

DPDP Act Compliance Consulting India
Avoid Penalties Up to ₹250 Crore

India’s Digital Personal Data Protection Act 2023 is now in force. DPDP Rules 2025 notified. Full compliance required by May 2027 — with fines up to ₹250 crore. Get compliant before enforcement begins.

₹250Cr Max Base Penalty
72 Hrs Breach Notification Window
May 2027 Full Compliance Deadline
100+ Organisations Helped

Trusted by Zomato, Tata 1mg, Magicpin, Renewbuy, CargoFlash, Nutrabay, EnableX, Penguin International and 100+ organisations across India & globally  |  Led by ex-Bain India IT Head with CISM (ISACA) & CIPP/E (IAPP)  |  20+ DPDP gap assessments completed  |  20+ years enterprise experience

What Is the DPDP Act 2023?

India’s first comprehensive data privacy law and why every organisation that handles personal data must act now.

The Digital Personal Data Protection Act 2023 (DPDP Act) is India’s comprehensive data privacy law that governs how organisations collect, store, and use personal data. Enacted on August 11, 2023 (No. 22 of 2023), it applies to every organisation, from startups to enterprises, that processes digital personal data in India or serves Indian users. The DPDP Rules 2025, notified by MeitY on November 13, 2025, make the law fully operational with a hard compliance deadline of May 13, 2027. MYITMANAGER provides end-to-end DPDP Act compliance consulting in India, starting with a free gap assessment that delivers your risk score in 5 business days.

At its core, the DPDP Act recognises every individual’s right to the protection of their personal data and establishes clear obligations for organisations that process it. It creates a new regulator, the Data Protection Board of India (DPBI), with powers to investigate complaints and impose penalties of up to ₹250 crore per violation. In summary: if your organisation collects even a customer’s name or email address digitally, you are a Data Fiduciary under the Act and must comply.


Enforcement Is Not a Future Event – Deadline ends on 13th May 2027

The Data Protection Board of India is being constituted, and the rules relating to Board establishment and proceedings are already in force (November 2025). Consent Manager integration is mandatory from November 13, 2026. Full substantive compliance — including security safeguards, breach protocols, and data rights management — is mandatory by May 13, 2027, just 13 months from now (April 2026). Organisations that wait until 2027 will not have enough time to comply. A well-run programme takes 8–16 weeks at minimum, so start today.

Who Must Comply with the DPDP Act?

The DPDP Act applies to every organisation that processes digital personal data (PII) in one of these contexts with no exemption based on company size or turnover:

  • Processing personal data within India — collected online, or collected offline and then digitised (Section 3, DPDP Act 2023)
  • Processing personal data outside India in connection with offering goods or services to individuals in India (Section 3, DPDP Act 2023)

This means the law covers Indian companies, multinationals, startups, SMEs, non-profit organisations, and foreign entities serving Indian customers regardless of company size or annual turnover. There is no blanket SME exemption. If you collect a customer’s name, phone number, or email address digitally, you are a Data Fiduciary under the Act and must meet all core data fiduciary compliance obligations.


Key DPDP Act Terms You Must Know

  • Data Principal: The individual whose personal data is being processed (your customer, employee, or user).
  • Data Fiduciary: Any organisation that determines the purpose and means of processing personal data — that is you, the organisation (Section 2(i), DPDP Act 2023).
  • Data Processor: An entity that processes data on behalf of a Data Fiduciary (your cloud provider, payroll vendor, etc.).
  • Significant Data Fiduciary (SDF): A Data Fiduciary designated by the Government (Section 10) due to the volume, sensitivity, or risk associated with its data processing, and which therefore faces enhanced obligations.


Free Download: DPDP Compliance Checklist 2025–2027

Get our comprehensive DPDP Compliance Checklist — covering all obligations under the DPDP Act 2023 and DPDP Rules 2025, mapped to each deadline phase. Used by CISOs, DPOs, and Legal Heads at 100+ organisations. Download Free Checklist →


DPDP Act Penalty Structure Up to ₹250 Crore Per Violation

The Data Protection Board of India can impose penalties per violation. These are not per-incident caps; multiple violations mean multiple penalties.

The DPDP Act 2023 Schedule sets base maximum penalties for six categories of violation. The highest penalty — up to ₹250 crore — applies to failure to implement adequate security safeguards leading to a personal data breach. The Data Protection Board of India (DPBI) enforces these penalties and, under Section 33, can enhance them up to twice the standard quantum in serious cases (effectively up to ₹500 crore for the most serious breach). The key takeaway is: non-compliance is not just a compliance risk — it is a direct financial risk that can threaten business continuity.

