Products
dpdp act

DPDP Act Compliance in India: A Complete Guide (2026)

June 29, 2026 6 min read 125 views
SUMMARIZE WITH:
dpdp-act-compliance-services

What Is DPDP Act?

The Digital Personal Data Protection Act 2023 (DPDP Act) is India’s first dedicated data privacy law, enacted on August 11, 2023. It sets binding rules on how businesses collect, use, store, and delete digital personal data of Indian residents, whether the business is based in India or abroad. The DPDP Rules 2025, notified by MeitY on November 13, 2025, made it fully operational with phased deadlines running through May 2027.

Table of Contents

Before the DPDP Act, India had no standalone privacy law businesses operated under fragmented IT Act provisions and sector-specific RBI/SEBI/IRDAI guidelines. This law changes that entirely. Every digital touchpoint your business has with an Indian user a login form, a purchase, a support ticket now comes with legal obligations attached.

Which Businesses Must Follow the DPDP Act?

Any organisation, startup, SME, MNC, NGO, or government body that digitally processes personal data of Indian residents must comply. There is no minimum turnover threshold, no employee count exemption, and no SME carve-out anywhere in the Act. If you collect a customer’s name, phone number, or email address through a digital channel, you are a Data Fiduciary under this law.

Foreign companies are equally covered. A US-based SaaS company with Indian users, a UK e-commerce brand shipping to India, or a Singapore fintech onboarding Indian customers all fall under Section 3 of the DPDP Act. The law applies based on where the data belongs, not where your servers or offices sit.

Important Terms Under the DPDP Act:

Understanding DPDP compliance starts with getting the terminology right. These four definitions run through every obligation in the Act.

Data Principal: An individual whose personal data you hold. This includes your customers, app users, website visitors, employees, and job applicants. They have legally enforceable rights over their own data under the Act.

Data Fiduciary: An organisation decide why personal data is collected and how it is processed, which makes you the accountable party under DPDP. If something goes wrong, the DPBI comes to you first.

Data Processor: A third party that processes personal data on your behalf, such as cloud hosting providers, payroll software, CRM platforms, analytics tools, and email service providers.

Significant Data Fiduciary (SDF): A Data Fiduciary designated by the Central Government under Section 10 due to the volume, sensitivity, or systemic risk of its data processing.

DPDP Compliance Deadlines 2026–2027

MeitY structured compliance in three phases. The first has already passed if you haven’t started, you are behind.

DeadlineWhat’s Required
November 13, 2025DPBI constituted, digital complaint filing live already active.
November 13, 2026Consent Manager API integration mandatory under Rule 4.
May 13, 2027Full compliance: consent, breach notification, security, rights,
deletion.

DPDP Act Penalty Structure

Penalties under the DPDP Act are per violation, not annual caps. Every unresolved obligation is a separate count. A single data breach could simultaneously trigger three different penalty rows in the table below.

ViolationMaximum Penalty
Inadequate security safeguards leading to a breach₹250 Crore
Failing to notify DPBI of a data breach₹200 Crore
Children’s data obligations violated₹200 Crore
SDF non-compliance with additional obligations₹150 Crore
Failing to honour Data Principal rights₹50 Crore
Any other provision of the Act or Rules₹50 Crore

Section 33 allows DPBI to impose twice the usual fine in case of serious or repeat offences that will result in an increase of the maximum fine to Rs. 500 crores for every violation. There are six considerations that are considered by the DPBI before imposing the fine, and those include the seriousness of the offence, the kind of data, whether there is financial gain from noncompliance, among others.

DPDP Act Compliance Requirements:

1. Consent Notices

Consent must be purpose-specific, freely given, and collected separately from your Terms & Conditions. The notice must clearly explain what data is collected and how the Data Principal can withdraw consent.

Pre-ticked checkboxes, consent buried in onboarding flows, and blanket “by using this service you agree” language are all non-compliant. Each processing purpose needs its own consent a user agreeing to account creation is not automatically agreeing to marketing emails.

2. Consent Withdrawal

Withdrawing consent must be as easy as giving it: a visible toggle, a clear button, a one-step process. You cannot route withdrawal through a support ticket, a 7-day form review, or a phone call. Once withdrawn, processing for that purpose must stop without undue delay, and the data tied to that purpose must be deleted.

3. Data Retention and Deletion

Personal data must be deleted once the purpose for which it was collected is fulfilled. There is no default right to store data indefinitely “just in case.” Processing logs and access records must be retained for a minimum of one year to support incident investigation and DPBI audits.

4. Security Safeguards

Rule 6 sets specific technical baselines that the DPBI will assess against. Encrypt personal data at rest using AES-256 and in transit using TLS 1.2 or higher. Enforce multi-factor authentication on all privileged accounts and remote access connections no exceptions. Segment personal data systems from your general IT network so a breach in one zone doesn’t automatically expose the other.

5. Breach Notification

Stage 1: Notify the DPBI without delay as soon as you detect a breach, report the nature, scope, timing, and likely impact.

Stage 2: Within 72 hours, submit a detailed follow-up covering root cause, affected individuals, mitigation taken, and recurrence prevention.

Stage 3: CERT-In’s 6-hour reporting requirement runs in parallel. A ransomware attack or data breach is the same incident, but CERT-In wants it in 6 hours, and DPBI wants it without delay with a 72-hour detailed report.

