DPDP Act Compliance Consulting India
Avoid Penalties Up to ₹250 Crore
India’s Digital Personal Data Protection Act 2023 is now in force, and the DPDP Rules 2025 have been notified. Full compliance is required by May 2027 — with fines of up to ₹250 crore. Get compliant before enforcement begins.
Trusted by Zomato, Tata 1mg, Magicpin, Renewbuy, CargoFlash, Nutrabay, EnableX, Penguin International and 100+ organisations across India & globally | Led by ex-Bain India IT Head with CISM (ISACA) & CIPP/E (IAPP) | 20+ DPDP gap assessments completed | 20+ years enterprise experience
What Is the DPDP Act 2023?
India’s first comprehensive data privacy law and why every organisation that handles personal data must act now.
The Digital Personal Data Protection Act 2023 (DPDP Act) is India’s comprehensive data privacy law that governs how organisations collect, store, and use personal data. Enacted on August 11, 2023 (No. 22 of 2023), it applies to every organisation, from startups to enterprises, that processes digital personal data in India or serves Indian users. The DPDP Rules 2025, notified by MeitY on November 13, 2025, make the law fully operational with a hard compliance deadline of May 13, 2027. MYITMANAGER provides end-to-end DPDP Act compliance consulting in India, starting with a free gap assessment that delivers your risk score in 5 business days.
At its core, the DPDP Act recognises every individual’s right to the protection of their personal data and establishes clear obligations for organisations that process it. It creates a new regulator, the Data Protection Board of India (DPBI), with powers to investigate complaints and impose penalties of up to ₹250 crore per violation. In summary: if your organisation collects even a customer’s name or email address digitally, you are a Data Fiduciary under the Act and must comply.
Enforcement Is Not a Future Event – Deadline Ends on 13 May 2027
The Data Protection Board of India is being constituted, and the rules relating to the Board’s establishment and proceedings are already in force (November 2025). Consent Manager integration is mandatory from November 13, 2026. Full substantive compliance — including security safeguards, breach protocols, and data rights management — is mandatory by May 13, 2027, just 13 months from now (April 2026). Organisations that wait until 2027 will not have enough time to comply. A well-run programme takes 8–16 weeks at minimum; start today.
Who Must Comply with the DPDP Act?
The DPDP Act applies to every organisation that processes digital personal data (PII) in either of these contexts, with no exemption based on company size or turnover:
- Processing personal data within India — collected online, or collected offline and then digitised (Section 3, DPDP Act 2023)
- Processing personal data outside India in connection with offering goods or services to individuals in India (Section 3, DPDP Act 2023)
This means the law covers Indian companies, multinationals, startups, SMEs, non-profit organisations, and foreign entities serving Indian customers, regardless of company size or annual turnover. There is no blanket SME exemption. If you collect a customer’s name, phone number, or email address digitally, you are a Data Fiduciary under the Act and must meet all core data fiduciary compliance obligations.
Key DPDP Act Terms You Must Know
- Data Principal: The individual whose personal data is being processed (your customer, employee, or user).
- Data Fiduciary: Any organisation that determines the purpose and means of processing personal data — that is you, the organisation (Section 2(i), DPDP Act 2023).
- Data Processor: An entity that processes data on behalf of a Data Fiduciary (your cloud provider, payroll vendor, etc.).
- Significant Data Fiduciary (SDF): A Data Fiduciary designated by the Government (Section 10) due to the volume, sensitivity, or risk associated with its data processing; it faces enhanced obligations.
Free Download: DPDP Compliance Checklist 2025–2027
Get our comprehensive DPDP Compliance Checklist — covering all obligations under the DPDP Act 2023 and DPDP Rules 2025, mapped to each deadline phase. Used by CISOs, DPOs, and Legal Heads at 100+ organisations. Download Free Checklist →
Related services: ISO 27001 Certification Consulting | GDPR Compliance for Indian Businesses | Cybersecurity Consulting India
DPDP Act Penalty Structure Up to ₹250 Crore Per Violation
The Data Protection Board of India can impose penalties per violation. These are not per-incident caps: multiple violations mean multiple penalties.
