If you run a business in India and collect any personal data online, there's a deadline you should know about: May 13, 2027.
That's when India's Digital Personal Data Protection Act, 2023 (commonly called the DPDP Act) becomes fully enforceable. After that date, businesses that don't comply can face penalties up to ₹250 crore. Not a typo. Two hundred and fifty crore.
Most Indian businesses haven't started preparing. Here's what you need to know.
What is the DPDP Act?
The DPDP Act is India's first comprehensive data protection law. Parliament passed it in August 2023, and the government published the accompanying DPDP Rules in November 2025. Together, they lay out how businesses must collect, process, store, and delete personal data.
Think of it as India's version of Europe's GDPR, but tailored for the Indian context. It's simpler in some ways (fewer legal bases for processing, no distinction between regular and sensitive personal data) and stricter in others (mandatory breach reporting for all breaches, not just high-risk ones).
Does it apply to my business?
Almost certainly yes. The DPDP Act applies to any organization that processes digital personal data of individuals in India. That includes:
- E-commerce stores collecting customer names, emails, and payment details
- SaaS companies with Indian users
- Mobile apps collecting phone numbers or location data
- Websites using contact forms, newsletter signups, or analytics
- Businesses running digital marketing campaigns
- Companies with employees in India (yes, HR data counts)
It doesn't matter whether your business is registered in India or abroad. If you process personal data of people in India, the Act applies to you.
The only real exceptions are personal or domestic use (your personal address book, for example) and data that someone has voluntarily made public.
What counts as "personal data"?
Any data that can identify a specific person. Names, email addresses, phone numbers, physical addresses, IP addresses, payment details, government IDs, health records, biometric data. If the data can be linked back to a real human being, it's personal data under the Act.
The DPDP Act only covers digital personal data. That means data collected online or data originally collected offline (like a paper form) that's later digitized.
The key deadlines
The government set up a phased enforcement schedule:
November 2025 (already in effect): The Data Protection Board of India was established. The penalty framework is active. While substantive compliance obligations haven't kicked in yet, the regulator exists and serious breaches can already attract attention.
November 2026: The Consent Manager framework becomes operational. Organizations can register as third-party consent managers to help businesses manage user consent.
May 13, 2027: Full compliance deadline. Every covered business must have all obligations in place. There is no grace period after this date. Penalties apply from day one.
What do you actually need to do?
Here's where most guides lose people in legal jargon. Let's keep it practical. If you're a startup or SME, these are the things that matter most:
1. Publish a standalone privacy notice
You need a clear, specific privacy notice that's separate from your terms of service. Not buried in a 10,000-word legal document nobody reads. A standalone notice that tells people:
- What personal data you collect
- Why you collect it (specific purposes, not vague statements like "to improve our services")
- Who you share it with (name your third-party processors)
- How long you keep it
- How users can exercise their rights (access, correction, deletion)
- How to file a complaint with the Data Protection Board
This notice needs to be available in English and should ideally be accessible in regional languages too.
2. Get proper consent
Under the DPDP Act, consent must be free, specific, informed, and unambiguous. That means:
- No pre-checked consent boxes
- No "by continuing to use this site, you agree to everything" statements
- No bundling consent for multiple purposes into a single checkbox
- Users must be able to withdraw consent as easily as they gave it
Each purpose for data collection needs its own consent. If you collect email addresses for order updates AND marketing, those are two separate consents.
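As an added illustration (not code from the original post), here is a small Python consent ledger that enforces the rules in this section: one registered purpose per record, no grant without an affirmative act, and withdrawal as a single call. The purpose names and the ledger design are constructed assumptions, not anything the Act or Rules prescribe.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed catalogue: each purpose is registered on its own, so there is
# no key under which one "consent" could cover several purposes at once.
PURPOSES = {"order_updates", "marketing", "analytics"}

class ConsentError(ValueError):
    """Raised when an operation would breach the consent rules above."""

@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class ConsentLedger:
    """One user's consents, kept per purpose; nothing is granted by default."""
    user_id: str
    history: Dict[str, List[ConsentRecord]] = field(default_factory=dict)

    def grant(self, purpose: str, affirmative_action: bool,
              now: Optional[datetime] = None) -> ConsentRecord:
        # Pre-checked boxes and "continued use" are not affirmative acts.
        if purpose not in PURPOSES:
            raise ConsentError(f"unknown or bundled purpose: {purpose!r}")
        if not affirmative_action:
            raise ConsentError(f"no affirmative act recorded for {purpose!r}")
        rec = ConsentRecord(purpose, now or datetime.now(timezone.utc))
        self.history.setdefault(purpose, []).append(rec)
        return rec

    def withdraw(self, purpose: str, now: Optional[datetime] = None) -> bool:
        # Withdrawal is one unconditional call: as easy as granting.
        current = self._latest(purpose)
        if current is None or current.withdrawn_at is not None:
            return False
        current.withdrawn_at = now or datetime.now(timezone.utc)
        return True

    def permitted(self, purpose: str) -> bool:
        # Gate each processing step on this; no record means "not permitted".
        current = self._latest(purpose)
        return current is not None and current.withdrawn_at is None

    def _latest(self, purpose: str) -> Optional[ConsentRecord]:
        records = self.history.get(purpose, [])
        return records[-1] if records else None
```

The history list per purpose doubles as the audit trail a regulator may ask for: every grant and withdrawal keeps its timestamp.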
3. Set up a data retention and deletion process
You can't keep personal data forever. The Act requires you to delete data once the purpose for collecting it has been fulfilled. You need a clear retention policy that defines how long you keep different types of data, and a process for deleting it when the time comes.
There's also a specific requirement: you must notify users at least 48 hours before deleting their data, giving them a chance to act.
4. Designate a contact person for privacy requests
You need a named person (with contact details published on your website) who handles privacy-related questions and complaints. This person needs to respond to requests within a reasonable timeframe.
5. Report data breaches
If you experience a personal data breach, you must report it to the Data Protection Board and notify affected users. There's no materiality threshold. Every breach must be reported.
The penalties are real
The DPDP Act prescribes penalties for different types of violations:
- Failure to implement reasonable security safeguards: up to ₹250 crore
- Failure to notify the Board and affected individuals about a data breach: up to ₹200 crore
- Violations related to children's data: up to ₹200 crore
- General non-compliance: up to ₹50 crore
- Even data principals (users) can be penalized up to ₹10,000 for providing false information
These are maximum amounts. The Data Protection Board considers factors like the severity of the breach, whether it was intentional, and how the organization responded when determining actual penalties.
For a small business, even a fraction of these amounts could be devastating. The real risk isn't the maximum penalty. It's the reputational damage and the operational disruption of a Board investigation.
Where to start
If you haven't done anything yet, don't panic. You have time, but not a lot of it. Here's a realistic starting point:
This week: Check your existing privacy policy against the DPDP requirements. You can use a free compliance checker tool to get a quick assessment of where you stand.
This month: Draft or update your privacy notice to include all mandatory disclosures. Set up a contact mechanism for privacy requests.
This quarter: Audit your data collection practices. Document what data you collect, why, where it's stored, and who has access. Define retention periods for each data category.
Before May 2027: Implement consent mechanisms, set up breach reporting procedures, and train your team on handling data subject requests.
The businesses that start now will have a much easier time than those scrambling in early 2027. And with enforcement starting from day one with no grace period, "we'll deal with it later" isn't a viable strategy.
Privly helps Indian businesses generate DPDP-compliant privacy documents in minutes. Check if your existing privacy policy is compliant or generate a complete compliance pack tailored to your business.