Everything you need to know about DPDP compliance

India’s law governing processing of digital personal data, setting obligations for organisations and rights for individuals (Data Principals).

Personal data in digital form, and also personal data collected offline that is later digitised.

The individual to whom the personal data relates. For a child, it includes the parent or lawful guardian acting on the child’s behalf.

Any person or entity that determines the purpose and means of processing personal data (similar to a “controller” in other regimes).

Any person or entity that processes personal data on behalf of a Data Fiduciary, such as a vendor, SaaS provider, or outsourcer.

Yes, if you process digital personal data in India, including data that was collected offline and later digitised.

Yes, if it processes digital personal data outside India in connection with offering goods or services to individuals in India.

It does not apply to purely personal or domestic processing by individuals, and generally not to personal data made publicly available by the Data Principal or under a legal obligation to publish.

Not directly - unless those records are digitised later, after which DPDP applies.

No. Concepts overlap, but definitions, lawful bases, enforcement structure, and operational rules differ.

Only for a lawful purpose and on the basis of either consent or certain legitimate uses defined in the Act.

Consent must be free, specific, informed, unconditional, unambiguous, involve a clear affirmative action, and be limited to what is necessary for the specified purpose.

Yes - at any time, and withdrawing consent must be as easy as giving it. Processing must stop within a reasonable time unless another law permits or requires it.

Specific situations listed in the Act where processing can happen without consent, such as voluntarily provided data for a requested purpose, certain State functions, or emergencies.

Only if it is compatible with DPDP requirements - typically you should issue a fresh notice and obtain consent unless a legitimate use or other law supports the new purpose.

Yes. Requests for consent must be accompanied or preceded by a notice describing what data will be collected, for what purpose, and how rights or complaints can be exercised.

The Act requires you to offer the notice in English or any language listed in the Eighth Schedule of the Indian Constitution.

Your notice should include how the Data Principal can reach you for rights or grievances. Practically, this means adding contact information for your privacy team or DPO.

Only if they contain DPDP-required elements and appear at or near the point where consent/collection occurs.

You must provide a notice as soon as reasonably practicable describing the data, purpose, and how to exercise rights or complain once the relevant provisions commence.

Anyone under 18 years of age.

Yes, but you must obtain verifiable consent from the parent or lawful guardian, subject to any rules or exemptions that apply.

You must not undertake processing that is likely to cause a detrimental effect on the well-being of a child.

Implement age gating, parent or guardian verification, and child-specific notices and safeguards.

Yes, if they process digital personal data. They must follow notice, consent, rights, security, and retention obligations.

You must implement reasonable security safeguards to prevent personal data breaches. This includes technical and organisational measures proportionate to the risk.

It is unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access that compromises confidentiality, integrity, or availability.

Yes. Data Fiduciaries must notify the Board and affected Data Principals in the prescribed manner.

Timelines and procedures are governed by the Rules and official guidance. Treat breach notification as urgent and follow the prescribed format and timelines once those provisions are in force.

Processors’ duties flow contractually and through fiduciary obligations. Ensure vendor agreements require prompt breach reporting and cooperation.

Key rights include access to information about processing, correction, updating, erasure (subject to lawful retention), grievance redressal, and nomination where applicable.

Individuals can request correction, completion, updating, and erasure; fiduciaries must comply unless retention is necessary for the specified purpose or another law.

DPDP requires access to information about personal data and processing. Implementation can vary, but you need a workable process to respond to such requests.

Yes. They can first escalate to the fiduciary’s grievance channel and then to the Board if the issue isn’t resolved as required.

A Data Principal can nominate another person to exercise rights on their behalf in case of death or incapacity, following the Act’s provisions.

When consent is withdrawn or the purpose is no longer served, unless retention is necessary for a legal requirement or specified purpose.

Not by default. Retention needs a lawful basis and purpose limitation - ongoing analytics must be defensible and not indefinite without justification.

Yes. The Rules include a schedule prescribing retention periods for certain classes of Data Fiduciaries and purposes.

Design for eventual purge across systems, including backups, within reasonable operational constraints.

Logs that identify individuals are personal data. Keep them only as long as needed for security or compliance, with access controls.

The Data Protection Board of India is established to exercise powers and perform functions under the Act.

The Board’s head office is in the National Capital Region (NCR).