The DPDP Act 2023 Schedule sets base maximum penalties for six categories of violation. The highest penalty — up to ₹250 crore — applies to failure to implement adequate security safeguards leading to a personal data breach. The Data Protection Board of India (DPBI) enforces these penalties and, under Section 33, can enhance them up to twice the standard quantum in serious cases (effectively up to ₹500 crore for the most serious breach). The key takeaway is: non-compliance is not just a compliance risk — it is a direct financial risk that can threaten business continuity.
| Violation | Section / Schedule | Maximum Penalty |
|---|---|---|
| Failure to implement adequate security safeguards leading to a personal data breach | Schedule, Item 1 | Up to ₹250 Crore |
| Failure to notify the Data Protection Board and affected Data Principals of a breach | Schedule, Item 2 | Up to ₹200 Crore |
| Breach of obligations relating to children’s personal data (e.g., processing without verifiable parental consent; tracking or behavioural monitoring of minors) | Schedule, Item 3 | Up to ₹200 Crore |
| Non-compliance by a Significant Data Fiduciary with its additional obligations (DPO appointment, DPIA, annual audit, algorithmic assessment) | Schedule, Item 4 | Up to ₹150 Crore |
| Failure to honour data principal rights — including access, correction, erasure, grievance redressal, or nominating a representative | Schedule, Item 5 | Up to ₹50 Crore |
| Breach of any other provision of the Act or Rules not specifically listed above | Schedule, Item 6 | Up to ₹50 Crore |
| Breach of duty by a Data Principal (e.g., impersonation, false complaints) | Schedule, Item 7 | Up to ₹10,000 |
Factors the Board Considers When Determining Penalty Quantum
The DPBI does not automatically impose the maximum penalty. It considers six mitigating and aggravating factors (Section 33, DPDP Act 2023): the nature, gravity, and duration of the contravention; the type and nature of personal data affected; the repetitive nature of the breach; whether the Data Fiduciary took remedial measures promptly; the impact on Data Principals; and the gain or loss avoided by the Data Fiduciary. Early, proactive compliance reduces both your risk of a penalty and its quantum if a breach does occur.
Don’t let a ₹250 crore penalty be your wake-up call.
Get your DPDP compliance risk score in 5 business days — free, no obligation.
Book Free DPDP Gap Assessment →
DPDP Rules 2025 — Compliance Timeline & Key Deadlines
MeitY structured the DPDP Rules 2025 rollout in three phases. Here is exactly what you need to do and when.
The DPDP Act 2023 compliance deadlines in India are structured in three phases. Phase 1 (November 2025) is already in force — the Data Protection Board of India is being constituted. The Phase 2 deadline is November 13, 2026 — Consent Manager integration becomes mandatory under Rule 4 of the DPDP Rules 2025. Phase 3 is the hard final deadline of May 13, 2027 — when full substantive compliance with all DPDP Act obligations becomes enforceable. As of April 2026, organisations have just 13 months to achieve full compliance. In summary: starting your DPDP compliance programme now is not just advisable — it is essential.
Data Protection Board Establishment & Board Procedures
Rules governing the Data Protection Board’s establishment and proceedings are operative. The Data Protection Board of India is being constituted. Digital filing of complaints and proceedings has begun. If you haven’t started your compliance programme, you are already late for this phase.
Consent Manager Integration Mandatory
Rule 4 (Consent Management) comes into force. Every Data Fiduciary relying on consent as a lawful basis must integrate with registered Consent Managers. This requires updating API infrastructure, consent capture systems, and withdrawal mechanisms. Building this takes 3–6 months minimum — you must start now.
Full Substantive Compliance Required
All remaining substantive rules come into force. This covers all core obligations: purpose-specific consent notices (in English or any of the 22 Indian scheduled languages), breach notifications to the Board without delay (with a detailed follow-up report), data deletion automation once purpose is fulfilled, children’s data processing safeguards, Data Principal rights fulfilment, and Significant Data Fiduciary additional obligations. Every organisation processing Indian personal data must be fully compliant.
