The Complete Guide to India's DPDP Act 2023: Everything Enterprises Need to Know Before May 2027
Risk & Compliance

April 2026 | 24 min read
Tags: DPDP Act, compliance, checklist, 2026

India's Digital Personal Data Protection Act, 2023 isn't just another compliance checkbox; it is the most significant regulatory shift for Indian enterprises since GST. With penalties of up to ₹250 crore per instance and the final compliance deadline of May 13, 2027 approaching fast, most organizations are dangerously underprepared. The DPDP Rules notified in November 2025 have turned what seemed theoretical into hard legal obligations that will reshape how every Indian enterprise handles personal data.

Why May 2027 Changes Everything for Indian Enterprises

The DPDP Act represents India's first comprehensive data protection law, moving from a compliance vacuum to strict legal enforcement. Unlike sector-specific guidelines from RBI or SEBI, DPDP applies universally from neighborhood clinics maintaining patient records to global banks processing millions of transactions.

The timing is deliberate. The phased implementation gives enterprises breathing room, but the May 2027 deadline is non-negotiable. The Data Protection Board of India (DPBI) will have full enforcement powers, with a penalty framework that dwarfs most regulatory fines. A single data breach could trigger a penalty of up to ₹250 crore, more than most companies' annual compliance budgets.

What makes DPDP particularly challenging is its departure from familiar compliance models. Unlike GDPR's principle-based approach or India's existing sectoral regulations, DPDP combines strict consent requirements with significant operational flexibility. Organizations that treat this as a legal exercise will fail. Those that recognize it as a fundamental business transformation will thrive.

The real shift isn't just legal; it's operational. DPDP forces enterprises to question every data touchpoint, from customer onboarding to employee records to vendor relationships. Organizations that get this right will have a competitive advantage in India's digital economy. — Sunil Kumar Gupta, Chairman, SARC

DPDP Act Timeline: From Law to Enforcement

The DPDP Act's phased implementation follows a carefully structured timeline that enterprises must track closely:

Phase   | Date              | What Happens                                     | Enterprise Impact
Phase 1 | August 11, 2023   | DPDP Act receives Presidential assent            | Planning and preparation begins
Phase 2 | November 13, 2025 | DPDP Rules notified by MeitY; DPBI established   | Legal framework becomes operational
Phase 3 | November 13, 2026 | Consent Manager framework goes live              | Consent architecture must be DPDP-compliant
Phase 4 | May 13, 2027      | All substantive provisions effective             | Full compliance required; enforcement begins

Phase 1 (2023-2025): The preparation window. Smart organizations used this period for data discovery, gap analysis, and system design. Those who waited are now in catch-up mode.

Phase 2 (November 2025): The DPDP Rules provide operational clarity. The Data Protection Board gains legal standing and begins registration processes for Consent Managers and auditors. Organizations can no longer claim regulatory uncertainty.

Phase 3 (November 2026): The Consent Manager ecosystem launches. Any organization relying on consent must integrate with registered Consent Managers or build compliant consent infrastructure. This is the last checkpoint before full enforcement.

Phase 4 (May 2027): The enforcement cliff. All DPDP obligations become legally binding. The DPBI can investigate, issue directions, and impose penalties. Non-compliance shifts from regulatory risk to business-critical threat.

The gap most organizations miss is treating these as discrete phases rather than a continuous compliance journey. By May 2027, you need fully operational systems, trained staff, documented processes, and proven incident response capabilities.

Who Must Comply: Understanding DPDP's Scope

Data Fiduciary: The Primary Obligated Entity

A Data Fiduciary is any person who determines the purpose and means of processing personal data. This isn't limited to technology companies or large corporations. Examples include:

  • HDFC Bank collecting customer KYC data for account opening (determines why and how to process)
  • Apollo Hospitals maintaining patient records for treatment and billing
  • Infosys processing employee payroll and performance data
  • A neighborhood clinic storing patient appointment and medical history data
  • An e-commerce startup collecting customer shipping addresses and payment information

The key test isn't organizational size or sector — it's control over data processing decisions.

Data Processor: The Service Provider

A Data Processor processes personal data on behalf of a Data Fiduciary. The relationship is contractual, with specific obligations:

  • Amazon Web Services hosting bank customer data (processes but doesn't determine purpose)
  • A BPO company handling customer service calls for a telecom operator
  • Razorpay processing payment transactions for e-commerce companies
  • A payroll outsourcing company managing salary processing for multiple clients

Processors have fewer direct obligations but must comply with Fiduciary instructions and maintain security safeguards.

Significant Data Fiduciary: Enhanced Obligations

The Central Government will designate certain Data Fiduciaries as "Significant" based on:

  • Volume of personal data processed
  • Sensitivity of data
  • Risk to rights and freedoms of Data Principals
  • Potential impact on sovereignty and integrity of India

Likely candidates include:

  • Large banks (SBI, ICICI, HDFC processing millions of accounts)
  • Telecom operators (Jio, Airtel with subscriber data)
  • Major e-commerce platforms (Amazon India, Flipkart)
  • Social media platforms with Indian users
  • Government entities processing citizen data at scale

SDFs face additional obligations:

  • Appoint a Data Protection Officer (DPO) based in India
  • Conduct Data Protection Impact Assessments (DPIAs)
  • Undergo independent data audits
  • Potentially comply with data localization requirements

Consent Managers are a unique DPDP innovation - registered entities that help individuals manage consent across platforms. Requirements include:

  • Indian company incorporation
  • Minimum net worth of ₹2 crore
  • AES-256 encryption for data transmission
  • 7-year record retention
  • No conflicts of interest (can't be owned by Data Fiduciaries they serve)

The 10 Core DPDP Obligations Every Enterprise Must Meet

1. Lawful Basis for Processing (Sections 4, 6 and 7)

DPDP permits processing personal data only for:

  • Consent (Section 6): Free, specific, informed, unconditional, and unambiguous
  • Certain Legitimate Uses (Section 7): An enumerated list of purposes that don't require consent, such as compliance with a legal obligation, a medical emergency, or specified employment purposes

Practical Example: A bank can process KYC data it is legally obliged to collect and retain under anti-money-laundering law (legitimate use: compliance with law) but needs separate consent for marketing communications.

Common Mistake: Assuming "legitimate business interest" covers everything. DPDP's legitimate use categories are narrow and specific.

2. Valid Consent (Section 6)

Valid consent must be:

  • Free: No coercion or negative consequences for refusal
  • Specific: Clear about what data and which purposes
  • Informed: Individual understands what they're agreeing to
  • Unconditional: Not bundled with other agreements
  • Unambiguous: Clear affirmative action, not silence or inactivity

Practical Example: An e-commerce platform cannot make account creation conditional on marketing consent. Payment processing consent and promotional email consent must be separate.

Common Mistake: Pre-checked boxes or consent buried in terms of service. DPDP requires explicit, granular consent for each purpose.

3. Purpose Limitation (Sections 4 and 6)

Personal data can only be processed for the stated purpose. New purposes require fresh consent.

Practical Example: If Swiggy collects delivery addresses for order fulfillment, using that data for targeted advertising requires separate consent.

Common Mistake: Assuming broad consent covers future use cases. Purpose creep without fresh consent violates DPDP.

4. Data Minimization (Section 6)

Collect only personal data necessary and proportionate to the purpose.

Practical Example: A job portal collecting Aadhaar numbers for resume verification may be disproportionate if email verification suffices.

Common Mistake: "We might need it later" justification. DPDP requires current necessity, not future possibility.

5. Privacy Notice Requirements (Section 5)

Data Fiduciaries must provide clear notice about:

  • What personal data is being processed
  • Why it's being processed
  • How Data Principal rights can be exercised
  • Contact details for queries and complaints

Notices must be in English or scheduled Indian languages, easily accessible, and regularly updated.

Practical Example: Zomato's privacy notice must clearly explain why they collect location data, how long they keep it, and how users can request deletion.

Common Mistake: Legal jargon that ordinary users can't understand. DPDP emphasizes "clear and plain language."

6. Data Principal Rights (Sections 11-14)

Individuals have rights to:

  • Access: Know what personal data is processed
  • Correction: Fix inaccurate or incomplete data
  • Erasure: Request deletion when purpose fulfilled or consent withdrawn
  • Grievance Redressal: Complain to Data Fiduciary and DPBI
  • Nomination: Appoint someone to exercise rights posthumously

Practical Example: A bank customer can request to see all personal data held, correct outdated contact information, and delete data if they close their account.

Common Mistake: Making rights exercise difficult or time-consuming. DPDP requires "reasonable and practical" processes.

7. Data Retention and Erasure (Section 8)

Personal data must be erased when:

  • Purpose of processing is fulfilled
  • Consent is withdrawn
  • Processing becomes unlawful
  • Retention is no longer necessary

Practical Example: Insurance companies must delete claim documents after regulatory retention periods expire, unless needed for ongoing legal proceedings.

Common Mistake: Indefinite data retention "just in case." DPDP requires active data lifecycle management.

8. Security Safeguards (Section 8)

Data Fiduciaries must implement reasonable technical and organizational measures to protect personal data.

Practical Example: Hospitals must encrypt patient data, restrict access to authorized personnel, and maintain audit logs of data access.

Common Mistake: Focusing only on technical security while ignoring organizational measures like staff training and vendor management.

9. Breach Notification (Section 8 and Rule 7 of the DPDP Rules)

The Act requires a Data Fiduciary to intimate the DPBI and each affected Data Principal of any personal data breach; there is no "likely to cause harm" threshold. The Rules add the timing: affected individuals and the Board must be informed without delay, and a detailed report must reach the Board within 72 hours of the fiduciary becoming aware of the breach (or a longer period the Board allows).

Practical Example: If an ed-tech company's database is compromised exposing student personal data, they must notify both the DPBI and affected students/parents without delay, then file the detailed report with the DPBI within 72 hours.

Common Mistake: Waiting for investigation completion before notification. The 72-hour window applies to the detailed report, not the first intimation, and CERT-In's 2022 directions separately require cyber incidents to be reported to CERT-In within six hours. Incident response plans need both clocks built in.

10. Children's Data Protection (Section 9)

Processing personal data of individuals under 18 requires:

  • Verifiable parental consent
  • No behavioral tracking or targeted advertising
  • Extra care in processing decisions

Practical Example: Gaming platforms must obtain parental consent before collecting data from users under 18 and cannot use that data for targeted advertising.

Common Mistake: Age verification through self-declaration. DPDP requires "verifiable" parental consent, suggesting stronger verification mechanisms.

Significant Data Fiduciary: The Enhanced Compliance Tier

Organizations designated as Significant Data Fiduciaries face substantially higher obligations and scrutiny. The designation process is discretionary but predictable based on stated criteria.

Designation Criteria and Likely Candidates

The Central Government will consider:

  • Volume of personal data: Organizations processing data of millions of Indians
  • Sensitivity: Financial, health, biometric, or sensitive personal data
  • Risk to rights: Potential for significant harm from data misuse
  • Sovereignty impact: Strategic sectors or critical infrastructure

Almost Certain SDFs:

  • State Bank of India (processes data of 500+ million customers)
  • Reliance Jio (subscriber base exceeding 400 million)
  • UIDAI (Aadhaar data of 1.3+ billion Indians)
  • Major payment platforms like UPI ecosystem players

Likely SDFs:

  • Large private banks (ICICI, HDFC, Axis)
  • Major e-commerce platforms (Amazon India, Flipkart)
  • Healthcare aggregators processing sensitive health data
  • EdTech platforms with significant user bases

Additional SDF Obligations

Data Protection Officer (DPO)

SDFs must appoint a DPO who (Section 10(2)(a)):

  • Is based in India
  • Represents the SDF and acts as the point of contact for grievance redressal and for the DPBI
  • Monitors DPDP compliance
  • Oversees impact assessments and audits
  • Is responsible to the Board of Directors or similar governing body

The Act does not bar the DPO from holding other roles, but keeping the position separate from marketing or business development preserves independence in privacy decisions.

Data Protection Impact Assessment (DPIA)

SDFs must conduct DPIAs for:

  • New data processing activities
  • Significant changes to existing processing
  • High-risk processing operations

A DPIA must assess:

  • Necessity and proportionality of processing
  • Risks to Data Principal rights
  • Mitigation measures
  • Alternatives considered

Practical Example: Before launching an AI-powered credit scoring system, a bank designated as SDF must conduct a DPIA evaluating algorithmic fairness, data accuracy requirements, and individual impact.

Independent Data Audit

SDFs must appoint an independent data auditor (Section 10(2)(b)) and undergo regular audits covering:

  • Compliance with DPDP obligations
  • Effectiveness of security measures
  • Data processing practices
  • Breach preparedness and response

Potential Data Localization

The Central Government may require SDFs to store certain categories of personal data within India. While specific requirements aren't yet announced, precedent from other sectors suggests:

  • Financial data (following RBI's data localization directive)
  • Health data (National Digital Health Mission requirements)
  • Critical personal data (to be defined by government)

Consent Architecture: What DPDP Actually Requires

Consent under DPDP isn't just a privacy notice and checkbox. It's an ongoing relationship requiring:

  • Granular choice: Separate consent for each processing purpose
  • Easy withdrawal: As simple as giving consent
  • Clear communication: No legal jargon or dark patterns
  • Documented proof: Audit trail of consent decisions

Typical Current Bank Practice (Non-Compliant, illustrative): "By opening this account, you consent to the Bank processing your personal data for account services, marketing, analytics, and sharing with partners as described in our privacy policy."

DPDP-Compliant Approach: "We need your consent for specific uses of your personal data:

  • ✓ Account services (mandatory for account opening)
  • ☐ Promotional offers via email/SMS
  • ☐ Sharing with insurance partners for product offers
  • ☐ Analytics to improve our services

You can change these choices anytime in your account settings."

Consent Managers: Single Sign-On for Consent

From November 2026, registered Consent Managers will facilitate consent across platforms. Think of it as "single sign-on for privacy consent."

How It Works:

  1. Individual registers with a Consent Manager
  2. When visiting a website/app, they're redirected to their Consent Manager
  3. Consent Manager presents standardized consent options
  4. Individual makes choices, which are recorded in a verifiable, tamper-evident audit log
  5. Website/app receives consent proof and processes accordingly
  6. Individual can review and modify consent across all platforms from one dashboard
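Whether consent infrastructure is built in-house or delegated to a Consent Manager, the record behind it has the same shape: one entry per purpose, a withdrawal that is as easy as a grant, and documented proof that survives audit. The block below is an added example written for this guide, not code from the Act, the Rules, or any registered Consent Manager. The purpose names, the SHA-256 hash chain, the record layout and the sample principal "P-1001" are assumptions chosen for illustration; the Rules require records to be maintained in a verifiable manner but prescribe no particular format. It goes slightly beyond the flow above by showing what "verifiable" buys you: an in-place edit to an old record is detected.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Purpose identifiers are assumptions for this example, mirroring the sample
# consent screen earlier in the guide; the Act does not prescribe names.
ACCOUNT_SERVICES = "account_services"
PROMO_EMAIL_SMS = "promotional_offers"
PARTNER_SHARING = "partner_product_offers"
ANALYTICS = "analytics"


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "grant" or "withdraw"
    notice_version: str  # which privacy notice the principal saw when granting
    at: str              # ISO-8601 UTC timestamp of the decision
    prev_digest: str     # digest of the preceding event (the chain link)
    digest: str          # SHA-256 over this event's own fields


def _digest(principal_id, purpose, action, notice_version, at, prev_digest):
    body = json.dumps([principal_id, purpose, action, notice_version, at, prev_digest],
                      separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only consent log. A grant or withdrawal is a new event, never an
    overwrite, and each event commits to the previous one by hash, so editing,
    reordering or deleting any earlier record is caught by verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.events: list[ConsentEvent] = []

    def _append(self, principal_id, purpose, action, notice_version, at):
        at = at or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1].digest if self.events else self.GENESIS
        ev = ConsentEvent(principal_id, purpose, action, notice_version, at, prev,
                          _digest(principal_id, purpose, action, notice_version, at, prev))
        self.events.append(ev)
        return ev

    def grant(self, principal_id, purpose, notice_version, at=None):
        return self._append(principal_id, purpose, "grant", notice_version, at)

    def withdraw(self, principal_id, purpose, at=None):
        # Withdrawal carries no notice version; it must be as easy as granting.
        return self._append(principal_id, purpose, "withdraw", "", at)

    def is_permitted(self, principal_id, purpose):
        """Latest event for (principal, purpose) wins; no event means no consent."""
        state = False
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                state = ev.action == "grant"
        return state

    def verify(self):
        """Recompute the chain; False if any event was altered, reordered or removed."""
        prev = self.GENESIS
        for ev in self.events:
            expected = _digest(ev.principal_id, ev.purpose, ev.action,
                               ev.notice_version, ev.at, ev.prev_digest)
            if ev.prev_digest != prev or expected != ev.digest:
                return False
            prev = ev.digest
        return True


def require_consent(ledger, principal_id, purpose):
    """Gate to call before any consent-based processing (purpose limitation).
    Raises instead of silently proceeding when consent is absent or withdrawn."""
    if not ledger.is_permitted(principal_id, purpose):
        raise PermissionError(f"no valid consent from {principal_id} for {purpose}")
    return purpose


def sample_ledger():
    """Constructed sample: P-1001 opens an account, ticks only promotions, then
    withdraws that consent two weeks later. Fixed timestamps keep it deterministic."""
    ledger = ConsentLedger()
    ledger.grant("P-1001", ACCOUNT_SERVICES, "notice-v3", at="2026-11-20T09:00:00+00:00")
    ledger.grant("P-1001", PROMO_EMAIL_SMS, "notice-v3", at="2026-11-20T09:00:05+00:00")
    ledger.withdraw("P-1001", PROMO_EMAIL_SMS, at="2026-12-04T10:00:00+00:00")
    return ledger


def tampered_copy(ledger):
    """Simulate an insider quietly turning the withdrawal back into a grant in place."""
    forged = ConsentLedger()
    forged.events = list(ledger.events)
    forged.events[-1] = replace(forged.events[-1], action="grant")  # digest no longer matches
    return forged


if __name__ == "__main__":
    led = sample_ledger()
    print("account services:", led.is_permitted("P-1001", ACCOUNT_SERVICES))  # True
    print("promotions:", led.is_permitted("P-1001", PROMO_EMAIL_SMS))         # False (withdrawn)
    print("chain intact:", led.verify(), "| after tampering:", tampered_copy(led).verify())
```

Two design choices matter for audit. First, the ledger never updates a row: the current state is derived by replaying events, so the proof of what the principal agreed to, under which notice version, and when they withdrew, is all preserved. Second, `require_consent` is the only path business code should use to reach consent-based processing; the 2026 consent-flow test in the playbook below is essentially a test that no processing path bypasses this gate.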

Registration Requirements for Consent Managers:

  • Indian company (no foreign ownership exceeding sectoral caps)
  • Minimum net worth of ₹2 crore
  • AES-256 encryption for data transmission and storage
  • 7-year record retention capability
  • Independent audit and security certification
  • No conflicts of interest (cannot be owned by Data Fiduciaries they serve)

Business Impact: Organizations must either:

  1. Integrate with registered Consent Managers (recommended for most)
  2. Build consent infrastructure meeting DPDP standards (complex and expensive)
  3. Rely only on legitimate use exceptions (limited applicability)

Cross-Border Data Transfers: India's Unique Approach

DPDP takes a "negative list" approach to international data transfers — fundamentally different from GDPR's adequacy model.

How It Works

Permitted by Default: Personal data can be transferred to any country unless the Central Government specifically restricts transfers to that country.

Government Powers: The Central Government can restrict transfers to countries that:

  • Don't provide adequate protection for personal data
  • Could harm India's sovereignty and integrity
  • Pose risks to public order or national security

No Restricted List Yet: As of 2026, the government hasn't published any restricted countries, making most transfers currently permissible.

Comparison with GDPR

Aspect             | DPDP Act                              | GDPR
Default Position   | Transfers allowed unless restricted   | Transfers prohibited unless adequate protection
Mechanism          | Government restriction lists          | Adequacy decisions, SCCs, BCRs
Business Certainty | High (until restrictions imposed)     | Lower (complex compliance mechanisms)
Government Control | High (can restrict overnight)         | Lower (through EU institutions)

Practical Implications

Current State (2026): Most Indian companies can transfer personal data to global cloud providers, outsourcing partners, and international subsidiaries without additional compliance mechanisms.

Future Risk: The government could restrict transfers to specific countries with minimal notice, potentially disrupting existing business arrangements.

What Enterprises Should Do:

  1. Map all cross-border data flows — know where personal data goes
  2. Document legal basis for each transfer
  3. Develop contingency plans for potential restrictions
  4. Consider data residency options for critical processing
  5. Monitor government announcements on restricted countries

Sector-Specific Considerations

Financial Services: RBI's data localization requirements create additional complexity. Payment data must already be stored in India, but customer data for non-payment purposes may be transferable under DPDP (unless restricted).

Healthcare: No specific DPDP restrictions, but sector regulators may impose additional requirements for health data transfers.

IT/BPO: Significant advantage — processing personal data of individuals outside India for foreign clients remains largely exempted, preserving India's outsourcing competitiveness.

DPDP Act vs GDPR: Critical Differences for Global Organizations

Many Indian organizations assume GDPR compliance covers DPDP requirements. This is dangerous thinking — the frameworks differ substantially.

Requirement         | DPDP Act                                                                                              | GDPR                                                                   | Compliance Gap
Lawful Bases        | Consent + enumerated legitimate uses only                                                             | 6 bases including legitimate interests                                 | GDPR's legitimate interests ≠ DPDP's legitimate uses
DPO Requirement     | Significant Data Fiduciaries only                                                                     | Broader requirement based on processing type                           | May need DPO for GDPR but not DPDP (or vice versa)
Consent Age         | Under 18 (verifiable parental consent required)                                                       | 13-16 depending on member state                                        | Different age thresholds
Data Portability    | Not explicitly provided                                                                               | Explicit right under Article 20                                        | GDPR systems may be over-engineered for DPDP
Transfer Mechanisms | Negative list (restricted countries)                                                                  | Adequacy + safeguards (SCCs, BCRs)                                     | Completely different compliance approaches
Breach Notification | DPBI + each affected individual without delay; detailed report to DPBI within 72 hours (Rules); no harm threshold | Authority within 72 hours; individuals without undue delay only if high risk | Different triggers and timelines
Penalties           | Up to ₹250 crore (absolute amounts)                                                                   | Up to €20M or 4% of global turnover (whichever higher)                 | Different penalty calculations
Consent Managers    | Unique DPDP institution                                                                               | No equivalent                                                          | New compliance infrastructure needed

Why GDPR Compliance Isn't Enough

Consent Architecture: GDPR allows "legitimate interests" for many processing activities. DPDP's "legitimate use" categories are narrower, requiring consent for activities that might be permissible under GDPR.

Example: A European retailer can process customer data for fraud prevention under "legitimate interests." The same company operating in India needs either explicit consent or must qualify fraud prevention as "legitimate use" (which may require regulatory clarification).

Organizational Requirements: A multinational bank might need a DPO in Europe under GDPR but not require one for Indian operations unless designated as SDF. Conversely, an Indian digital platform might need a local DPO under DPDP while not meeting GDPR's DPO thresholds.

Transfer Compliance: SCCs and BCRs developed for GDPR are not recognized transfer mechanisms under DPDP's negative-list approach (they remain useful only as the contractual controls on a processor). Organizations need parallel transfer impact assessments keyed to the government's restricted-country list.

The biggest mistake global organizations make is treating DPDP as "GDPR for India." While both are privacy laws, the compliance architectures are fundamentally different. You need parallel, not integrated, compliance programs. — SARC Data Protection Practice

Penalties and Enforcement: The DPBI's Expanding Powers

Data Protection Board of India (DPBI)

The DPBI operates as both regulator and adjudicator, with powers to:

  • Investigate complaints and, suo motu, apparent violations
  • Issue directions for compliance and remedial action
  • Impose penalties up to ₹250 crore
  • Register and regulate Consent Managers and auditors
  • Monitor cross-border transfer restrictions

Penalty Framework

DPDP specifies penalty ranges for different violations:

Violation Category                          | Maximum Penalty | Key Triggers
Security Safeguards Failure (Section 8(5))  | ₹250 crore      | Data breaches, inadequate security measures
Breach Notification Failure (Section 8(6))  | ₹200 crore      | Failing to notify DPBI and affected individuals
Children's Data Violations (Section 9)      | ₹200 crore      | Processing children's data without proper consent
SDF Obligation Breach (Section 10)          | ₹150 crore      | DPO failures, DPIA non-compliance, audit violations
DPBI Direction Non-Compliance               | ₹50 crore       | Ignoring Board orders and directions
General Violations                          | ₹50 crore       | Other DPDP breaches not specifically categorized

Penalties are absolute amounts (not revenue-based like GDPR), making them particularly significant for smaller organizations.

Enforcement Process

Stage 1: Complaint/Investigation

  • Individual complaints to DPBI
  • Suo motu investigations
  • Regulatory referrals from other agencies

Stage 2: Notice and Response

  • Show cause notice to alleged violator
  • Opportunity for written submissions
  • Hearing before DPBI (if requested)

Stage 3: Adjudication

  • DPBI issues reasoned order
  • Penalty imposition and/or compliance directions
  • Publication of order (with redactions)

Stage 4: Appeals

  • Appeal to the Appellate Tribunal (the TDSAT, under Section 29 of the Act), with a further appeal to the Supreme Court
  • Stay on penalty (if granted by the Tribunal)
  • Final judicial determination

Enforcement Scenario: Major Bank Data Breach

Day 1: Cyberattack compromises the customer database of a large private bank
Day 3: Bank discovers the breach during routine monitoring
Day 5: Bank notifies the DPBI and affected customers, two days after becoming aware, against a "without delay" obligation (potential delay penalty: up to ₹200 crore)
Week 2: DPBI initiates investigation, requests detailed breach report
Month 1: Investigation reveals inadequate encryption and access controls (potential security penalty: up to ₹250 crore)
Month 3: DPBI issues show cause notice combining both violations
Month 6: After the bank's response and hearing, DPBI imposes a ₹75 crore penalty plus compliance directions
Month 9: Bank appeals to the Appellate Tribunal (TDSAT), seeking a stay on penalty payment

Total Potential Exposure: ₹450 crore (₹200 crore + ₹250 crore). Penalty in this illustrative scenario: ₹75 crore (reflecting the bank's cooperation and remedial measures).

No Criminal Liability

Unlike some data protection laws globally, DPDP creates only civil penalties. No individual can be criminally prosecuted solely for DPDP violations, though related offenses under the IT Act 2000 or the Bharatiya Nyaya Sanhita (formerly the IPC) may still apply.

Industry-Specific DPDP Impact Analysis

Banking and Financial Services

Unique Challenges:

  • Dual Compliance: RBI data localization + DPDP requirements create overlapping obligations
  • SDF Designation: Large banks almost certainly qualify as Significant Data Fiduciaries
  • KYC Complexity: Customer onboarding requires extensive personal data collection
  • Third-Party Sharing: Insurance, investment, and lending partnerships need consent review

Key DPDP Impacts:

  • Account Opening: Cannot bundle marketing consent with account services
  • Credit Scoring: May require consent for alternative data sources
  • Cross-Selling: Each product offering needs separate consent
  • Data Retention: Must delete customer data after account closure (subject to RBI retention rules)

Compliance Priority:

  1. Segregate consent for banking services vs. marketing
  2. Review all third-party data sharing agreements
  3. Implement granular consent management for digital banking
  4. Prepare for SDF designation (DPO appointment, DPIA processes)

Healthcare and Pharmaceuticals

Unique Advantages:

  • Legitimate Use: Medical emergencies, and treatment during an epidemic or other public-health threat, qualify as legitimate uses under Section 7; routine elective treatment does not and still needs consent
  • Regulatory Backing: Existing health data protection frameworks provide foundation

Key DPDP Challenges:

  • Patient Consent: Elective procedures and wellness programs need explicit consent
  • Health Insurance: Data sharing with insurers requires careful consent design
  • Telemedicine: Digital health platforms face complex consent requirements
  • Research: Clinical trials and medical research need specific consent frameworks

Critical Considerations:

  • Medical emergencies allow processing without consent, but the Section 8 obligations (security safeguards, retention limits, breach intimation) still apply
  • Health data sharing with family members needs careful consent architecture
  • Pharmaceutical marketing to patients requires opt-in consent

Information Technology and Business Process Outsourcing

Major Relief:

  • Outsourcing Exemption: Processing personal data of individuals outside India for foreign clients remains largely exempt
  • Competitive Advantage: Indian IT/BPO industry retains cost advantages without additional compliance burdens

Domestic Obligations:

  • Employee Data: Indian employees' personal data subject to DPDP
  • Local Clients: Domestic outsourcing contracts need DPDP compliance clauses
  • Vendor Role: When acting as Data Processor, must comply with client instructions

Implementation Focus:

  1. Separate compliance frameworks for domestic vs. international operations
  2. Update Data Processing Agreements for domestic clients
  3. Implement employee data protection measures
  4. Consider SDF risk for large domestic-focused operations

E-commerce and Digital Platforms

High Impact Areas:

  • User Profiling: Behavioral tracking and personalization need granular consent
  • Targeted Advertising: Each advertising partner requires separate consent
  • Recommendation Systems: AI-driven suggestions may need consent or legitimate use justification
  • Payment Data: Integration with UPI and payment providers creates data sharing complexity

SDF Risk Factors:

  • Large user bases make e-commerce platforms likely SDF candidates
  • Cross-platform data sharing increases sovereignty risk assessment
  • Integration with foreign platforms may trigger restrictions

Government and Public Sector

Legitimate Use Authority:

  • Government entities can process citizen data for:
    • Providing subsidies, benefits, services
    • Issuing certificates, licenses, permits
    • Compliance with legal obligations

DPDP Obligations Still Apply:

  • Security Safeguards: Government databases need robust protection
  • Breach Notification: Must notify DPBI of security incidents
  • Data Retention: Cannot keep citizen data indefinitely
  • Individual Rights: Citizens can request access and correction

Special Considerations:

  • Aadhaar processing has separate regulatory framework but DPDP principles apply
  • Inter-department data sharing needs legal basis documentation
  • Digitization initiatives must build in privacy-by-design

The 90-Day DPDP Readiness Playbook for Enterprises

With May 2027 approaching, organizations need structured preparation. This playbook provides actionable steps for comprehensive DPDP compliance.

Month 1: Assessment and Foundation (Days 1-30)

Week 1: Project Setup

  • Appoint DPDP Project Lead: Senior executive with cross-functional authority
  • Form Core Team: Legal, IT, Compliance, Business heads
  • Board Briefing: Present DPDP implications and budget requirements
  • Budget Allocation: Technology, consultancy, training, ongoing compliance costs

Week 2: Data Discovery

  • Data Mapping Exercise: Identify all personal data across systems
    • Customer databases, employee records, vendor information
    • Email systems, CRM platforms, analytics tools
    • Cloud storage, backup systems, archived data
  • Data Flow Documentation: Map how personal data moves through the organization
    • Collection points (web forms, apps, offline)
    • Processing systems (core applications, analytics)
    • Storage locations (databases, cloud, physical files)
    • Sharing arrangements (vendors, partners, subsidiaries)

Week 3: Legal Basis Assessment

  • Current Practices Review: How is personal data currently collected and used?
  • Consent Audit: What consents exist? Are they DPDP-compliant?
  • Legitimate Use Mapping: Which processing activities qualify for consent exemptions?
  • Gap Analysis: Where do current practices fall short of DPDP requirements?

Week 4: SDF Risk Assessment

  • Volume Analysis: How much personal data is processed?
  • Sensitivity Review: Any sensitive personal data categories?
  • Risk Profile: Potential for significant harm or sovereignty impact?
  • SDF Preparation: If likely designation, begin DPO planning and DPIA frameworks

Month 2: Build and Implement (Days 31-60)

Week 5-6: Privacy Infrastructure

  • Privacy Notice Redesign: Create DPDP-compliant notices in plain language
    • What data is collected and why
    • How individual rights can be exercised
    • Contact information for queries and complaints
  • Consent Management System: Build or procure technology for granular consent
    • Separate consent for each processing purpose
    • Easy withdrawal mechanisms
    • Audit trail for consent decisions
  • Data Subject Rights Portal: Enable individuals to access, correct, and delete personal data

Week 7: Vendor and Partner Review

  • Data Processing Agreements: Update contracts with vendors and partners
    • Define Data Fiduciary vs. Processor responsibilities
    • Include DPDP compliance obligations
    • Address cross-border transfer requirements
  • Vendor Risk Assessment: Evaluate third-party DPDP compliance capabilities
  • Data Sharing Reviews: Ensure all personal data sharing has proper legal basis

Week 8: Security and Breach Response

  • Security Measure Review: Implement reasonable safeguards for personal data
    • Encryption for sensitive data
    • Access controls and authentication
    • Regular security assessments
  • Breach Response Plan: Develop procedures for detecting and responding to data breaches
    • Internal escalation processes
    • DPBI notification procedures
    • Individual communication templates
  • Children's Data Framework: If applicable, implement age verification and parental consent processes

Month 3: Test and Launch (Days 61-90)

Week 9: System Testing

  • Consent Flow Testing: Verify granular consent mechanisms work correctly
  • Rights Request Testing: Test access, correction, and deletion processes
  • Breach Simulation: Conduct tabletop exercise for data breach response
  • Performance Testing: Ensure privacy controls don't impact business operations

Week 10: Training and Communication

  • Employee Training: Educate all staff on DPDP requirements and their role
    • Legal and compliance teams (detailed training)
    • IT and security teams (technical implementation)
    • Business teams (consent and data handling)
    • Customer service (individual rights requests)
  • Vendor Communication: Notify partners and vendors of new requirements
  • Customer Communication: Inform customers about privacy enhancements

Week 11: Documentation and Governance

  • Processing Records: Document all personal data processing activities
  • Policy Updates: Revise privacy policies, data handling procedures
  • Audit Trail: Ensure all consent decisions and rights requests are logged
  • Ongoing Monitoring: Implement processes for continuous DPDP compliance

Week 12: Final Preparations

  • Board Final Briefing: Present implementation status and residual risks
  • Compliance Certification: If SDF, arrange independent audit
  • Contingency Planning: Prepare for potential DPBI inquiries or complaints
  • Launch: Activate new privacy processes and communications

Beyond 90 Days: Ongoing Compliance

  • Monthly Reviews: Monitor consent withdrawal rates, rights requests, vendor compliance
  • Quarterly Assessments: Review processing activities for new DPDP obligations
  • Annual Audits: Comprehensive compliance review, especially for SDFs
  • Regulatory Monitoring: Track DPBI guidance, penalty decisions, and regulatory updates

The organizations that succeed with DPDP won't be those with the biggest compliance budgets; they'll be those that integrate privacy thinking into every business decision. Start with your customer onboarding journey and work backwards through every data touchpoint. — SARC Risk & Compliance Practice

SARC's Data Protection Practice has guided enterprises through privacy law compliance across sectors. From SDF readiness assessments to consent architecture design, we help you turn regulatory requirements into competitive advantages.