6. Data Principal Rights

Develop workflows for five rights, which include the right to access personal data you store; the right to rectification of incomplete or inaccurate data; the right to erasure of data after serving its purpose; the right to name another person as a representative in exercising the above rights; and the right to lodge a complaint to your grievance officer. The response times need to be set and adhered to.

7. Grievance Officer

Each Data Fiduciary, irrespective of its size, has to appoint an individual as the Grievance Officer whose contact information has to be posted prominently on the website and the mobile application. He handles all complaints made by Data Principals and serves as the first point of contact for any queries raised by the DPBI.

8. Data Processing Agreements (DPAs)

Every third-party vendor that touches your personal data cloud providers, payroll platforms, CRM tools, analytics services, email marketing tools must have a signed Data Processing Agreement in place.

9. Children’s Data

You must obtain verifiable parental consent before processing their data. A checkbox asking the user to confirm their age does not satisfy this verification must be genuine. Behavioral tracking, profiling, and targeted advertising directed at minors are prohibited outright, regardless of parental consent.

DPDP vs GDPR: Exactly Where the Gaps Are

If your organisation already has a GDPR compliance programme, you are roughly 60–70% of the way to DPDP compliance. The data mapping, privacy-by-design practices, DPA frameworks, and breach response protocols all transfer. But GDPR compliance does not equal DPDP compliance.

FactorDPDP Act 2023GDPR
Data coveredDigital personal data onlyAll personal data, including paper
Lawful basesPrimarily consent + defined legitimate uses6 bases including legitimate interests
Language requirement22 Indian scheduled languages on request.Member state language only.
Consent ManagerMandatory API integration by November 2026No equivalent mechanism
Penalty modelFixed ₹ ceiling per violation% of global annual turnover

DPDP Compliance Checklist 2026

Use this to track status across both live deadlines.

By November 13, 2026 — Consent Manager Deadline

1. Map every system, team, and vendor that holds personal data.

2. Personal data inventory complete: all systems, teams, and vendors mapped.

3. Consent notices redesigned purpose-specific, plain language, 22-language ready

4. Separate consent capture for each processing purpose with timestamped audit trail

5. Consent withdrawal mechanism built and live, one-step, user-facing.

6. Consent Manager API integration built, tested, and connected to a DPBI-registered Consent Manager

7. Grievance Officer designated and contact details published on website and app

By May 13, 2027 — Full Compliance Deadline

1. Data Processing Agreements signed with all third-party vendors.

2. Encryption active at rest (AES-256) and in transit (TLS 1.2+) across all personal data stores.

3. MFA enforced on all privileged accounts and remote access zero exceptions.

4. Network segmentation between personal data systems and general IT estate.

5. SIEM deployed with one-year log retention and data exfiltration alert rules.

6. Two-stage breach response playbook documented, tested, covering both DPBI and CERT-In.

7. Data Principal rights workflows built in product, HR, and CRM functional, not just policy.

8. Data retention schedules defined; automated deletion active once purpose is fulfilled.

9. All staff handling personal data trained on their DPDP obligations.

10. Children’s data flow with verifiable parental consent built (if applicable).

For Significant Data Fiduciaries — Before Designation Arrives

1. India-based DPO identified, appointed, and reporting to the Board of Directors.

2. First DPIA designed, completed, and ready to submit to DPBI.

3. Independent annual audit process established with a qualified external firm.

4. Algorithmic fairness assessment framework built for all automated decision-making systems.

5. Cloud data residency controls assessed and ready for Section 16 notification.

How Long Does DPDP Compliance Take?

For most standard organisations, a properly scoped DPDP compliance programme runs 8 to 16 weeks. This covers the full gap assessment, personal data inventory, consent framework redesign, breach response playbook, Data Principal rights workflow implementation, DPA updates with all vendors, and staff training.

Significant Data Fiduciaries, or any organisation with a complex multi-system data environment, should plan 6 to 12 months. Hiring and onboarding an India-based DPO, building the annual DPIA process, scoping and running the first independent audit, and developing a Consent Manager API integration all require real lead time that can’t be compressed.

Conclusion:

Star Systems helps Indian businesses achieve full DPDP Act Compliance Services from initial gap assessment and data mapping to consent framework design, breach playbook, vendor DPAs, and ongoing compliance monitoring. Whether you are a startup starting from scratch or an enterprise closing GDPR gaps for India, we cover the full compliance journey end-to-end.

BLOG

Need Expert Guidance for your Next Projects?

Latest Blogs

Hybrid Cloud for AI: Combining On-Premises Infrastructure with Cloud AI Platforms
cloud Home › Blogs › combining hybrid cloud and on premises infrastructure Hybrid Cloud for AI: Combining On Premises Infrastructure...
Outsource Mobile App Development in 2026: Business Guide
app development Home › Blogs › Outsource Mobile App Development: Complete Guide How to Outsource Mobile App Development in 2026:...
Enterprise Business Intelligence: Guide for CIOs, CTOs, and IT Leaders
Business Intelligence Home › Blogs › Enterprise Business Intelligence Guide Enterprise Business Intelligence: Guide for CIOs, CTOs, and IT Leaders...
top