13 Months Left — Start Now to Comply Comfortably, Not Reactively
As of April 2026, you have 13 months until the May 2027 full compliance deadline — and only 7 months until the November 2026 Consent Manager deadline. A well-run DPDP compliance programme for a mid-sized organisation typically takes 8–16 weeks. Significant Data Fiduciaries or complex data ecosystems should plan for 6–12 months. Organisations that delay past Q3 2026 will be scrambling — and reactive compliance is always more expensive than planned compliance. Book your free gap assessment today →
Our 5-Phase DPDP Act Compliance Process
A structured, outcome-driven programme — from understanding your current state to achieving full DPDP compliance. No guesswork, no generic templates.
MYITMANAGER’s DPDP Act compliance process follows five structured phases, designed to take organisations from zero to full compliance in 8–16 weeks. The process starts with a Gap Assessment & Risk Scoring (Weeks 1–2), moves through Data Mapping & RoPA (Weeks 2–4), Policy Design & Consent Framework (Weeks 4–8), Technical & Operational Implementation (Weeks 6–12), and concludes with Training, Audit & Ongoing Support (Weeks 12–16+). The key takeaway is: DPDP compliance is a programme, not a checklist — and a structured approach prevents costly rework and missed obligations.
Gap Assessment & Risk Scoring
We evaluate your current data practices against all DPDP Act 2023 and DPDP Rules 2025 requirements. You receive a prioritised risk register with a clear compliance score.
Data Mapping & RoPA
We map every personal data flow across your systems — collection, processing, storage, sharing, and deletion — to create your Record of Processing Activities (RoPA) as required under DPDP Rules 2025.
Policy Design & Consent Framework
We draft purpose-specific consent notices (English + Indian scheduled languages per DPDP Rules 2025), privacy policies, data retention schedules, and data processing agreements.
Technical & Operational Implementation
We guide your engineering and operations teams to implement Consent Manager integration (Rule 4, November 2026 deadline), breach detection and two-stage notification protocols, data principal rights workflows, and vendor controls.
Training, Audit & Ongoing Advisory
We train your staff, conduct a full compliance audit against the DPDP Act / Rules 2025 checklist, and provide ongoing retainer advisory to maintain compliance as DPBI guidance and SDF designations evolve.
You Get a Risk Score in 5 Business Days
Our free DPDP Gap Assessment gives your organisation a compliance risk score, identifies your top 3 exposure areas, and recommends an implementation roadmap — all within 5 business days of our first engagement. No obligation to proceed.
Our DPDP Act Compliance Consulting Services
End-to-end coverage — whether you need a rapid gap assessment or a fully managed compliance programme. Trusted by CISOs, DPOs, Legal Heads, and Founders across India.
MYITMANAGER’s DPDP Act compliance consulting services cover the full spectrum — from an initial free gap assessment (results in 5 business days) through data mapping, consent framework design, Consent Manager integration, breach response protocols, and DPO as a Service for Significant Data Fiduciaries. Each service is delivered by Saurabh Gupta (CISM, CIPP/E) with 20+ years of enterprise data protection experience. Unlike generic IT consultancies, MYITMANAGER has completed 50+ DPDP gap assessments and brings direct enterprise implementation experience — not just advisory.
DPDP Gap Assessment
A structured evaluation of your current data practices against DPDP Act and Rules 2025. Delivered in 5 business days.
- Current-state data inventory review
- Compliance gap identification
- Risk prioritisation matrix
- Remediation roadmap
Data Mapping & RoPA
Comprehensive personal data flow mapping across your systems, teams, and third-party processors.
- Data flow diagrams
- Record of Processing Activities (RoPA)
- Third-party data processor inventory
- Data retention schedule
Policy & Notice Design
DPDP-compliant consent notices, privacy policies, and data processing agreements — drafted and reviewed by experts.
- Purpose-specific consent notices
- Privacy policy (plain language)
- Data Processing Agreements (DPAs)
- Internal data governance policies
Consent Management Implementation
End-to-end implementation of consent capture, management, and withdrawal systems — ready for Rule 4 (November 2026 deadline).
- Consent Manager integration guidance
- Consent API design & review
- Consent withdrawal automation
- Consent audit trail setup
Breach Response Protocol
Design and test a breach notification and response programme that meets DPDP Board notification requirements — immediate initial report, followed by a detailed 72-hour follow-up.
- Breach detection procedures
- Two-stage Board notification workflow
- Affected individual communication templates
- Tabletop breach simulation
DPO as a Service
A qualified Data Protection Officer — on demand, without the cost of a full-time hire. Ideal for Significant Data Fiduciaries required to appoint an India-based DPO.