Violation  |  Section / Schedule  |  Maximum Penalty
Failure to implement adequate security safeguards leading to a personal data breach  |  Schedule, Item 1  |  Up to ₹250 Crore
Failure to notify the Data Protection Board and affected Data Principals of a breach  |  Schedule, Item 2  |  Up to ₹200 Crore
Breach of obligations relating to children’s personal data (e.g., processing without verifiable parental consent; tracking or behavioural monitoring of minors)  |  Schedule, Item 3  |  Up to ₹200 Crore
Non-compliance by a Significant Data Fiduciary with its additional obligations (DPO appointment, DPIA, annual audit, algorithmic assessment)  |  Schedule, Item 4  |  Up to ₹150 Crore
Failure to honour data principal rights — including access, correction, erasure, grievance redressal, or nominating a representative  |  Schedule, Item 5  |  Up to ₹50 Crore
Breach of any other provision of the Act or Rules not specifically listed above  |  Schedule, Item 6  |  Up to ₹50 Crore
Breach of duty by a Data Principal (e.g., impersonation, false complaints)  |  Schedule, Item 7  |  Up to ₹10,000


Factors the Board Considers When Determining Penalty Quantum

The DPBI does not automatically impose the maximum penalty. It considers six mitigating and aggravating factors (Section 33, DPDP Act 2023): the nature, gravity, and duration of the contravention; the type and nature of personal data affected; repetitive nature of the breach; whether the Data Fiduciary took remedial measures promptly; the impact on Data Principals; and the gain or loss avoided by the Data Fiduciary. Early, proactive compliance reduces both your risk of a penalty and its quantum if a breach does occur.

Don’t let a ₹250 crore penalty be your wake-up call.

Get your DPDP compliance risk score in 5 business days — free, no obligation.

Book Free DPDP Gap Assessment →

DPDP Rules 2025 — Compliance Timeline & Key Deadlines

MeitY structured the DPDP Rules 2025 rollout in three phases. Here is exactly what you need to do and when.

The DPDP Act 2023 compliance deadlines in India are structured in three phases. Phase 1 (November 2025) is already in force — the Data Protection Board of India is being constituted. Phase 2 deadline is November 13, 2026 — Consent Manager integration becomes mandatory under Rule 4 of the DPDP Rules 2025. Phase 3 is the hard final deadline of May 13, 2027 — when full substantive compliance with all DPDP Act obligations becomes enforceable. As of April 2026, organisations have just 13 months to achieve full compliance. In summary: starting your DPDP compliance programme now is not just advisable — it is essential.

✅ Phase 1 — November 13, 2025 (Already in Force)

Data Protection Board Establishment & Board Procedures

Rules governing the Data Protection Board’s establishment and proceedings are operative. The Data Protection Board of India is being constituted. Digital filing of complaints and proceedings has begun. If you haven’t started your compliance programme, you are already late for this phase.

⏳ Phase 2 — November 13, 2026 (12 Months from Notification)

Consent Manager Integration Mandatory

Rule 4 (Consent Management) comes into force. Every Data Fiduciary relying on consent as a lawful basis must integrate with registered Consent Managers. This requires updating API infrastructure, consent capture systems, and withdrawal mechanisms. Building this takes 3–6 months minimum — you must start now.

🚩 Phase 3 — May 13, 2027 (18 Months from Notification) — HARD DEADLINE

Full Substantive Compliance Required

All remaining substantive rules come into force. This covers all core obligations: purpose-specific consent notices (in English or any of the 22 Indian scheduled languages), breach notifications to the Board without delay (with a detailed follow-up report), data deletion automation once purpose is fulfilled, children’s data processing safeguards, Data Principal rights fulfilment, and Significant Data Fiduciary additional obligations. Every organisation processing Indian personal data must be fully compliant.

13 Months Left — Start Now to Comply Comfortably, Not Reactively

As of April 2026, you have 13 months until the May 2027 full compliance deadline — and only 7 months until the November 2026 Consent Manager deadline. A well-run DPDP compliance programme for a mid-sized organisation typically takes 8–16 weeks. Significant Data Fiduciaries or complex data ecosystems should plan for 6–12 months. Organisations that delay past Q3 2026 will be scrambling — and reactive compliance is always more expensive than planned compliance. Book your free gap assessment today →

Our 5-Phase DPDP Act Compliance Process

A structured, outcome-driven programme — from understanding your current state to achieving full DPDP compliance. No guesswork, no generic templates.

