DPDPA (India)
DPDPA-Ready by November 2026. Audit-Proof by May 2027.
India's Digital Personal Data Protection Act is now enforceable law: DPDP Rules notified November 2025, soft enforcement ends November 2026, hard enforcement lands 13 May 2027 with penalties up to ₹250 crore. Run DSRs, breach response, notices, training, and audit readiness on one platform.
Who needs it: Every Indian Data Fiduciary processing digital personal data — and any global company serving Indian users. Healthcare, fintech, and SaaS face the highest scrutiny.
What is DPDPA (India)?
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's comprehensive data protection law. It applies to the processing of digital personal data within India, and to processing outside India connected with offering goods or services to Data Principals in India. Obligations fall on Data Fiduciaries — the entities that determine the purpose and means of processing — with heightened duties for Significant Data Fiduciaries (SDFs).
The DPDP Rules were notified on 14 November 2025, turning the Act into an operational regime: consent and notice requirements (with notices available in all 22 scheduled languages), Consent Manager interoperability, data subject rights with grievance redressal, breach notification to the Data Protection Board and affected individuals, reasonable security safeguards, and — for SDFs — a Data Protection Officer based in India, periodic Data Protection Impact Assessments, and independent audits.
Enforcement is phased: the soft-enforcement window closes in November 2026, and hard enforcement of the full obligation set lands on 13 May 2027, with monetary penalties up to ₹250 crore per breach category. The Data Protection Board took its first enforcement actions in early 2026 — the grace period is already over in practice.
Enforcement timeline
Where the regulation stands today — and the deadlines your program has to beat.
DPDP Act enacted
India's comprehensive data protection law receives presidential assent.
DPDP Rules notified
The operational regime arrives: consent, notice, breach, DSR, and SDF obligations take concrete form.
First DPB enforcement actions
The Data Protection Board acts against app developers over invalid consent — enforcement is no longer theoretical.
Consent Manager framework operationalized
Interoperable Consent Manager APIs go live. Fiduciaries should be preparing integration and consent-records hygiene now.
Soft-enforcement window closes
The Board shifts to active supervision. Legacy-data consent comes under scrutiny. Be operational before this date.
Hard enforcement
Full obligation set enforced: consent, notices, security safeguards, breach protocol, DSR infrastructure, SDF duties, DPIA, DPO. Penalties up to ₹250 crore.
What you'll need to satisfy.
The core categories DPDPA (India) auditors evaluate — and what we ship to cover each one.
Consent & Notice
- Free, specific, informed, unconditional and unambiguous consent
- Plain-language notice available in all 22 scheduled languages
- Consent withdrawal as easy as giving it
- Consent Manager interoperability readiness
- Verifiable parental consent for children's data
Data Principal Rights (DSRs)
- Right to access a summary of processed personal data
- Right to correction, completion and updating
- Right to erasure when purpose is served
- Grievance redressal within statutory timelines
- Right to nominate
Breach Notification
- Notify the Data Protection Board of every personal data breach
- Notify affected Data Principals without delay
- Document breach response and remediation
- Coordinate with CERT-In 6-hour incident reporting where applicable
Security Safeguards
- Reasonable security safeguards: encryption, access control, logging, monitoring
- Data backups and recovery capability
- Processor (Data Processor) contracts with security obligations
- Retention limits — erase when purpose is served
Significant Data Fiduciary (SDF)
- Appoint a Data Protection Officer based in India
- Periodic Data Protection Impact Assessments
- Independent data audits
- Algorithmic due-diligence obligations
The problem we solve.
Why teams pick Compliance Enablers for DPDPA (India) compliance.
Common challenges
- Hard enforcement lands 13 May 2027 with penalties up to ₹250 crore — and the Data Protection Board has already taken enforcement action in 2026
- The Consent Manager framework is being operationalized right now; legacy-data consent comes under scrutiny from November 2026
- DPDPA point solutions cover consent alone at ₹15–40 lakh per year and leave DSRs, breach response, and audits unsolved
- No global GRC platform is DPDPA-deep, and no Indian point tool covers your full ISMS — teams are stitching both together
What we provide
- Privacy module operational today: data subject request handling, ROPA, and privacy impact assessments
- Incident management with breach workflows — manage Data Protection Board notification duties alongside CERT-In 6-hour reporting timelines
- Document management with notice and policy templates, version-controlled for audits
- Security awareness training to evidence the human side of "reasonable security safeguards"
- Audit module for DPDPA readiness assessments and internal audits, with findings tracked to closure
- DPDPA Operations Suite — consent-record registry, DSR SLA clocks, breach-clock workflows, DPIA templates, and SDF obligation tracker — rolling out ahead of the November 2026 deadline
- Cross-framework mapping: your ISO 27001 / SOC 2 control work counts toward DPDPA security safeguards
From kickoff to audit-ready.
Step-by-step, exactly how we'll get you there.
Applicability & Gap Assessment
Determine your Data Fiduciary obligations and SDF likelihood, then run a gap assessment against the full DPDPA obligation set with prioritized remediation.
Privacy Operations Setup
Stand up DSR intake and workflows, your records of processing (ROPA), and privacy impact assessments in the Privacy module.
Notices & Consent Readiness
Deploy notice and policy templates from Document Management, and prepare for Consent Manager interoperability as the framework operationalizes.
Breach Response Wiring
Configure incident playbooks with Data Protection Board notification duties and CERT-In 6-hour reporting timelines built into the workflow.
Safeguards Evidence
Map your ISO 27001 / SOC 2 controls onto "reasonable security safeguards" via the SCF crosswalk and collect evidence continuously.
SDF Obligations
Track DPO records, DPIA cadence, and independent audit scheduling so Significant Data Fiduciary duties never slip.
Running ISO 27001 already? Your ISMS controls map directly onto DPDPA's "reasonable security safeguards" — the SCF crosswalk shows exactly what carries over.
DPDPA point solutions focused on consent management alone are pricing at ₹15–40 lakh per year. Compliance Enablers gives you privacy operations (DSRs, ROPA, PIAs), incident and breach workflows, notice and document management, training, and audit readiness — your entire GRC program — at transparent pricing below what point tools charge for a single capability.
Key modules for DPDPA (India).
Everything these modules ship, included in every tier.
Get DPDPA (India) audit-ready.
Readiness assessment in days; operational privacy program in weeks. 513 pre-generated policies. 50+ evidence collectors. Everything you need to pass DPDPA (India), out of the box.