- India-based DPO representation
- DPBI interface and regulatory liaison
- Data Principal grievance handling
- Monthly compliance reporting
Significant Data Fiduciary Readiness
Enhanced compliance programme for organisations likely to be designated as SDFs — covering all additional obligations.
- SDF designation risk assessment
- Data Protection Impact Assessment (DPIA)
- Annual audit preparation
- Algorithmic fairness assessment support
Training & Awareness
Role-based training programmes for your board, management team, engineering, HR, and customer-facing staff.
- Board-level DPDP briefing
- Engineering team privacy-by-design workshop
- All-staff awareness module
- Annual refresher programme
Are You a Significant Data Fiduciary Under the DPDP Act?
If your organisation is designated as an SDF, you face enhanced compliance obligations — including a mandatory India-based DPO and annual DPIAs. Here’s what you need to know.
A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the Central Government of India under Section 10 of the DPDP Act 2023. SDFs face enhanced obligations beyond standard data fiduciary compliance requirements: they must appoint an India-based Data Protection Officer (DPO), conduct annual Data Protection Impact Assessments (DPIAs), undergo annual independent audits, and submit to algorithmic fairness assessments. Non-compliance with SDF obligations attracts penalties of up to ₹150 crore (Schedule, Item 4, DPDP Act 2023). In summary: if your organisation processes large volumes of sensitive personal data — health, financial, biometric, or location data — prepare for SDF-level compliance now, before designation forces your hand.
Under Section 10 of the DPDP Act, the Central Government may designate an organisation as a Significant Data Fiduciary (SDF) based on criteria including:
- Significant volume of personal data processed
- Processing data of a sensitive nature (health, financial, biometric, location data)
- Using data for decision-making that significantly impacts Data Principals
- Processing data in combination with other personal data previously held (creating rich profiles)
- Potential risk to national security, sovereignty, or electoral democracy from the data processing activity
Industries most likely to be designated as SDFs include: banks and NBFCs, health-tech platforms, insurance companies, major ecommerce platforms, telecom providers, social media companies, and fintech platforms handling payment or lending data at scale.
Additional Obligations for Significant Data Fiduciaries
Don’t Wait for SDF Designation — Prepare Now
The Government will notify SDF designations through a separate order. If your organisation processes large-scale, sensitive, or high-risk personal data, prepare for SDF-level compliance proactively. Organisations caught unprepared after designation face penalties of up to ₹150 crore for non-compliance with SDF obligations alone — on top of any breach or consent penalties.
DPDP Act vs GDPR — Key Differences for Indian Businesses
If your organisation already has GDPR compliance, you have a head start — but you are not automatically DPDP compliant. Here’s what changes.
The DPDP Act 2023 and GDPR both protect personal data, but differ significantly in scope, legal basis, and enforcement. The DPDP Act covers digital personal data only (GDPR covers all personal data), relies primarily on consent and legitimate use (GDPR has six lawful bases including legitimate interests), and imposes base maximum penalties of ₹250 crore per violation — extendable to ₹500 crore under Section 33 (GDPR penalties can reach €20M or 4% of global turnover). GDPR compliance gives organisations approximately 60–70% of DPDP compliance — the remaining gap lies in India-specific consent notice language requirements (22 scheduled languages), Consent Manager integration (Rule 4), and DPBI registration. The key takeaway is: GDPR-compliant organisations can achieve DPDP compliance faster, but a specific gap sprint of 4–6 weeks is still required.