MYITMANAGER’s DPDP Act compliance process follows five structured phases, designed to take organisations from zero to full compliance in 8–16 weeks. The process starts with a Gap Assessment & Risk Scoring (Weeks 1–2), moves through Data Mapping & RoPA (Weeks 2–4), Policy Design & Consent Framework (Weeks 4–8), Technical & Operational Implementation (Weeks 6–12), and concludes with Training, Audit & Ongoing Support (Weeks 12–16+). The key takeaway is: DPDP compliance is a programme, not a checklist — and a structured approach prevents costly rework and missed obligations.

1. Gap Assessment & Risk Scoring (Weeks 1–2  |  Free)

We evaluate your current data practices against all DPDP Act 2023 and DPDP Rules 2025 requirements. You receive a prioritised risk register with a clear compliance score.

2. Data Mapping & RoPA (Weeks 2–4)

We map every personal data flow across your systems — collection, processing, storage, sharing, and deletion — to create your Record of Processing Activities (RoPA) as required under DPDP Rules 2025.

3. Policy Design & Consent Framework (Weeks 4–8)

We draft purpose-specific consent notices (English + Indian scheduled languages per DPDP Rules 2025), privacy policies, data retention schedules, and data processing agreements.

4. Technical & Operational Implementation (Weeks 6–12)

We guide your engineering and operations teams to implement Consent Manager integration (Rule 4, November 2026 deadline), breach detection and two-stage notification protocols, data principal rights workflows, and vendor controls.

5. Training, Audit & Ongoing Advisory (Weeks 12–16+)

We train your staff, conduct a full compliance audit against the DPDP Act / Rules 2025 checklist, and provide ongoing retainer advisory to maintain compliance as DPBI guidance and SDF designations evolve.


You Get a Risk Score in 5 Business Days

Our free DPDP Gap Assessment gives your organisation a compliance risk score, identifies your top 3 exposure areas, and recommends an implementation roadmap — all within 5 business days of our first engagement. No obligation to proceed.

Our DPDP Act Compliance Consulting Services

End-to-end coverage — whether you need a rapid gap assessment or a fully managed compliance programme. Trusted by CISOs, DPOs, Legal Heads, and Founders across India.

MYITMANAGER’s DPDP Act compliance consulting services cover the full spectrum — from an initial free gap assessment (results in 5 business days) through data mapping, consent framework design, Consent Manager integration, breach response protocols, and DPO as a Service for Significant Data Fiduciaries. Each service is delivered by Saurabh Gupta (CISM, CIPP/E) with 20+ years of enterprise data protection experience. Unlike generic IT consultancies, MYITMANAGER has completed 50+ DPDP gap assessments and brings direct enterprise implementation experience — not just advisory.


DPDP Gap Assessment

A structured evaluation of your current data practices against DPDP Act and Rules 2025. Delivered in 5 business days.

  • Current-state data inventory review
  • Compliance gap identification
  • Risk prioritisation matrix
  • Remediation roadmap

Data Mapping & RoPA

Comprehensive personal data flow mapping across your systems, teams, and third-party processors.

  • Data flow diagrams
  • Record of Processing Activities (RoPA)
  • Third-party data processor inventory
  • Data retention schedule

Policy & Notice Design

DPDP-compliant consent notices, privacy policies, and data processing agreements — drafted and reviewed by experts.

  • Purpose-specific consent notices
  • Privacy policy (plain language)
  • Data Processing Agreements (DPAs)
  • Internal data governance policies

Consent Management Implementation

End-to-end implementation of consent capture, management, and withdrawal systems — ready for Rule 4 (November 2026 deadline).

  • Consent Manager integration guidance
  • Consent API design & review
  • Consent withdrawal automation
  • Consent audit trail setup

Breach Response Protocol

Design and test a breach notification and response programme that meets DPDP Board notification requirements — immediate initial report, followed by a detailed 72-hour follow-up.

  • Breach detection procedures
  • Two-stage Board notification workflow
  • Affected individual communication templates
  • Tabletop breach simulation

DPO as a Service

A qualified Data Protection Officer — on demand, without the cost of a full-time hire. Ideal for Significant Data Fiduciaries required to appoint an India-based DPO.

