DPDP
Getting Started Guide

Digital Personal Data Protection Act 2023

India's data protection law. Mandatory for any company processing personal data of Indian residents.

Audit Effort6–12 months for full compliance
Key FactEnforcement expected May 2027

What Is dpdp?

The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law. Passed in August 2023 and with Rules notified in November 2025, the Act establishes how organisations must collect, use, store, and protect the personal data of individuals in India. Unlike ISO 27001 or SOC 2, DPDP compliance is a legal obligation — not a voluntary certification. Non-compliance carries penalties of up to ₹250 crore per violation.

The Act creates two categories of regulated entities. Data Fiduciaries are organisations that determine the purpose and means of processing personal data — essentially any company that decides why and how personal data is used. Data Processors process data on behalf of Fiduciaries. Most companies are Fiduciaries for their own customer data. A subset — Significant Data Fiduciaries — will face additional obligations including a mandatory Data Protection Officer, periodic Data Protection Impact Assessments, and potential data localisation requirements. The SDF designation list is expected around May 2027.

The Act gives Data Principals — the individuals whose data you process — rights that your systems must support: the right to access their data, correct it, withdraw consent, and request erasure. You must be able to respond to these requests operationally, not just have a policy that says you will. Full enforcement is expected from 13 May 2027, which sounds distant but the data mapping, consent rebuild, and operational changes required typically take 9–18 months.

Does dpdp Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

Companies processing Indian resident data

If you process personal details (emails, IDs, addresses) of individuals based in India, compliance is a non-optional statutory mandate.

Likely applies

Indian B2C Apps and E-commerce Platforms

Handling consumer data at scale makes your organisation highly vulnerable to privacy disputes and regulatory audits.

Likely applies

Indian FinTech and HealthTech Platforms

Processing sensitive financial or health records triggers Significant Data Fiduciary obligations and audit cycles.

Likely applies
You probably don't need dpdp if:
  • Your company operates entirely outside India and processes no data from residents of India.
  • Your database only contains anonymous data points that cannot be traced back to any individual.
  • Your organization only processes corporate data (business-to-business names and company details) without personal identifiers.

Why dpdp Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

Rules Notified & Active Timeline

Rules were notified in November 2025. Full enforcement begins on 13 May 2027, meaning organisations have roughly a year to align operations.

Board Liability & Massive Fines

Violations trigger fines up to ₹250 crore. Under DPDP, directors are personally liable for failure to implement reasonable safeguards.

User Rights Requests Desk

Users (Data Principals) gain the legal right to erase data, withdraw consent, or correct records. Systems must support these requests natively.

The Requirements

The core security controls and evidence parameters audited for dpdp.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for dpdp.

1
Weeks 1–6

Data Mapping & Inventory

Run a data discovery exercise. Identify where personal data is stored, who can access it, and where it flows.

Key Deliverable:Data inventory mapping register
2
Weeks 7–14

Consent & Policy Rebuild

Rebuild website and application onboarding pages to include translated privacy notices and consent checkboxes.

Key Deliverable:Updated privacy policies, user consent databases
3
Weeks 15–22

Principal Rights Desk Setup

Build interfaces to support user requests for data access, correction, transfer, and complete deletion.

Key Deliverable:Self-service deletion modules and user rights portals
4
Weeks 23–28

DPO & SDF Operations

Appoint a Data Protection Officer (DPO), run GRC workshops, and establish grievance resolution systems.

Key Deliverable:Grievance ticketing desk, DPO appointment registry
With Existing Certifications

12–16 weeks: Use existing GDPR privacy profiles to rapidly draft notices and consent workflows, though database changes remain necessary.

Starting from Scratch

24–36 weeks: Designing a data protection program from scratch requires mapping all databases, rewriting policies, and training employees.

The Mistakes That Delay Most dpdp Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Assuming GDPR compliance covers DPDP

Why it happens:

GDPR and DPDP have different legal bases, notification authorities, and structural requirements. GDPR legitimate interest doesn't map to DPDP. GDPR consent mechanisms may not satisfy DPDP's 'free, specific, informed, unambiguous' standard.

How to avoid it:

Audit your GDPR compliance for DPDP gaps specifically. Four structural differences need attention: legal basis, breach notification process, children's data rules, and SDF designation exposure.

Not starting with data mapping

Why it happens:

Every DPDP obligation — consent, retention, erasure, rights — requires knowing what data you hold, where it is, and why you have it. Without a data map, you cannot answer these questions.

How to avoid it:

Start with a data map before any policy writing. List every system, form, and integration that collects or processes personal data. This is the foundation everything else is built on.

Retroactive consent is an afterthought

Why it happens:

Personal data collected before the Act came into force requires retroactive notification and a consent opportunity for existing users.

How to avoid it:

Identify your legacy data. Plan a consent re-collection campaign. This takes longer than expected — start planning it 12+ months before enforcement.

Ignoring the children's data requirements

Why it happens:

DPDP Rule 10 requires verifiable parental consent via DigiLocker for processing data of anyone under 18. Many B2C companies have minor users they haven't identified.

How to avoid it:

Audit your user base for age verification capability. If you have or could have minor users, build DigiLocker-based verification before enforcement begins.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

dpdp Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

dpdp Checklist

Assess your baseline control posture against dpdp criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about dpdp compliance and certification processes.