Everything Indian businesses need to know about Digital Personal Data Protection Act compliance, obligations, timelines, and penalties.
All essential PDFs and notifications from Ministry of Electronics and Information Technology (MeitY) in one place.
The complete DPDP Act as passed by Parliament (PDF, meity.gov.in)
Final notified rules with implementation details (PDF, meity.gov.in)
Official gazette notification on phased implementation under the DPDP Act (PDF, meity.gov.in)
Establishment of the Data Protection Board (DPB) and its operational framework (PDF, meity.gov.in)
Important changes from January 2025 draft rules to the final notified version
Businesses have until May 13, 2027 to achieve full DPDP compliance. By that date, systems for consent collection, privacy notices, data principal rights, and security safeguards must be operational.
Data fiduciaries (and their processors) must retain personal data, traffic logs, and processing logs for a minimum of one year so that breaches can be detected and investigated, unless a sectoral law requires longer retention.
A child can supply a parent's details to initiate the consent flow, but the fiduciary must verify that the person giving consent is an adult. The final rules clarify that this can be done against identity and age details the fiduciary already holds, details the parent provides voluntarily, or a virtual token issued by DigiLocker or another authorised entity.
Grievances from data principals must be answered within the period the fiduciary publishes, which may not exceed 90 days. In practice this means a ticketing system with internal SLAs so that no complaint is silently dropped.
Essential requirements every data fiduciary must implement under the DPDP Rules 2025
Implement the six security safeguards listed in the rules: encryption (or masking/tokenisation), access control, logging and monitoring, backups for continuity, retention of breach-related logs, and contractual controls on processors
Deploy compliant consent notices, available in the scheduled Indian languages, with a clear statement of purpose and of the data collected
Obtain verifiable parental consent for children under 18, confirming the parent's identity and age against reliable records or a government-authorised source such as DigiLocker
Enable data principal rights: access, correction, withdrawal of consent, erasure, and a published grievance channel
Meet Significant Data Fiduciary requirements: annual data protection impact assessment and audit, due diligence on algorithmic software, and restrictions on transfer of specified data
Assess third-party vendor security and privacy readiness and bind each processor with a Data Processing Agreement
Where consent is routed through an independent Consent Manager, integrate with it for consent records and the user's consent dashboard
On a breach, notify affected data principals and the Data Protection Board without delay, and deliver the detailed breach report to the Board within 72 hours (the Board may grant more time on request)
Understand the legitimate uses that do not require consent: research and statistical purposes, data the individual provided voluntarily, and processing required by law
Prepare comprehensive data mapping and a Record of Processing Activities (RoPA)
Phased compliance checklist from now until May 13, 2027 deadline
Financial deterrents designed to ensure serious data privacy compliance
Quick answers to common DPDP compliance questions
Any organisation processing digital personal data within India, and any organisation outside India processing personal data in connection with offering goods or services to individuals in India. This covers Indian banks, foreign fintech apps with Indian users, and global companies with Indian branches alike.
Any digital data that can identify an individual, for example PAN, Aadhaar, biometrics, transaction histories, bank statements, device IDs, IP addresses, user handles, and metadata used for profiling. Data processed for purely personal or domestic purposes, and data the individual has made publicly available, are excluded.
Yes, employee data is covered. However, consent is not needed for data processed for legitimate employment purposes (payroll, attendance, performance reviews, tax filing). Consent IS required for non-employment purposes such as wellness programmes or social events.
Personal data and the associated logs must be kept for a minimum of one year. Large e-commerce, online gaming and social media platforms above the user thresholds in the rules face a further rule: personal data of a user who has not engaged with the service for three years must be erased (after notifying the user), with logs kept for one year after erasure. Sectoral regulations (RBI, SEBI, IRDAI) take precedence where they require longer retention.
Full compliance is required by May 13, 2027 (18 months from notification of the rules). The Consent Manager provisions take effect at 12 months. The Data Protection Board is already operational.
Every data fiduciary must publish the contact details of a person who can answer questions about its processing. Significant Data Fiduciaries (SDFs) must formally appoint a Data Protection Officer based in India and publish the DPO's contact details prominently.
Our AI-powered platform helps you implement consent management, data discovery, DSAR automation, and breach management — all in one integrated solution.