Government can restrict transfers to countries that:

  • Don't provide adequate protection for personal data
  • Could harm India's sovereignty and integrity
  • Pose risks to public order or national security

No Restricted List Yet: As of 2026, the government hasn't published any restricted countries, making most transfers currently permissible.

Comparison with GDPR

| Aspect | DPDP Act | GDPR |
|---|---|---|
| Default Position | Transfers allowed unless restricted | Transfers prohibited unless adequate protection |
| Mechanism | Government restriction lists | Adequacy decisions, SCCs, BCRs |
| Business Certainty | High (until restrictions imposed) | Lower (complex compliance mechanisms) |
| Government Control | High (can restrict overnight) | Lower (through EU institutions) |

Practical Implications

Current State (2026): Most Indian companies can transfer personal data to global cloud providers, outsourcing partners, and international subsidiaries without additional compliance mechanisms.

Future Risk: The government could restrict transfers to specific countries with minimal notice, potentially disrupting existing business arrangements.

What Enterprises Should Do:

  1. Map all cross-border data flows — know where personal data goes
  2. Document legal basis for each transfer
  3. Develop contingency plans for potential restrictions
  4. Consider data residency options for critical processing
  5. Monitor government announcements on restricted countries

Sector-Specific Considerations

Financial Services: RBI's data localization requirements create additional complexity. Payment data must already be stored in India, but customer data for non-payment purposes may be transferable under DPDP (unless restricted).

Healthcare: No specific DPDP restrictions, but sector regulators may impose additional requirements for health data transfers.

IT/BPO: Significant advantage - processing personal data of individuals outside India for foreign clients remains largely exempted, preserving India's outsourcing competitiveness.

DPDP Act vs GDPR: Critical Differences for Global Organizations

Many Indian organizations assume GDPR compliance covers DPDP requirements. This is dangerous thinking — the frameworks differ substantially.

| Requirement | DPDP Act | GDPR | Compliance Gap |
|---|---|---|---|
| Lawful Bases | Consent + Legitimate Use only | 6 bases including legitimate interests | GDPR's legitimate interests ≠ DPDP's legitimate use |
| DPO Requirement | Significant Data Fiduciaries only | Broader requirement based on processing type | May need DPO for GDPR but not DPDP (or vice versa) |
| Consent Age | Under 18 (parental consent required) | 13-16 depending on member state | Different age thresholds |
| Data Portability | Not explicitly provided | Explicit right under Article 20 | GDPR systems may be over-engineered for DPDP |
| Transfer Mechanisms | Negative list (restricted countries) | Adequacy + safeguards (SCCs, BCRs) | Completely different compliance approaches |
| Breach Notification | To DPBI + individuals (no timeframe specified) | 72 hours to authority + individuals | Different notification requirements |
| Penalties | Up to ₹250 crore (absolute amounts) | Up to €20M or 4% revenue (whichever higher) | Different penalty calculations |
| Consent Managers | Unique DPDP institution | No equivalent | New compliance infrastructure needed |

Why GDPR Compliance Isn't Enough

Consent Architecture: GDPR allows "legitimate interests" for many processing activities. DPDP's "legitimate use" categories are narrower, requiring consent for activities that might be permissible under GDPR.

Example: A European retailer can process customer data for fraud prevention under "legitimate interests." The same company operating in India needs either explicit consent or must qualify fraud prevention as "legitimate use" (which may require regulatory clarification).

Organizational Requirements: A multinational bank might need a DPO in Europe under GDPR but not require one for Indian operations unless designated as SDF. Conversely, an Indian digital platform might need a local DPO under DPDP while not meeting GDPR's DPO thresholds.

Transfer Compliance: SCCs and BCRs developed for GDPR compliance become irrelevant under DPDP's negative list approach. Organizations need parallel transfer impact assessments.

The biggest mistake global organizations make is treating DPDP as "GDPR for India." While both are privacy laws, the compliance architectures are fundamentally different. You need parallel, not integrated, compliance programs. - Sunil Kumar Gupta, Chairman, SARC

Penalties and Enforcement: The DPBI's Expanding Powers

Data Protection Board of India (DPBI)

The DPBI operates as both regulator and adjudicator, with powers to:

  • Investigate complaints and suo moto violations
  • Issue directions for compliance and remedial action
  • Impose penalties up to ₹250 crore
  • Register and regulate Consent Managers and auditors
  • Monitor cross-border transfer restrictions

Penalty Framework

DPDP specifies penalty ranges for different violations:

| Violation Category | Maximum Penalty | Key Triggers |
|---|---|---|
| Security Safeguards Failure | ₹250 crore | Data breaches, inadequate security measures |
| Breach Notification Failure | ₹200 crore | Failing to notify DPBI and affected individuals |
| Children's Data Violations | ₹200 crore | Processing children's data without proper consent |
| SDF Obligation Breach | ₹150 crore | DPO failures, DPIA non-compliance, audit violations |
| DPBI Direction Non-Compliance | ₹50 crore | Ignoring Board orders and directions |
| General Violations | ₹50 crore | Other DPDP breaches not specifically categorized |

Penalties are absolute amounts (not revenue-based like GDPR), making them particularly significant for smaller organizations.

