Digital Personal Data Protection Act 2023
India's data protection law. Mandatory for any company processing personal data of Indian residents.
What Is dpdp?
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law. Passed in August 2023 and with Rules notified in November 2025, the Act establishes how organisations must collect, use, store, and protect the personal data of individuals in India. Unlike ISO 27001 or SOC 2, DPDP compliance is a legal obligation — not a voluntary certification. Non-compliance carries penalties of up to ₹250 crore per violation.
The Act creates two categories of regulated entities. Data Fiduciaries are organisations that determine the purpose and means of processing personal data — essentially any company that decides why and how personal data is used. Data Processors process data on behalf of Fiduciaries. Most companies are Fiduciaries for their own customer data. A subset — Significant Data Fiduciaries — will face additional obligations including a mandatory Data Protection Officer, periodic Data Protection Impact Assessments, and potential data localisation requirements. The SDF designation list is expected around May 2027.
The Act gives Data Principals — the individuals whose data you process — rights that your systems must support: the right to access their data, correct it, withdraw consent, and request erasure. You must be able to respond to these requests operationally, not just have a policy that says you will. Full enforcement is expected from 13 May 2027, which sounds distant but the data mapping, consent rebuild, and operational changes required typically take 9–18 months.
Does dpdp Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
Companies processing Indian resident data
If you process personal details (emails, IDs, addresses) of individuals based in India, compliance is a non-optional statutory mandate.
Indian B2C Apps and E-commerce Platforms
Handling consumer data at scale makes your organisation highly vulnerable to privacy disputes and regulatory audits.
Indian FinTech and HealthTech Platforms
Processing sensitive financial or health records triggers Significant Data Fiduciary obligations and audit cycles.
- Your company operates entirely outside India and processes no data from residents of India.
- Your database only contains anonymous data points that cannot be traced back to any individual.
- Your organization only processes corporate data (business-to-business names and company details) without personal identifiers.
Why dpdp Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
Rules Notified & Active Timeline
Rules were notified in November 2025. Full enforcement begins on 13 May 2027, meaning organisations have roughly a year to align operations.
Board Liability & Massive Fines
Violations trigger fines up to ₹250 crore. Under DPDP, directors are personally liable for failure to implement reasonable safeguards.
User Rights Requests Desk
Users (Data Principals) gain the legal right to erase data, withdraw consent, or correct records. Systems must support these requests natively.
The Requirements
The core security controls and evidence parameters audited for dpdp.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for dpdp.
Data Mapping & Inventory
Run a data discovery exercise. Identify where personal data is stored, who can access it, and where it flows.
Consent & Policy Rebuild
Rebuild website and application onboarding pages to include translated privacy notices and consent checkboxes.
Principal Rights Desk Setup
Build interfaces to support user requests for data access, correction, transfer, and complete deletion.
DPO & SDF Operations
Appoint a Data Protection Officer (DPO), run GRC workshops, and establish grievance resolution systems.
With Existing Certifications
12–16 weeks: Use existing GDPR privacy profiles to rapidly draft notices and consent workflows, though database changes remain necessary.
Starting from Scratch
24–36 weeks: Designing a data protection program from scratch requires mapping all databases, rewriting policies, and training employees.
The Mistakes That Delay Most dpdp Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Assuming GDPR compliance covers DPDP
GDPR and DPDP have different legal bases, notification authorities, and structural requirements. GDPR legitimate interest doesn't map to DPDP. GDPR consent mechanisms may not satisfy DPDP's 'free, specific, informed, unambiguous' standard.
Audit your GDPR compliance for DPDP gaps specifically. Four structural differences need attention: legal basis, breach notification process, children's data rules, and SDF designation exposure.
Not starting with data mapping
Every DPDP obligation — consent, retention, erasure, rights — requires knowing what data you hold, where it is, and why you have it. Without a data map, you cannot answer these questions.
Start with a data map before any policy writing. List every system, form, and integration that collects or processes personal data. This is the foundation everything else is built on.
Retroactive consent is an afterthought
Personal data collected before the Act came into force requires retroactive notification and a consent opportunity for existing users.
Identify your legacy data. Plan a consent re-collection campaign. This takes longer than expected — start planning it 12+ months before enforcement.
Ignoring the children's data requirements
DPDP Rule 10 requires verifiable parental consent via DigiLocker for processing data of anyone under 18. Many B2C companies have minor users they haven't identified.
Audit your user base for age verification capability. If you have or could have minor users, build DigiLocker-based verification before enforcement begins.
Rishabh's Take on dpdp
Practitioner Voice“DPDP Act compliance is the one I worry about most for Indian SaaS companies right now — not because the requirements are technically difficult, but because so many companies are treating May 2027 as if it's five years away. Data mapping alone takes 3–6 months. Rebuilding consent mechanisms takes another 3. Identifying whether you'll be designated a Significant Data Fiduciary and what that means for your architecture requires decisions that involve your board. Start with the data map. Do it this quarter. Everything else depends on it.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
dpdp Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
dpdp Checklist
Assess your baseline control posture against dpdp criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about dpdp compliance and certification processes.