DPDP Act 2023 Compliance Guide for Indian Businesses — What You Must Do in 2026
India’s Digital Personal Data Protection Act (DPDP Act) 2023 is the country’s first comprehensive data privacy legislation, fundamentally changing how Indian businesses — and foreign organisations handling Indian citizens’ data — must collect, process, and protect personal information. In 2026, with the Data Protection Board of India (DPBI) operationalising and enforcement machinery taking shape, organisations that have not yet initiated compliance programmes face significant penalty exposure.
This guide covers what the DPDP Act requires, who it applies to, the six core obligations every data fiduciary must meet, the penalty structure, and a practical 8-step implementation roadmap.
What Is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent in August 2023. It establishes the framework for lawful processing of digital personal data — any data about an identifiable individual that is in digital form or converted to digital form. The Act covers personal data collected online and offline (if subsequently digitised).
The Act is modelled on global frameworks including the EU’s GDPR, but with India-specific provisions reflecting the country’s demographic scale, the government’s data localisation priorities, and the recognition of legitimate state functions. Unlike GDPR, the DPDP Act does not have a general prohibition on data transfer — transfers are permitted except to countries notified as restricted by the central government.
Who Does the DPDP Act Apply To?
The Act applies to Data Fiduciaries — any person, company, or body that determines the purpose and means of processing personal data. If you collect email addresses, phone numbers, customer names, health data, financial information, or any data that can identify an individual, you are a data fiduciary under the Act.
Scope includes:
- Indian companies processing data of Indian citizens
- Foreign companies offering goods or services to individuals in India
- Companies processing data that was collected in India even if stored outside India
- Startups, SMEs, and large enterprises — there is no employee count threshold for applicability (though the Act empowers the government to exempt certain categories)
Significant Data Fiduciaries (SDFs): The government may designate certain data fiduciaries as SDFs based on the volume and sensitivity of data processed, potential national security implications, or public order considerations. SDFs face additional obligations including mandatory appointment of a Data Protection Officer (DPO) located in India, mandatory data protection impact assessments, and periodic audits.
The 6 Core Obligations Under the DPDP Act
1. Consent — Lawful Basis for Processing
The DPDP Act requires that personal data be processed only on the basis of free, specific, informed, unconditional, and unambiguous consent — expressed through a clear affirmative act. Pre-ticked boxes, bundled consent, and consent obtained by withdrawing a service are prohibited.
Consent notice requirements:
- Must be in plain language (and in any of the 22 scheduled languages upon request)
- Must describe the specific personal data being collected and the purpose
- Must include a link to the data fiduciary’s contact details and the process for withdrawing consent
- Must be provided before or at the time of collection
The Act also recognises “legitimate uses” — certain processing activities that do not require consent, including employment-related processing, public health emergencies, and processing for state functions.
2. Purpose Limitation
Personal data can only be processed for the specific purpose for which consent was obtained. Using customer data collected for order fulfilment to send unsolicited marketing communications — without separate, explicit consent for marketing — is a violation. Secondary use of data requires fresh consent unless it falls within a permitted legitimate use category.
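The consent and purpose-limitation rules from obligations 1 and 2 above, expressed as a small processing gate. This is an added Python example, not code from the original guide or from MDIT Services; `ConsentRecord`, `ConsentRegistry` and `LEGITIMATE_USES` are illustrative names, and the legitimate-use set is only the subset of categories the page names.

```python
from dataclasses import dataclass
from datetime import datetime
# Page-listed "legitimate uses" that need no consent (illustrative subset).
LEGITIMATE_USES = {"employment", "public_health_emergency", "state_function"}

@dataclass
class ConsentRecord:
    """One affirmative consent act for ONE specified purpose (no bundling)."""
    principal: str
    data_items: frozenset          # e.g. {"email", "address"}
    purpose: str                   # marketing needs its own separate record
    affirmative_act: bool          # False = pre-ticked box / implied consent
    conditional_on_service: bool   # consent extracted by withholding service
    notice_given_at: datetime      # notice must precede or accompany collection
    collected_at: datetime
    withdrawn_at: "datetime | None" = None
    def is_valid(self) -> bool:
        return (self.affirmative_act and not self.conditional_on_service
                and self.notice_given_at <= self.collected_at and self.withdrawn_at is None)

class ConsentRegistry:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, rec: ConsentRecord) -> None:
        if not rec.is_valid():
            raise ValueError(f"invalid consent: {rec.principal}/{rec.purpose}")
        self._records.append(rec)

    def withdraw(self, principal: str, purpose: str, when: datetime) -> list[str]:
        # Returns data items that now need erasure (no other live consent covers them).
        released, still_covered = set(), set()
        for r in self._records:
            if r.principal != principal or r.withdrawn_at is not None:
                continue
            if r.purpose == purpose:
                r.withdrawn_at = when
                released |= r.data_items
            else:
                still_covered |= r.data_items
        return sorted(released - still_covered)

    def may_process(self, principal: str, item: str, purpose: str) -> tuple[bool, str]:
        if purpose in LEGITIMATE_USES:
            return True, "legitimate use: no consent needed"
        for r in self._records:
            if (r.principal == principal and r.is_valid()
                    and item in r.data_items and r.purpose == purpose):
                return True, "covered by consent"
        return False, "purpose limitation: fresh consent required"
```

Every read of personal data in a service should pass through `may_process` with the purpose it is actually serving, so that reusing order-fulfilment data for marketing fails closed until a separate consent record exists.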
3. Data Minimisation
Collect only the personal data that is necessary and relevant to the stated purpose. Collecting date of birth when only age verification is needed, or collecting full address when only city is required, violates the data minimisation principle. This obligation has direct implications for product design — privacy by design must be embedded into data collection forms and system architectures.
4. Data Principal Rights
Individuals (called “data principals” in the Act) have the following rights, which data fiduciaries must operationalise:
- Right to access information: Upon request, the data fiduciary must provide a summary of personal data being processed and the processing activities.
- Right to correction and erasure: Data principals can request correction of inaccurate data and erasure of data when the processing purpose is fulfilled or consent is withdrawn.
- Right to grievance redressal: Data fiduciaries must establish a readily accessible grievance redressal mechanism with defined timelines for response.
- Right to nominate: An individual can nominate another person to exercise rights on their behalf in the event of death or incapacity.
Operationalising these rights requires building data subject request (DSR) handling processes, connecting them to backend data stores, and maintaining response timelines. This is a significant implementation effort for organisations with complex data architectures.
5. Personal Data Breach Notification — 72-Hour Window
In the event of a personal data breach, the data fiduciary must notify both the Data Protection Board of India (DPBI) and the affected data principals “in the manner and form as may be prescribed.” Breach notification must occur promptly — draft rules indicate a window of 72 hours from discovery, in line with GDPR norms, while CERT-In’s existing 6-hour reporting requirement for cyber incidents continues to apply separately.
Breach notification obligations require organisations to have:
- Incident detection and classification capability (SIEM, EDR, anomaly detection)
- Documented incident response procedures
- Breach assessment processes to determine notification scope
- Pre-approved notification templates for the DPBI and affected individuals
- Contact information for the DPBI and data principal notification channels
6. Data Protection Officer (DPO) Appointment
Significant Data Fiduciaries must appoint a DPO based in India who is responsible to the Board of Directors or the governing body. The DPO serves as the point of contact for data principals and the DPBI. For other data fiduciaries, while a DPO is not mandated, designating a responsible person for data protection governance is a practical compliance requirement.
DPDP Act Penalty Structure
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards resulting in a personal data breach | Up to ₹250 crore |
| Failure to notify the Board and data principals of a personal data breach | Up to ₹200 crore |
| Non-compliance by Significant Data Fiduciaries | Up to ₹150 crore |
| Violation of additional obligations related to children’s data | Up to ₹200 crore |
| Failure to comply with DPBI directions or obstruction of DPBI | Up to ₹50 crore |
| Other violations of the Act or Rules | Up to ₹50 crore |
Penalties are imposed by the Data Protection Board of India after conducting an inquiry. The Act also empowers the DPBI to impose a single penalty covering multiple violations arising from the same processing activity.
DPDP Compliance Implementation Roadmap — 8 Steps
Step 1: Data Inventory and Mapping
Identify every category of personal data your organisation collects, the source of collection, purpose of processing, storage location, retention period, and third-party processors you share it with. This data map is the foundation of your compliance programme and is required to respond to data principal requests.
Step 2: Consent Mechanism Audit and Redesign
Review all data collection touchpoints — web forms, mobile apps, paper forms, call recordings, cookies — and assess whether current consent mechanisms meet DPDP Act standards. Redesign consent flows to meet the Act’s requirements for explicit, specific, and withdrawable consent.
Step 3: Privacy Notice Update
Draft or revise your privacy notice to meet DPDP Act disclosure requirements. Ensure it is in plain language, covers all processing activities, describes data principal rights, and provides grievance redressal contact information.
Step 4: Data Principal Rights Infrastructure
Build or configure systems to receive, track, and respond to data principal requests for access, correction, and erasure. Define response timelines and assign ownership to specific roles.
Step 5: Data Processor Agreements
Review all contracts with third-party vendors, cloud providers, and processors who handle personal data on your behalf. Ensure contracts include data processing clauses requiring processors to comply with the DPDP Act.
Step 6: Security Controls Assessment and Uplift
Implement “reasonable security safeguards” — which the Act requires but does not prescribe specifically. Industry interpretation is that this aligns with ISO 27001 Annex A controls. Conduct a VAPT to identify technical vulnerabilities and remediate them before they become breach vectors. This is where cybersecurity assessment directly supports DPDP compliance.
Step 7: Incident Response Plan
Document an incident response plan that includes personal data breach identification, severity classification, DPBI notification procedures (within 72 hours), data principal notification procedures, and post-incident review. Run tabletop exercises to validate the plan.
Step 8: DPO Appointment and Governance
Designate a Data Protection Officer (mandatory for SDFs, recommended for all data fiduciaries). Establish a data protection governance committee with representation from legal, IT, HR, and business units. Conduct annual DPDP compliance reviews.
Common DPDP Compliance Mistakes to Avoid
- Treating DPDP compliance as a legal-only exercise: The Act’s security safeguard requirement means IT and security teams must be central to compliance — not just legal counsel.
- Copying GDPR compliance programmes verbatim: The DPDP Act has important differences from GDPR, including different consent standards, no data portability right, and different breach notification timelines.
- Ignoring children’s data obligations: Processing personal data of minors (under 18) requires verifiable parental consent and prohibits behavioural targeting. This is among the most heavily penalised categories.
- Not auditing third-party processors: Your liability extends to how your processors handle data. Ensure vendor contracts and practices are reviewed.
- Waiting for enforcement before acting: The DPBI is now operationalising. Organisations that wait for a breach or regulatory action before initiating compliance will face significantly higher penalties than those with documented compliance efforts in place.
How Cybersecurity Assessment Supports DPDP Compliance
The DPDP Act’s requirement for “reasonable security safeguards” creates a direct link between cybersecurity posture and data protection compliance. Specifically:
- VAPT identifies technical vulnerabilities that, if exploited, could result in a personal data breach triggering DPBI notification and penalty exposure
- ISO 27001 implementation establishes the governance framework and technical controls that constitute documented “reasonable security safeguards”
- SOC services provide continuous monitoring to detect breaches within the narrow 72-hour notification window
- Security awareness training addresses the human factor — accidental data exposure by employees — which is a major breach vector
How MDIT Services Supports DPDP Compliance
MDIT Services provides an integrated DPDP compliance service combining legal-technical gap assessment, data mapping, security controls evaluation, VAPT, and ISO 27001 implementation support. Our CERT-In empanelled team helps organisations build and document the “reasonable security safeguards” required under the Act — creating a defensible compliance record that demonstrates good-faith effort to the DPBI.
Start Your DPDP Compliance Programme
Contact MDIT Services to schedule a DPDP readiness assessment. We will map your data flows, identify compliance gaps, and provide a prioritised remediation roadmap.
Visit: mditservices.in/contact | Email: info@mditservices.in | Call: +91-11-XXXX-XXXX
