DPDP Act Implementation · India

DPDP Act Compliance in India

End-to-end implementation until your business is compliant with the DPDP Act. Your team stays focused on the business; we handle everything related to security compliance.

The Digital Personal Data Protection Act is here. Starting 2026-27, obligations apply and fines up to ₹250Cr are prescribed for significant data breaches. We implement a DPDP compliance programme for your business end-to-end, including consent mechanisms, data principal rights, security safeguards, and breach notifications.

  • ₹250 Cr: significant personal data breaches
  • ₹200 Cr: violations of data principal rights (access, correction, erasure)
  • ₹10–50 Cr: failure to implement adequate security safeguards, and other violations

There is still some time left to prepare.

The Act applies to every Indian business processing personal data. Here is what that means in practice.

Every Indian Business Is Covered

The DPDP Act applies to any business that collects, stores, or processes personal data of Indian residents, regardless of company size, sector, or whether you consider yourself a "non-personal data company". If you collect customer names, email addresses, phone numbers, or any other data point that identifies a person, the Act applies to you. There is no MSME exemption in the enforcement framework.

Enterprise Contracts Now Require It

Large enterprises, banks, and regulated industry clients are updating their vendor questionnaires to include DPDP Act compliance as a qualification criterion. For B2B businesses whose client lists include large Indian enterprises, government entities, or regulated sector clients, DPDP documentation is becoming a contract prerequisite alongside ISO 27001. Failing a vendor questionnaire on this point blocks deals that would otherwise have closed.

Data Processors Face Direct Obligations

If your business processes personal data on behalf of another company - as a SaaS platform, BPO, IT services provider, or managed services firm - you are a data processor under the Act, and you carry direct compliance obligations. Your clients are increasingly requesting evidence of DPDP compliance before sharing their customer data with you because a breach on your side is their fine exposure.

A Breach Without Compliance Is Catastrophic

A business without a DPDP compliance programme faces the maximum potential fine exposure when breaches occur. A business with documented policies, implemented controls, and a functioning breach notification process demonstrates good faith and significantly reduces regulatory exposure.

Businesses with mandatory compliance exposure

  • SaaS and Software
  • Fintech and Payments
  • IT Services and BPO
  • Healthcare and MedTech
  • E-commerce
  • HR Technology
  • EdTech
  • Manufacturing Exporters
  • Financial Services
  • Professional Services

What DPDP Act compliance actually means for your business

Eight obligations every data fiduciary must fulfil

(this is a bit technical)

01 Lawful Basis for Processing

Every collection of personal data must have a defined lawful basis, typically consent or a legitimate use. Consent must be specific, informed, and freely given; bundled or pre-ticked consent is not valid. This means auditing every data collection point in your product and operations.

02 Consent Notice

Before collecting personal data, you must give the data principal a clear notice in plain language explaining what data is being collected, the purpose, how they can exercise their rights, and how to withdraw consent. This applies at every data collection point: web forms, mobile apps, sales calls, and offline channels.

03 Data Principal Rights Fulfilment

Every individual whose data you hold has the right to access their data, correct it, erase it, and withdraw consent. You must have functioning processes to respond to these requests within the prescribed timeframes. This is an operational system that must be built and tested.

04 Purpose Limitation

Personal data collected for one purpose cannot be used for another. This requires documenting exactly what data is collected and for what purpose, and ensuring it is not repurposed without fresh consent. Most businesses discover multiple purpose-limitation violations during a gap assessment.

05 Data Minimisation

You may only collect personal data that is necessary for the stated purpose. If your current data collection practices gather more information than required, the excess collection itself becomes a compliance gap. This frequently requires changes to product, onboarding, and CRM workflows.

06 Reasonable Security Safeguards

The Act requires "reasonable security safeguards" to protect personal data. The standard is not defined as a specific technical control; the Data Protection Board will assess whether your safeguards were appropriate to the risk level. Businesses with ISO 27001 or SOC 2 have documented, independently audited safeguards, which makes a very strong case for reasonable security.