Enforcement Process

Stage 1: Complaint/Investigation

  • Individual complaints to DPBI
  • Suo moto investigations
  • Regulatory referrals from other agencies

Stage 2: Notice and Response

  • Show cause notice to alleged violator
  • Opportunity for written submissions
  • Hearing before DPBI (if requested)

Stage 3: Adjudication

  • DPBI issues reasoned order
  • Penalty imposition and/or compliance directions
  • Publication of order (with redactions)

Stage 4: Appeals

  • Appeal to appropriate High Court
  • Stay on penalty (if granted by court)
  • Final judicial determination

Enforcement Scenario: Major Bank Data Breach

  • Day 1: Cyberattack compromises customer database of a large private bank
  • Day 3: Bank discovers breach during routine monitoring
  • Day 5: Bank notifies DPBI and affected customers (potential delay penalty: up to ₹200 crore)
  • Week 2: DPBI initiates investigation, requests detailed breach report
  • Month 1: Investigation reveals inadequate encryption and access controls (potential security penalty: up to ₹250 crore)
  • Month 3: DPBI issues show cause notice combining both violations
  • Month 6: After bank's response and hearing, DPBI imposes ₹75 crore penalty plus compliance directions
  • Month 9: Bank appeals to High Court, seeking stay on penalty payment

Total Potential Exposure: ₹450 crore (₹200 crore + ₹250 crore)
Actual Penalty: ₹75 crore (considering bank's cooperation and remedial measures)

No Criminal Liability

Unlike some data protection laws globally, DPDP creates only civil penalties. No individual can be criminally prosecuted solely for DPDP violations, though related offenses under IT Act 2000 or IPC may still apply.

Industry-Specific DPDP Impact Analysis

Banking and Financial Services

Unique Challenges:

  • Dual Compliance: RBI data localization + DPDP requirements create overlapping obligations
  • SDF Designation: Large banks almost certainly qualify as Significant Data Fiduciaries
  • KYC Complexity: Customer onboarding requires extensive personal data collection
  • Third-Party Sharing: Insurance, investment, and lending partnerships need consent review

Key DPDP Impacts:

  • Account Opening: Cannot bundle marketing consent with account services
  • Credit Scoring: May require consent for alternative data sources
  • Cross-Selling: Each product offering needs separate consent
  • Data Retention: Must delete customer data after account closure (subject to RBI retention rules)

Compliance Priority:

  1. Segregate consent for banking services vs. marketing
  2. Review all third-party data sharing agreements
  3. Implement granular consent management for digital banking
  4. Prepare for SDF designation (DPO appointment, DPIA processes)

Healthcare and Pharmaceuticals

Unique Advantages:

  • Legitimate Use: Medical treatment and emergencies qualify for consent exemptions
  • Regulatory Backing: Existing health data protection frameworks provide foundation

Key DPDP Challenges:

  • Patient Consent: Elective procedures and wellness programs need explicit consent
  • Health Insurance: Data sharing with insurers requires careful consent design
  • Telemedicine: Digital health platforms face complex consent requirements
  • Research: Clinical trials and medical research need specific consent frameworks

Critical Considerations:

  • Medical emergencies allow processing without consent, but notice obligations remain
  • Health data sharing with family members needs careful consent architecture
  • Pharmaceutical marketing to patients requires opt-in consent

Information Technology and Business Process Outsourcing

Major Relief:

  • Outsourcing Exemption: Processing personal data of individuals outside India for foreign clients remains largely exempt
  • Competitive Advantage: Indian IT/BPO industry retains cost advantages without additional compliance burdens

Domestic Obligations:

  • Employee Data: Indian employees' personal data subject to DPDP
  • Local Clients: Domestic outsourcing contracts need DPDP compliance clauses
  • Vendor Role: When acting as Data Processor, must comply with client instructions

Implementation Focus:

