Everything you need to know about DPDP compliance
We continuously expand this knowledge base. Each section and rule will get its own detailed answers, so you can ship compliant experiences faster.
Frequently Asked Questions
What is the DPDP Act, 2023? (Basics)
India’s law governing the processing of digital personal data, setting obligations for organisations and rights for individuals (Data Principals).
What is “digital personal data”? (Basics)
Personal data in digital form, including personal data collected offline that is later digitised.
Who is a “Data Principal”? (Basics)
The individual to whom the personal data relates. For a child, it includes the parent or lawful guardian acting on the child’s behalf.
Who is a “Data Fiduciary”? (Basics)
Any person or entity that determines the purpose and means of processing personal data (similar to a “controller” in other regimes).
Who is a “Data Processor”? (Basics)
Any person or entity that processes personal data on behalf of a Data Fiduciary, such as a vendor, SaaS provider, or outsourcer.
Does DPDP apply to my business in India? (Applicability & Scope)
Yes, if you process digital personal data in India, including data that was collected offline and later digitised.
Does DPDP apply to a foreign company? (Applicability & Scope)
Yes, if it processes digital personal data outside India in connection with offering goods or services to individuals in India.
What does DPDP not apply to? (Applicability & Scope)
It does not apply to purely personal or domestic processing by individuals, and generally not to personal data made publicly available by the Data Principal or under a legal obligation to publish.
Does DPDP cover non-digital (paper-only) records? (Applicability & Scope)
Not directly. Once those records are digitised, DPDP applies.
Is DPDP the same as GDPR? (Applicability & Scope)
No. Concepts overlap, but definitions, lawful bases, enforcement structure, and operational rules differ.
When can a Data Fiduciary process personal data? (Lawful Grounds)
Only for a lawful purpose and on the basis of either consent or certain legitimate uses defined in the Act.
What is valid consent under DPDP? (Lawful Grounds)
Consent must be free, specific, informed, unconditional, unambiguous, involve a clear affirmative action, and be limited to what is necessary for the specified purpose.
Can consent be withdrawn? (Lawful Grounds)
Yes, at any time, and withdrawing consent must be as easy as giving it. Processing must stop within a reasonable time unless another law permits or requires it.
What are “certain legitimate uses”? (Lawful Grounds)
Specific situations listed in the Act where processing can happen without consent, such as voluntarily provided data for a requested purpose, certain State functions, or emergencies.
Can I process data for a new purpose later? (Lawful Grounds)
Only if it is compatible with DPDP requirements. Typically you should issue a fresh notice and obtain consent, unless a legitimate use or other law supports the new purpose.
Do I need to give a notice before collecting data? (Notice & Transparency)
Yes. Requests for consent must be accompanied or preceded by a notice describing what data will be collected, for what purpose, and how rights or complaints can be exercised.
Does the notice need to be in local languages? (Notice & Transparency)
The Act requires you to offer the notice in English or any language listed in the Eighth Schedule of the Indian Constitution.
Do I need to name a contact person? (Notice & Transparency)
Your notice should include how the Data Principal can reach you for rights or grievances. Practically, this means adding contact information for your privacy team or DPO.
Do privacy policies count as DPDP notice? (Notice & Transparency)
Only if they contain DPDP-required elements and appear at or near the point where consent/collection occurs.
What if we collected data before DPDP commencement? (Notice & Transparency)
You must provide a notice as soon as reasonably practicable describing the data, purpose, and how to exercise rights or complain once the relevant provisions commence.
Can we collect a child’s data? (Children's Data)
Yes, but you must obtain verifiable consent from the parent or lawful guardian, subject to any rules or exemptions that apply.
Are there extra restrictions for children? (Children's Data)
You must not undertake processing that is likely to cause a detrimental effect on the well-being of a child.
If we run a kids’ app, what’s the first compliance step? (Children's Data)
Implement age gating, parent or guardian verification, and child-specific notices and safeguards.
Do schools or coaching institutes need DPDP compliance? (Children's Data)
Yes, if they process digital personal data. They must follow notice, consent, rights, security, and retention obligations.
What security is required under DPDP? (Security & Breach)
You must implement reasonable security safeguards to prevent personal data breaches. This includes technical and organisational measures proportionate to the risk.
What is a “personal data breach”? (Security & Breach)
It is unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access that compromises confidentiality, integrity, or availability.
Do we need to notify breaches? (Security & Breach)
Yes. Data Fiduciaries must notify the Board and affected Data Principals in the prescribed manner.
Is there a fixed breach notification time (like 72 hours)? (Security & Breach)
Timelines and procedures are governed by the Rules and official guidance. Treat breach notification as urgent and follow the prescribed format and timelines once those provisions are in force.
Do processors have breach duties too? (Security & Breach)
Processors’ duties flow contractually and through fiduciary obligations. Ensure vendor agreements require prompt breach reporting and cooperation.
What rights do individuals get under DPDP? (Rights of Data Principals)
Key rights include access to information about processing, correction, updating, erasure (subject to lawful retention), grievance redressal, and nomination where applicable.
What is the right to correction/erasure? (Rights of Data Principals)
Individuals can request correction, completion, updating, and erasure; fiduciaries must comply unless retention is necessary for the specified purpose or another law.
Do we have to provide a “download my data” feature? (Rights of Data Principals)
DPDP requires access to information about personal data and processing. Implementation can vary, but you need a workable process to respond to such requests.
Can users complain if we ignore them? (Rights of Data Principals)
Yes. They can first escalate to the fiduciary’s grievance channel and then to the Board if the issue isn’t resolved as required.
What is “nomination” under DPDP? (Rights of Data Principals)
A Data Principal can nominate another person to exercise rights on their behalf in case of death or incapacity, following the Act’s provisions.
When must we delete personal data? (Retention & Deletion)
When consent is withdrawn or the purpose is no longer served, unless retention is necessary for a legal requirement or specified purpose.
Can we keep data forever for “analytics”? (Retention & Deletion)
Not by default. Retention needs a lawful basis and purpose limitation; ongoing analytics must be defensible and not indefinite without justification.
Do DPDP Rules set specific retention periods for some businesses? (Retention & Deletion)
Yes. The Rules include a schedule prescribing retention periods for certain classes of Data Fiduciaries and purposes.
Do backups need deletion too? (Retention & Deletion)
Design for eventual purge across systems, including backups, within reasonable operational constraints.
What about logs (IP/device/security logs)? (Retention & Deletion)
Logs that identify individuals are personal data. Keep them only as long as needed for security or compliance, with access controls.
Who enforces DPDP? (Enforcement & Penalties)
The Data Protection Board of India is established to exercise powers and perform functions under the Act.
Where is the Board located? (Enforcement & Penalties)
The Board’s head office is in the National Capital Region (NCR).
What are the penalties under DPDP? (Enforcement & Penalties)
The Act provides monetary penalties that can go up to ₹250 crore depending on the type of breach, assessed by the Board using statutory factors.
Do individuals get compensation directly from the Board? (Enforcement & Penalties)
DPDP enforcement is Board-driven with penalties; separate remedies may exist under other laws or contracts depending on the facts.
Can directors or founders be personally liable? (Enforcement & Penalties)
DPDP focuses on fiduciary obligations and Board enforcement; personal liability questions depend on corporate law, contracts, and the specific conduct in question.
Can we transfer personal data outside India? (Cross-border & Compliance)
DPDP allows cross-border transfers unless the Central Government restricts specific countries or territories. Watch for the official “negative list.”
What should be in vendor (processor) contracts? (Cross-border & Compliance)
Include clear processing instructions, security controls, sub-processing limits, breach-reporting SLAs, audit rights, deletion/return terms, and assistance with DPDP rights requests.
What is a “Consent Manager”? Is it mandatory? (Cross-border & Compliance)
A Consent Manager is a Board-registered entity that helps individuals manage consent. It is optional unless your product or ecosystem specifically requires integration.
What is a “Significant Data Fiduciary” (SDF)? (Cross-border & Compliance)
A class of fiduciaries notified by the Government based on factors like data volume, sensitivity, or risk. SDFs must comply with extra obligations such as appointing a DPO and conducting DPIAs.
What is the DPDP compliance timeline we should plan for? (Cross-border & Compliance)
Rules were notified on 13 Nov 2025 with staggered commencement: some provisions apply immediately, some after one year, and many after 18 months. India Code also notes 18-month commencement tranches from 13 Nov 2025.
What penalties can businesses face under the DPDP Act, 2023? (Penalties)
Non-compliance with the DPDP Act carries severe financial risks. Penalties can reach up to ₹250 crore for failures related to Data Fiduciary obligations and reasonable safeguards. Additionally, failing to provide breach notices can result in fines up to ₹200 crore, while Significant Data Fiduciaries (SDF) face fines up to ₹150 crore for missing additional obligations.
How does Comply DP assist with the 72-hour breach reporting requirement? (Security & Breach)
Comply DP uses a specialised Breach Notification Engine that replaces chaotic manual responses with structured playbooks. It facilitates immediate intimation to the Data Protection Board and affected individuals, followed by an automated workflow to generate the required detailed report within 72 hours, complete with evidence bundles and containment timelines.
Does the platform support Indian regional languages for consent notices? (Notice & Transparency)
Yes, the Consent & Notice Manager includes language support for English and all languages listed in the Eighth Schedule of the Indian Constitution. This ensures that consent requests are "free, specific, informed, and unambiguous" as required by law, presenting terms in clear, plain language that users can easily understand.
What are the additional obligations for a Significant Data Fiduciary (SDF)? (SDF Obligations)
If notified as an SDF based on data volume or sensitivity, an organisation must appoint an India-based Data Protection Officer (DPO) who reports to the Board. They must also appoint an independent data auditor and conduct periodic Data Protection Impact Assessments (DPIA). Comply DP offers specific modules to manage these elevated governance requirements.
How does Comply DP handle Data Principal rights (DSR) requests? (Rights Automation)
The platform automates the fulfilment of Data Principal rights, reducing processing time from weeks to clicks. It handles requests for information access (summary of data and processing), correction, updating, and erasure. It also manages the grievance workflow, ensuring responses are provided within the statutory period (typically 90 days for grievances).
Is Comply DP built specifically for the Digital Personal Data Protection Act?
Yes. Every workflow, template, and control inside Comply DP is mapped to individual sections of the DPDP Act and forthcoming Rules. The product roadmap is aligned with MeitY notifications so customers stay audit-ready.
Can teams collaborate inside the platform?
You can provision unlimited internal stakeholders, assign owners per compliance task, and generate traceable activity logs. This keeps DPDP initiatives multi-disciplinary without losing accountability.
How long does it take to operationalize DPDP compliance with Comply DP?
Most midsize organizations complete their baseline DPDP program within 8 to 12 weeks using our pre-built controls, policy templates, and readiness workflows. The exact duration depends on data inventory maturity and processor coordination.
Does Comply DP map controls to the DPDP Act sections?
Yes. Each control is tagged to the relevant section (e.g., Section 8 for consent, Section 9 for Data Principal rights) so auditors and internal stakeholders can trace implementation evidence directly to legal obligations.
How does Comply DP streamline breach drills?
You can schedule automated breach simulations that route tasks to legal, IT, and communications teams. Each drill produces an evidence bundle proving you rehearsed your 72-hour response obligations.
Can we pre-configure DPB notification templates?
Yes. The Breach Notification Engine stores jurisdiction-specific templates, lets you merge incident metadata, and exports submissions in the exact format the Data Protection Board expects.
What formats of consent notices does Comply DP support?
Design notices with modular components: layered consent, just-in-time prompts, and embedded disclosures inside product flows. Export as hosted pages, embeddable widgets, or API responses for custom UIs.
Can we prove historical consent?
Every consent capture is hashed, timestamped, and tied to the Data Principal identity. Auditors can view the exact screen or API payload the principal saw before approving.
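One way to build the kind of hashed, timestamped consent trail described above, as an added example that is not Comply DP's code: each record stores the Data Principal id, the specified purpose, the notice language, a hash of the exact notice payload shown, a timestamp, and a hash chained to the previous record, so any later alteration of a stored entry is detected on verification. The field names and the "given"/"withdrawn" actions are assumptions chosen for illustration.

```python
# Added example (not Comply DP's code): a tamper-evident consent ledger for DPDP-style
# consent receipts. Field names and the "given"/"withdrawn" actions are assumptions.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record

def digest(obj) -> str:
    # Canonical JSON -> SHA-256 hex, so equal content always hashes equally.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.records = []

    def record(self, principal_id, purpose, notice, action, language, ts=None):
        # action is "given" or "withdrawn"; both use the same path, so withdrawing
        # consent is recorded as easily as giving it.
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        rec = {
            "principal_id": principal_id,   # ties the record to the Data Principal
            "purpose": purpose,             # the specified purpose consented to
            "action": action,
            "language": language,           # notice language actually shown
            "notice_hash": digest(notice),  # exact notice payload the user saw
            "timestamp": ts or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,              # chains to the previous record
        }
        rec["record_hash"] = digest(rec)
        self.records.append(rec)
        return rec

    def status(self, principal_id, purpose) -> str:
        # Latest action for this principal and purpose; "none" if never consented.
        hits = [r for r in self.records
                if r["principal_id"] == principal_id and r["purpose"] == purpose]
        return hits[-1]["action"] if hits else "none"

    def verify(self) -> bool:
        # Recompute every hash and link; False if any stored record was altered.
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if rec["prev_hash"] != prev or digest(body) != rec["record_hash"]:
                return False
            prev = rec["record_hash"]
        return True
```

The notice itself is kept in a separate notice store keyed by its hash, so an auditor can fetch the exact text a principal saw and confirm it against `notice_hash`.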
How does Comply DP help appoint and manage DPO obligations?
You can document the appointed DPO, capture delegation notes, and maintain board-level reporting packs. Reminders ensure quarterly updates are filed, meeting Section 10 duties.
Can we track DPIA reviews for high-risk processing?
Yes. The DPIA workspace standardizes risk scoring, reviewer sign-offs, and remediation plans. Generated DPIA files can be shared with MeitY on demand.
Can Comply DP triage Data Principal requests automatically?
Incoming requests are classified (access, correction, erasure, grievance) and routed to the right workflow with statutory SLA timers. Duplicate requests are detected to prevent repeated manual handling.
How do we provide evidence of DSR fulfillment?
Each request generates an immutable timeline with requester identity proofs, actions taken, reviewer comments, and response payloads. Export the bundle as PDF/CSV during audits or disputes.