
The Digital Personal Data Protection Act, 2023 is now in force, with the DPDP Rules 2025 notified on November 13, 2025. It establishes a clear, present-day obligation for organisations handling personal data. Every organisation processing the personal data of individuals in India, regardless of size or sector, must comply. The penalties are substantial, reaching up to INR 250 crore for serious violations. Beyond financial impact, non-compliance can weaken customer trust at a time when data practices increasingly influence brand decisions.
Enforcement is being implemented in phases. Phase 1 (November 2025) established the Data Protection Board of India (DPBI). Phase 2 (November 2026) will operationalise the consent manager framework. Phase 3 (May 2027) will bring the remaining provisions into force, including consent requirements, data principal rights, breach notification obligations, and significant data fiduciary duties.
The timeline is already underway. Organisations that delay preparation risk facing operational and compliance challenges as deadlines approach.
Who Must Comply: Scope and Applicability
The Act applies to any individual, company, or government body (referred to as a Data Fiduciary) that determines the purpose and means of processing personal data. Critically, the Act has extraterritorial reach: foreign entities offering goods or services to individuals in India fall within scope.
Unlike some global regulations, the DPDP Act does not exempt small businesses. A five-person startup handling customer data bears the same fundamental obligations as a multinational corporation. The only exemptions are narrow: personal or domestic data processing, and certain government processing for national security purposes.
The Compliance Roadmap: Nine Steps to Get Ready
Achieving compliance with the Digital Personal Data Protection (DPDP) Act requires a structured, organisation-wide approach. The following nine steps outline a practical roadmap to help businesses build readiness and reduce regulatory risk.
1. Conduct a Data Inventory
Begin by identifying and mapping all personal data across the organisation. This includes data collected, processed, stored, and shared across structured databases, unstructured file systems, cloud environments, email systems, and endpoint devices. A comprehensive data inventory forms the foundation of all compliance efforts, as visibility is essential for control.
2. Implement a Consent Management Framework
Under the Act, consent must be free, specific, informed, unconditional, and unambiguous. Organisations must ensure that every consent request is accompanied by a clear and concise notice, available in English or any Eighth Schedule language, outlining the purpose and scope of data collection.
3. Establish Data Principal Rights Management
The Act grants individuals (data principals) the right to access their personal data, correct inaccuracies, request erasure, and withdraw consent. Organisations must implement processes and systems capable of fulfilling such requests within the stipulated ninety-day timeframe.
4. Build a Breach Notification Capability
In the event of a personal data breach, organisations are required to notify the Data Protection Board of India (DPBI) and affected individuals without delay. A detailed report must be submitted within seventy-two hours, covering the nature of the breach, mitigation measures undertaken, and steps to prevent recurrence.
5. Define Data Retention and Erasure Policies
Personal data must be deleted once the specified purpose has been fulfilled or consent has been withdrawn, unless retention is mandated by law. Certain entities, including large e-commerce platforms, social media intermediaries, and online gaming platforms, are subject to defined erasure timelines of up to three years.
6. Ensure Reasonable Security Safeguards
Organisations must implement appropriate technical and organisational measures to safeguard personal data. This includes encryption, access controls, monitoring and logging mechanisms, regular backups, and contractual safeguards with data processors. Additionally, access logs and personal data should be retained for at least one year to support breach detection and investigation.
7. Appoint a Data Protection Officer (If Applicable)
Entities classified as Significant Data Fiduciaries (SDFs) are required to appoint a Data Protection Officer. These organisations must also conduct periodic Data Protection Impact Assessments (DPIAs) and annual audits to ensure ongoing compliance.
8. Address Cross-Border Data Transfer Requirements
The DPDP Act permits cross-border data transfers unless explicitly restricted by the Central Government. Organisations should closely monitor regulatory notifications and ensure compliance with any jurisdiction-specific restrictions that may be introduced.
9. Implement a Grievance Redressal Mechanism
A robust grievance redressal framework is essential for compliance. Organisations must publish clear timelines for resolving complaints (not exceeding ninety days) and provide easily accessible communication channels through their website or application.
This structured approach enables organisations to move beyond ad hoc compliance efforts and build a sustainable, audit-ready data protection framework aligned with regulatory expectations.
Beyond Compliance: Building a Trust Advantage
Compliance sets the baseline, not the benchmark for excellence. Organisations that treat data privacy as a strategic pillar, not merely a legal checkbox, will differentiate themselves in the market. According to global surveys, over ninety percent of consumers factor data privacy into their purchasing decisions. In a data-driven economy, trust is the ultimate competitive advantage.
The most forward-thinking businesses are integrating privacy by design into their products, automating consent and rights workflows, and investing in privacy-enhancing technologies. They are not just avoiding penalties; they are earning loyalty.