| Dimension | DPDP Act 2023 (India) | GDPR (EU) |
|---|---|---|
| Scope of Data | Digital personal data only (offline data covered only if digitised) | All personal data — digital and non-digital |
| Legal Bases for Processing | Primarily consent and “legitimate use” (contractual necessity, legal obligation, etc.) — narrower range | 6 lawful bases including legitimate interests — broader flexibility |
| Data Minimisation | Less prescriptive — purpose limitation is the focus | Strict data minimisation principle required |
| Right to be Forgotten | Right to erasure exists but tied to withdrawal of consent or fulfilment of purpose | Broader right to erasure with multiple grounds |
| Breach Notification | Initial notification to the DPBI without delay; detailed follow-up within 72 hours; separate notification to affected Data Principals thereafter | 72 hours to notify supervisory authority; individuals only if high risk |
| Data Protection Officer | Mandatory for Significant Data Fiduciaries only; must be India-based | Mandatory for all controllers meeting certain thresholds |
| Maximum Penalty | Up to ₹250 crore per violation (Board may enhance up to 2× in serious cases) | Up to €20 million or 4% of global annual turnover — whichever is higher |
| Cross-Border Transfers | Allowed unless restricted by Government notification; SDF restrictions apply | Requires adequacy decision, SCCs, or BCRs |
| Children’s Data | Verifiable parental consent required; no tracking/profiling/targeted advertising of minors | Consent of parent/guardian required below age 16 (varies by EU member state) |
| Privacy Notices | Must be available in English or any of the 22 Indian scheduled languages (as required by the Data Principal); must be separate from T&Cs | Plain language requirement; language of the relevant member state |
GDPR Compliance Gives You ~60–70% of DPDP Compliance
If you are GDPR-compliant, your data mapping, privacy-by-design culture, and breach response procedures are already ahead of most Indian organisations. However, you will still need India-specific consent notice redesign (22 languages), Consent Manager integration (Rule 4), DPBI registration if required, and an SDF assessment. MYITMANAGER can run a targeted GDPR-to-DPDP gap sprint, typically completed in 4–6 weeks.
Why Choose MYITMANAGER for DPDP Act Compliance?
Not a freshly formed consultancy reading the Act for the first time. MYITMANAGER is led by Saurabh Gupta — ex-Bain India IT Head with CISM (ISACA) and CIPP/E (IAPP) certifications, 20+ years of enterprise data protection experience, and 20+ DPDP assessments completed.
MYITMANAGER is India’s expert DPDP Act compliance consulting firm, led by Saurabh Gupta — former IT Head at Bain & Company India, holder of the Certified Information Security Manager (CISM) certification issued by ISACA and the Certified Information Privacy Professional/Europe (CIPP/E) issued by the International Association of Privacy Professionals (IAPP). Saurabh brings 20+ years of enterprise IT and data protection experience, has led data protection and cybersecurity programmes for organisations including Zomato, Tata 1mg, Magicpin, Renewbuy, CargoFlash and Penguin International, and has personally completed 20+ DPDP gap assessments since the DPDP Act’s enactment. MYITMANAGER currently advises 100+ organisations across fintech, health-tech, ecommerce, SaaS, and NGO sectors on DPDP Act compliance, ISO 27001 certification, GDPR compliance, and cybersecurity.
🏆 Ex-Bain India IT Head — Practitioner, Not Just Advisor
Founded by Saurabh Gupta, former IT Head at Bain & Company India — who has built and run data protection programmes for global enterprises from the inside, not just advised on them. 20+ years of enterprise experience across IT strategy, cybersecurity, and data protection.
📜 CISM (ISACA) & CIPP/E (IAPP) Certified
Certified Information Security Manager (CISM, issued by ISACA) and Certified Information Privacy Professional/Europe (CIPP/E, issued by the International Association of Privacy Professionals). The gold standard certifications for information security and data privacy practitioners globally — held by fewer than 1% of IT professionals in India.
🌍 Multi-Framework Expertise — DPDP, GDPR, ISO 27001, SOC 2
We implement DPDP Act compliance alongside GDPR, ISO 27001, SOC 2, HIPAA, and CCPA — so multi-jurisdiction organisations get a unified, non-duplicative compliance programme with no rework.
⚡ Risk Score in 5 Business Days — Not 5 Weeks
No bloated teams, no junior associates reading frameworks for the first time. You get senior expert attention on every engagement — a compliance risk score in 5 business days, and a 16-week programme that delivers full DPDP compliance on time, with your deadline tracked throughout.
🏭 20+ DPDP Assessments – 100+ Organisations Served
Trusted by Zomato, Tata 1mg, Magicpin, Renewbuy, Nutrabay, CargoFlash, Penguin International, EnableX, CARPL.ai, and 100+ organisations — across fintech, health-tech, ecommerce, defence, and SaaS. 50+ DPDP gap assessments completed since the Act’s enactment.
