SarangThe Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules 2025 were formally notified on 14 November 2025. MeitY has set three enforcement dates: 14 November 2025, 14 November 2026, and 14 May 2027 with full operational compliance required by 13 May 2027.
Most day-to-day compliance obligations, including notice and consent operations, breach notification, and individual rights handling, become enforceable during an 18-month implementation phase, with full compliance required by mid-May 2027.
That makes 2026 a critical build year. It’s the window to move from awareness to execution, putting the right processes, controls, and accountability in place before enforcement tightens.
In this blog, we break down how the DPDP Act compares to GDPR, walk you through a practical step-by-step compliance approach, outline the penalties and enforcement risks, and give you a clear checklist to build and validate your DPDP compliance program.
Mitigata – Your Partner for DPDP Compliance
Mitigata supports 800+ businesses with a structured approach to DPDP compliance, combining data visibility, risk assessment, and operational controls.
What we help you with:
- Identify compliance gaps across systems, policies, and workflows
- Map end-to-end data flows across applications, vendors, and business units
- Review consent, notice, and data collection practices
- Assess high-risk areas like sensitive data use and cross-border transfers
- Set up clear ownership, documentation, and audit readiness
- Implement controls that align with compliance without affecting operations
DPDP Phase One Readiness Starts Here
Get a free CRQ report to understand requirements and prioritise compliance actions today.
What Is the DPDP Act?
The DPDP Act is India’s first comprehensive data protection law, governing the collection, processing, storage, and transfer of digital personal data of individuals in India.
It applies to organisations outside India if they process personal data in connection with offering goods or services to Data Principals in India, or if they profile individuals in India.
Two key categories of organisations:
Data Fiduciary: Any organisation that determines the purpose and means of processing personal data
Significant Data Fiduciary (SDF): Organizations designated by the government based on data volume, sensitivity, or risk; subject to additional obligations including mandatory Data Protection Officers, Data Protection Impact Assessments (DPIAs), and annual audits
If you’re in retail, here’s how DPDP impacts your data flows across stores and online channels.
DPDP Compliance Checklist: 5 Steps to Meet the May 2027 Deadline
The Ministry of Electronics and Information Technology (MeitY) has proposed a potentially accelerated 12-month timeline for Significant Data Fiduciaries (SDFs), making 2026 a critical “build year”. Here is your data protection impact assessment checklist.
Step 1: Data Mapping and Classification
Before protecting data, know where it lives. Create a complete inventory of all personal data your organisation collects, processes, stores, and shares.
- Identify every data source: websites, apps, POS systems, HR databases, third-party integrations
- Classify data by type: standard personal data vs. sensitive categories (health, financial, biometric)
- Document who processes data on your behalf (cloud vendors, payroll providers, marketing platforms)
- Map cross-border data flows, especially if you use global cloud infrastructure
Step 2: Build a Consent Management Framework
Consent is the cornerstone of the DPDP Act. Unlike in the past, pre-ticked boxes are illegal. Your consent management system must capture free, specific, informed, and unambiguous consent for each purpose separately.
- Every processing purpose requires separate, specific consent such as marketing, which cannot be bundled with analytics
- Consent must be freely given, informed, and unambiguous
- Withdrawing consent must be as easy as giving it
- Maintain a Consent Artefact – a verifiable digital record of exactly what each user agreed to and when
Looking for a DPDP compliance provider? Here’s what actually separates the right ones from the rest.
Step 3: Implement Security Safeguards & Breach Protocols
The DPDP Act mandates “reasonable security safeguards.” This requires implementing technical and organisational measures, such as encrypting data at rest and in transit, access controls, and pseudonymization.
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls limiting who can reach what data
- Pseudonymization of sensitive records where feasible
- Breach notification: You must notify the DPBI within 72 hours of discovering a personal data breach. Failure carries penalties up to ₹250 crore
- Appoint a Grievance Officer and resolve Data Principal complaints within 30 day
Buying Cyber Insurance? Start with the Right Partner.