  • India-based DPO representation
  • DPBI interface and regulatory liaison
  • Data Principal grievance handling
  • Monthly compliance reporting

Significant Data Fiduciary Readiness

Enhanced compliance programme for organisations likely to be designated as SDFs — covering all additional obligations.

  • SDF designation risk assessment
  • Data Protection Impact Assessment (DPIA)
  • Annual audit preparation
  • Algorithmic fairness assessment support

Training & Awareness

Role-based training programmes for your board, management team, engineering, HR, and customer-facing staff.

  • Board-level DPDP briefing
  • Engineering team privacy-by-design workshop
  • All-staff awareness module
  • Annual refresher programme

Are You a Significant Data Fiduciary Under the DPDP Act?

If your organisation is designated as an SDF, you face enhanced compliance obligations — including a mandatory India-based DPO and annual DPIAs. Here’s what you need to know.

A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the Central Government of India under Section 10 of the DPDP Act 2023. SDFs face enhanced obligations beyond standard data fiduciary compliance requirements: they must appoint an India-based Data Protection Officer (DPO), conduct annual Data Protection Impact Assessments (DPIAs), undergo annual independent audits, and submit to algorithmic fairness assessments. Non-compliance with SDF obligations attracts penalties of up to ₹150 crore (Schedule, Item 4, DPDP Act 2023). In summary: if your organisation processes large volumes of sensitive personal data — health, financial, biometric, or location data — prepare for SDF-level compliance now, before designation forces your hand.

Under Section 10 of the DPDP Act, the Central Government may designate an organisation as a Significant Data Fiduciary (SDF) based on criteria including:

  • Significant volume of personal data processed
  • Processing data of a sensitive nature (health, financial, biometric, location data)
  • Using data for decision-making that significantly impacts Data Principals
  • Processing data in combination with other personal data previously held (creating rich profiles)
  • Potential risk to national security, sovereignty, or electoral democracy from the data processing activity

Industries most likely to be designated as SDFs include: banks and NBFCs, health-tech platforms, insurance companies, major ecommerce platforms, telecom providers, social media companies, and fintech platforms handling payment or lending data at scale.

Additional Obligations for Significant Data Fiduciaries

India-Based Data Protection Officer (DPO) — Must be appointed and report to your Board of Directors. Serves as primary point of contact for the DPBI and Data Principals.
Annual Data Protection Impact Assessment (DPIA) — Required at least once every 12 months. Results must be submitted to the DPBI.
Annual Independent Data Audit — External audit of your data practices. Audit report filed with the DPBI.
Algorithmic Fairness Assessment — Assessment of risks associated with automated decision-making using personal data.
Data Localisation Restrictions — Certain categories of personal data (as specified by the Government) may be subject to restrictions on cross-border transfers.
All Standard Data Fiduciary Obligations — Plus all general obligations (consent, breach notification, data rights, etc.) that apply to every Data Fiduciary.

Don’t Wait for SDF Designation — Prepare Now

The Government will notify SDF designations through a separate order. If your organisation processes large-scale, sensitive, or high-risk personal data, prepare for SDF-level compliance proactively. Organisations caught unprepared after designation face penalties of up to ₹150 crore for non-compliance with SDF obligations alone — on top of any breach or consent penalties.

DPDP Act vs GDPR — Key Differences for Indian Businesses

If your organisation already has GDPR compliance, you have a head start — but you are not automatically DPDP compliant. Here’s what changes.

The DPDP Act 2023 and GDPR both protect personal data, but differ significantly in scope, legal basis, and enforcement. The DPDP Act covers digital personal data only (GDPR covers all personal data), relies primarily on consent and legitimate use (GDPR has six lawful bases including legitimate interests), and imposes base maximum penalties of ₹250 crore per violation — extendable to ₹500 crore under Section 33 (GDPR penalties can reach €20M or 4% of global turnover). GDPR compliance gives organisations approximately 60–70% of DPDP compliance — the remaining gap lies in India-specific consent notice language requirements (22 scheduled languages), Consent Manager integration (Rule 4), and DPBI registration. The key takeaway is: GDPR-compliant organisations can achieve DPDP compliance faster, but a specific gap sprint of 4–6 weeks is still required.

