May 13, 2027 is the full compliance deadline under India’s DPDP Act. Penalties up to ₹250 crore apply from that date. No grace period.
The Digital Personal Data Protection Rules were notified in November 2025, giving businesses 18 months to get compliant. Sounds like enough. It rarely is. Data mapping alone takes longer than teams expect. Then come consent redesigns, vendor contract reviews, security audits, and staff training.
The goal here is simple – get the sequence right so you’re not fixing foundational things in April 2027.
Does the DPDP Act Actually Apply to Your Business?
Probably yes. But let’s confirm.
The Digital Personal Data Protection Act covers any business that collects or processes digital personal data in India. It also covers foreign companies offering goods or services to people in India – even if the company itself is based elsewhere. Indian SaaS firms with global clients fall under it. So do US companies with Indian users.
There are two roles worth understanding early. If you decide what data gets collected and why, you’re a Data Fiduciary. If you process data on someone else’s behalf, you’re a Data Processor. Fiduciaries carry the heavier compliance load.
One thing businesses get wrong here: assuming that US data privacy compliance or GDPR certification already covers them. It doesn’t. The Data Protection Act India has its own requirements around consent structure, breach reporting timelines, and children’s data that neither GDPR nor US state laws replicate. Being compliant elsewhere gives you a head start on mindset – not on obligation.
Start With Data Mapping. Everything Else Depends On It
Most companies do this in the wrong order. They update their privacy policy first, then discover they’ve missed whole categories of data they’re actually collecting. Then they rewrite it again.
Run the audit before touching any documentation.
Go system by system – your product, your CRM, your analytics tools, your support platform. For every category of personal data you find, write down why you collect it, where it sits, who can access it, and when you delete it. Don’t skip the edge cases. Third-party vendors who process data on your behalf carry compliance obligations too, and most older contracts with them don’t include the security clauses the DPDP Act requires.
This step is tedious. It’s also the one that makes everything downstream faster and more accurate. Our Risk Assessment & Management service is built around exactly this kind of structured discovery work.
Consent Under the DPDP Act Is a Different Animal
India’s Digital Personal Data Protection Act doesn’t accept the kind of consent language most businesses currently use.
Bundled consent – one checkbox that covers multiple purposes – is not valid here. Each processing purpose needs its own specific consent. The language used must be plain enough that an ordinary user understands it. And withdrawing consent has to be as simple as giving it was.
What this means for your current setup
Your existing privacy notice is almost certainly non-compliant as written. It needs to become a standalone document, not a section buried inside terms and conditions. It needs to list each purpose individually. And your backend systems need to actually honour consent withdrawal – which in most cases requires engineering work, not just a policy change.
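To make the per-purpose and withdrawal requirements concrete, here is an added example (not code from the original post, and not any particular product's implementation) of a consent ledger that stores one record per user and purpose, defaults to deny, and gates a processing step on the specific purpose it serves. The purposes, user id and the `send_marketing_email` step are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(Enum):
    # Constructed example purposes; a real product lists its own, one per processing activity.
    ORDER_FULFILMENT = "order_fulfilment"
    MARKETING_EMAIL = "marketing_email"
    ANALYTICS = "analytics"


@dataclass
class ConsentLedger:
    """Per-user, per-purpose consent state with an append-only audit trail."""
    events: list = field(default_factory=list)   # (timestamp, user_id, purpose, action)
    state: dict = field(default_factory=dict)    # (user_id, Purpose) -> bool

    def _record(self, user_id: str, purpose: Purpose, granted: bool) -> None:
        ts = datetime.now(timezone.utc).isoformat()
        self.events.append((ts, user_id, purpose.value, "grant" if granted else "withdraw"))
        self.state[(user_id, purpose)] = granted

    def grant(self, user_id: str, purposes) -> None:
        # Each purpose is consented to individually; there is no bundled "accept all" flag.
        for purpose in purposes:
            self._record(user_id, purpose, True)

    def withdraw(self, user_id: str, purpose: Purpose) -> None:
        # Withdrawal is a single call mirroring grant, and takes effect immediately.
        self._record(user_id, purpose, False)

    def is_permitted(self, user_id: str, purpose: Purpose) -> bool:
        # Default deny: the absence of a record is not consent.
        return self.state.get((user_id, purpose), False)


def send_marketing_email(ledger: ConsentLedger, user_id: str) -> str:
    """A processing step checks the ledger for its own purpose before doing any work."""
    if not ledger.is_permitted(user_id, Purpose.MARKETING_EMAIL):
        return "skipped: no consent for marketing_email"
    return f"sent to {user_id}"
```

Withdrawing one purpose leaves the others untouched, and the event list is the evidence trail an auditor or the Data Protection Board would ask for.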
The Consent Manager framework is another piece of this. It goes live in November 2026, about a year from now. Registered consent managers will act as intermediaries between your platform and your users. If you have a digital product with a significant user base, integrating with this framework isn’t optional, and building that integration in a rush in late 2026 is a bad plan.
Security Controls: The Gap Between Policy and Practice
The Act uses the phrase “reasonable security safeguards.” It sounds open to interpretation. The penalties for getting it wrong are not.
Encryption matters – for data at rest and in transit. So do role-based access controls, audit logs, regular backups, and a documented process for detecting and containing breaches. These aren’t new concepts, but many businesses have them partially rather than fully implemented.
Breach reporting is where things get especially strict. Under India’s framework, every breach gets reported to the Data Protection Board – without delay. Compare that to some US data privacy laws, which only require notification above a certain risk threshold. India draws no such line. If a breach happens, the Board hears about it, and so do the affected individuals.
An Incident Response plan that’s actually been tested is not optional here. If you already hold an ISO 27001 certification, a large portion of these controls may already be in place – which makes DPDP alignment significantly less work.
Handling Data Principal Rights Requests
Under the Data Protection Act India, individuals can ask to see their data, have it corrected, or request deletion in certain situations. They can also nominate someone else to exercise those rights – that last part is specific to India’s law.
Your business needs an end-to-end process for this. Receive the request, verify who’s asking, fulfil it within 90 days, and document what you did. A named contact point – person or team – must be listed on your website or app before May 2027.
This process takes longer to build than most teams expect, particularly when requests touch multiple internal systems before resolution.
Getting Your Teams Ready
Compliance frameworks don’t run themselves. The people who touch customer data every day – support agents, developers, marketing teams, operations – need to know what the rules are and what their part in them looks like.
That’s not a one-hour slide deck situation. It requires role-specific training, clear internal guidelines, and leadership that treats this as an operations priority rather than a legal formality. Our Security Awareness Training programmes are designed around that kind of practical, lasting uptake.
A Rough Timeline to Work Backwards From
Between now and October 2026, the priority is foundation work – data mapping, gap assessment, policy rewrites, security control upgrades, and vendor contracts. This phase takes longer than teams budget for.
From November 2026, the Consent Manager framework activates. Internal audits should be running by this point, not starting. Rights request processes should be tested, not drafted.
March to May 2027 should be validation time – checking everything works, confirming documentation is complete, and being audit-ready. Not fixing things that should have been fixed six months earlier.
Our Internal Audit team works with businesses throughout all three phases.
A Note for Indian IT Companies With US Clients
If you’re handling data for US-based clients, you’re managing two regulatory environments at once. The US has no single federal privacy law – instead, 20-plus states each have their own, with different applicability thresholds and enforcement patterns. California, Maryland, and Minnesota are among the stricter ones.
Building a solid digital personal data protection framework for India gives you a reasonable base for US data privacy obligations too. The principles carry across. But the specifics differ enough that both need deliberate attention.
Ready to Start? Redkite Network Can Help
The compliance work is real, but it’s manageable when the sequence is right.
Get in touch with our team to begin your gap assessment and build a compliance roadmap that actually fits your business and timeline.
Frequently Asked Questions
Q1. Is May 13, 2027 a fixed deadline or could it shift?
Ans. Fixed. The penalties apply from that date. There’s no official indication of any extension, and the Data Protection Board is already operational. Treat it as immovable.
Q2. Does the Digital Personal Data Protection Act apply to B2B companies?
Ans. Yes. If your platform processes personal data of individuals – whether they’re end users, employees, or customers of your clients – the Act applies. The B2B structure doesn’t change the obligation.
Q3. We already comply with GDPR. How different are India’s requirements?
Ans. More different than most assume. India’s consent framework is more restrictive in some ways – no “legitimate interests” basis like GDPR allows. The children’s data age threshold is 18, not 16. Every breach must be reported regardless of severity. And the Consent Manager framework has no GDPR equivalent. A proper gap assessment is the only way to know what you’re missing.
Q4. What penalties are we realistically looking at for non-compliance?
Ans. A single data breach can result in cumulative penalties across multiple violations – up to ₹250 crore for inadequate security, ₹200 crore for failing to notify the Board, another ₹200 crore for not notifying affected individuals. That’s a possible ₹650 crore exposure from one incident.
Q5. Our company processes data for US clients from India. Does the DPDP Act cover that?
Ans. It depends on the arrangement. Where outsourcing exemptions apply, the situation differs. But if any data relates to individuals in India, the Act is likely relevant. This is worth getting a clear legal read on rather than assuming an exemption applies.
Q6. We haven’t started anything yet. What’s the single most important first step?
Ans. Map your data. Before policies, before training, before anything else – you need to know what personal data you hold, where it lives, and why you have it. Without that, everything else is guesswork.