DPDP Act Compliance: What Every Indian Business Must Do Before the Deadline

shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8
DPDP Act Compliance: What Every Indian Business Must Do Before the Deadline

DPDP Act Compliance: What Every Indian Business Must Do Before the Deadline

India's Digital Personal Data Protection Act, 2023 is no longer a law waiting on the shelf. With the DPDP Rules notified in November 2025, the Data Protection Board active, and penalties of up to Rs 250 crore per violation already in force, every business that collects even one customer's email digitally is now legally responsible for how it handles personal data. Here is what that means for you, in plain language, and what to do about it before the deadlines arrive.

What Is the DPDP Act, in Simple Words?

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data privacy law. It says one simple thing: if your business collects or uses the personal data of people in India, whether names, phone numbers, emails, addresses, payment details, or health records, you must collect it with proper consent, protect it, use it only for the stated purpose, and delete it when the purpose is over. The law calls your business a Data Fiduciary and the customer a Data Principal, and it gives customers real, enforceable rights over their own data.

Why 2026 Is the Year That Matters

The DPDP Rules, 2025 were notified on 14 November 2025, making the law fully operational. The Data Protection Board of India is already accepting complaints. Consent-related obligations become mandatory from 13 November 2026, and full compliance is enforced from 13 May 2027, with no grace period after that. Since a proper compliance setup typically takes 2 to 6 months, businesses that start in the second half of 2026 are cutting it dangerously close.

Who Has to Comply?

  • E-commerce and retail businesses collecting customer and order data
  • Hospitals, clinics, labs, and anyone handling patient records
  • Schools, coaching classes, and EdTech platforms working with children's data
  • Banks, NBFCs, insurance, and fintech companies
  • IT companies, SaaS products, and agencies processing client data
  • HR teams, recruiters, and real estate firms holding employee or candidate data

There Is No Small-Business Exemption

One of the biggest myths about the DPDP Act is that it only applies to large companies. It does not. The Act applies to every business processing digital personal data in India, regardless of size or turnover. A ten-person startup and a listed enterprise carry the same core obligations, and penalties apply per violation with no discount for company size.

The Penalties Are Serious

  • Up to Rs 250 crore for failing to maintain reasonable security safeguards
  • Up to Rs 200 crore for failing to report a data breach to the Board and affected users
  • Up to Rs 200 crore for violations involving children's data
  • Up to Rs 150 crore for Significant Data Fiduciary failures
  • Up to Rs 50 crore for most other violations

Your DPDP Compliance Checklist

Compliance is not a privacy policy page; it is a set of working systems. At minimum you need: clear consent taken before collecting data with no pre-ticked boxes, a plain-language privacy notice available in English and Indian languages, a way for customers to access, correct, and delete their data, a grievance process that resolves complaints within the timelines, security safeguards like encryption, access controls, and backups, a breach response plan that can notify the Board within 72 hours, written contracts with every vendor that touches your data, and a retention policy that deletes data once the purpose is served.

Where Should You Start?

Start with a gap assessment. Before spending anything on tools or consultants, find out what personal data you actually hold, where it sits, and which obligations you already meet. Most businesses discover that customer data is scattered across old emails, spreadsheets, and cloud folders nobody remembers. A structured audit turns that unknown risk into a clear, prioritized fix list.

Conclusion

The DPDP Act is not a future problem; it is a present obligation with active penalties and hard deadlines in November 2026 and May 2027. The businesses that act now get a planned, affordable path to compliance and a trust advantage with their customers. Adri IT Software Solutions Pvt Ltd, based in Vadodara, helps businesses across Gujarat and India become DPDP-compliant, starting with a free DPDP gap audit that gives you a risk score and a step-by-step fix roadmap. Visit our DPDP Act compliance page at adriitsolutions.com/dpdp-act-compliance or book a free audit to see exactly where your business stands.