Key takeaways
- The Act passed in 2023 but became operational only with the DPDP Rules, 2025 (notified 13 November 2025); core duties take effect around 13 May 2027 (per EY India), so mid-2026 is the build window, not live enforcement.
- Most DPDP work is systems work: consent capture and withdrawal, data mapping, minimisation, retention and erasure, access control and logging, and breach workflows.
- Breach notification is mandatory for every breach regardless of risk, with a detailed report to the Board within 72 hours of awareness (per MediaNama).
- Penalties are maximum caps set in the Schedule, with the Board fixing the actual amount under Section 33; the security (up to Rs 250 crore) and breach-reporting (up to Rs 200 crore) duties carry the largest exposure (per dpdpa.com) and can stack.
- The Fiduciary stays accountable for its processors, so vendor and processor contracts must require equivalent safeguards and breach cooperation.
If you run the systems for a mid-sized business in India or the GCC, you have probably been told that India now has a data protection law and that you need to do something about it. That is correct, but the framing usually sent to IT teams is wrong. The Digital Personal Data Protection Act is treated as a legal document to be read once and filed. In practice it is a set of constraints on how your applications collect, store, share and delete personal data, and most of the work it creates lands on the people who design and operate systems, not on the people who draft policies.
The useful news is that you are not late. The Act was passed in 2023, but it only became operational when the DPDP Rules, 2025 were notified on 13 November 2025, and the Rules deliberately stagger the obligations rather than switching everything on at once. According to EY India, the Data Protection Board provisions took effect immediately on notification, consent-manager registration follows at the twelve-month mark, and the core duties most teams care about (notice, security safeguards, breach notification and data principal rights) take effect eighteen months after notification, around 13 May 2027. As of mid-2026 you are in the build-and-remediate window, not under live enforcement of those core duties. This article is about how to use that window well.
The vocabulary you actually need
The Act is short on jargon, but three terms drive everything else. EY India’s reading of the Act sets them out plainly. A Data Principal is the individual the data is about. A Data Fiduciary is the entity that decides why and how personal data is processed, which is your business in most cases, equivalent to a controller under other regimes. A Data Processor handles data on the Fiduciary’s instructions, which is typically your vendor, your payroll bureau or your cloud-hosted SaaS.
Two scoping points matter for how widely this applies to you. Per the interpretation published at dpdpa.com, the Act covers personal data in digital form, including data collected on paper and later digitised, and it applies extraterritorially to processing done outside India where that processing relates to offering goods or services to people in India. A firm in the GCC serving Indian customers is therefore in scope even with no servers in India. And lawful processing rests on either the Data Principal’s consent or one of the Act’s defined legitimate uses, such as data a person voluntarily provided for a stated purpose, or employment-related processing, as EY India notes. Consent is not the only basis, but it is the one that forces the most system changes.
What the law asks of you, in plain terms
Strip away the section numbers and the obligations fall into a handful of buckets that map directly onto system behaviour.
- Consent and notice. Per DLA Piper’s country guide, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the data needed for the stated purpose. Every consent request must be preceded or accompanied by a notice that states what data is collected and why, how to exercise rights, and how to complain to the Board.
- Data principal rights. As summarised by Matters.ai, individuals can ask to access their data, correct or complete or erase it, seek grievance redress, withdraw consent as easily as they gave it, and nominate someone to act for them on death or incapacity. Each of these is an operation your systems must be able to perform on request.
- Security safeguards. Rule 6 of the 2025 Rules, as set out by Lexology, prescribes specific measures: encryption, obfuscation, masking or tokenisation; access control; logging, monitoring and review to detect unauthorised access; backups; and a contractual duty on processors to maintain equivalent safeguards.
- Breach notification. This is stricter than many teams expect. As MediaNama reports, notification is mandatory for every personal data breach regardless of assessed risk, unlike the risk-based trigger under GDPR, and the Fiduciary must inform the Board and each affected individual without delay, with a detailed report to the Board within 72 hours of becoming aware, extendable on request.
- Accountability for processors. Per Section 8 as reproduced at dpdpa.com, the Fiduciary stays responsible for processing carried out on its behalf, regardless of any contract to the contrary, and data minimisation (processing only what the stated purpose requires) is mandatory.
The numbers that should focus the mind
Penalties under the Act are not fixed fines. They are maximum caps set in the Schedule, and the Data Protection Board determines the actual amount under Section 33 by weighing factors such as the nature, gravity and duration of the breach. With that framing, the ceilings are still large. As listed at dpdpa.com, the Schedule sets a maximum of up to Rs 250 crore for a failure to take reasonable security safeguards that leads to a breach, up to Rs 200 crore for failing to notify a breach, up to Rs 200 crore for breaching children’s-data obligations, and up to Rs 150 crore for a Significant Data Fiduciary’s (SDF’s) breach of its enhanced duties, with a residual cap of up to Rs 50 crore.
Two points temper and sharpen that at once. The Board sets the figure, so good-faith remediation and prompt notification can matter to the outcome. But commentary from DPO India notes that exposure is cumulative across distinct violations, so an organisation that both fails to secure data and then fails to report the resulting breach is looking at the relevant caps in combination, not just the largest single one. The practical reading is that the security and breach-reporting duties are the two you cannot afford to get wrong, and they are both systems problems before they are legal ones.
What this changes in how you build and run systems
Here is the part most legal summaries skip. Translate the duties into engineering work and a clear list of changes emerges. Treat the following as a remediation checklist for the window between now and May 2027, drawn from the build-phase guidance set out by Fisher Phillips.
- Map where personal data lives. You cannot minimise, secure or delete what you have not inventoried. Build a data map across applications, databases, logs, backups, spreadsheets and third-party SaaS before anything else.
- Rework consent capture. Consent has to be specific and itemised, tied to a notice, and as easy to withdraw as to give. That usually means a real consent record, with timestamp, purpose and version, not a single pre-ticked box. From the twelve-month mark you may also choose to route consent through a registered Consent Manager, which the National Law Review notes must be a company incorporated in India meeting a minimum net-worth threshold.
- Enforce data minimisation by design. Stop collecting fields you do not use. Every form and API that captures personal data should justify each field against a stated purpose.
- Implement retention and erasure schedules. Decide how long each category of data is kept and build automated deletion. Large platforms face a default three-year rule under the 2025 Rules, per Tsaaro, and where that retention rule applies the Fiduciary must, as MediaNama reports, give the individual at least 48 hours’ notice before erasing, so your deletion pipeline needs a notify-then-delete step, not a silent purge.
- Tighten access control and logging. Rule 6’s measures (encryption or tokenisation, least-privilege access, and monitoring that can actually detect unauthorised access) need to be real and auditable, not aspirational.
- Stand up a breach workflow that meets the clock. The 72-hour report runs from awareness, not from the end of your investigation, so you need detection, an escalation path, a notification template for affected individuals, and a report format covering causes, mitigation, responsible parties and prevention steps, all rehearsed in advance.
- Fix your vendor and processor contracts. Because security responsibility cannot be contracted away, every processor agreement needs to oblige equivalent safeguards and breach cooperation, and you need to know which sub-processors touch the data.
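As an added illustration, not code from this article or from Zenith Tech Works, the following Python sketch models three of the checklist items at once: a per-purpose consent ledger where withdrawal is the same single call as granting, a notify-then-delete erasure schedule that honours the 48-hour notice, and the 72-hour breach-report clock running from awareness. The principal and purpose identifiers, the sample timestamps and the three-year retention default are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Windows mirror the article's figures; the 3-year retention is the large-platform default (assumption).
BREACH_REPORT_WINDOW = timedelta(hours=72)   # detailed report to the Board within 72 h of awareness
ERASURE_NOTICE_WINDOW = timedelta(hours=48)  # tell the individual at least 48 h before erasing
DEFAULT_RETENTION = timedelta(days=3 * 365)

@dataclass
class ConsentEvent:
    principal_id: str
    purpose: str          # one itemised purpose, never a blanket "all processing"
    granted: bool         # True = consent given, False = consent withdrawn
    notice_version: str   # the notice text the person actually saw
    at: datetime
@dataclass
class ConsentLedger:
    """Append-only consent record; withdrawing is the same single call as granting."""
    events: list = field(default_factory=list)
    def record(self, principal_id, purpose, granted, notice_version, at):
        self.events.append(ConsentEvent(principal_id, purpose, granted, notice_version, at))
    def is_permitted(self, principal_id, purpose, at):
        """Lawful only if the latest event on or before `at` for this purpose is a grant."""
        relevant = [e for e in self.events
                    if e.principal_id == principal_id and e.purpose == purpose and e.at <= at]
        return bool(relevant) and max(relevant, key=lambda e: e.at).granted

def erasure_schedule(last_activity, retention=DEFAULT_RETENTION):
    """Return (notify_at, erase_at): notify first, delete later, never a silent purge."""
    erase_at = last_activity + retention
    return erase_at - ERASURE_NOTICE_WINDOW, erase_at

def may_erase(now, erase_at, notified_at):
    """Erase only once the notice has gone out and the 48-hour window has elapsed."""
    return notified_at is not None and now >= erase_at and now - notified_at >= ERASURE_NOTICE_WINDOW

def breach_report_deadline(aware_at):
    """The 72-hour clock starts at awareness, not when the investigation ends."""
    return aware_at + BREACH_REPORT_WINDOW
def demo():
    ledger, t0 = ConsentLedger(), datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed data
    ledger.record("dp-001", "order-fulfilment", True, "notice-v3", t0)
    ledger.record("dp-001", "order-fulfilment", False, "notice-v3", t0 + timedelta(days=10))
    notify_at, erase_at = erasure_schedule(t0)
    return {"after_grant": ledger.is_permitted("dp-001", "order-fulfilment", t0 + timedelta(days=1)),
            "after_withdrawal": ledger.is_permitted("dp-001", "order-fulfilment", t0 + timedelta(days=11)),
            "other_purpose": ledger.is_permitted("dp-001", "marketing", t0 + timedelta(days=1)),
            "silent_purge_blocked": may_erase(erase_at, erase_at, None),
            "erase_after_notice": may_erase(erase_at, erase_at, notify_at),
            "report_due": breach_report_deadline(t0 + timedelta(days=20)).isoformat()}
```

`demo()` walks a constructed grant-then-withdraw scenario and shows that a purpose never consented to is refused, that erasure is blocked until the notice has been sent, and how the report deadline falls out of the awareness timestamp.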
If you might be a Significant Data Fiduciary
Some organisations carry heavier duties. The Government can designate a business a Significant Data Fiduciary based on the volume and sensitivity of data it handles and related risk factors. Per EY India, an SDF must appoint a Data Protection Officer based in India, run annual Data Protection Impact Assessments, undergo annual independent data audits, and carry out algorithmic transparency and fairness assessments. Separately, children’s data carries its own stricter rules: as Secure Privacy notes, processing personal data of those under 18 requires verifiable parental consent and identity and age verification, and behavioural monitoring and targeted advertising aimed at children are prohibited. If you operate at scale or process children’s data, scope these in early, because they involve hiring, recurring assessments and design constraints rather than a one-off configuration change.
The bottom line
The DPDP Act is short to read and long to implement, and the phased timeline is a gift you should not waste. Use the window before May 2027 to do the unglamorous groundwork: map your data, rebuild consent and retention as system features, harden security and logging to Rule 6, and rewrite the processor contracts that currently assume the problem is someone else’s. Do that and breach notification becomes a process you can actually execute rather than a 72-hour scramble. The way we think about it at Zenith Tech Works is that this is mostly a systems-design exercise wearing a legal label, and the businesses that treat it that way now will have far less to fix when enforcement begins.
One caution before you act on any single figure here: the exact gazette timings and Schedule mappings should be confirmed against the official MeitY text, and the obligations above are a planning guide, not legal advice. Have counsel review your specific position.
Sources
- The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) — MeitY official PDF
- Transforming data privacy: DPDP Act, 2023 and DPDP Rules, 2025 — EY India
- India Passes the Digital Personal Data Protection Rules — National Law Review
- Digital Personal Data Protection Act, 2023 — Section 3 (dpdpa.com)
- Decoding the Digital Personal Data Protection Act, 2023 — EY India
- India’s Digital Personal Data Protection Act 2023 — DLA Piper Data Protection Laws of the World
- DPDP Act 2023: India’s Digital Personal Data Protection Law Explained — Matters.ai
- Data Breach Reporting Timeline of DPDP Rules 2025 Explained — MediaNama
- Penalties in the Digital Personal Data Protection Act, 2023 — The Schedule (dpdpa.com)
- The DPDPA Penalty Trap: 5 Hidden Risks — DPO India
- Digital Personal Data Protection Rules, 2025: Operationalising consent, security, and governance obligations — Lexology
- Data Fiduciary obligations — Section 8, DPDP Act, 2023 (dpdpa.com)
- DPDP Rules 2025 Explained: Full Overview and Practical Summary — Tsaaro
- Understanding DPDP’s Personal Data Retention Rules #NAMA — MediaNama
- India Digital Personal Data Protection Act (DPDPA) 2023 Explained — Secure Privacy
- India’s New Data Privacy Rules Are Here: 8 Steps for Businesses — Fisher Phillips