DPDP Act Compliance for Businesses: What You Need to Do in 2026
DPDP compliance is no longer optional for Indian businesses. The Digital Personal Data Protection Act, 2023 (DPDP Act), passed by Parliament and granted Presidential assent on August 11, 2023, is India's first comprehensive data protection law. With the DPDP Rules notified in 2025 and enforcement rolling out in phases through 2026, every business that collects a customer's name, email, phone number, or any personal data digitally must comply. The penalties are severe: up to ₹250 crore for a single breach. Whether you run a 5-person startup or a 5,000-employee IT company, the obligations are real, the deadlines are here, and the Data Protection Board of India is operational. Here is exactly what the law requires and how your business can comply.
- The DPDP Act, 2023 applies to every business processing digital personal data in India, regardless of size
- Penalties range from ₹50 crore to ₹250 crore depending on the type of violation
- Businesses must obtain free, specific, informed consent before processing any personal data
- Data breach notification to the DPBI and affected individuals is mandatory (up to ₹200 crore penalty for failure)
- Significant Data Fiduciaries must appoint a Data Protection Officer and conduct Data Protection Impact Assessments
- Cross-border data transfer is allowed by default, except to countries restricted by the Central Government
What is the DPDP Act, 2023?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's dedicated legislation governing the collection, storage, processing, and erasure of personal data in digital form. It was passed by the Indian Parliament and received Presidential assent on August 11, 2023. The Act establishes the rights of individuals over their personal data and the obligations of entities that handle that data.
India has had sector-specific data rules before (IT Act, 2000 and the SPDI Rules, 2011), but the DPDP Act is the first standalone, comprehensive data protection law. Think of it as the country's answer to a question that 140+ nations had already addressed: who controls your personal data, and what happens when someone mishandles it? The Act answers both questions with specific obligations for businesses and enforceable rights for individuals.
The DPDP Act, 2023 is administered by the Ministry of Electronics and Information Technology (MeitY). The DPDP Rules were notified in 2025, with phased enforcement through 2025 and 2026. The adjudicating body is the Data Protection Board of India (DPBI). Official information is available at www.meity.gov.in.
Who Does the DPDP Act Apply To?
The short answer: almost every business operating in India. The slightly longer answer involves understanding three scenarios where the Act kicks in.
The DPDP Act applies to the processing of digital personal data within Indian territory, whether the data is collected online or collected offline and later digitized. It also applies to businesses outside India that process personal data of individuals in India in connection with offering goods or services. So if you are an Indian Private Limited Company, an LLP, a sole proprietor with a customer database, or a foreign SaaS company with Indian users, you are covered.
The only clear exemptions are personal or domestic data processing (your personal phone contacts, for example), personal data made publicly available by the individual themselves or under a legal obligation, and processing by the State for security, sovereignty, or public order. If your business keeps a customer list, an employee database, a mailing list, or a CRM, you are a Data Fiduciary under this law.
Many small business owners assume the DPDP Act applies only to large IT companies or data-heavy enterprises. This is incorrect. A local coaching institute that collects student phone numbers, a restaurant that maintains a delivery database, or a freelancer who stores client emails, all qualify as Data Fiduciaries with compliance obligations.
Key Definitions You Need to Know
The DPDP Act introduces specific terminology that every business owner should understand. Using the wrong term in a compliance document or misunderstanding a role can create gaps in your data protection framework. Here are the three definitions that matter most.
Data Fiduciary
A Data Fiduciary is any person or entity that alone or jointly determines the purpose and means of processing personal data. If your company decides why and how customer data is collected, stored, or used, you are the Data Fiduciary. This includes companies, LLPs, partnership firms, sole proprietors, trusts, and government bodies. The Data Fiduciary bears the primary compliance burden under the Act, including consent management, security safeguards, breach notification, and data erasure obligations.
Data Principal
A Data Principal is the individual whose personal data is being processed. Your customers, employees, website visitors, and app users are all Data Principals. In the case of a child (anyone under 18), the term includes the parent or lawful guardian. The Act grants Data Principals specific rights that businesses must honour: access to information, correction and erasure, grievance redressal, and nomination.
Data Processor
A Data Processor is any entity that processes personal data on behalf of a Data Fiduciary. If you outsource payroll processing to a third party, use a cloud hosting provider for customer data, or engage a marketing agency that accesses your customer database, those third parties are Data Processors. The Act does not place obligations on Data Processors directly: the Data Fiduciary remains responsible for processing done on its behalf and must protect that data with reasonable security safeguards wherever it sits. A processor's duties therefore come from your contract with it, which should bind the processor to your instructions, to defined security controls, and to erasure when you direct it.
Get Your Business DPDP-Ready
IncorpX provides complete compliance advisory services including privacy policy drafting, consent framework setup, and data audit. Starting at ₹15,000.
7 Key Obligations for Businesses Under the DPDP Act
The DPDP Act places seven core obligations on every Data Fiduciary. These are not suggestions or best practices. They are legal requirements backed by penalties ranging from ₹50 crore to ₹250 crore. Here is each obligation broken down into what your business actually needs to do.
1. Obtain Free, Specific, Informed Consent
Before processing any personal data, you must obtain the Data Principal's consent. This consent must be free (no coercion), specific (for a stated purpose), informed (the individual knows what they are consenting to), unconditional (not bundled with unrelated terms), and unambiguous, given through a clear affirmative action. The consent request must be accompanied by a notice describing the personal data to be collected, the purpose of processing, and how the Data Principal can withdraw consent. Consent can be obtained digitally, and the Data Principal must be able to read the request and notice in English or any of the 22 languages in the Eighth Schedule of the Constitution.
2. Provide Clear-Language Notice
Every Data Fiduciary must issue a notice to the Data Principal before or at the time of requesting consent. This notice must describe the personal data being collected, the purpose of processing, how the Data Principal can exercise their rights (including through a Consent Manager), and how they can complain to the Data Protection Board. Critically, the notice must be in clear, plain language. No 14-page legalese privacy policies buried behind three hyperlinks.
3. Implement Reasonable Security Safeguards
The Act requires "reasonable security safeguards" to protect personal data from breaches, unauthorized access, and loss. The Act does not prescribe specific technologies, but safeguards are expected to be proportionate to the nature and volume of data processed. For most businesses, this means encryption at rest and in transit, access controls, logging and monitoring, regular security audits, and employee training. Companies that already run an ISO 27001 information security management system will find that its controls cover most of this ground, but a certificate alone does not satisfy the Act: the controls must actually be applied to the personal data you hold.
4. Report Data Breaches
If a personal data breach occurs, the Data Fiduciary must notify both the Data Protection Board of India (DPBI) and each affected Data Principal in the form and manner prescribed by the Rules; the DPDP Rules, 2025 require intimation without delay, with a detailed report to the Board within 72 hours of becoming aware of the breach. The notification must describe the nature of the breach, the personal data involved, and the steps taken to mitigate it. This is not a "best effort" obligation. Failure to report a breach carries a penalty of up to ₹200 crore. Build your breach notification protocol before a breach happens, not after.
5. Retain Data Only as Long as Necessary
Personal data must be erased once the purpose for which it was collected has been fulfilled and retention is no longer necessary for that purpose. If a customer cancels a subscription, you cannot hold their personal data indefinitely "just in case." You need a documented data retention policy that specifies timelines for each category of data you collect. When the period expires or the purpose is fulfilled, the data must be erased, both from active systems and backups.
6. Ensure Data Accuracy
Data Fiduciaries must make reasonable efforts to ensure that personal data is complete, accurate, and consistent, particularly when the data is used to make decisions affecting the Data Principal or is shared with another Data Fiduciary. If your CRM contains outdated customer addresses that are being used for credit decisions or service eligibility checks, you have an accuracy obligation under the Act.
7. Erase Data on Consent Withdrawal
When a Data Principal withdraws consent, the Data Fiduciary must erase their personal data (and direct any Data Processors to do the same) unless retention is required by law. The withdrawal process must be as easy as the consent process. If consent was collected with a single click, withdrawal cannot require a 10-step process with a support ticket. This obligation extends to all third parties with whom the data was shared.
Based on our experience advising 200+ businesses on compliance frameworks, the most overlooked obligation is data retention policy documentation. Most businesses collect data and never define when it should be deleted. Building a retention schedule during initial DPDP compliance setup saves significant effort during audits.
Penalty Structure Under the DPDP Act
The DPDP Act does not take a polite approach to enforcement. The penalty structure is among the steepest in Indian regulatory law, with the maximum fine for a single violation matching what most mid-sized companies earn in annual revenue. Here is the complete penalty breakdown.
| Violation | Maximum Penalty | Key Trigger |
|---|---|---|
| Failure to implement reasonable security safeguards (data breach) | ₹250 crore | Breach caused by inadequate security measures |
| Non-compliance with children's data provisions | ₹200 crore | Processing children's data without verifiable parental consent |
| Failure to notify data breach to DPBI and Data Principals | ₹200 crore | Not reporting breach or delaying notification |
| Non-compliance with Data Principal obligations (consent, notice, erasure) | ₹50 crore | Processing without valid consent, ignoring erasure requests |
| Breach of additional obligations by Significant Data Fiduciary | ₹150 crore | Failure to appoint DPO or conduct DPIA |
| Lapse by a Data Processor | Charged to the Data Fiduciary | The Act holds the Fiduciary responsible for processing done on its behalf; processor duties flow through the contract |
| Data Principal furnishing false information or filing frivolous complaints | ₹10,000 | Individuals misusing their rights under the Act |
Each violation is assessed independently. A single data breach caused by inadequate safeguards that is then not reported engages two separate caps, ₹250 crore and ₹200 crore, so the combined exposure can exceed ₹400 crore. The Data Protection Board of India determines the actual penalty based on the nature, gravity and duration of the breach, the type and volume of personal data affected, whether the breach was repeated, any gain or loss involved, and the mitigating action taken.
Protect Your Business from DPDP Penalties
A compliance health check identifies gaps before the regulator does. IncorpX audits your data practices and builds a DPDP-compliant framework.
Significant Data Fiduciary: Additional Requirements
Not all Data Fiduciaries are treated equally. The DPDP Act creates a higher compliance tier for entities designated as Significant Data Fiduciaries (SDFs) by the Central Government. This designation is based on the volume and sensitivity of data processed, the risk to Data Principal rights, potential impact on sovereignty, and other factors deemed relevant.
Appoint a Data Protection Officer (DPO)
Every SDF must appoint a Data Protection Officer based in India. The DPO represents the SDF before the Data Protection Board of India, is the point of contact for Data Principal grievances, and is answerable to the SDF's Board of Directors or equivalent governing body. Unlike GDPR, the DPDP Act does not specify professional qualifications for the DPO, but practical expertise in data protection is expected.
Conduct a Data Protection Impact Assessment (DPIA)
SDFs must conduct periodic Data Protection Impact Assessments. A DPIA evaluates the privacy risks of the organization's data processing activities, identifies gaps in safeguards, and proposes remediation measures. The Act leaves the frequency and content to the Rules, and the Rules require significant findings to be reported to the DPBI. As a matter of good practice, run a DPIA before starting any new high-risk processing activity and repeat it periodically for ongoing operations.
Periodic Compliance Audits
SDFs are required to engage an independent data auditor to evaluate their compliance with the Act. The auditor assesses the adequacy of security safeguards, consent mechanisms, data retention practices, and grievance redressal systems. Audit reports must be submitted to the DPBI as prescribed. For businesses already maintaining annual statutory compliance, adding a data protection audit to the compliance calendar is a practical approach.
Data Principal Rights Under the DPDP Act
The DPDP Act does not just impose obligations on businesses. It also grants specific, enforceable rights to individuals whose data is being processed. These rights are not aspirational. Your business must have operational processes to honor each one within the time frame prescribed by the rules.
Right to Access Information
Data Principals can request a summary of their personal data being processed, the processing activities undertaken, and the identities of Data Fiduciaries and Data Processors who have received their data. Your business needs a system (even a simple internal process) to generate and deliver this information on request.
Right to Correction and Erasure
Individuals can request correction of inaccurate or misleading personal data and complete erasure of data that is no longer necessary for the stated purpose. When a Data Principal exercises the right to erasure, you must delete the data and direct all Data Processors who received it to do the same.
Right to Grievance Redressal
Every Data Fiduciary must provide a mechanism for Data Principals to register grievances. The business must acknowledge and resolve grievances within the period specified in the rules. If the Data Principal is unsatisfied with the resolution, they can escalate the complaint to the Data Protection Board of India.
Right to Nominate
Data Principals can nominate another individual to exercise their rights in the event of death or incapacity. This is a unique provision not commonly found in other data protection laws globally. Businesses must accommodate nomination requests and maintain records.
DPDP Act vs GDPR: Key Differences
If your business already complies with the EU's General Data Protection Regulation, you might assume DPDP compliance is automatic. That assumption is risky. While the DPDP Act draws conceptual inspiration from GDPR, there are meaningful structural differences that affect how you implement compliance.
| Feature | DPDP Act, 2023 (India) | GDPR (European Union) |
|---|---|---|
| Scope of Data | Digital personal data only | All personal data (digital and physical) |
| Maximum Penalty | ₹250 crore (fixed cap) | 4% of global annual turnover or €20 million (whichever is higher) |
| Cross-Border Transfer | Allowed by default; restricted to specific countries by notification | Restricted by default; requires adequacy decision or safeguards |
| Data Localization | No blanket requirement | No blanket requirement (but transfer restrictions apply) |
| Consent Model | Consent or "certain legitimate uses" | Six lawful bases including legitimate interest |
| Right to Portability | Not included | Included (right to receive data in portable format) |
| Right to Object to Processing | Not included (withdrawal of consent serves similar purpose) | Included (right to object to profiling and direct marketing) |
| Regulatory Body | Data Protection Board of India (adjudicatory) | National supervisory authorities (regulatory + enforcement) |
| Children's Data | Verifiable parental consent required for under-18s | Parental consent required for under-16 (member states can lower to 13) |
| Breach Notification Timeline | Without delay, with a detailed report to the DPBI within 72 hours (DPDP Rules, 2025) | 72 hours from awareness to the supervisory authority |
The key takeaway for businesses operating in both jurisdictions: GDPR compliance gives you a strong foundation, but you will need India-specific adjustments, particularly around consent mechanisms, the absence of legitimate interest as a standalone basis, and the DPBI complaint process.
Need Help Managing Multi-Jurisdiction Compliance?
IncorpX provides corporate legal services that cover both Indian data protection and international regulatory alignment for businesses with global operations.
Steps to Achieve DPDP Compliance in 2026
Compliance is not a single checkbox. It is a systematic process that touches your technology stack, documentation, internal policies, and staff behaviour. Here is a practical, step-by-step plan that works for businesses of all sizes.
Step 1: Conduct a Data Audit
Map every category of personal data your business collects, stores, processes, and shares. Record where the data resides (CRM, email marketing tool, HR software, spreadsheets), who has access, and why the data was collected. This data inventory is the foundation of everything that follows. You cannot protect data you do not know you have.
Step 2: Review and Update Your Privacy Policy
Your privacy policy must clearly describe what personal data you collect, the purpose of processing, the Data Principal's rights, your data retention periods, and how to contact your grievance officer. Replace vague language like "we may use your data to improve services" with specific purposes. The DPDP Act requires clear, plain-language notices, not legal jargon.
Step 3: Implement a Consent Management Framework
Build or integrate a consent collection mechanism that records when consent was given, what specific purpose it was given for, and that offers an equally simple way to withdraw it. Cookie banners alone are not sufficient. Every data collection point, including signup forms, checkout pages, job application portals, and customer support chatbots, needs a compliant consent flow.
Step 4: Establish a Data Breach Response Plan
Create a documented incident response protocol that covers breach detection, internal escalation, notification to the DPBI, and communication with affected Data Principals. Assign clear roles: who detects, who assesses severity, who reports, and who communicates. Test the protocol with a simulated breach scenario at least once a year.
Step 5: Draft a Data Retention and Erasure Policy
For each category of personal data, define maximum retention periods based on the purpose of collection and any legal requirements for retention (such as tax records under the Income Tax Act). Build automated or manual erasure processes that trigger when retention periods expire or when a Data Principal requests deletion.
Step 6: Train Your Team
Every employee who handles personal data (which, in most businesses, is everyone) needs basic training on DPDP obligations. Focus on what constitutes personal data, how to handle data access and deletion requests, what qualifies as a breach, and the internal escalation process. Annual refresher training keeps compliance from becoming a one-time exercise that fades from memory.
Step 7: Engage a Compliance Advisor
For businesses without in-house data protection expertise, engaging a professional compliance advisory service reduces the risk of gaps and misinterpretation. An advisor can conduct your initial data audit, draft your policies, implement consent mechanisms, and provide ongoing monitoring. The cost of professional advisory is a fraction of the potential penalty exposure.
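The consent and retention steps above are the two that most often exist only on paper. The block below is an added example, not code from the original page or from IncorpX, showing what "records when consent was given, for which purpose, and can be withdrawn as easily" looks like as a data structure, combined with a retention schedule that turns withdrawal or purpose fulfilment into an erasure plan and fans the instruction out to the Data Processors that hold the data. The purposes, retention periods, processor names and the statutory hold on invoice records are assumptions for illustration; replace them with your own data inventory and the retention periods your own legal requirements dictate.

```python
"""Added example: per-purpose consent ledger plus retention-driven erasure.
All purposes, periods and processor names below are assumed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed purpose catalogue: retention in days after the purpose is fulfilled
# (None = keep only while consent stands) and which processors receive the data.
PURPOSES = {
    "newsletter":       {"retention_days": None,     "processors": ["email-vendor"]},
    "order_fulfilment": {"retention_days": 90,       "processors": ["courier-api"]},
    "invoice_records":  {"retention_days": 8 * 365,  "processors": ["accounting-saas"]},
}
# Purposes a statute obliges you to retain (assumed: tax records). A consent
# withdrawal does not erase these until the statutory period has run.
LEGAL_HOLD = {"invoice_records"}


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                 # one record per purpose: no bundled consent
    given_at: datetime
    notice_version: str          # which plain-language notice was shown
    withdrawn_at: Optional[datetime] = None
    fulfilled_at: Optional[datetime] = None   # when the purpose was served


class ConsentLedger:
    """Append-only consent records with an audit trail of every change."""

    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self.audit: list[tuple] = []

    def record_consent(self, principal_id: str, purpose: str, notice_version: str,
                       affirmative: bool, now: datetime) -> ConsentRecord:
        # A pre-ticked box or silence is not consent: require an explicit act.
        if not affirmative:
            raise ValueError("consent needs a clear affirmative action")
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; consent must be specific")
        rec = ConsentRecord(principal_id, purpose, now, notice_version)
        self.records.append(rec)
        self.audit.append(("given", principal_id, purpose, now.isoformat()))
        return rec

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> bool:
        # Withdrawal is a single call, as easy as giving consent (no ticket).
        changed = False
        for rec in self.records:
            if (rec.principal_id, rec.purpose) == (principal_id, purpose) and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                changed = True
        if changed:
            self.audit.append(("withdrawn", principal_id, purpose, now.isoformat()))
        return changed

    def mark_fulfilled(self, principal_id: str, purpose: str, now: datetime) -> None:
        # Starts the retention clock for that purpose.
        for rec in self.records:
            if (rec.principal_id, rec.purpose) == (principal_id, purpose) and rec.fulfilled_at is None:
                rec.fulfilled_at = now

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        return any((r.principal_id, r.purpose) == (principal_id, purpose) and r.withdrawn_at is None
                   for r in self.records)

    def erasure_plan(self, now: datetime) -> list[dict]:
        """What must be erased now, and which processors to instruct."""
        plan = []
        for rec in self.records:
            policy = PURPOSES[rec.purpose]
            days = policy["retention_days"]
            expired = (rec.fulfilled_at is not None and days is not None
                       and now >= rec.fulfilled_at + timedelta(days=days))
            withdrawn = rec.withdrawn_at is not None
            if rec.purpose in LEGAL_HOLD and not expired:
                continue   # statute requires retention; withdrawal alone does not erase
            if withdrawn or expired:
                plan.append({"principal_id": rec.principal_id, "purpose": rec.purpose,
                             "reason": "withdrawn" if withdrawn else "retention_expired",
                             "notify_processors": list(policy["processors"])})
        return plan


def rejects_preticked() -> bool:
    """True if a non-affirmative (pre-ticked) consent attempt is refused."""
    try:
        ConsentLedger().record_consent("p-x", "newsletter", "notice-v3", False,
                                       datetime(2026, 1, 1, tzinfo=timezone.utc))
    except ValueError:
        return True
    return False


def demo() -> list[dict]:
    """Constructed scenario: one principal, three purposes, 120 days of activity."""
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    for purpose in ("newsletter", "order_fulfilment", "invoice_records"):
        ledger.record_consent("p-001", purpose, "notice-v3", True, t0)
    ledger.mark_fulfilled("p-001", "order_fulfilment", t0 + timedelta(days=5))
    ledger.withdraw("p-001", "newsletter", t0 + timedelta(days=30))
    ledger.withdraw("p-001", "invoice_records", t0 + timedelta(days=30))  # held by statute
    return ledger.erasure_plan(t0 + timedelta(days=120))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` yields two erasure instructions: the newsletter data (consent withdrawn, instruct `email-vendor`) and the order data (90-day retention expired after fulfilment, instruct `courier-api`). The invoice record is not erased even though consent was withdrawn, because the assumed statutory hold keeps it until its own period runs out; that is the one case where "erase on withdrawal" yields to a legal retention requirement, and your retention policy should name each such case explicitly.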
Impact on Startups and Small Businesses
If you are a startup founder reading this and thinking "this sounds like something only big tech needs to worry about," reconsider. The DPDP Act has no blanket small business exemption. Section 17(3) lets the Central Government exempt notified classes of Data Fiduciaries, including startups, from some provisions (such as notice, accuracy and retention), but unless your class has been notified, the obligations apply in full. A 3-person SaaS company that stores client data in a Google Sheet is as much a Data Fiduciary as Infosys.
That said, the practical impact scales with your data footprint. A Startup India-registered company with a few hundred users has simpler compliance requirements than a fintech processing millions of transactions. You still need a privacy policy, consent mechanism, and breach protocol, but the complexity of each is proportionate to your operations.
What Small Businesses Should Prioritize
Start with the non-negotiables: a clear privacy policy on your website, a consent checkbox that actually records consent (not just a pre-ticked box), a basic data inventory documenting what data you hold and why, and a plan for what to do if you discover a breach. If you handle these four items, you have addressed the highest-risk areas for a small operation. As your business grows and your data processing increases, layer on more formal policies and controls.
The Compliance Advantage
Here is the upside that rarely gets mentioned: early DPDP compliance is a competitive advantage. Enterprise clients, government contracts, and partnerships with foreign companies increasingly require proof of data protection compliance. A startup that can demonstrate DPDP alignment wins contracts over competitors who cannot. For businesses maintaining LLP compliance or Pvt Ltd compliance, adding data protection to the annual compliance cycle is a logical and manageable extension.
Startup Compliance Made Simple
From company registration to DPDP compliance, IncorpX supports startups with affordable legal and regulatory services tailored to early-stage businesses.
Common DPDP Compliance Mistakes to Avoid
Every new regulation triggers a wave of well-intentioned but poorly executed compliance efforts. Based on patterns emerging from early implementation, here are the mistakes that trip up businesses most frequently.
- Pre-ticked consent checkboxes: Consent must be affirmative. A pre-ticked "I agree" box on your signup form does not qualify as free, specific, informed consent under the DPDP Act. The Data Principal must actively opt in
- Bundled consent: Collecting consent for multiple unrelated purposes in a single "I agree to the terms and conditions" click violates the specific consent requirement. Each purpose needs separate consent
- No mechanism for consent withdrawal: If your user can sign up in 30 seconds but needs to email support and wait 3 days to withdraw consent, you are non-compliant. Withdrawal must be as easy as giving consent
- Ignoring existing data: The DPDP Act applies to data collected before the Act came into force. Where consent was obtained before commencement, you may continue processing, but you must give the Data Principal the prescribed notice as soon as reasonably practicable and honour withdrawal. Data held with no recorded consent or purpose at all, as in many customer databases built over 10 years, needs a fresh consent or another lawful basis before it is used
- Treating privacy policy as a legal formality: Copying a privacy policy template from the internet and adding your company name does not constitute compliance. The policy must accurately reflect your actual data practices, purposes, and retention periods
- No data processing agreement with vendors: If you share customer data with a marketing agency, payment processor, or cloud provider, you need a contractual agreement specifying how they handle the data. Without it, you are liable for their lapses
- Assuming "delete" means deleting from one system: When a Data Principal requests erasure, you must delete their data from all systems, including backups, analytics platforms, email marketing tools, and any Data Processors you have shared their data with
- No breach notification protocol: Waiting until a breach happens to figure out how to respond guarantees delayed notification and exposure to the ₹200 crore penalty that follows. Build the protocol before you need it
Summary
The Digital Personal Data Protection Act, 2023 is India's most significant data regulation to date. For businesses, compliance requires seven core actions: obtaining proper consent, providing clear notices, implementing security safeguards, reporting breaches, managing data retention, ensuring accuracy, and honoring erasure requests. The penalties for non-compliance start at ₹50 crore and go up to ₹250 crore per violation. Whether you are a startup collecting your first 100 user emails or an established enterprise with lakhs of customer records, DPDP compliance must be part of your 2026 compliance calendar. Start with a data audit, build your consent framework, document your policies, and consider engaging professional advisory support to close any gaps. Your data practices are no longer just an IT concern; they are a board-level legal obligation.
Get End-to-End DPDP Compliance Support
IncorpX provides complete DPDP compliance services: data audit, privacy policy, consent framework, breach protocol, and ongoing advisory. Protect your business from penalties up to ₹250 crore.
Frequently Asked Questions
What is the DPDP Act, 2023?
When does the DPDP Act come into full effect?
Who is a Data Fiduciary under the DPDP Act?
Who is a Data Principal under the DPDP Act?
What is a Consent Manager?
What is a Significant Data Fiduciary (SDF)?
What are the 7 key obligations for businesses under the DPDP Act?
- Obtain free, specific, informed consent
- Provide clear-language notice before processing
- Implement reasonable security safeguards
- Report data breaches to DPBI and affected individuals
- Retain data only as long as the purpose is served
- Ensure accuracy of personal data
- Erase data when consent is withdrawn or purpose is fulfilled