
India’s DPDP Act: A Compliance Checklist for 2026

Apr 6, 2026

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is in force, and the Digital Personal Data Protection Rules, 2025 have set the compliance clock ticking, with the substantive obligations coming into effect on a phased timeline after notification. Every business that processes the personal data of individuals in India, whether based in India or abroad, needs to act.

Who’s covered

The DPDP Act applies to the processing of digital personal data within India (including data collected offline and later digitised), and to processing outside India that is connected to offering goods or services to individuals within India. If you have Indian customers, you are covered. Two things fall outside the Act: personal data that the data principal has made publicly available, and purely personal or domestic processing by an individual.

Core obligations

  • Notice and consent: a clear notice, separate from other terms, available in English or any of the languages in the Eighth Schedule to the Constitution, stating what data is collected, for what purpose, how consent can be withdrawn and how to complain to the Board. Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give.
  • Purpose limitation and minimisation: collect only what the stated purpose needs; re-use for a different purpose requires fresh consent, and the data must be erased once the purpose is served unless retention is required by law.
  • Reasonable security safeguards: the Rules set a baseline that includes encryption, masking or tokenisation, access controls, logging and monitoring (with logs retained for a year), backups, and flowing these obligations down to processors by contract.
  • Data principal rights: access to a summary of the data and processing, correction, completion, updating and erasure, grievance redressal within the published timeframe, and nomination of a person to exercise these rights on death or incapacity.
  • Children’s data: verifiable consent of a parent or lawful guardian for anyone under 18 (one of the highest age thresholds globally), plus a ban on tracking, behavioural monitoring and targeted advertising directed at children.

The DPO and the Consent Manager

“Significant Data Fiduciaries” (data fiduciaries the Central Government notifies on the basis of the volume and sensitivity of data they process, the risk to data principals and similar factors) must appoint a Data Protection Officer based in India who is the point of contact for grievances, appoint an independent data auditor, and carry out periodic Data Protection Impact Assessments and audits. Every other data fiduciary must still publish the contact details of a person who can answer questions about its processing. The Act also creates a new role, the Consent Manager: an entity registered with the Data Protection Board that lets data principals give, manage, review and withdraw consent across services through a single interface.

Penalties have real teeth

Penalties are capped per contravention rather than fixed: up to ₹250 crore for failure to take reasonable security safeguards, up to ₹200 crore for failing to notify a personal data breach or for breaching the children’s-data obligations, up to ₹150 crore for a Significant Data Fiduciary’s additional duties, up to ₹50 crore for other contraventions, and ₹10,000 for a data principal who breaches their own duties (for example, filing a false or frivolous grievance). The Data Protection Board of India adjudicates complaints, imposes these penalties and can direct remedial measures after a breach.

What to do this quarter

  1. Map what personal data you collect, where it sits, and how it flows.
  2. Update your Privacy Policy and consent flows to DPDP standards.
  3. Draft a Data Processing Addendum for vendors.
  4. Implement a breach response runbook. The Rules require you to intimate affected data principals and the Data Protection Board without delay, and to follow up with the Board within 72 hours (or a longer period the Board allows) with the details: nature and extent of the breach, when it happened, likely impact, and the mitigation taken.
  5. For B2C companies: redesign signup and preference flows so that consent can be given, reviewed and withdrawn with equal ease, and plan for integration with registered Consent Managers once they are operating.

This isn’t GDPR

The DPDP Act borrows the structure of GDPR but is materially different. Consent is the primary basis for processing, with only a narrow list of “legitimate uses” in place of GDPR’s broader lawful bases such as legitimate interests; a child is anyone under 18 rather than 13 to 16; there is no separate sensitive-data category; cross-border transfer works on a government-notified blocklist rather than adequacy decisions; and the Act places duties on data principals as well as on fiduciaries. You cannot simply copy-paste your GDPR documentation. Get an India-specific review.