The Act provides monetary penalties that can go up to ₹250 crore depending on the type of breach, assessed by the Board using statutory factors.

DPDP enforcement is Board-driven with penalties; separate remedies may exist under other laws or contracts depending on the facts.

DPDP focuses on fiduciary obligations and Board enforcement; personal liability questions depend on corporate law, contracts, and the specific conduct in question.

DPDP allows cross-border transfers unless the Central Government restricts specific countries or territories. Watch for the official “negative list.”

Include clear processing instructions, security controls, sub-processing limits, breach-reporting SLAs, audit rights, deletion/return terms, and assistance with DPDP rights requests.

A Consent Manager is a Board-registered entity that helps individuals manage consent. It is optional unless your product or ecosystem specifically requires integration.

A class of fiduciaries notified by the Government based on factors like data volume, sensitivity, or risk. SDFs must comply with extra obligations such as appointing a DPO and conducting DPIAs.

Rules were notified on 13 Nov 2025 with staggered commencement - some provisions immediately, some after one year, many after 18 months. India Code also notes 18-month commencement tranches from 13 Nov 2025.

Non-compliance with the DPDP Act carries severe financial risks. Penalties can reach up to ₹250 Crore for failures related to Data Fiduciary obligations and reasonable safeguards. Additionally, failing to provide breach notices can result in fines up to ₹200 Crore, while Significant Data Fiduciaries (SDF) face fines up to ₹150 Crore for missing additional obligations.

Comply DP utilizes a specialized Breach Notification Engine that replaces chaotic manual responses with structured playbooks. It facilitates immediate intimation to the Data Protection Board and affected individuals, followed by an automated workflow to generate the required detailed report within 72 hours, complete with evidence bundles and containment timelines.

Yes, the Consent & Notice Manager includes language support for English and all languages listed in the Eighth Schedule of the Indian Constitution. This ensures that consent requests are "free, specific, informed, and unambiguous" as required by law, presenting terms in clear, plain language that users can easily understand.

If notified as an SDF based on data volume or sensitivity, an organization must appoint an India-based Data Protection Officer (DPO) who reports to the Board. They must also appoint an independent data auditor and conduct periodic Data Protection Impact Assessments (DPIA). Comply DP offers specific modules to manage these elevated governance requirements.

The platform automates the fulfillment of Data Principal rights, reducing processing time from weeks to clicks. It handles requests for information access (summary of data and processing), correction, updating, and erasure. It also manages the grievance workflow, ensuring responses are provided within the statutory period (typically 90 days for grievances).

Yes. Every workflow, template, and control inside Comply DP is mapped to individual sections of the DPDP Act and forthcoming Rules. The product roadmap is aligned with MeitY notifications so customers stay audit-ready.

You can provision unlimited internal stakeholders, assign owners per compliance task, and generate traceable activity logs. This keeps DPDP initiatives multi-disciplinary without losing accountability.

Most midsize organizations complete their baseline DPDP program within 8 to 12 weeks using our pre-built controls, policy templates, and readiness workflows. The exact duration depends on data inventory maturity and processor coordination.

Yes. Each control is tagged to the relevant section (e.g., Section 8 for consent, Section 9 for Data Principal rights) so auditors and internal stakeholders can trace implementation evidence directly to legal obligations.

You can schedule automated breach simulations that route tasks to legal, IT, and communications teams. Each drill produces an evidence bundle proving you rehearsed your 72-hour response obligations.

Yes. The Breach Notification Engine stores jurisdiction-specific templates, lets you merge incident metadata, and exports submissions in the exact format the Data Protection Board expects.

Design notices with modular components: layered consent, just-in-time prompts, and embedded disclosures inside product flows. Export as hosted pages, embeddable widgets, or API responses for custom UIs.

Every consent capture is hashed, timestamped, and tied to the data principal identity. Auditors can view the exact screen or API payload the principal saw before approving.

You can document the appointed DPO, capture delegation notes, and maintain board-level reporting packs. Reminders ensure quarterly updates are filed, meeting Section 10 duties.

Yes. The DPIA workspace standardizes risk scoring, reviewer sign-offs, and remediation plans. Generated DPIA files can be shared with MeitY on demand.

