The Digital Personal Data Protection Act 2023 (DPDP Act) is India’s first dedicated data privacy law, enacted on August 11, 2023. It sets binding rules on how businesses collect, use, store, and delete digital personal data of Indian residents, whether the business is based in India or abroad. The DPDP Rules 2025, notified by MeitY on November 13, 2025, made it fully operational with phased deadlines running through May 2027.
Before the DPDP Act, India had no standalone privacy law businesses operated under fragmented IT Act provisions and sector-specific RBI/SEBI/IRDAI guidelines. This law changes that entirely. Every digital touchpoint your business has with an Indian user a login form, a purchase, a support ticket now comes with legal obligations attached.
Any organisation, startup, SME, MNC, NGO, or government body that digitally processes personal data of Indian residents must comply. There is no minimum turnover threshold, no employee count exemption, and no SME carve-out anywhere in the Act. If you collect a customer’s name, phone number, or email address through a digital channel, you are a Data Fiduciary under this law.
Foreign companies are equally covered. A US-based SaaS company with Indian users, a UK e-commerce brand shipping to India, or a Singapore fintech onboarding Indian customers all fall under Section 3 of the DPDP Act. The law applies based on where the data belongs, not where your servers or offices sit.
Understanding DPDP compliance starts with getting the terminology right. These four definitions run through every obligation in the Act.
Data Principal: An individual whose personal data you hold. This includes your customers, app users, website visitors, employees, and job applicants. They have legally enforceable rights over their own data under the Act.
Data Fiduciary: An organisation decide why personal data is collected and how it is processed, which makes you the accountable party under DPDP. If something goes wrong, the DPBI comes to you first.
Data Processor: A third party that processes personal data on your behalf, such as cloud hosting providers, payroll software, CRM platforms, analytics tools, and email service providers.
Significant Data Fiduciary (SDF): A Data Fiduciary designated by the Central Government under Section 10 due to the volume, sensitivity, or systemic risk of its data processing.
MeitY structured compliance in three phases. The first has already passed if you haven’t started, you are behind.
| Deadline | What’s Required |
|---|---|
| November 13, 2025 | DPBI constituted, digital complaint filing live already active. |
| November 13, 2026 | Consent Manager API integration mandatory under Rule 4. |
| May 13, 2027 | Full compliance: consent, breach notification, security, rights, deletion. |
Penalties under the DPDP Act are per violation, not annual caps. Every unresolved obligation is a separate count. A single data breach could simultaneously trigger three different penalty rows in the table below.
| Violation | Maximum Penalty |
|---|---|
| Inadequate security safeguards leading to a breach | ₹250 Crore |
| Failing to notify DPBI of a data breach | ₹200 Crore |
| Children’s data obligations violated | ₹200 Crore |
| SDF non-compliance with additional obligations | ₹150 Crore |
| Failing to honour Data Principal rights | ₹50 Crore |
| Any other provision of the Act or Rules | ₹50 Crore |
Section 33 allows DPBI to impose twice the usual fine in case of serious or repeat offences that will result in an increase of the maximum fine to Rs. 500 crores for every violation. There are six considerations that are considered by the DPBI before imposing the fine, and those include the seriousness of the offence, the kind of data, whether there is financial gain from noncompliance, among others.
Consent must be purpose-specific, freely given, and collected separately from your Terms & Conditions. The notice must clearly explain what data is collected and how the Data Principal can withdraw consent.
Pre-ticked checkboxes, consent buried in onboarding flows, and blanket “by using this service you agree” language are all non-compliant. Each processing purpose needs its own consent a user agreeing to account creation is not automatically agreeing to marketing emails.
Withdrawing consent must be as easy as giving it: a visible toggle, a clear button, a one-step process. You cannot route withdrawal through a support ticket, a 7-day form review, or a phone call. Once withdrawn, processing for that purpose must stop without undue delay, and the data tied to that purpose must be deleted.
Personal data must be deleted once the purpose for which it was collected is fulfilled. There is no default right to store data indefinitely “just in case.” Processing logs and access records must be retained for a minimum of one year to support incident investigation and DPBI audits.
Rule 6 sets specific technical baselines that the DPBI will assess against. Encrypt personal data at rest using AES-256 and in transit using TLS 1.2 or higher. Enforce multi-factor authentication on all privileged accounts and remote access connections no exceptions. Segment personal data systems from your general IT network so a breach in one zone doesn’t automatically expose the other.
Stage 1: Notify the DPBI without delay as soon as you detect a breach, report the nature, scope, timing, and likely impact.