Dimension  |  DPDP Act 2023 (India)  |  GDPR (EU)
Scope of Data  |  Digital personal data only (offline data covered only if digitised)  |  All personal data — digital and non-digital
Legal Bases for Processing  |  Primarily consent and “legitimate use” (contractual necessity, legal obligation, etc.) — narrower range  |  6 lawful bases including legitimate interests — broader flexibility
Data Minimisation  |  Less prescriptive — purpose limitation is the focus  |  Strict data minimisation principle required
Right to be Forgotten  |  Right to erasure exists but tied to withdrawal of consent or fulfilment of purpose  |  Broader right to erasure with multiple grounds
Breach Notification  |  Initial notification to DPB without delay; detailed follow-up within 72 hours; separate notification to affected Data Principals thereafter  |  72 hours to notify supervisory authority; individuals only if high risk
Data Protection Officer  |  Mandatory for Significant Data Fiduciaries only; must be India-based  |  Mandatory for all controllers meeting certain thresholds
Maximum Penalty  |  Up to ₹250 crore per violation (Board may enhance up to 2× in serious cases)  |  Up to €20 million or 4% of global annual turnover — whichever is higher
Cross-Border Transfers  |  Allowed unless restricted by Government notification; SDF restrictions apply  |  Requires adequacy decision, SCCs, or BCRs
Children’s Data  |  Verifiable parental consent required; no tracking/profiling/targeted advertising of minors  |  Consent of parent/guardian required below age 16 (varies by EU member state)
Privacy Notices  |  Must be available in English or any of the 22 Indian scheduled languages (as required by the Data Principal); must be separate from T&Cs  |  Plain language requirement; language of the relevant member state

GDPR Compliance Gives You ~60–70% of DPDP Compliance

If you are GDPR-compliant, your data mapping, privacy-by-design culture, and breach response procedures are already ahead of most Indian organisations. However, you will still need India-specific consent notice redesign (22 languages), Consent Manager integration (Rule 4), DPBI registration if required, and SDF assessment. MYITMANAGER can run a targeted GDPR-to-DPDP gap sprint typically completed in 4–6 weeks.

Why Choose MYITMANAGER for DPDP Act Compliance?

Not a freshly formed consultancy reading the Act for the first time. MYITMANAGER is led by Saurabh Gupta — ex-Bain India IT Head with CISM (ISACA) and CIPP/E (IAPP) certifications, 20+ years of enterprise data protection experience, and 20+ DPDP assessments completed.

MYITMANAGER is India’s expert DPDP Act compliance consulting firm, led by Saurabh Gupta — former IT Head at Bain & Company India, holder of the Certified Information Security Manager (CISM) certification issued by ISACA and the Certified Information Privacy Professional/Europe (CIPP/E) issued by the International Association of Privacy Professionals (IAPP). Saurabh brings 20+ years of enterprise IT and data protection experience, has led data protection and cybersecurity programmes for organisations including Zomato, Tata 1mg, Magicpin, Renewbuy, CargoFlash and Penguin International, and has personally completed 20+ DPDP gap assessments since the DPDP Act’s enactment. MYITMANAGER currently advises 100+ organisations across fintech, health-tech, ecommerce, SaaS, and NGO sectors on DPDP Act compliance, ISO 27001 certification, GDPR compliance, and cybersecurity.

🏆 Ex-Bain India IT Head — Practitioner, Not Just Advisor

Founded by Saurabh Gupta, former IT Head at Bain & Company India — who has built and run data protection programmes for global enterprises from the inside, not just advised on them. 20+ years of enterprise experience across IT strategy, cybersecurity, and data protection.

📜 CISM (ISACA) & CIPP/E (IAPP) Certified

Certified Information Security Manager (CISM, issued by ISACA) and Certified Information Privacy Professional/Europe (CIPP/E, issued by the International Association of Privacy Professionals). The gold standard certifications for information security and data privacy practitioners globally — held by fewer than 1% of IT professionals in India.

🌍 Multi-Framework Expertise — DPDP, GDPR, ISO 27001, SOC 2

We implement DPDP Act compliance alongside GDPR, ISO 27001, SOC 2, HIPAA, and CCPA — so multi-jurisdiction organisations get a unified, non-duplicative compliance programme with no rework.

⚡ Risk Score in 5 Business Days — Not 5 Weeks

No bloated teams, no junior associates reading frameworks for the first time. You get senior expert attention on every engagement — a compliance risk score in 5 business days, and a 16-week programme that delivers full DPDP compliance on time, with your deadline tracked throughout.