Incoming requests are classified (access, correction, erasure, grievance) and routed to the right workflow with statutory SLA timers. Duplicate requests are detected to prevent repeated manual handling.

Each request generates an immutable timeline with requester identity proofs, actions taken, reviewer comments, and response payloads. Export the bundle as PDF/CSV during audits or disputes.

ComplyDP is purpose-built for India's DPDP Act 2023, unlike generic global tools that treat India as an afterthought. We offer vernacular consent in 22 Indian languages, 72-hour breach reporting automation aligned with Data Protection Board requirements, and pricing designed for Indian startups. Our platform includes DPDP-specific modules like Significant Data Fiduciary (SDF) compliance and India-centric DPIA templates - features competitors often lack or charge enterprise prices for.

For DPDP Act 2023 compliance specifically, ComplyDP offers advantages: India-native architecture (no data residency concerns), 22 Indian language support for consent, and a one-time fee of ₹40,000 for complete DPDP disclosure requirements and resolution vs OneTrust's enterprise-only subscription pricing. OneTrust excels at multi-jurisdiction (GDPR, CCPA) but requires expensive customization for DPDP-specific requirements like 72-hour breach reporting to the Indian Data Protection Board and vernacular notice management.

The best DPDP compliance software depends on your needs. For startups and SMEs, ComplyDP offers the best value with a one-time fee of ₹40,000 for complete DPDP disclosure requirements and resolution. For enterprises needing multi-jurisdiction coverage (GDPR + CCPA + DPDP), OneTrust or TrustArc may be preferable despite higher costs. For developers needing API-first solutions, ComplyDP's webhook-based DSR automation and pre-built React components offer faster integration than legacy GRC tools.

ComplyDP offers a one-time fee of ₹40,000 for complete DPDP disclosure requirements and resolution, covering consent management, DSR workflows, breach reporting, and compliance documentation. Competitors like OneTrust and Securiti typically require custom enterprise quotes starting at $30,000-$50,000/year with lengthy procurement. BigID and similar platforms charge per-record fees that become expensive at scale. ComplyDP offers transparent, public pricing designed for Indian market realities, with no hidden data processing fees.

Yes, ComplyDP supports multi-jurisdiction compliance including DPDP (India), GDPR (EU), and other frameworks. Our platform maps overlapping requirements - like consent management and data subject rights - while handling jurisdiction-specific nuances. For example, DPDP's 72-hour breach reporting and GDPR's 72-hour breach notification to supervisory authorities are both automated, but follow different templates and recipient workflows. Data residency controls ensure Indian data stays in India while EU data remains in EU regions.

DPDP compliance software ROI is substantial when you factor in penalty avoidance. Non-compliance fines range from ₹50 crore to ₹250 crore. ComplyDP's one-time fee of ₹40,000 pays for itself many times over if it prevents even a minor violation. Additionally, automation reduces manual DSR processing time by 80%, saving 15-20 hours/month for a mid-sized company. The platform also accelerates sales cycles - enterprise buyers increasingly require DPDP compliance proof, and having automated systems in place can close deals 30% faster.

For startups, DPDP compliance costs vary by approach. DIY (templates + manual processes) costs ₹0-50,000 upfront but requires 20-40 hours of legal review and ongoing manual work. ComplyDP costs a one-time fee of ₹40,000 and includes complete DPDP disclosure requirements resolution: automated consent management, DSR workflows, breach reporting, and compliance documentation. Enterprise GRC tools cost ₹2-5L/year minimum, often requiring additional implementation fees. The cheapest long-term option is usually automated software that prevents violations rather than manual compliance that risks ₹250 crore penalties.

You can handle DPDP compliance manually, but the risk increases significantly. Manual processes struggle with 72-hour breach reporting deadlines, tracking consent across touchpoints, and handling DSR requests within 30 days. The DPDP Board has already issued notices to companies for delayed breach intimation and inadequate consent mechanisms. Software like ComplyDP provides audit trails, automated workflows, and documentation that prove compliance intent - which can reduce penalties if a violation occurs. The cost of software is minimal compared to potential fines up to ₹250 crore.

ComplyDP offers a free DPDP Risk Snapshot - a 10-minute assessment that returns a compliance coverage score and prioritized gap list. We also offer a consultation call to discuss your DPDP disclosure requirements and how our one-time ₹40,000 service resolves them. This includes complete setup of consent management, DSR workflows, breach notification templates, and compliance documentation. No recurring fees or subscriptions required.

