DPDP Compliance Guide for Indian Businesses 2026: Complete Checklist and Deadlines
DPDP compliance means meeting the requirements of India's Digital Personal Data Protection Act 2023 — a law that applies to every company that collects, stores, or processes personal data of Indian residents, regardless of where the company is based. Non-compliance carries penalties up to ₹250 crore per incident. The compliance window is open now: full enforcement is expected by November 2027, and the government is already issuing notices.
What Is the DPDP Act?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law. It was passed by Parliament in August 2023 and received Presidential assent in the same month. Rules under the Act are being finalized, with enforcement expected in phases through 2027.
The DPDP Act is India's answer to GDPR (Europe), CCPA (California), and PDPA (Singapore). It establishes:
- Rights for individuals (Data Principals) over their personal data
- Obligations for businesses (Data Fiduciaries) that handle this data
- A regulatory body — the Data Protection Board of India — to enforce it
- A consent framework for how data can be collected and used
- Strict penalties for non-compliance
Who Is Covered?
The DPDP Act covers any entity that:
- Processes digital personal data within India, or
- Processes personal data outside India in connection with goods/services offered to individuals in India
| Business Type | Covered? |
|---|---|
| Indian startups and SMBs collecting customer data | Yes |
| E-commerce platforms with Indian customers | Yes |
| SaaS companies with Indian users | Yes |
| Banks, NBFCs, insurers | Yes (also covered by RBI/IRDAI rules) |
| Healthcare providers storing patient data | Yes |
| HR/payroll software processing employee data | Yes |
| Foreign companies serving Indian customers | Yes |
| Non-profit organizations processing personal data | Yes |
What Is "Personal Data" Under the DPDP Act?
Personal data means any data about an identifiable individual. Unlike some laws that have narrow definitions, the DPDP Act is broad:
- Name, address, phone number, email
- Government IDs: Aadhaar, PAN, passport, driving licence
- Financial data: bank account, card numbers, UPI IDs
- Health data: medical records, prescriptions, test results
- Biometric data: fingerprints, face scans, iris scans
- Location data, browsing history, device identifiers
- Inferred data: credit scores, risk profiles
The 7 Core Obligations for Data Fiduciaries
1. Obtain Free, Specific, Informed, and Unconditional Consent
Before processing personal data, you must have valid consent. Under DPDP, consent must be:
- Free — not coerced or bundled with service access
- Specific — for a named purpose, not blanket consent for "all uses"
- Informed — user must know what data is collected and why
- Unconditional — not made a condition for receiving a service (unless processing is necessary for that service)
- Revocable — individuals can withdraw consent at any time
In practice, this means:
- Pre-ticked checkboxes are no longer valid consent
- "By continuing to use this app, you agree to our Privacy Policy" does not constitute valid consent
- You need a Consent Management Platform (CMP) or in-app consent mechanism
2. Provide a Clear Privacy Notice
At the time of collecting personal data (or before), you must give individuals:
- What personal data is being collected
- The purpose for which it is being processed
- How they can exercise their rights (access, correction, erasure)
- How they can file a complaint with the Data Protection Board
- Contact details of the Data Protection Officer (for Significant Data Fiduciaries)
3. Ensure Data Quality and Accuracy
You must take reasonable steps to ensure personal data is accurate, complete, and up-to-date — particularly when processing for consequential decisions (loan approvals, insurance claims, employment decisions).
Action: Implement periodic data quality checks and a process for users to update their information.
4. Limit Data to What Is Necessary (Data Minimisation)
Collect and retain only the personal data that is necessary for the stated purpose. You cannot collect "extra" data speculatively.
Action: Audit your data collection points. Remove fields that you collect but never use. Set data retention policies.
5. Implement Security Safeguards
You must implement reasonable security safeguards to prevent breaches. The Act does not prescribe specific controls, but CERT-In directions and industry standards (ISO 27001, SOC 2) give guidance on what "reasonable" means.
This is where VAPT comes in: running regular vulnerability assessments and penetration tests on systems handling personal data is the most widely accepted way to demonstrate you have taken reasonable security measures.
Action required:
- Run VAPT on all systems handling personal data (web apps, APIs, databases, mobile apps)
- Implement access controls and encryption
- Maintain security audit logs
- Train employees on data security
6. Notify Breaches Within 72 Hours
If a personal data breach occurs, you must notify:
- The Data Protection Board within 72 hours
- Affected data principals within a reasonable time
Action: Establish an incident response plan with specific steps for data breach scenarios, including who is responsible for DPB notification.
7. Process Data of Children With Additional Care
If you process data of children (under 18) or persons with disabilities:
- Obtain verifiable consent from a parent or lawful guardian
- Do not process data for tracking, behavioural monitoring, or targeted advertising
- Age-gate your services if children's data is collected
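A minimal consent ledger, added here as an illustrative example (not Bachao.AI's tooling or any real CMP), that enforces the consent properties from obligation 1 and the children's-data rules from obligation 7: one named purpose per record, rejection of pre-ticked or implied consent, withdrawal that ends processing for that purpose, and verified guardian consent with no targeted advertising for under-18s. The purpose names, the `day()` timestamp helper and the field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed purposes for this example; a real deployment would enumerate its own.
PURPOSES = {"order_fulfilment", "marketing_email", "targeted_advertising"}
CHILD_BLOCKED = {"targeted_advertising"}  # obligation 7: no targeting or tracking of children

def day(d: int) -> datetime:
    """Constructed timestamp helper: day d of January 2026, UTC."""
    return datetime(2026, 1, d, tzinfo=timezone.utc)

@dataclass
class Consent:
    principal_id: str
    purpose: str                     # specific: exactly one named purpose per record
    given_at: datetime
    affirmative_action: bool         # True only if the user ticked or clicked themselves
    is_child: bool = False
    guardian_verified: bool = False  # verifiable parent/guardian consent for under-18s
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self.records: list = []

    def record(self, c: Consent) -> None:
        # Specific: reject blanket purposes. Free/informed: reject pre-ticked or implied consent.
        if c.purpose not in PURPOSES:
            raise ValueError("consent must name a specific purpose, not 'all uses'")
        if not c.affirmative_action:
            raise ValueError("pre-ticked or implied consent is not valid consent")
        if c.is_child and (not c.guardian_verified or c.purpose in CHILD_BLOCKED):
            raise ValueError("children's data needs verified guardian consent and no targeting")
        self.records.append(c)

    def withdraw(self, principal_id: str, purpose: str, when: datetime) -> int:
        # Revocable: withdrawal ends every active consent for that purpose; returns count ended.
        hits = [c for c in self.records if c.principal_id == principal_id
                and c.purpose == purpose and c.withdrawn_at is None]
        for c in hits:
            c.withdrawn_at = when
        return len(hits)

    def may_process(self, principal_id: str, purpose: str, now: datetime) -> bool:
        # Allowed only while an unwithdrawn consent for this exact purpose is in force.
        return any(c.principal_id == principal_id and c.purpose == purpose
                   and c.given_at <= now and (c.withdrawn_at is None or now < c.withdrawn_at)
                   for c in self.records)
```

Call `may_process()` at every processing point (not only at collection time) so that a withdrawal recorded by the consent mechanism actually stops downstream use.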
Significant Data Fiduciaries: Additional Obligations
The government will designate certain entities as Significant Data Fiduciaries (SDF) based on volume of data processed, sensitivity, national security implications, and potential harm from breach.
SDFs must:
- Appoint a Data Protection Officer (DPO) — an Indian resident who reports to the board
- Appoint an independent data auditor to conduct periodic audits
- Conduct Data Protection Impact Assessments (DPIA) for high-risk processing
- Comply with restrictions on cross-border data transfer to specific countries
Cross-Border Data Transfer
Under the DPDP Act, personal data of Indian residents can be transferred internationally unless the Central Government notifies that a specific country or territory is restricted. This is an "allowlist by default" model — different from GDPR's "blocklist by default."
Until the restricted countries list is notified, international transfers are generally permitted. However, SDF rules may add stricter requirements for certain sectors.
The Penalty Framework
The Data Protection Board can impose penalties after an inquiry process. Penalties are per-incident and can be cumulative:
| Violation | Maximum Penalty |
|---|---|
| Failure to notify breach (72-hour rule) | ₹200 crore |
| Failure to implement reasonable security safeguards | ₹250 crore |
| Failure to obtain valid consent | ₹250 crore |
| Processing children's data without guardian consent | ₹200 crore |
| Failure to comply with DPB orders | ₹150 crore |
| Minor violations (incorrect or incomplete notices) | ₹50 crore |
However, if you have systemic violations — no security controls, no consent mechanism, no breach notification process — the DPB can and will stack multiple violation counts.
DPDP Compliance Checklist for 2026
Use this checklist to assess your current state. Each item maps to a specific DPDP obligation.
Consent and Notice
- [ ] Identify every data collection touchpoint (website forms, mobile apps, APIs, CRMs, HR systems)
- [ ] Implement a consent mechanism that captures free, specific, informed, unconditional consent
- [ ] Display privacy notice at the point of data collection (not buried in terms)
- [ ] Build a consent withdrawal mechanism (users can say "stop using my data")
- [ ] Translate privacy notice into regional languages if serving non-English speakers
- [ ] Remove all pre-ticked consent boxes
Data Inventory and Governance
- [ ] Create a data inventory: what personal data do you hold, where is it stored, who has access
- [ ] Map data flows: how does data move between systems, third parties, and geographies
- [ ] Set retention schedules: how long do you keep different data types, and when is it deleted
- [ ] Document the legal basis for each processing activity (consent, contract, legal obligation)
- [ ] Appoint an internal privacy lead (DPO mandatory for SDFs, recommended for others)
Security Safeguards
- [ ] Run VAPT on all systems handling personal data — at minimum annually
- [ ] Implement encryption at rest and in transit for sensitive data
- [ ] Enable MFA for admin access to systems with personal data
- [ ] Implement access controls: minimum privilege, role-based access
- [ ] Maintain access logs and audit trails
- [ ] Conduct annual security awareness training for employees
Breach Response
- [ ] Document an incident response plan covering personal data breaches
- [ ] Define who notifies the DPB (72-hour requirement)
- [ ] Define who communicates with affected individuals
- [ ] Test the breach response plan at least once a year (tabletop exercise)
Data Principals' Rights
- [ ] Build a mechanism for users to request access to their data
- [ ] Build a mechanism for users to correct inaccurate data
- [ ] Build a mechanism for users to request erasure ("right to be forgotten")
- [ ] Define how you handle data principal grievances (response timeline: 30 days)
- [ ] Publish contact details for data principal rights requests
Third-Party and Vendor Management
- [ ] Identify all third-party processors (cloud providers, analytics tools, marketing platforms)
- [ ] Review and update contracts to include data processing agreements
- [ ] Ensure third parties have adequate security controls
Timeline: When Do You Need to Be Compliant?
The DPDP Act was passed in August 2023. Rules are being finalized by the Ministry of Electronics and IT (MeitY). The expected timeline:
| Milestone | Expected Date |
|---|---|
| DPDP Rules finalized by MeitY | Mid 2026 (expected) |
| Data Protection Board constituted | Q3 2026 (expected) |
| Enforcement begins (first phase) | Q4 2026 – Q1 2027 |
| Full enforcement (SDFs + all fiduciaries) | By November 2027 |
How Automated VAPT Supports DPDP Compliance
DPDP Section 8(5) requires "reasonable security safeguards to prevent personal data breach." VAPT is the industry standard for demonstrating this obligation is met. Here's how automated VAPT maps to DPDP requirements:
| DPDP Requirement | How VAPT Helps |
|---|---|
| Reasonable security safeguards | VAPT report is documentary evidence of security testing |
| Prevent personal data breach | VAPT identifies vulnerabilities before attackers exploit them |
| Breach notification readiness | Understanding your attack surface helps triage breach scope faster |
| Third-party processor oversight | VAPT on vendor-integrated APIs and third-party services |
Start your free VAPT scan to see your current security posture before completing your DPDP compliance checklist.
DPDP vs Other Indian Regulations: What Is Already Covered
If your business already complies with other Indian regulations, here is what you can reuse:
| Regulation | What Overlaps with DPDP |
|---|---|
| RBI Master Directions on IT | Security controls, breach notification, third-party risk management |
| CERT-In Directions 2022 | 6-hour incident reporting (DPDP adds 72-hour DPB notification separately) |
| SEBI CSCRF | Cybersecurity controls, access management, audit requirements |
| IRDAI IT Framework | Security controls, data governance |
| HIPAA (for India health data) | Breach notification, security safeguards |
Frequently Asked Questions
Does the DPDP Act apply to B2B businesses?
Yes, if you process personal data of individuals in India — including your employees, contractors, or customers' employees. B2B companies often overlook this because their "customers" are businesses, but they process personal data of the individuals within those businesses.
Is there a DPDP penalty for small businesses?
The DPDP Act does not have a separate SMB exception. However, the Data Protection Board is expected to use graduated enforcement, focusing first on large data processors. That said, non-compliance is a legal risk regardless of company size — especially after a breach.
Does our existing privacy policy cover DPDP compliance?
Almost certainly no. Most existing privacy policies were written for general compliance and do not meet DPDP's specific requirements on consent, data principal rights, and the information notice format. You need a DPDP-specific privacy notice and consent mechanism.
What is the difference between DPDP and GDPR?
GDPR is Europe's data protection regulation. Key differences: GDPR has six legal bases for processing; DPDP primarily uses consent + legitimate uses. GDPR applies to automated decisions; DPDP has no equivalent provision yet. DPDP's cross-border transfer rules are simpler (allowlist model vs. GDPR's complex transfer mechanism). If you are GDPR compliant, you have a strong starting point but DPDP requires additional India-specific steps.
Can we use a consent banner like GDPR cookie banners?
For cookie/tracking consent, yes — but DPDP consent requirements go beyond cookies. You need consent for all personal data collection, not just analytics cookies. Your existing cookie consent banner likely does not cover DPDP consent obligations for your core product data.
How do we handle data principal rights requests?
You need a process — typically a web form, email address, or in-app mechanism — where individuals can submit requests to access, correct, or erase their data. You have 30 days to respond. If you use third-party services (CRM, analytics), you need to be able to retrieve, correct, and delete data from those systems too.
Bachao.AI helps businesses achieve DPDP compliance through automated VAPT, consent management tooling, and compliance reporting. View our DPDP compliance service or contact us for a compliance assessment.