King Stubb & Kasiva

DPDP Act Compliance & Advisory: A Practical Guide for Businesses in India

India’s Digital Personal Data Protection Act, 2023 (DPDP Act), operationalised by the DPDP Rules, 2025 notified on 13 November 2025, applies to almost every business that handles the personal data of people in India – including foreign companies offering goods or services to Indian users. With the substantive obligations expected to commence on a phased timeline, organisations have a finite runway to put a compliance programme in place. This page sets out what DPDP compliance practically involves and how the KSK data-privacy team helps clients get there.

Who the DPDP Act applies to

The Act covers any data fiduciary that determines the purpose and means of processing digital personal data in India and, under its extra-territorial reach (Section 3), foreign entities processing personal data in connection with offering goods or services to data principals in India. There is no small-business or turnover exemption; startups and large enterprises alike are in scope. For the detail, see our analyses of the Act’s territorial scope and of its scope and objectives.

The core obligations to build toward

  • Notice & consent – itemised, plain-language notice and free, specific, informed, unambiguous consent, with withdrawal as easy as giving it. See our guide to the consent framework.
  • Lawful processing without consent – mapping which activities can rely on the Section 7 legitimate uses.
  • Security safeguards – reasonable technical and organisational measures (a failure here carries the Act’s highest penalty). See reasonable security safeguards.
  • Breach response – readiness to notify the Data Protection Board and affected individuals within the Rule 7 timelines.
  • Retention & erasure – storage limitation and deletion when the purpose is served. See data retention and deletion.
  • Data-principal rights – access, correction, erasure, grievance redressal and nomination (a 90-day grievance cap applies). See rights of data principals.
  • Governance – contracts with processors, record-keeping, and – for Significant Data Fiduciaries – a DPO, independent audits and impact assessments.

How KSK helps

Our data-privacy team works with clients across the compliance lifecycle: data-mapping and gap assessments; drafting privacy notices, consent flows and retention schedules; processor and cross-border data-transfer agreements; breach-response playbooks; board and management briefings; and assessing whether a business is likely to be designated a Significant Data Fiduciary. We advise on how DPDP obligations interact with sectoral regulators such as the RBI, SEBI and IRDAI, and with global frameworks like the GDPR.

Where to start

A structured gap assessment against the DPDP Act and Rules is usually the most efficient first step. Our free DPDPA Compliance Scorecard gives an instant indication of your risk level and priority actions, and our complete DPDPA guide walks through the framework in depth.

Talk to KSK about your DPDP readiness

Our data-privacy team advises Indian and global businesses on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. To understand where you stand, try our free DPDPA Compliance Scorecard or speak to our team.

This page is general information about Indian data-protection law and is not legal advice or a solicitation. Provisions of the DPDP Act and Rules are subject to phased commencement and further notification.

Frequently Asked Questions

DPDP Act — quick answers

Is DPDP Act compliance mandatory for all businesses in India?
Yes. The DPDP Act applies to every data fiduciary processing digital personal data in India, with no turnover or size exemption, and extends to foreign companies offering goods or services to people in India. Startups and large enterprises are equally in scope.
When do businesses need to be DPDP compliant?
The DPDP Rules, 2025 were notified on 13 November 2025 with phased commencement. The substantive obligations are reported to take effect roughly 18 months later, around mid-2027. Because no grace period is expected once they commence, businesses should confirm the exact dates against the official schedule and begin preparing now.
What is the first step toward DPDP compliance?
A data-mapping exercise and a gap assessment against the Act and Rules — identifying what personal data you hold, your legal basis, your notices and consent flows, your security posture and your breach-response readiness. A structured scorecard or audit helps prioritise the work.
What are the penalties for non-compliance with the DPDP Act?
Penalties are set in the Act's Schedule as fixed-rupee amounts, up to ₹250 crore for a failure to take reasonable security safeguards and up to ₹200 crore for failing to notify a data breach. The Data Protection Board adjudicates and sets the quantum.

This FAQ is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 — not legal advice. Provisions are subject to phased commencement and further notification. Speak to the KSK data-privacy team for advice on your specific situation.