  1. Separate compliance frameworks for domestic vs. international operations
  2. Update Data Processing Agreements for domestic clients
  3. Implement employee data protection measures
  4. Consider SDF risk for large domestic-focused operations

E-commerce and Digital Platforms

High Impact Areas:

  • User Profiling: Behavioral tracking and personalization need granular consent
  • Targeted Advertising: Each advertising partner requires separate consent
  • Recommendation Systems: AI-driven suggestions may need consent or legitimate use justification
  • Payment Data: Integration with UPI and payment providers creates data sharing complexity

SDF Risk Factors:

  • Large user bases make e-commerce platforms likely SDF candidates
  • Cross-platform data sharing increases sovereignty risk assessment
  • Integration with foreign platforms may trigger restrictions

Government and Public Sector

Legitimate Use Authority:

  • Government entities can process citizen data for:
    • Providing subsidies, benefits, services
    • Issuing certificates, licenses, permits
    • Compliance with legal obligations

DPDP Obligations Still Apply:

  • Security Safeguards: Government databases need robust protection
  • Breach Notification: Must notify DPBI of security incidents
  • Data Retention: Cannot keep citizen data indefinitely
  • Individual Rights: Citizens can request access and correction

Special Considerations:

  • Aadhaar processing has separate regulatory framework but DPDP principles apply
  • Inter-department data sharing needs legal basis documentation
  • Digitization initiatives must build in privacy-by-design

The 90-Day DPDP Readiness Playbook for Enterprises

With May 2027 approaching, organizations need structured preparation. This playbook provides actionable steps for comprehensive DPDP compliance.

Month 1: Assessment and Foundation (Days 1-30)

This month is about understanding your exposure. Appoint a DPDP project lead with cross-functional authority and form a core team spanning legal, IT, compliance, and business heads. Present a board briefing on DPDP implications with budget requirements; this isn't an IT project, it's a business transformation.

The critical deliverable is a complete data map. Identify every system, database, application, cloud service, and vendor that touches personal data. Document how personal data flows from collection to processing to storage to sharing to deletion. Most organizations discover 3-5x more personal data touchpoints than they expected.

Simultaneously, conduct a legal basis assessment: which processing activities have valid consent? Which qualify for legitimate use exemptions? Where are the gaps? If your organization processes data at scale, assess SDF designation risk and begin planning for the enhanced obligations that follow.

By month-end you should have: a cross-functional team with executive sponsorship, a comprehensive data inventory and flow map, a gap analysis showing where current practices fall short of DPDP requirements, and a clear understanding of whether SDF designation is likely.

Month 2: Build and Implement (Days 31-60)

This month converts assessment into infrastructure. Three workstreams run in parallel.

Privacy infrastructure: Redesign privacy notices in plain language covering what data is collected, why, and how individuals can exercise their rights. Build or procure a consent management system that supports granular, purpose-specific consent with easy withdrawal. Create a Data Subject Rights portal enabling individuals to access, correct, and delete their personal data.

Vendor and partner review: Update every Data Processing Agreement to define Fiduciary vs. Processor responsibilities, include DPDP compliance obligations, and address cross-border transfer requirements. Assess whether your critical vendors can meet DPDP security and breach notification standards.

Security and breach response: Review and strengthen security safeguards - encryption, access controls, authentication, and monitoring. Develop a breach response plan with internal escalation processes, DPBI notification procedures, and individual communication templates. If you process children's data, implement age verification and parental consent mechanisms.

By month-end you should have: DPDP-compliant privacy notices ready to deploy, a working consent management system, updated vendor agreements, a tested breach response plan, and a Data Subject Rights handling process.

Month 3: Test and Launch (Days 61-90)

This month stress-tests everything built in Month 2. Run end-to-end consent flow testing across all customer touchpoints. Simulate Data Subject Rights requests (access, correction, deletion) and measure response times. Conduct a tabletop breach simulation exercise with the full incident response team.

Training is non-negotiable and must reach beyond legal and IT. Legal and compliance teams need detailed DPDP training. IT and security teams need technical implementation guidance. Business teams need consent and data handling protocols. Customer service teams need scripts for individual rights requests. Every employee who touches personal data, which is nearly everyone, needs baseline awareness.

Finalize all documentation: processing records, consent logs, DPIA reports (if SDF), updated policies, and audit trails. Present a final board briefing covering implementation status, residual risks, and ongoing monitoring plans. If you're an SDF, arrange the independent data audit.

By month-end you should have: tested and validated privacy systems, trained staff across all functions, complete compliance documentation, board sign-off on residual risk, and an activated DPDP compliance program.