🔄 Ongoing Advisory, Not One-Off Project
DPDP Act compliance is not a one-time project — it is an ongoing programme. We offer retainer-based advisory to keep you compliant as DPBI guidance evolves, SDF designations are notified, and new Rules are issued. Your DPDP consultant India for the long term.
Trusted By 100+ Organisations Across India
We engaged MYITMANAGER after realising our existing GDPR programme wasn’t enough for DPDP compliance. Saurabh’s team delivered our gap assessment in 4 business days, identified 11 critical gaps we hadn’t anticipated, and had us fully compliant within 14 weeks — well ahead of our internal deadline. The CISM and CIPP/E credentials meant they understood both the technical and legal sides of our data stack.
Get Your DPDP Compliance Risk Score in 5 Days
A no-obligation gap assessment that tells you exactly where you stand against the DPDP Act 2023 and DPDP Rules 2025 — and what to prioritise first. Led by Saurabh Gupta, CISM & CIPP/E, with 50+ DPDP assessments completed.
13 months to full compliance deadline · 50+ assessments completed · Trusted by Zomato, Tata 1mg, Magicpin
What Full DPDP Act Compliance Looks Like — The Complete Checklist
A reference checklist for Data Fiduciaries. Every item below is a legal obligation under the DPDP Act 2023 and DPDP Rules 2025. Download the full DPDP Compliance Checklist (free) →
Full DPDP Act compliance requires 12 core obligations for every Data Fiduciary in India:
- Purpose-specific consent notices in plain language (available in English and relevant Indian scheduled languages per DPDP Rules 2025, Rule 3)
- Free, informed, and specific consent without pre-ticked boxes
- Easy consent withdrawal mechanisms
- Defined data retention periods with automated deletion
- Reasonable security safeguards against unauthorised access and breach
- Two-stage breach notification to the Data Protection Board (initial report without delay, detailed follow-up within 72 hours)
- Fulfilment of Data Principal rights (access, correction, erasure, grievance redressal)
- Written data processing agreements with all third-party processors
- Verifiable parental consent for children’s data
- A published grievance officer
- Consent Manager integration by November 2026
- Ongoing staff training
In summary: DPDP compliance is not a single project — it requires structural, technical, and operational changes across your entire organisation.
DPDP Act Compliance — Frequently Asked Questions
Clear answers to the most common questions about DPDP Act compliance in India — including questions people ask ChatGPT, Perplexity, and Google about the DPDP Act.
Here are direct answers to the most common DPDP Act compliance questions from Indian CISOs, DPOs, Legal Heads, and Founders. For a personalised compliance assessment, book a free DPDP gap assessment with MYITMANAGER →
Phase 1 — November 13, 2025 (Already in force): Data Protection Board establishment and proceedings rules are operative. The DPBI is being constituted. Digital complaint filing has begun. If you haven’t started, you are already behind.
Phase 2 — November 13, 2026 (7 months from April 2026): Consent Manager integration becomes mandatory (Rule 4, DPDP Rules 2025). Every Data Fiduciary relying on consent must integrate with a registered Consent Manager. Building this infrastructure typically requires 3–6 months — organisations must start now.
Phase 3 — May 13, 2027 (13 months from April 2026), the hard full compliance deadline: All substantive obligations become enforceable — purpose-specific consent notices, breach notification protocols, data deletion automation, children’s data safeguards, Data Principal rights fulfilment, and all Significant Data Fiduciary obligations. Every organisation processing Indian personal data must be fully compliant.
In summary: There are two real deadlines — November 2026 for Consent Manager, and May 2027 for everything else. A well-run programme takes 8–16 weeks. Start today.
Ready to Achieve DPDP Act Compliance? 13 Months Left.
The May 2027 full compliance deadline is 13 months away. The Consent Manager deadline is 7 months away. Every month without a compliance programme is a month of avoidable risk.
Start with a free DPDP gap assessment from MYITMANAGER — led by Saurabh Gupta (CISM, CIPP/E, ex-Bain India IT Head). Understand your risk in 5 business days. No obligation to proceed.
Or email us at info@myitmanager.in | Response within 1 business day | Serving 100+ organisations across India & globally
Related: ISO 27001 Certification India | GDPR Compliance India | Cybersecurity Consulting India