Save more with Mitigata and get exclusive tools to monitor your digital footprint proactively.
Step 4: Master Cross-Border Data Transfer (For SDFs & Global Firms)
For Indian subsidiaries of foreign companies or firms that use global cloud services, this is crucial. The government plans to enforce cross-border transfer restrictions immediately on Significant Data Fiduciaries (SDFs).
- Data may only be transferred to countries whitelisted by the Central Government
- SDFs may face mandatory data localisation for specific sensitive categories
- Review all vendor contracts and data processing agreements for compliance with transfer restrictions
Step 5: Appoint Key Roles and Conduct Audits
- Data Protection Officer (DPO): Mandatory for SDFs; strongly recommended for all organisations
- Independent Data Auditor: Mandatory for SDFs to validate compliance annually
- Privacy Policy: Must be a standalone document, separate from Terms & Conditions, written in plain language in English and 8th Schedule languages
- Retention Schedule: Delete data when the processing purpose is fulfilled. Storage limitation is now a legal requirement
- Employee Training: All staff handling personal data must understand data minimisation principles and how to respond to Data Principal requests (access, correction, erasure)
Penalties and Enforcement: The Cost of DPDP Non-Compliance
The penalties under the DPDP Act are intended to serve as a deterrent. The Data Protection Board has the authority to levy fines based on the severity of the failure.
- ₹250 crore ($30 million USD): Failure to take reasonable security safeguards to prevent a breach.
- ₹200 crore ($25 million USD): Failure to notify the Board or affected individuals of a breach.
- ₹150 crore ($18 million USD): Violation of duties regarding children’s data.
- ₹50 crore ($6 million USD): Other violations of fiduciary duties.
Building Your DPDP Compliance Program (Checklist)
To ensure you are ready for the May 2027 deadline (or sooner), integrate these data protection best practices:
- Publish a Standalone Privacy Policy: Your privacy policy must be separate from your Terms & Conditions, be written in plain language (English and 8th Schedule languages), and clearly explain data flows.
- Vendor Management: Review contracts with all data processors. Ensure they agree to DPDP standards regarding data retention and security.
- Retention Schedule: Delete data once the purpose is complete. Unlike older IT rules, “storage limitation” is now a legal requirement.
- Training: Conduct employee training on data minimisation and handling Data Principal requests (Access, Correction, Erasure).
Get DPDP Ready Before Deadlines Catch Up.
Work with Mitigata to assess gaps, fix risks, and build a compliance program that holds up.
DPDP vs. GDPR: Key Differences
The data protection regulation framework requires a complete understanding to meet its requirements. The table below outlines the key divergences based on the latest enforcement guidelines.
| Feature | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Legal Basis | Consent + legitimate uses | Multiple bases, including contract and legal obligation |
| Data Principal Rights | Access, correction, erasure, grievance | Access, correction, erasure, portability, restriction |
| Full Compliance Deadline | 13 May 2027 | Enforceable since 2018 |
| Breach Notification | 72 hours to DPBI | 72 hours to Supervisory Authority |
| Children’s Data | Parental consent required under 18 | Parental consent required under 16 |
| Cross-Border Transfers | Whitelisted countries only | Adequacy decisions + SCCs |
Choosing a DPDP consent manager? Here’s what you need to check before making a decision.
Conclusion
The businesses that treat DPDP Act compliance requirements as a foundation for customer trust, rather than a cost centre, will emerge with lasting competitive advantage. Mitigata helps you build that foundation efficiently and defensibly.
Mitigata combines expert-led Smart Compliance & Consultancy, including data protection impact assessments (DPIA) and step-by-step DPDP Act guidance.
The Mitigata Console is a unified dashboard that delivers real-time breach detection, a customizable security checklist, and automated security findings with severity ratings.
Book a free call with Mitigata now!
akshit k
areena g
deepthi s