Beyond 90 Days: Ongoing Compliance

DPDP compliance isn't a project with a finish line - it's an operating model. Monitor consent withdrawal rates, rights request volumes, and vendor compliance monthly. Conduct quarterly reviews of processing activities for new DPDP obligations. Run annual comprehensive compliance audits, especially if designated as SDF. And track DPBI guidance, penalty decisions, and enforcement patterns; the Board's early decisions will define compliance standards for years to come.

The organizations that succeed with DPDP won't be those with the biggest compliance budgets; they'll be those that integrate privacy thinking into every business decision. Start with your customer onboarding journey and work backwards through every data touchpoint. — SARC Risk & Compliance Practice

Frequently Asked Questions

We're already GDPR compliant. Does that cover DPDP? No. While both are data protection laws, their compliance architectures differ fundamentally. GDPR allows six lawful bases for processing, including "legitimate interests"; DPDP permits only consent and a narrow set of legitimate uses. GDPR requires Standard Contractual Clauses for cross-border transfers; DPDP uses a negative list approach. You need a parallel compliance program, not an extension of your GDPR one. The comparison table in Section 8 above maps the specific gaps.

Do we need consent for processing employee data? Not always. DPDP provides a "legitimate use" exemption for employment-related processing — recruitment, onboarding, payroll, benefits, and performance management are covered without explicit consent. However, purpose limitation still applies. Using employee data for something unrelated to their employment (say, marketing a subsidiary's products) requires separate consent. Review every HR data use case individually.

What exactly counts as a "data breach" under DPDP? DPDP requires notification of any personal data breach that may cause harm to Data Principals. This includes unauthorized access, accidental disclosure, loss of data, and destruction of data. The threshold is potential harm, not confirmed harm: if there's a reasonable possibility that affected individuals could suffer financial loss, identity theft, reputational damage, or other harm, notification is required.

Can we still use cloud providers outside India? Currently, yes. DPDP's negative list approach means cross-border transfers are permitted unless the government specifically restricts a country. As of April 2026, no restricted countries have been announced. However, this can change with minimal notice, and sector-specific rules like RBI's data localization directive for payment data still apply independently.

How does DPDP interact with our existing RBI compliance? They operate in parallel. RBI's cybersecurity framework, data localization requirements, and IT outsourcing guidelines remain independently applicable. DPDP adds consent, individual rights, and breach notification obligations on top. For banks, the practical impact is: RBI governs how you secure financial data; DPDP governs how you collect, use, and delete personal data. A bank designated as SDF faces the most complex compliance matrix in Indian regulatory history.

What if we process data for clients outside India? Good news for IT/BPO companies: processing personal data of individuals located outside India for foreign clients remains largely exempt from DPDP. Your Indian employees' data is still covered, and domestic client work is fully subject to DPDP, but international outsourcing contracts won't face additional compliance burdens.

Who should our DPO be - legal, IT, or compliance? Only Significant Data Fiduciaries are required to appoint a DPO, but the choice matters. The DPO needs legal understanding of DPDP, technical knowledge of data systems, and organizational authority to influence decisions. Most organizations are appointing from compliance or legal backgrounds with strong IT collaboration. The DPO cannot hold conflicting responsibilities like marketing or business development — independence is mandatory.

Can the penalties really reach ₹250 crore? Yes, but context matters. ₹250 crore is the maximum for failure to implement security safeguards — essentially the worst-case scenario for a major breach with negligent security practices. The DPBI has discretion in penalty amounts and will likely consider factors like organizational size, breach severity, cooperation during investigation, and remedial measures taken. Early enforcement decisions will establish precedent, but treating the maximum as theoretical would be a costly assumption.

Is there criminal liability under DPDP? No. DPDP creates only civil penalties. No individual can be criminally prosecuted solely for DPDP violations. However, related offenses under the IT Act 2000, Indian Penal Code, or sector-specific regulations may still apply if personal data misuse involves fraud, identity theft, or other criminal conduct.

When should we start preparing if we haven't already? Now. The 90-day playbook above is designed for organizations starting from scratch, but it assumes focused effort and adequate resources. Organizations that begin in early 2027 will face compressed timelines, vendor bottlenecks for consent management systems, and limited availability of qualified DPOs and auditors. The enterprises that start today will have tested, refined systems by May 2027. Those that wait will be scrambling.

SARC's Data Protection Practice has guided enterprises through privacy law compliance across sectors. From SDF readiness assessments to consent architecture design, we help you turn regulatory requirements into competitive advantages.

Our advisory team is ready to help.

Ranu Gupta

Co-founder & Chief Executive Officer