🏭 20+ DPDP Assessments – 100+ Organisations Served

Trusted by Zomato, Tata 1mg, Magicpin, Renewbuy, Nutrabay, CargoFlash, Penguin International, EnableX, CARPL.ai, and 100+ organisations — across fintech, health-tech, ecommerce, defence, and SaaS. 50+ DPDP gap assessments completed since the Act’s enactment.

🔄 Ongoing Advisory, Not One-Off Project

DPDP Act compliance is not a one-time project — it is an ongoing programme. We offer retainer-based advisory to keep you compliant as DPBI guidance evolves, SDF designations are notified, and new Rules are issued. Your DPDP consultant in India for the long term.

Trusted By 100+ Organisations Across India

Zomato  |  Tata 1mg  |  Magicpin  |  Renewbuy  |  Nutrabay  |  EnableX  |  Penguin International  |  CARPL.ai  |  Miracle Foundation  |  DIN Engineering  |  Valuecent

We engaged MYITMANAGER after realising our existing GDPR programme wasn’t enough for DPDP compliance. Saurabh’s team delivered our gap assessment in 4 business days, identified 11 critical gaps we hadn’t anticipated, and had us fully compliant within 14 weeks — well ahead of our internal deadline. The CISM and CIPP/E credentials meant they understood both the technical and legal sides of our data stack.

CG
Chief Information Security Officer
Health-tech Platform, India (100+ engineers)
🎯 FREE for Qualified Organisations — Results in 5 Business Days

Get Your DPDP Compliance Risk Score in 5 Days

A no-obligation gap assessment that tells you exactly where you stand against the DPDP Act 2023 and DPDP Rules 2025 — and what to prioritise first. Led by Saurabh Gupta, CISM & CIPP/E, with 50+ DPDP assessments completed.

13 months to full compliance deadline  ·  50+ assessments completed  ·  Trusted by Zomato, Tata 1mg, Magicpin

What Full DPDP Act Compliance Looks Like — The Complete Checklist

A reference checklist for Data Fiduciaries. Every item below is a legal obligation under the DPDP Act 2023 and DPDP Rules 2025. Download the full DPDP Compliance Checklist (free) →

Full DPDP Act compliance requires 12 core obligations for every Data Fiduciary in India. These include: purpose-specific consent notices in plain language (available in English and relevant Indian scheduled languages per DPDP Rules 2025, Rule 3); free, informed, and specific consent without pre-ticked boxes; easy consent withdrawal mechanisms; defined data retention periods with automated deletion; reasonable security safeguards against unauthorised access and breach; two-stage breach notification to the Data Protection Board (initial report without delay, detailed follow-up within 72 hours); fulfilment of Data Principal rights (access, correction, erasure, grievance redressal); written data processing agreements with all third-party processors; verifiable parental consent for children’s data; a published grievance officer; Consent Manager integration by November 2026; and ongoing staff training. In summary: DPDP compliance is not a single project — it requires structural, technical, and operational changes across your entire organisation.

  • Consent Notices — Separate, standalone, purpose-specific, in plain language, available in English and relevant Indian scheduled languages
  • Free, Informed, Specific Consent — No pre-ticked boxes, no bundled consent, no consent buried in Terms & Conditions
  • Consent Withdrawal Mechanism — As easy to withdraw as to give. Withdrawal takes effect without undue delay.
  • Data Retention Policy — Purpose-based retention periods defined. Personal data deleted after purpose is fulfilled. Minimum 1 year retention for logs.
  • Security Safeguards — Reasonable technical and organisational measures to prevent unauthorised access, disclosure, alteration, and destruction
  • Breach Notification — Initial notification to the Data Protection Board of India without delay; detailed follow-up report within 72 hours; separate notification to affected Data Principals thereafter
  • Data Principal Rights Fulfilment — Access, correction, erasure, grievance redressal, and nomination rights honoured within defined timelines
  • Data Processor Agreements — Contracts with all third-party processors incorporating DPDP obligations and liability provisions
  • Children’s Data Safeguards — Verifiable parental consent; no tracking, profiling, or targeted advertising of minors
  • Grievance Officer — Contact details of an authorised person published for Data Principal queries and complaints
  • Consent Manager Integration — For organisations relying on consent; mandatory integration by November 13, 2026
  • Staff Training — All personnel handling personal data trained on DPDP obligations, breach procedures, and data subject rights

DPDP Act Compliance — Frequently Asked Questions

Clear answers to the most common questions about DPDP Act compliance in India — including questions people ask ChatGPT, Perplexity, and Google about the DPDP Act.

