DPDP Act, in production. Notice, consent, rights.
India's data protection law applies to digital personal data of data principals in India regardless of where the company is based. We run notice, consent, data principal rights, and the obligations that turn up in customer security reviews.
Indian law governing processing of digital personal data of data principals in India.
The Digital Personal Data Protection Act 2023 is India's data protection law. It applies to processing of digital personal data within India and to processing outside India when offering goods or services to data principals in India. The law uses the terms Data Fiduciary (similar to a controller) and Data Processor. The Data Protection Board of India is the supervisory authority. The law was notified in August 2023, with implementation rules following in stages through 2024 and 2025.
Who needs it
Any company processing digital personal data of data principals in India, including SaaS, e-commerce, fintech, and mobile applications. The territorial reach is similar to GDPR. Significant Data Fiduciaries, designated by volume or sensitivity of processing, face additional obligations including a Data Protection Officer based in India and an annual independent data audit.
The HSD playbook for DPDP
HSD writes the notice in clear and plain language for each processing activity, the consent capture and withdrawal mechanisms, the data principal rights process for access, correction, erasure, and grievance redressal, the data breach notification runbook, and the agreements with data processors. For Significant Data Fiduciaries, we coordinate the annual independent data audit and DPO appointment.
Timeline
| Phase | Workstream | Scope |
|---|---|---|
| Weeks 1 to 2 | Data mapping and processing inventory | All digital personal data flows for India data principals, lawful basis (consent or legitimate use), retention |
| Weeks 2 to 4 | Notice and consent | Notice in English and additional languages where appropriate; consent capture, withdrawal, and audit log |
| Weeks 3 to 5 | Data principal rights process | Access, correction, erasure, nomination, grievance redressal; response timelines |
| Weeks 4 to 5 | Data Processor agreements | Section 8(5) processor contracts with India processors and downstream subcontractors |
| Week 6 | Breach reporting readiness | Reporting obligation to Data Protection Board and to affected data principals |
| If applicable | Significant Data Fiduciary obligations | DPO based in India, annual independent data audit, DPIA for high-risk processing |
Cost reality
| Line item | Range | Note |
|---|---|---|
| Software platforms with DPDP support | USD 5,000 to 18,000 per year | Sprinto and Scrut Automation lead India coverage; US-headquartered platforms typically do not list DPDP |
| Remediation consulting | USD 15,000 to 50,000 | Lower than GDPR remediation given narrower scope; rises if Significant Data Fiduciary obligations apply |
| Independent data audit (SDF only) | USD 10,000 to 30,000 per year | Required annually for Significant Data Fiduciaries |
| HSD bundled program | Scoped per program | Notice, consent, rights, processor contracts, breach readiness in one engagement |
What auditors check
Notice in clear and plain language
Notice provided to data principals at or before processing, listing personal data, purpose, rights, and grievance redressal contacts.
Consent capture and withdrawal mechanism
Free, specific, informed, unconditional, and unambiguous; same ease of withdrawal as the giving of consent; consent records retained.
Data principal rights process
Access, correction, erasure, nomination, and grievance redressal mechanisms; documented response timelines.
Data Processor contracts with required terms
Section 8(5) contracts in place with every processor handling personal data on the company's behalf.
Reasonable security safeguards
Section 8(5) safeguards proportionate to the nature, scope, and purpose of processing; commonly aligned to ISO 27001 or equivalent.
Breach reporting capability
Process to notify the Data Protection Board and affected data principals when a personal data breach occurs.
Common pitfalls
Treating DPDP as identical to GDPR
Concepts overlap but DPDP has India-specific definitions, particularly around children (under eighteen), Significant Data Fiduciaries, and the role of consent.
Generic English-only notice
Notice must be available in English and any of the languages specified in the Eighth Schedule of the Indian Constitution that the data principal selects.
Consent not specific or unambiguous
Bundled consent for unrelated purposes does not satisfy the act. Each purpose requires a discrete consent decision.
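One way to implement the consent requirements this page lists (a discrete decision per purpose, withdrawal as easy as the grant, consent records retained for audit, as described under "What auditors check" and in this pitfall). This is an added example, not HSD's tooling or any DPDP-specific library; the notice versions, purpose names and ledger design are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample: purposes listed in each version of the plain-language notice.
# A grant is only "informed" if it names a purpose the principal was actually told about.
NOTICE_PURPOSES: Dict[str, Set[str]] = {
    "v1": {"order_fulfilment", "marketing_email"},
}

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "grant" or "withdraw"
    notice_version: str  # which notice the principal saw when deciding
    at: datetime

class ConsentLedger:
    """Per-purpose consent store with an append-only audit log (hypothetical design)."""

    def __init__(self) -> None:
        self.audit_log: List[ConsentEvent] = []
        self._latest: Dict[Tuple[str, str], ConsentEvent] = {}

    def _record(self, principal_id: str, purpose: str, action: str, notice_version: str) -> None:
        ev = ConsentEvent(principal_id, purpose, action, notice_version, datetime.now(timezone.utc))
        self.audit_log.append(ev)                   # never overwritten: retained as the consent record
        self._latest[(principal_id, purpose)] = ev  # current state for fast lookup

    def grant(self, principal_id: str, purpose: str, notice_version: str) -> None:
        # One purpose per decision: a grant here never covers any other purpose (no bundling).
        if purpose not in NOTICE_PURPOSES.get(notice_version, set()):
            raise ValueError(f"purpose {purpose!r} not listed in notice {notice_version}")
        self._record(principal_id, purpose, "grant", notice_version)

    def withdraw(self, principal_id: str, purpose: str) -> None:
        # Withdrawal is a single call, mirroring the single call that granted consent.
        latest = self._latest.get((principal_id, purpose))
        if latest is None or latest.action != "grant":
            raise ValueError("no active consent to withdraw")
        self._record(principal_id, purpose, "withdraw", latest.notice_version)

    def permitted(self, principal_id: str, purpose: str) -> bool:
        # Processing may proceed only on a current, purpose-specific grant.
        latest = self._latest.get((principal_id, purpose))
        return latest is not None and latest.action == "grant"

    def history(self, principal_id: str) -> List[ConsentEvent]:
        # Supports access requests and audits: every decision this principal made, in order.
        return [e for e in self.audit_log if e.principal_id == principal_id]
```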
No grievance officer designated
Companies must designate a person to handle data principal grievances, with that person's contact details published.
Significant Data Fiduciary obligations missed
DPO based in India, annual independent data audit, DPIA for high-risk processing; designation criteria include volume and sensitivity, both of which can change as the company grows.
FAQ
Who does the DPDP Act apply to?
What is a Significant Data Fiduciary?
Is consent the only lawful basis?
What are the penalties under DPDP?
Does DPDP allow international transfers?
Does ISO 27001 or SOC 2 satisfy DPDP?
Want DPDP scoped for your stack?
Thirty-minute call. Fixed-scope quote inside a week. We tell you honestly when DPDP should wait or when it should lead.