Most Indian companies have DPDP compliance filed under "next year's problem." The date in everyone's calendar is 13 May 2027, the full-compliance deadline. But the enforcement machinery switches on earlier: the Data Protection Board gains its penalty powers on 13 November 2026, six months before that deadline.
The Digital Personal Data Protection Act, 2023 (DPDPA) is already law, and the DPDP Rules 2025 were notified on 13 November 2025. If your organisation processes digital personal data of anyone in India, this guide covers what applies to you, when each obligation bites, and what to fix first.
Who Does the DPDP Act Apply To?
The Act applies to any organisation processing digital personal data within India: data collected digitally, or collected on paper and later digitised. It also has extraterritorial reach. A company based outside India that offers goods or services to people in India and collects their data is covered, with no physical presence required.
"Processing" under the DPDP Act is defined broadly. It covers collection, storage, use, sharing, disclosure, and deletion: essentially anything you do with personal data in digital form.
Two narrow exemptions exist:
- Personal use: an individual maintaining a personal contact list is not covered.
- Publicly available data: data the individual voluntarily made public themselves (for example, on social media), or that someone else was legally required to make public.
Everyone else falls under the Act: startups, enterprises, government bodies, and foreign companies serving Indian users.
The Four Roles That Decide Your Obligations
- Data Fiduciary: your organisation, if it decides why and how personal data is processed. Most companies reading this are Data Fiduciaries.
- Data Principal: the individual whose data you process. Your customers, employees, and users.
- Data Processor: any third party processing data on your behalf, such as cloud providers, payroll vendors, or analytics platforms. You stay liable for what they do.
- Significant Data Fiduciary (SDF): a Data Fiduciary the Central Government specifically designates based on data volume, sensitivity, or risk. Designation adds a Data Protection Officer, an independent data auditor, and annual impact assessments.
Key Takeaway
If your company determines why and how personal data is processed, you are a Data Fiduciary, and the full set of obligations below applies to you directly. This is a legal classification, not a choice. The only question is whether you will also be designated Significant, which adds obligations on top.
The 8 Obligations, In the Order Auditors Check Them
1. Obtain Valid Consent
Before processing personal data, you need consent that is free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Pre-ticked boxes and silence do not count. In practice:
- Give a clear notice in plain language explaining what data you collect, why, and how it will be used
- Give the Data Principal the option to read the notice in English or any of the 22 languages in the Eighth Schedule of the Constitution
- Make withdrawing consent as easy as giving it
- Never bundle consent: each purpose needs its own consent
If you hold personal data collected before the Act came into force, you must issue the same notice to those Data Principals as soon as reasonably practicable.
2. Process Data Only for the Stated Purpose
Data collected for one purpose cannot be repurposed without fresh consent. Email addresses collected for order confirmations cannot be used for marketing. Once the stated purpose is served, you must delete the data, unless another law requires you to retain it.
3. Keep Data Accurate and Complete
When your processing decisions affect the Data Principal, or when you share data with another Data Fiduciary, you must make reasonable efforts to keep the data complete, accurate, and consistent.
4. Implement Reasonable Security Safeguards
Section 8(5) requires reasonable security safeguards to prevent breaches. The Act does not prescribe specific technologies; "reasonable" means appropriate to the nature and volume of data you handle.
This is the single most expensive obligation to fail. Inadequate security safeguards carry the Act's highest penalty: up to ₹250 crore. Budget accordingly.
5. Report Data Breaches
A breach must be notified to both the Data Protection Board and every affected Data Principal: an initial intimation without delay, and a detailed report to the Board within 72 hours. There is no harm threshold and no exemption for encrypted data. Our breach notification guide covers the timelines, including the separate 6-hour CERT-In clock that runs in parallel.
6. Honour Data Principal Rights
Data Principals hold four statutory rights:
- Access: a summary of their personal data and every Data Fiduciary and Data Processor it has been shared with
- Correction and erasure: fix inaccurate data; delete data no longer needed for the stated purpose
- Grievance redressal: a working complaints channel with a defined response time
- Nomination: naming someone to exercise their rights in case of death or incapacity
7. Manage Your Data Processors
You remain responsible for personal data handled by your processors. A valid contract must be in place, and their security safeguards are your problem too.
8. Handle Children's Data With Extra Care
For anyone under 18, you need verifiable parental consent before processing. Tracking, behavioural monitoring, and targeted advertising directed at children are banned outright, and no consent can buy you out of that ban.
EdTech and Children's Data
The under-18 threshold applies to school management systems, learning platforms, and any app a minor can actually sign up for. "Our product is for adults" is not a defence if a 16-year-old can complete your onboarding.
The Enforcement Timeline: Three Dates, Not One
The Act commences in three phases, set by gazette notifications dated 13 November 2025. The full timeline is in our DPDP Rules 2025 enforcement timeline chapter; here is the short version:
| Phase | Effective | What switches on |
|---|---|---|
| Phase 1 | 13 November 2025 | Data Protection Board established, all definitions in force |
| Phase 2 | 13 November 2026 | Board's enforcement and penalty machinery, Consent Manager registration |
| Phase 3 | 13 May 2027 | Core obligations (consent, notice, security, breach reporting), Data Principal rights, all operational rules. Full compliance required |
Key Takeaway
Read the table as a countdown, not a deferral. The regulator exists today, its penalty powers arrive 13 November 2026, and every obligation above is enforceable from 13 May 2027. The consent, security, and data-mapping work takes quarters to complete. Companies starting in early 2027 will be rebuilding their data architecture under live enforcement.