ComplyDP pricing is a one-time fee of ₹40,000 with no per-user fees, hidden costs, or recurring subscription fees. This includes: DPDP Act disclosure requirements assessment, consent management setup, DSR workflow automation, breach notification templates, compliance documentation, and resolution of all disclosure gaps. The service also includes 22 Indian language support, DPDP Act references, and automatic updates when rules change. No setup fees or implementation charges.

SaaS companies must comply with DPDP if they process digital personal data of Indian users - whether B2B (employee data of customers) or B2C (end-user data). Key requirements: consent management for data collection, 72-hour breach reporting, DSR handling for access/correction/deletion requests, and cross-border data transfer safeguards if using foreign servers. SaaS companies acting as Data Processors must ensure contracts with Data Fiduciaries (customers) include DPDP-mandated security and processing clauses. Significant Data Fiduciaries (high volume/sensitivity) have additional obligations.

B2B SaaS products processing personal data of Indian employees or customers must implement: (1) Consent capture for admin-level access to employee data, (2) Data Processing Agreements with enterprise customers defining DPDP-compliant security measures, (3) 72-hour breach notification workflows, (4) Cross-border transfer mechanisms if data leaves India, (5) DSR automation for employee rights requests. Many enterprise buyers now require DPDP compliance proof in vendor security assessments. ComplyDP's B2B module includes enterprise-grade audit trails and Data Fiduciary-contract templates.

Multi-tenant SaaS platforms need customer-configurable consent management. Each tenant (customer) may have different consent requirements based on their industry and use case. ComplyDP supports multi-tenant consent through: customizable consent notice templates per tenant, role-based access controls separating tenant data, audit logs isolated by customer, and DSR workflows routed to the correct tenant admin. The platform also provides APIs for SaaS vendors to embed consent capture directly into their product flows, maintaining consistent UX while ensuring DPDP compliance.

SaaS providers only need a DPO if designated as a Significant Data Fiduciary (SDF) by the government. SDF criteria include volume of data processed, sensitivity of data, risk to data principals, and potential impact on India's sovereignty. Most early-stage SaaS won't initially qualify as SDFs. However, if you process health data, financial data at scale, or operate critical infrastructure SaaS, monitor SDF notifications. Even without DPO requirements, appointing a privacy lead and documenting compliance processes is recommended for enterprise sales.

Using international cloud providers (AWS, GCP, Azure) requires attention to DPDP's data transfer requirements. Solutions: (1) Use India regions (AWS Mumbai, Azure Central India) for primary data storage, (2) Implement Standard Contractual Clauses (SCCs) or approved transfer mechanisms for any data leaving India, (3) Ensure cloud provider contracts include DPDP-mandated security requirements, (4) Document data flows for audit purposes. ComplyDP integrates with cloud providers via APIs to automate data mapping and residency controls, ensuring you can prove where Indian user data resides.

Fintech companies handling financial data face elevated DPDP requirements and are likely to be designated Significant Data Fiduciaries (SDFs) due to sensitive data processing. Requirements: (1) Appoint a Data Protection Officer (DPO) resident in India, (2) Conduct Data Protection Impact Assessments (DPIA) for high-risk processing, (3) Implement enhanced security safeguards for financial data, (4) 72-hour breach reporting to the Data Protection Board, (5) Consent mechanisms for data use in credit scoring and lending decisions. Additionally, fintechs must reconcile DPDP with RBI's existing data localization and cybersecurity guidelines.

Fintech companies are not automatically SDFs, but they have high probability of designation. SDF criteria include: volume of personal data processed, sensitivity of data (financial data is considered sensitive), risk to data principals (financial harm), and impact on state security/sovereignty. Most digital lending platforms, payment aggregators, and neobanks serving significant Indian user bases will likely be notified as SDFs. Until formal designation, fintechs should voluntarily implement SDF obligations (DPO, DPIA, audits) as both compliance preparation and competitive positioning for enterprise partnerships.

