DPDP Compliance in 2026: The Complete Guide for Tech Leaders

Updated: June 3rd, 2026

Key Takeaways

  • The DPDP Rules were notified in November 2025, making compliance mandatory in phases with full substantive obligations due by 14 May 2027.
  • The single biggest financial risk is Section 8(5): failing to implement “reasonable security safeguards” carries a penalty of up to ₹250 crore per instance.
  • Breach notification has no wiggle room: affected Data Principals and the Board must be informed without delay, with a detailed report due within 72 hours.
  • The DPBI is still being staffed, which makes this the window to map data, fix consent flows, and harden security before enforcement teeth are in place.

If you run engineering, security, or compliance at an Indian tech company, DPDP compliance will be knocking at your door in less than a year. Our aim is not to present scary statistics but to help you recognize the urgency of the matter and become DPDP compliant at the earliest.

Since this law safeguards a nation’s data, the DPBI can stack penalties across multiple contraventions in a single incident. So stop debating whether the law applies to you; it almost certainly does. Focus on mapping your data, redesigning your consents, and tightening security controls.

In this guide, we walk you through:

  • What is the DPDP Act
  • The parts of the DPDP Rules, 2025 you actually need
  • What the maximum penalty for non-compliance with the DPDP Act looks like
  • How DPDP compares to GDPR
  • A practical roadmap that enables your team to start this quarter

What is DPDP Compliance?

DPDP compliance means meeting India’s law that governs how your firm collects, processes, stores, shares, and deletes the digital personal data of Indian residents. The obligations and rules are laid down in the Digital Personal Data Protection Act, 2023, and the DPDP Rules, 2025.

In plain English, if your product touches the personal data of an Indian citizen in digital form, you are now legally bound to handle it transparently, securely, and only for the purposes you said you would. Oh, and of course, with clear and not concealed consent.

This Act is the culmination of over 2 years of drafting efforts, public consultations, and inputs from north of 6900 stakeholders. After the Act received the President of India’s assent in August 2023, MeitY (Ministry of Electronics and Information Technology) notified the final DPDP Rules via gazette notification G.S.R. 846(E) on 13 November 2025.

The provisions under DPDP come into force via three phases:

  • Administrative provisions: already in effect. 
  • Consent Manager rules: switch on in November 2026.
  • Operational obligations: notice, consent, security, rights, breach reporting, and cross-border transfers become enforceable from 14 May 2027.

As of May 2026, the DPBI has been constituted, but staffing is still in progress, leading most experts to describe 2026 as a “soft enforcement” year. So regulators are monitoring, but the legal crackdowns will begin a year down the line.


Who Needs to Comply With the DPDP Act?

The DPDP Act has put out a remarkably wide scope. Below, we summarize the major buckets this act covers:

  • Data Fiduciaries: any person or entity that decides the purpose and means of processing digital personal data. This is roughly equivalent to the “controller” under GDPR. Most Indian businesses and SaaS providers fall into this category.
  • Significant Data Fiduciaries (SDFs): a subset of Data Fiduciaries that the Central Government will notify based on volume and sensitivity of data, risk to Data Principals, sovereign and security implications, and impact on electoral democracy. SDFs face additional obligations under Section 10 and Rule 13.
  • Data Processors: vendors who process data on behalf of a Data Fiduciary. You remain contractually bound to your fiduciary client and must implement equivalent safeguards.
  • Foreign entities: the Act applies extraterritorially. If you sit in San Francisco, Singapore, or Stockholm but offer goods or services to Data Principals in India, you are squarely within scope.

The Act explicitly excludes processing for purely personal or domestic purposes, and publicly available data made public by the individual or under a legal obligation. Beyond that, assume you are in.

One important nuance for engineering leaders: the Data Fiduciary is liable for the actions of its Data Processors. You cannot outsource the risk by pointing at your cloud vendor. If your KYC partner mishandles data, the regulator will come knocking at your door first.

DPDP Act Compliance Requirements

These DPDP act compliance requirements are the core of what your engineering, product, legal, and security teams need to operationalize. Most of the DPDP act compliance requirements below are already final, so you can start designing against them right away.

Lawful purpose and valid consent

You can process personal data only for a “lawful purpose” (that is, a purpose not expressly forbidden by law) and only with consent or for a defined set of “legitimate uses” under Section 7 (such as employment, medical emergencies, or compliance with law).

Where consent is your basis, Section 6 sets a high bar. It must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. Pre-ticked boxes, bundled consent buried under T&Cs, and dark patterns will not pass muster.

Notice requirements

Under Section 5 and Rule 3, every Data Fiduciary needs to issue a standalone notice before or at the time of seeking consent. 

The notice has to state the personal data that is being collected, the specific purpose, how the person can withdraw consent, how to exercise their rights, and how to file a complaint with the Board.

The notice must also be available in English and in whichever of the 22 scheduled Indian languages the user prefers.

Bundling it into broader service agreements will attract strict scrutiny.

Purpose Limitation, Data Minimization, Accuracy, Storage Limitation

You must process data only for the specific purpose stated in the notice, collect only what you need, keep it accurate, and erase the data when the purpose has been fulfilled or when consent is withdrawn. 

Rule 8 prescribes specific retention rules. For example, large e-commerce platforms, social media, and online gaming intermediaries listed in the Third Schedule must erase a Data Principal’s data 3 years after the last interaction, with a 48-hour pre-erasure notice. (The Data Principal is the user or consumer who gives consent.)

Reasonable security safeguards under Section 8(5)

This is the heart of the law for any technical leader. It requires you to implement security safeguards to prevent any personal data breaches, in respect of all data in your possession or control, whether held by you or your data processor.

Rule 6 sets a minimum floor:

  • Encryption, obfuscation, masking, or use of virtual tokens for personal data, in transit and at rest
  • Access controls over the computer resources where personal data is processed
  • Logs, monitoring, and review to detect, investigate, and prevent unauthorized access
  • Reasonable measures for continued processing (backups, business continuity) in case of confidentiality, integrity, or availability events
  • Retention of logs and personal data for at least one year, unless another law requires longer or shorter
  • Technical and organizational measures to ensure that processors comply with the same standards
  • Contractual provisions requiring processors to implement these safeguards

Rule 6 is the single most important page in the entire DPDP framework for engineering and security leaders. Print it, pin it, and audit against it.

Breach notification

Under Section 8(6) and Rule 7, you must intimate the Board and every affected Data Principal of a personal data breach without delay once you become aware of it, and submit a detailed report to the Board within 72 hours (can be extended via a written request). The detailed report needs to cover the events, the people responsible, mitigation steps, remedial actions, and notifications sent.

Data Principal rights

Chapter III gives Data Principals 5 core rights:

  • Right to access information about personal data being processed
  • Right to correction, completion, updating, and erasure
  • Right to grievance redressal, with a published response timeline not exceeding 90 days
  • Right to nominate someone to exercise these rights on death or incapacity
  • Right to readily available means to withdraw consent, which must be as easy as giving it

Notably, DPDP does not include a GDPR-style right to data portability.

DPO, DPIA, and SDF obligations

Under Section 10 and Rule 13, every Significant Data Fiduciary must:

  • Appoint a Data Protection Officer (DPO) based in India and accountable to the board of directors
  • Carry out a Data Protection Impact Assessment (DPIA) and an independent audit annually, and file significant observations with the Board
  • Scan and screen algorithms and other ML and AI systems so that they do not pose a risk to Data Principals’ rights
  • Comply with any data-localization directions issued by a government-constituted committee

Cross-border transfers

DPDP adopts a “negative list” approach. 

Cross-border transfers are permitted unless the Central Government specifically restricts transfers to a notified country. SDFs may face additional restrictions, including a prohibition on transferring certain categories of personal data and related traffic data outside India.


DPDP Compliance Checklist

Use this DPDP compliance checklist as a working document with your engineering, legal, and security leads. 

The strength of any DPDP compliance checklist lies in tying every item to an owner and a verifiable control, so tick each item only once you have a documented, repeatable process in place.

Consent management

  • Replace bundled consent with granular, purpose-specific consent flows
  • Capture consent in English plus the user’s preferred scheduled Indian language
  • Log every consent event with timestamp, version of notice, and IP or device metadata
  • Build a “withdraw consent” journey that is as easy as the “give consent” journey
  • Prepare to integrate with registered Consent Managers from November 2026
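
One way to implement the consent-logging items above, shown as an added example that is not code from this guide, the Act, or any vendor: a hash-chained ledger that records each consent event with the fields the checklist names and makes later edits detectable. The field names, the "granted"/"withdrawn" actions, the hash-chain design, and the sample values are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str     # pseudonymous user id (assumed naming)
    purpose: str          # one purpose per event, never a bundle
    action: str           # "granted" or "withdrawn"
    notice_version: str   # which notice text the user actually saw
    notice_language: str  # language the notice was shown in
    timestamp: str        # UTC, ISO 8601
    client_meta: str      # IP or device metadata
    prev_hash: str        # entry_hash of the previous event
    entry_hash: str = ""  # SHA-256 over every field above


def digest(fields: dict) -> str:
    """Hash every field except entry_hash, using a canonical JSON encoding."""
    body = {k: v for k, v in fields.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained consent log. Editing or deleting an entry
    breaks the chain, provided the newest hash is also kept somewhere the
    database administrator cannot rewrite (assumption: e.g. WORM storage)."""

    def __init__(self):
        self.entries = []

    def record(self, principal_id, purpose, action, notice_version,
               notice_language, client_meta, when=None):
        if action not in ("granted", "withdrawn"):
            raise ValueError(f"unknown action: {action!r}")
        when = when or datetime.now(timezone.utc)
        fields = {
            "principal_id": principal_id,
            "purpose": purpose,
            "action": action,
            "notice_version": notice_version,
            "notice_language": notice_language,
            "timestamp": when.astimezone(timezone.utc).isoformat(),
            "client_meta": client_meta,
            "prev_hash": self.entries[-1].entry_hash if self.entries else GENESIS,
        }
        event = ConsentEvent(**fields, entry_hash=digest(fields))
        self.entries.append(event)
        return event

    def verify(self) -> int:
        """Return the index of the first inconsistent entry, or -1 if intact."""
        prev = GENESIS
        for i, event in enumerate(self.entries):
            if event.prev_hash != prev or digest(asdict(event)) != event.entry_hash:
                return i
            prev = event.entry_hash
        return -1

    def has_consent(self, principal_id, purpose) -> bool:
        """The latest event for (principal, purpose) decides; none means no."""
        for event in reversed(self.entries):
            if event.principal_id == principal_id and event.purpose == purpose:
                return event.action == "granted"
        return False


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: one user, two purposes, one withdrawal."""
    ledger = ConsentLedger()
    t = datetime(2026, 6, 3, 10, 0, tzinfo=timezone.utc)
    ledger.record("dp-1001", "order_updates", "granted", "notice-v3", "hi",
                  "203.0.113.7", t)
    ledger.record("dp-1001", "marketing_email", "granted", "notice-v3", "hi",
                  "203.0.113.7", t.replace(minute=1))
    ledger.record("dp-1001", "marketing_email", "withdrawn", "notice-v3", "hi",
                  "203.0.113.7", t.replace(hour=18))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify() == -1)
    print("marketing allowed:", ledger.has_consent("dp-1001", "marketing_email"))
    # Simulate someone rewriting history to claim a newer notice was shown.
    ledger.entries[0] = replace(ledger.entries[0], notice_version="notice-v9")
    print("first broken entry after tampering:", ledger.verify())
```

Because `has_consent` reads only the latest event per purpose, a withdrawal takes effect as a single append, and the earlier grant stays in the log as evidence.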

Data mapping and inventory

  • Maintain a full register of personal data: where it is collected, why, who it is shared with, where it is stored, and when it is deleted
  • Map both customer-facing and internal data flows (HR, vendor, marketing, support)
  • Tag each data element to a specific lawful basis (consent or Section 7 legitimate use)

Security safeguards

  • Encrypt personal data in storage and in transit
  • Apply masking, tokenization, or pseudonymization wherever it does not impair the purpose
  • Enforce least-privilege access, MFA, and RBAC
  • Keep access and processing logs for at least one year
  • Run continuous vulnerability scans and at least one annual third-party penetration test
  • Maintain offline or immutable backups and a tested disaster-recovery plan

Breach response

  • Define a breach response runbook with named owners and SLAs
  • Build detection through SIEM, EDR, or SOC monitoring
  • Pre-draft DPBI notification and Data Principal communication templates
  • Run at least one tabletop drill against the 72-hour clock each year

Data Principal rights

  • Publish a clear grievance redressal channel with response timelines
  • Build an authenticated rights portal for access, correction, and erasure requests
  • Define internal SLAs (most counsel advise 7 to 30 days, well within the 90-day cap)
  • Capture nomination details and verify entitlement before fulfillment

Governance

  • Appoint a designated officer (or DPO if you are an SDF)
  • Make a board-level executive accountable for DPDP outcomes
  • Maintain a record of processing activities and a Section 7 legitimate-use register

Vendor management

  • Update every Data Processing Agreement to include Rule 6 safeguards, breach notification clauses, audit rights, and erasure obligations
  • Maintain a current list of all sub-processors

Training

  • Run mandatory DPDP awareness training for all employees handling personal data
  • Provide deep-dive sessions for engineering, support, marketing, and HR teams
  • Refresh training annually and on every major regulatory clarification


Maximum Penalty for Non-Compliance with the DPDP Act

The Schedule to the DPDP Act sets the maximum penalty for non-compliance with the DPDP Act, and the numbers are designed to keep the boardroom's attention.

| Contravention | Statutory provision | Maximum penalty |
|---|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Section 8(5) | Up to ₹250 crore |
| Failure to notify the Board and affected Data Principals of a personal data breach | Section 8(6) | Up to ₹200 crore |
| Non-fulfillment of additional obligations relating to children’s personal data | Section 9 | Up to ₹200 crore |
| Non-fulfillment of additional obligations of a Significant Data Fiduciary | Section 10 | Up to ₹150 crore |
| Any other breach of the Act or Rules by a Data Fiduciary | Section 33 | Up to ₹50 crore |
| Breach of duties by a Data Principal (e.g., false or frivolous complaints) | Section 15 | Up to ₹10,000 |
| Breach of a voluntary undertaking accepted by the Board | Section 32 | Up to the penalty that would have applied to the original contravention |

A few important points before you walk into your meeting with the CFO:

  • Penalties are per instance, not per incident. A single breach can simultaneously trigger the ₹250 crore safeguards penalty and the ₹200 crore notification penalty.
  • There is no overall statutory cap on cumulative penalties. The DPDP Act does not aggregate exposure across contraventions, so the maximum penalty for non-compliance with the DPDP Act on a single bad day can run well above ₹250 crore for a complex breach.
  • Unlike GDPR, DPDP uses fixed monetary ceilings rather than a percentage of turnover. For very large enterprises, it may be peanuts, but for Indian startups and mid-market SaaS firms, it can be their entire food stock.
  • First-time, well-mitigated breaches are unlikely to attract the maximum fine, but precedents are still being built.
  • All penalties are credited to the Consolidated Fund of India. They do not flow to victims as compensation.
  • Penalties are imposed by DPBI, a 4-member adjudicatory body based in the National Capital Region. Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days.

How to Achieve DPDP Compliance (Step-by-Step Framework)

There is no certified “DPDP compliant” stamp yet, but the path to defensible DPDP Act compliance is well-lit. Here is a practical, sequential roadmap your team can begin executing in the next sprint.

  1. Discover and map your data. Build a complete inventory of every system, table, log, third-party tool, and SaaS instance that holds personal data of Indian residents.
  2. Classify and prioritize. Tag data by sensitivity, volume, source, and processing purpose. Focus first on data elements where loss or misuse would cause the most harm.
  3. Assess gaps. Compare your current controls against Sections 4 to 10 of the Act and Rules 3 to 13. Be brutal about where you have policy without enforcement.
  4. Design your consent framework. Rewrite notices in plain language, design granular consent flows, build a withdrawal UX, and capture immutable consent logs.
  5. Implement security safeguards. This includes encryption, IAM hardening, log retention, network segmentation, secure SDLC, and VAPT. These are table stakes under Rule 6. Trusted security partners like Astra Security run continuous pentests against your web apps, APIs, and cloud workloads to make sure the safeguards you claim on paper actually hold up under attack.
  6. Establish breach response. Build detection, runbooks, communication templates, and Board notification workflows. Run drills against the 72-hour clock.
  7. Operationalize Data Principal rights. Stand up a rights portal, identity verification, and SLA-driven workflows for access, correction, and erasure.
  8. Update vendor and processor contracts. Refresh DPAs, lock down sub-processor lists, and add audit rights.
  9. Train your people. Role-specific training for engineering, product, marketing, support, and HR. Most breaches start with a human, not a zero-day.
  10. Document, monitor, and conduct DPIAs. Maintain a record of processing activities, run periodic DPIAs (mandatory yearly for SDFs), and treat compliance as a continuous program, not an audit project.


DPDP Compliance Services: Do You Need External Help?

Not every organization needs the same level of outside help. Use this as a quick decision framework when scoping DPDP compliance services for your business.

You can probably handle most of DPDP in-house if:

  • You are a small or early-stage team with a tightly scoped product
  • You already have mature security, legal, and engineering functions
  • You process a limited volume of personal data and are unlikely to be designated an SDF

You should bring in external DPDP compliance services if:

  • You operate in a regulated sector such as BFSI, healthcare, or edtech serving minors
  • You expect to be notified as a Significant Data Fiduciary
  • Your stack spans multiple cloud providers, regions, and third-party integrations
  • You have legacy data, undocumented systems, or unclear retention practices
  • Your last serious penetration test was more than a year ago, or never happened

A typical mix of external help looks like:

  • Legal counsel for Act interpretation, contracts, notices, and DPIAs
  • Security testing firms (such as Astra Security) for VAPT, cloud configuration reviews, API testing, and continuous security validation aligned with Section 8(5) and Rule 6
  • DPO-as-a-service providers for ongoing governance, especially for SDFs
  • Consent management platforms that will integrate with registered Consent Managers from November 2026

The smart move is to scope your in-house lift first, then bring in specialists for the gaps. Avoid signing with a single “end-to-end DPDP partner” without checking whether they actually have the legal and technical depth. Given that DPDP is just about to debut, there will be plenty of gimmicks around to fool you.

Common DPDP Compliance Challenges (and Solutions)

Even well-resourced teams hit the same recurring obstacles. Here are seven you will likely face, with practical responses.

  1. Legacy data with no clean consent trail. Most organizations carry years of data collected under vague T&Cs. Solution: vet by sensitivity and business value, re-consent where you can, anonymize where you must, and erase the rest before May 2027.
  2. Third-party and vendor compliance gaps. You are liable for what your processors do. Solution: refresh DPAs with Rule 6 safeguards, conduct vendor security reviews, and require attestations or independent test reports.
  3. Consent management at scale. Granular, withdrawable, multilingual consent is hard to engineer. Solution: invest in a consent management platform now, and design APIs that can plug into registered Consent Managers when that ecosystem matures.
  4. Cross-border data flows. The negative list approach leaves room for multiple fines and ambiguity in the penalization basis. Solution: maintain a current map of where data lives, design for portability, and keep a close eye on MeitY’s notifications.
  5. Training across distributed teams. A single misconfigured S3 bucket or pasted Slack export can become a ₹250 crore problem. Solution: role-specific training, security champions in each team, and engineering guardrails (SAST, DAST, secret scanning) that prevent mistakes before code ships.
  6. Breach detection within 72 hours. The detailed report clock starts when you become “aware”, and regulators will scrutinize how long that took. Solution: invest in detection (SIEM, EDR, etc.), automate alerting, and tabletop your runbook quarterly.
  7. Balancing data minimization with business needs. Product, marketing, and ML teams will push to keep more data. Solution: anchor every dataset to a documented purpose, enforce retention through automation, and bring data protection by design into your PRDs.

DPDP Compliance vs GDPR: Key Differences

For Indian companies serving global users, DPDP act compliance does not replace GDPR; it stacks on top of it. The two regimes share DNA but differ in important ways.

| Dimension | DPDP Act, 2023 (India) | GDPR (EU) |
|---|---|---|
| Scope | Digital personal data only; excludes publicly available data | All personal data, digital and non-digital records in filing systems |
| Extraterritorial reach | Applies to foreign entities offering goods or services to Indian Data Principals | Applies wherever EU residents’ data is processed |
| Consent | Free, specific, informed, unconditional, unambiguous; clear affirmative action | Freely given, specific, informed, unambiguous |
| Children | Under 18; verifiable parental consent; ban on tracking and targeted ads (with limited safety carve-outs) | Age set by Member States between 13 and 16; parental consent required |
| Rights | Access, correction or erasure, grievance redressal, nomination. No portability, no automated-decision opt-out | Access, rectification, erasure, restriction, portability, objection, automated decision rights |
| Breach notification | Without delay to Board and affected principals; detailed report within 72 hours of awareness | Within 72 hours to supervisory authority where risk to rights; affected individuals if high risk |
| DPO / DPIA | DPO and annual DPIA plus audit only for Significant Data Fiduciaries | DPO mandated for specific processing types; DPIA for high-risk processing |
| Penalties | Fixed caps up to ₹250 crore per instance | Up to €20 million or 4% of global annual turnover, whichever is higher |
| Cross-border transfers | Negative list: permitted unless the government restricts a specific country | Adequacy decisions, SCCs, BCRs, derogations |
| Regulator | Data Protection Board of India (single, federal, digital body) | Independent supervisory authorities in each Member State, coordinated by EDPB |
| Appeals | TDSAT within 60 days | National courts and EDPB mechanisms |

If you already run a mature GDPR program, you are roughly 60 to 70% DPDP-proof. The remaining 30 to 40% is what will demand real engineering work. It is mostly bilingual notices, the no-legitimate-interests rule, India-specific retention schedules, consent withdrawal UX, Indian DPO and DPIA obligations for SDFs, and the breach communication template.

DPDP Compliance Timeline & What Businesses Should Do Now

The rules are notified, the Board has been constituted, and May 2027 is closer than it looks. Here is how the timeline actually breaks down.

Important Events Timeline

  • 3 January 2025. Draft DPDP Rules released for public consultation.
  • 13 to 14 November 2025. Final DPDP Rules notified via G.S.R. 846(E). Provisions on the Data Protection Board (Rules 1, 2, 17 to 21 and corresponding Act sections) take effect immediately.
  • May 2026 (current state). The DPBI has been established in the NCR with a four-member structure; most operational obligations are not yet enforceable; and regulators are in “soft enforcement” and guidance mode.
  • 14 November 2026. Rule 4 commences. Consent Managers must begin registering with the Board, and their obligations and supervisory powers go live.
  • 14 May 2027. The big bang. Rules 3, 5 to 16, 22, and 23, and the corresponding substantive provisions of the Act (Sections 3 to 17, 27 to 34, 36 to 37) come into force. Notices, consent, security safeguards, Data Principal rights, breach reporting, cross-border transfers, SDF obligations, and the full penalty schedule are enforceable.

In the next 6 to 12 months, the priorities for any Indian Data Fiduciary should be:

  • Complete data discovery and classification across all systems
  • Appoint a designated officer (and a DPO if you anticipate SDF designation)
  • Rebuild notices, consent flows, and grievance redressal
  • Tighten security with continuous VAPT, cloud configuration reviews, and log retention
  • Update every vendor contract
  • Run at least one end-to-end breach simulation
  • Build a board-level reporting cadence on DPDP risk

How Can Astra Help?

DPDP compliance is not a paperwork exercise. The most expensive penalty in the entire schedule, ₹250 crore, is reserved for a single failure: not having reasonable security safeguards in place under Section 8(5). The regulator does not need to wait for a breach to happen; demonstrable negligence is enough.


That is where Astra fits naturally into your DPDP program with key features such as:

  • Scanner Capacity: Unlimited continuous scans
  • Coverage: Mobile app, web app, Cloud, IoT, Network, APIs, AI
  • Manual pentest: Yes
  • Accuracy: Zero false positives
  • Vulnerability management: Offers a dynamic vulnerability management dashboard 
  • Compliance: PCI-DSS, HIPAA, ISO27001, GDPR, and SOC2
  • Integration: Slack, Jira, GitHub, GitLab, Jenkins, and more
  • Price: Trials start at just $7 a week

We stand out as a premier and comprehensive cybersecurity tool that delivers continuous, AI-enhanced (and soon autonomous) hacker-styled pentesting and DAST scanning capabilities for both startups and global enterprises.

At its core, our platform runs 15,000+ test cases against target assets and scans AWS, Azure, and GCP for misconfigs, IAM risks, and vulnerabilities, validating every finding before it reaches you.

Plus, our reports are vetted by expert pentesters adept in manual penetration testing services and remediation assistance to best help you shift left as you grow. Our products can also map discovered vulnerabilities to major local and global compliance frameworks (e.g., GDPR, HIPAA, PCI-DSS, and ISO 27001).

Over the past year, we’ve added ICICI, UN, and Dream 11 as our clients, building on an already strong customer base that features brands like Ford, Gillette, and GoDaddy.

We’d like for you to think of us as the people you bring in to stress-test the security narrative your privacy program is telling. We do not write your privacy notices or run your DPO function. We make sure the technical floor underneath them is solid.

Final Thoughts

DPDP compliance is a long game played in short sprints. The Act has been on the books since August 2023, the Rules since November 2025, and the substantive enforcement date, 14 May 2027, is not far off. Treat 2026 as your build year, not your wait-and-see year.

The teams that come out of this transition in good shape will not be the ones with the thickest privacy policy. They will be the ones who quietly invested in data discovery, consent engineering, vendor governance, and continuous security validation while the rest of the market debated definitions.

You do not need to solve all of it this quarter. You do need a sequenced plan, owners, and accountability against the May 2027 clock. Start with the highest-risk obligations — security safeguards under Section 8(5), breach response, and consent — and let the rest fall into place around them.

FAQs

What does the DPDP Act 2023 apply to?

The DPDP Act 2023 applies to digital personal data processed in India, and to processing outside India that involves offering goods or services to Indian citizens whose data is captured. 

It excludes purely personal or domestic use and publicly available data made public by the individual or under law.

What is the new DPDP Act?

The Digital Personal Data Protection Act, 2023, is India’s privacy law that governs how companies collect, process, and store digital personal data. Operationalized by the DPDP Rules 2025, it grants Indian citizens rights and imposes penalties in case of non-compliance.

What is Rule 7 of the DPDP Rules?

Rule 7 talks about personal data breach notifications. It legally binds you to inform the affected customer/consumer and the Data Protection Board “without delay” once aware of a breach, and submit a detailed report to the Board within 72 hours covering events, causes, mitigation, and remedial actions taken.

What are the key highlights of DPDP 2023?

These include consent-based processing, clear notice requirements, Data Principal rights (access, correction, erasure, grievance redressal, nomination), reasonable security safeguards under Section 8(5), 72-hour breach reporting, additional duties for SDFs, extraterritorial scope, and penalties reaching ₹250 crore per contraven

What are the principles of the DPDP Act?

The Act rests on seven core principles:

  • Lawful processing
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Reasonable security safeguards
  • Accountability

Together, they ensure companies collect only what they need, use it transparently, secure it properly, and are held accountable and subject to penalties for adverse outcomes.

Note: This article is for general informational purposes only and does not constitute legal advice. DPDP interpretations are evolving, and specific obligations will depend on your facts and circumstances. Please consult a qualified legal counsel and security advisor before taking any compliance-related decisions with respect to the DPDP Act.