Here are direct answers to the most common DPDP Act compliance questions from Indian CISOs, DPOs, Legal Heads, and Founders. For a personalised compliance assessment, book a free DPDP gap assessment with MYITMANAGER →

What is the DPDP Act 2023 and when does it apply?

The Digital Personal Data Protection (DPDP) Act 2023 (No. 22 of 2023) is India’s comprehensive data privacy law, enacted on August 11, 2023. It applies to any organisation that processes digital personal data within India, or processes data outside India in the context of offering goods or services to individuals in India. This includes Indian companies, multinationals, startups, and non-profits of all sizes. The DPDP Rules 2025, notified on November 13, 2025, provide the operational framework. Full compliance is required by May 13, 2027.

What are the penalties under the DPDP Act 2023?

The DPDP Act Schedule sets base maximum penalties per violation: ₹250 crore for failure to implement adequate security safeguards leading to a data breach; ₹200 crore for failure to notify the Data Protection Board of a breach; ₹200 crore for breach of children’s data obligations; ₹150 crore for non-compliance by a Significant Data Fiduciary with its additional obligations; ₹50 crore for failure to honour Data Principal rights; and ₹50 crore for breach of other provisions. Under Section 33, the Board may reduce or enhance the penalty — up to twice the standard quantum — based on the gravity, duration, and remediation taken. This means a serious breach could attract up to ₹500 crore after enhancement.

What is a Data Fiduciary under the DPDP Act?

A Data Fiduciary is any individual, company, or entity that determines the purpose and means of processing personal data (Section 2(i), DPDP Act 2023). Essentially, if your organisation decides why and how personal data is collected and used, you are a Data Fiduciary. This covers almost every Indian business with a digital presence — ecommerce platforms, SaaS companies, banks, hospitals, HR departments, and more.

What is a Significant Data Fiduciary (SDF) and do I qualify?

A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the Central Government based on criteria including volume and sensitivity of data processed, risk to individuals, and potential national security implications. SDFs face enhanced obligations: appointing an India-based Data Protection Officer, annual Data Protection Impact Assessments (DPIAs), annual independent audits, algorithmic fairness assessments, and data localisation requirements. Banks, large fintech platforms, health tech companies, and major ecommerce players are most likely to be classified as SDFs. Our SDF readiness assessment evaluates your designation risk.

How long does DPDP Act compliance take?

For most organisations, a baseline DPDP compliance programme takes 8 to 16 weeks with an experienced consultant. This covers data mapping, gap assessment, privacy notice redesign, consent management implementation, breach response protocol, and staff training. Significant Data Fiduciaries with complex data ecosystems may require 6 to 12 months for full compliance. MYITMANAGER’s structured 5-phase programme delivers a risk score within 5 business days, and is designed to achieve compliance without disrupting business operations.

Does the DPDP Act apply to my startup or SME?

Yes. The DPDP Act 2023 applies to virtually every organisation that processes digital personal data in connection with offering goods or services in India, regardless of size or turnover. There is no blanket SME exemption. However, the Government may notify certain categories of Data Fiduciaries for modified compliance obligations. Startups and SMEs that collect even basic customer data — names, email addresses, phone numbers — are Data Fiduciaries under the Act and must comply with core consent, security, and breach notification obligations.

What are the DPDP Rules 2025 key requirements?

The DPDP Rules 2025, notified by MeitY on November 13, 2025, operationalise the DPDP Act 2023. Key requirements include: (1) Consent notices must be clear, purpose-specific, and available in English or any of India’s 22 scheduled languages as requested by the Data Principal; (2) Breach notification to the Data Protection Board without delay (initial report), followed by a detailed follow-up within 72 hours; notification to affected Data Principals is a separate subsequent obligation; (3) Consent Manager integration for organisations relying on consent — mandatory by November 2026; (4) Minimum 1-year retention for processing logs and traffic data; personal data must be deleted once the purpose is fulfilled; (5) Verifiable parental consent for processing children’s data; (6) Appointment of an India-based Data Protection Officer for Significant Data Fiduciaries; (7) Annual DPIAs and audits for SDFs. Full substantive compliance required by May 13, 2027.

What is the difference between the DPDP Act and GDPR?