Digital lending platforms face specific DPDP requirements: (1) Granular consent for different data uses - credit bureau checks, alternative data analysis, and marketing must be separately consented, (2) Clear notice before accessing device data (contacts, location) often used in alternative credit scoring, (3) Right to explanation when credit decisions are automated or AI-driven, (4) Data minimization - collect only data necessary for lending decision, (5) Retention limits - delete data after loan closure per regulatory requirements. Aggressive data collection practices common in some loan apps now carry ₹250 crore penalty risk.

Fintechs must satisfy both RBI guidelines and DPDP Act requirements. Key overlaps and differences: (1) Data localization - RBI requires domestic storage for payment data; DPDP allows transfers with approved safeguards. Comply with the stricter RBI requirement for payment data. (2) Consent - DPDP's consent requirements align with RBI's customer consent norms, but DPDP is more detailed on notice content. (3) Breach reporting - both require reporting, but timelines differ. ComplyDP's fintech module maps both requirements, ensuring a single breach notification workflow satisfies both regulators. (4) DPO - RBI suggests designated contact; DPDP mandates DPO for SDFs. Consider appointing a DPO who handles both.

Payment apps and UPI platforms must obtain specific consent for: (1) Transaction processing (primary purpose), (2) VPA (Virtual Payment Address) resolution and mapping, (3) Transaction history storage and analysis, (4) Marketing and promotional use of transaction patterns, (5) Data sharing with merchants and payment partners. Each purpose must be clearly separated in consent notices. The DPDP Act's 'clear and plain language' requirement means fintechs must move beyond dense T&Cs to concise, multi-language explanations. ComplyDP's vernacular consent manager supports 22 Indian languages for payment app onboarding flows.

Ecommerce and D2C brands processing customer data must comply with DPDP requirements including: consent collection during checkout and account creation, cookie and tracking consent for analytics and retargeting, data minimization (collect only necessary order information), 72-hour breach notification if customer data is compromised, and DSR handling for access, correction, and deletion requests. Key touchpoints requiring consent: checkout forms, newsletter signups, abandoned cart emails, and loyalty programs. Brands using WhatsApp Business, Instagram Shops, or D2C platforms must ensure consent flows are tracked across all channels.

Ecommerce checkout requires consent for data processing beyond the core transaction. Required without explicit consent: name, address, phone, email for order fulfillment. Requires separate consent: marketing emails, SMS promotions, WhatsApp updates, data sharing with logistics partners for non-delivery purposes, analytics and tracking pixels, and sale of anonymized purchase patterns. Best practice: checkbox-based granular consent on checkout page with clear language like 'I agree to receive order updates via WhatsApp' and 'I consent to marketing emails (optional)'. Pre-ticked boxes or bundled consent likely violates DPDP's 'free and specific' requirement.

Returns and refunds involve extended data processing that requires attention: (1) Data retention - keep return request details and communication history for legal/tax purposes, but define retention periods, (2) Reverse logistics - ensure return shipping labels don't expose customer data, (3) Refund processing - payment data must be securely handled during reversals, (4) Analytics - avoid using return reasons data for profiling without consent, (5) Third-party logistics - contracts with return partners must include DPDP security clauses. Implement clear privacy notices in return policy pages explaining how return-related data is used and stored.

Personalized marketing using customer data requires specific consent under DPDP. Practices requiring consent: email/SMS marketing based on purchase history, retargeting ads using customer email/phone matching, personalized product recommendations using browsing behavior, and sale of customer segments to partners. Practices allowed without additional consent: transactional emails (order confirmation, shipping updates), internal analytics using anonymized data, and recommendations based solely on current session behavior. D2C brands should implement preference centers where customers can granularly control marketing channels and data uses. ComplyDP's Consent Manager supports granular purpose-based consent for marketing use cases.

Shopify and WooCommerce stores must layer DPDP compliance on top of platform capabilities: (1) Privacy policy - update to DPDP-compliant language covering Indian customers, (2) Consent - use cookie consent apps that support DPDP's granular requirements, not just GDPR-style banners, (3) Data subject rights - implement manual or automated workflows for access/deletion requests (Shopify Privacy API helps), (4) Third-party apps - audit app permissions and data sharing, ensuring contracts include DPDP clauses, (5) Cross-border - if using Shopify's global infrastructure, document data flows and transfer mechanisms. ComplyDP offers Shopify and WooCommerce plugins that embed DPDP-compliant consent collection directly into checkout flows and manage DSR requests from the same dashboard.