What Non-Compliance Costs
The Act's Schedule caps penalties per category of breach:
| Violation | Maximum penalty |
|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore |
| Failure to notify the Board and Data Principals of a breach | ₹200 crore |
| Breach of children's data obligations | ₹200 crore |
| Breach of Significant Data Fiduciary obligations | ₹150 crore |
| Any other breach of the Act or Rules | ₹50 crore |
| Data Principal filing a false complaint | ₹10,000 |
These are maximums. The Board sets the actual amount using the seven factors in Section 33(2), including the gravity of the breach, whether it is repeated, and what mitigation you took. The Central Government can also double any of these caps by notification. The full framework, including how penalties stack across categories, is in our DPDP penalties breakdown.
Beyond fines, two consequences matter for digital businesses:
- Blocking orders: penalised two or more times, and the Board can advise the Central Government to block public access to your platform in India. For a digital business, that is existential.
- Public orders: Board decisions are a matter of public record. A penalty is also a published finding that you failed to protect personal data.
When You Don't Need Consent: The Section 7 List
Section 7 defines certain legitimate uses where processing is lawful without consent:
- Voluntary provision: the individual provided the data themselves for a specific purpose and has not objected
- State functions: subsidies, benefits, services, licences, permits
- Court orders: compliance with a judgement or order
- Medical emergencies: threats to life or health
- Employment: processing necessary for employment purposes
- Public interest: sovereignty, security, prevention of offences
Section 7 is a closed list, and there is no GDPR-style "legitimate interests" ground. If your processing is not on this list, you need consent. Marketing, analytics, and cross-selling are not on this list. The legitimate uses chapter covers each ground's exact conditions.
Your DPDP Compliance Roadmap, In Priority Order
Start now
- Map your data. Every category of personal data you collect, why, where it lives, who it is shared with, and how long you keep it. Every other obligation depends on this map existing.
- Audit your consent flows against the statutory test: free, specific, informed, unconditional, unambiguous, affirmative action, withdrawable as easily as given.
- Rewrite your privacy notice in plain language: what you collect, why, who you share with, and how to exercise rights.
Next 3 to 6 months
- Close the security gap. Encryption, access controls, monitoring, incident response. The ₹250 crore maximum sits on this obligation; spend here first.
- Build the breach playbook before the breach. Who reports what, to whom, on which clock. Notification templates for the Board and for individuals, drafted in advance.
- Stand up grievance redressal. A dedicated channel and a defined response time.
Before 13 May 2027
- Upgrade processor contracts. Every third party touching personal data needs DPDP-grade contractual obligations.
- Deal with legacy data. Issue notices for data collected before the Act. If you cannot justify still holding it, delete it.
- Train the people who touch data. Customer-facing, HR, and IT teams first.
Not sure where your organisation stands?
Take the free 3-minute DPDP Readiness Assessment and get a personalised compliance score.
Check Your ReadinessThe Bottom Line
The DPDP Act is current law with a live regulator, not a future concern. It creates clear roles, clear obligations, and penalties up to ₹250 crore backed by service-blocking powers for repeat offenders.
The work is sequenced, not mysterious: map your data, fix consent, invest in security. Everything else builds on those three foundations, and all three take longer than the time most companies are budgeting.
Frequently Asked Questions
What is the deadline for DPDP Act compliance?+
Full compliance is required by 13 May 2027, when the core obligations and Data Principal rights come into force. The Data Protection Board's enforcement and penalty machinery activates earlier, on 13 November 2026, and the Board itself has existed since 13 November 2025.
Who does the DPDP Act apply to?+
Any organisation processing digital personal data within India, plus organisations outside India that offer goods or services to people in India. The only exemptions are purely personal use and data the individual made publicly available themselves.
Does the DPDP Act apply to small businesses and startups?+
Yes. There is no turnover or headcount threshold for the core obligations. Penalty maximums are also fixed amounts rather than revenue-linked, so the ₹250 crore security-safeguards cap applies to a startup and a multinational alike.
What are the main obligations under the DPDP Act?+
Valid consent with plain-language notice, purpose limitation and erasure, data accuracy, reasonable security safeguards, breach notification to the Board and affected individuals, honouring Data Principal rights, processor contracts, and verifiable parental consent for anyone under 18.
What is the penalty for not complying with the DPDP Act?+
Up to ₹250 crore for failing to implement reasonable security safeguards, the highest cap in the Act. Other categories range from ₹50 crore to ₹200 crore, the government can double any cap by notification, and organisations penalised twice or more risk having public access to their services blocked in India.
Is consent always required to process personal data?+
No. Section 7 lists specific legitimate uses where consent is not needed, including voluntary provision by the individual, certain State functions, court orders, medical emergencies, and employment purposes. The list is closed: anything not on it, including marketing and analytics, requires consent.
For a complete section-by-section breakdown of the Act and Rules, see our DPDP Act 2023 complete guide.
Legal Disclaimer: This article is for informational purposes only and does not constitute legal advice. Laws and regulations may change; for advice specific to your organisation's situation, consult a qualified legal professional. While every effort has been made to ensure accuracy, Vratex makes no representations as to the completeness or currency of the information contained herein.
Not sure where your organisation stands?
Take the free 3-minute DPDP Readiness Assessment and get a personalised compliance score with actionable next steps.
Check Your DPDP Readiness