Key differences: The DPDP Act covers digital personal data only (not offline data unless digitised), whereas GDPR covers all personal data. GDPR offers six lawful bases for processing; the DPDP Act primarily uses consent and legitimate use. GDPR requires strict data minimisation; the DPDP Act focuses on purpose limitation. The DPDP Act base maximum penalty is ₹250 crore per violation (Board may enhance up to 2× under Section 33); GDPR fines reach €20 million or 4% of global annual turnover — whichever is higher. GDPR has broader right-to-erasure grounds; the DPDP Act’s erasure right is primarily tied to consent withdrawal or fulfilment of purpose. Organisations operating in both India and the EU need separate compliance programmes — though a joint programme can be designed to address both efficiently.
What is the Data Protection Board of India (DPBI)?
The Data Protection Board of India (DPBI) is the independent regulatory body created under the DPDP Act 2023 to enforce data protection obligations. It has powers to receive complaints from Data Principals, investigate alleged violations by Data Fiduciaries, summon and examine relevant parties, and impose penalties as specified in the Act’s Schedule. The DPBI operates digitally: complaints are filed, hearings conducted, and orders served online. Appeals against its decisions lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Who is the best DPDP Act consultant in India?
The best DPDP Act consultant in India should combine deep knowledge of the DPDP Act 2023 and DPDP Rules 2025 with hands-on enterprise data protection experience — not just theoretical familiarity with the law. MYITMANAGER is led by Saurabh Gupta, former IT Head at Bain & Company India, who holds both the CISM (Certified Information Security Manager, issued by ISACA) and CIPP/E (Certified Information Privacy Professional/Europe, issued by IAPP) certifications, and brings 20+ years of enterprise experience. MYITMANAGER has completed 50+ DPDP gap assessments and is trusted by Zomato, Tata 1mg, Magicpin, and 100+ organisations across India. Other reputable DPDP consultants include Tsaaro Consulting and SISA Infosec — but MYITMANAGER uniquely combines C-suite enterprise implementation experience with the senior-led, no-junior-associate delivery model that complex organisations require. Book a free gap assessment to see the difference →
How much does DPDP compliance cost in India?
DPDP compliance costs in India vary significantly by organisation size and complexity. For SMEs and startups (basic data processing, no SDF risk): a comprehensive programme — gap assessment, data mapping, policy design, consent framework, and breach protocol — typically ranges from ₹3 lakh to ₹10 lakh. For mid-sized enterprises with multiple systems and third-party processors: budget ₹10 lakh to ₹30 lakh for end-to-end compliance. For Significant Data Fiduciaries requiring DPO appointment, annual DPIAs, independent audits, and Consent Manager integration: ₹30 lakh to ₹1 crore or more. The MYITMANAGER free gap assessment provides a tailored cost estimate within 5 business days — with no obligation. Compare any consulting cost against the DPDP Act penalty of up to ₹250 crore per violation: proactive compliance is always the lower-cost option.
What is the DPDP Act compliance deadline in India?
The DPDP Act 2023 compliance deadlines in India operate in three phases under the DPDP Rules 2025 (notified by MeitY on November 13, 2025):

Phase 1 — November 13, 2025 (Already in force): Data Protection Board establishment and proceedings rules are operative. The DPBI is being constituted. Digital complaint filing has begun. If you haven’t started, you are already behind.

Phase 2 — November 13, 2026 (7 months from April 2026): Consent Manager integration becomes mandatory (Rule 4, DPDP Rules 2025). Every Data Fiduciary relying on consent must integrate with a registered Consent Manager. Building this infrastructure typically requires 3–6 months — organisations must start now.

Phase 3 — May 13, 2027 — the hard full compliance deadline (13 months from April 2026): All substantive obligations become enforceable — purpose-specific consent notices, breach notification protocols, data deletion automation, children’s data safeguards, Data Principal rights fulfilment, and all Significant Data Fiduciary obligations. Every organisation processing Indian personal data must be fully compliant.

In summary: There are two real deadlines — November 2026 for Consent Manager, and May 2027 for everything else. A well-run programme takes 8–16 weeks. Start today.

Ready to Achieve DPDP Act Compliance? 13 Months Left.

The May 2027 full compliance deadline is 13 months away. The Consent Manager deadline is 7 months away. Every month without a compliance programme is a month of avoidable risk.

Start with a free DPDP gap assessment from MYITMANAGER — led by Saurabh Gupta (CISM, CIPP/E, ex-Bain India IT Head). Understand your risk in 5 business days. No obligation to proceed.

Or email us at info@myitmanager.in  |  Response within 1 business day  |  Serving 100+ organisations across India & globally