Stage 2: Within 72 hours, submit a detailed follow-up covering root cause, affected individuals, mitigation taken, and recurrence prevention.
Stage 3: CERT-In’s 6-hour reporting requirement runs in parallel. A ransomware attack or data breach is the same incident, but CERT-In wants it in 6 hours, and DPBI wants it without delay with a 72-hour detailed report.
Develop workflows for five rights, which include the right to access personal data you store; the right to rectification of incomplete or inaccurate data; the right to erasure of data after serving its purpose; the right to name another person as a representative in exercising the above rights; and the right to lodge a complaint to your grievance officer. The response times need to be set and adhered to.
Each Data Fiduciary, irrespective of its size, has to appoint an individual as the Grievance Officer whose contact information has to be posted prominently on the website and the mobile application. He handles all complaints made by Data Principals and serves as the first point of contact for any queries raised by the DPBI.
Every third-party vendor that touches your personal data cloud providers, payroll platforms, CRM tools, analytics services, email marketing tools must have a signed Data Processing Agreement in place.
You must obtain verifiable parental consent before processing their data. A checkbox asking the user to confirm their age does not satisfy this verification must be genuine. Behavioral tracking, profiling, and targeted advertising directed at minors are prohibited outright, regardless of parental consent.
If your organisation already has a GDPR compliance programme, you are roughly 60–70% of the way to DPDP compliance. The data mapping, privacy-by-design practices, DPA frameworks, and breach response protocols all transfer. But GDPR compliance does not equal DPDP compliance.
| Factor | DPDP Act 2023 | GDPR |
|---|---|---|
| Data covered | Digital personal data only | All personal data, including paper |
| Lawful bases | Primarily consent + defined legitimate uses | 6 bases including legitimate interests |
| Language requirement | 22 Indian scheduled languages on request. | Member state language only. |
| Consent Manager | Mandatory API integration by November 2026 | No equivalent mechanism |
| Penalty model | Fixed ₹ ceiling per violation | % of global annual turnover |
Use this to track status across both live deadlines.
By November 13, 2026 — Consent Manager Deadline
1. Map every system, team, and vendor that holds personal data.
2. Personal data inventory complete: all systems, teams, and vendors mapped.
3. Consent notices redesigned purpose-specific, plain language, 22-language ready
4. Separate consent capture for each processing purpose with timestamped audit trail
5. Consent withdrawal mechanism built and live, one-step, user-facing.
6. Consent Manager API integration built, tested, and connected to a DPBI-registered Consent Manager
7. Grievance Officer designated and contact details published on website and app
By May 13, 2027 — Full Compliance Deadline
1. Data Processing Agreements signed with all third-party vendors.
2. Encryption active at rest (AES-256) and in transit (TLS 1.2+) across all personal data stores.
3. MFA enforced on all privileged accounts and remote access zero exceptions.
4. Network segmentation between personal data systems and general IT estate.
5. SIEM deployed with one-year log retention and data exfiltration alert rules.
6. Two-stage breach response playbook documented, tested, covering both DPBI and CERT-In.
7. Data Principal rights workflows built in product, HR, and CRM functional, not just policy.
8. Data retention schedules defined; automated deletion active once purpose is fulfilled.
9. All staff handling personal data trained on their DPDP obligations.
10. Children’s data flow with verifiable parental consent built (if applicable).
For Significant Data Fiduciaries — Before Designation Arrives
1. India-based DPO identified, appointed, and reporting to the Board of Directors.
2. First DPIA designed, completed, and ready to submit to DPBI.
3. Independent annual audit process established with a qualified external firm.
4. Algorithmic fairness assessment framework built for all automated decision-making systems.
5. Cloud data residency controls assessed and ready for Section 16 notification.
For most standard organisations, a properly scoped DPDP compliance programme runs 8 to 16 weeks. This covers the full gap assessment, personal data inventory, consent framework redesign, breach response playbook, Data Principal rights workflow implementation, DPA updates with all vendors, and staff training.
Significant Data Fiduciaries, or any organisation with a complex multi-system data environment, should plan 6 to 12 months. Hiring and onboarding an India-based DPO, building the annual DPIA process, scoping and running the first independent audit, and developing a Consent Manager API integration all require real lead time that can’t be compressed.
Star Systems helps Indian businesses achieve full DPDP Act Compliance Services from initial gap assessment and data mapping to consent framework design, breach playbook, vendor DPAs, and ongoing compliance monitoring. Whether you are a startup starting from scratch or an enterprise closing GDPR gaps for India, we cover the full compliance journey end-to-end.