07 Breach Notification

Any breach of personal data must be notified to the Data Protection Board and to affected data principals. The notification must happen without undue delay and must contain the prescribed information. This requires having an incident response process in place before a breach occurs, not after.

08 Data Retention and Erasure

Personal data must not be retained beyond the purpose for which it was collected. Once the purpose is fulfilled and there is no legal requirement to retain it, the data must be erased. This requires a documented data retention policy and a functioning data deletion process.

Are you a Significant Data Fiduciary?

The Central Government designates certain businesses as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed. Businesses in fintech, healthcare, large-scale B2C platforms, and any company processing sensitive personal data at scale should prepare for this designation regardless of whether they have been notified, since the government has the authority to designate retroactively. SDFs carry the following additional obligations:

  • Mandatory Data Protection Officer appointment
  • Annual independent data audit
  • Data Protection Impact Assessment for high-risk processing
  • Additional data localisation requirements where prescribed
  • Heightened consent management standards
  • Enhanced breach reporting timelines

From first assessment to a functioning compliance programme

Phase 1: Data Mapping and Gap Assessment

We map every data collection point, identify all personal data being processed, document the lawful basis for each, and produce a gap assessment against the full set of obligations under the Act. We exit this phase with an accurate picture of your current exposure.

Phase 2: Privacy Policy and Consent Framework

We write your privacy notice in the plain language required by the Act, design your consent mechanism, and document your processing activities register. Every clause is specific to your business and your data obligations under the Act.

Phase 3: Rights Fulfilment Implementation

We build the operational processes for responding to data principal requests - access, correction, erasure, and withdrawal. This includes the workflow, the response templates, the escalation process, and the documentation trail.

Phase 4: Security Safeguards and Breach Procedures

We implement or document the reasonable security safeguards required by the Act and build your breach identification and notification procedure.

Phase 5: Ongoing Monitoring and Board Readiness

Compliance is not a project with an end date. We monitor for regulatory updates, maintain your documentation as the Act evolves, and keep your programme current.

Unlike ISO 27001 or SOC 2, DPDP compliance does not end with a certificate from an independent body; it is a continuous operational state.

DPDP compliance plans for your business

  • Starter: DPDP and one of ISO 27001, SOC 2 Type 1, or SOC 2 Type 2
  • Leader: DPDP + ISO 27001 + SOC 2 Type 1 (upgradeable to SOC 2 Type 2)
  • Elite: all services + all add-ons, fully managed

Note: No certificate is issued for DPDP compliance. Standard procedure is to review operational compliance, document evidence of fulfilment, and assess maintenance programs.

  • Big Four: ₹1Cr+ annual minimum; reports only; no implementation; no guarantee
  • This programme: cost-optimized, end-to-end implementation


We build a functioning compliance programme

  • Complete data mapping across all your systems, products, and operations
  • Privacy notice and consent mechanism written to the Act's plain language requirement
  • Records of Processing Activities (ROPA) documentation
  • Operational rights fulfilment process - access, correction, erasure, grievance
  • Data retention schedule and deletion procedures
  • Breach identification, internal escalation, and Board notification procedure
  • Vendor and data processor agreements aligned to the Act
  • Employee data handling training and awareness session each month
  • Ongoing regulatory monitoring and programme maintenance as the Act evolves

What other firms deliver

Generic privacy policy templates dumped into your data drives, a readiness report that lists your gaps without fixing them, a consultant who disappears after the document is delivered, and a privacy policy on your website that has no operational process behind it.

If the Data Protection Board sends a notice, a policy document is not going to cut it. You need a process and operational evidence.

DPDP and ISO 27001 work together

The "reasonable security safeguards" obligation in the DPDP Act can be demonstrated by an ISO 27001 certification from an independent body. Our Leader plan combines ISO 27001, DPDP, and SOC 2 into a single integrated programme. You don't need to implement three separate systems, just one comprehensive security and privacy programme.


When clients ask if you're DPDP Act compliant, you'll be ready.

Start with the free 15-minute gap analysis. Receive your readiness report by email and we can take it from there.
