What is DPDPA Compliance? A Complete Guide

Written by

Ramya Shah

Technical Writer

Reviewed by

Keertan Zala

Product Manager

Published

July 2, 2026

10 min read

If your organisation handles the personal data of people in India, the DPDPA applies to you and compliance is a legal requirement.

The Digital Personal Data Protection Act, 2023 is now backed by the DPDP Rules 2025, and the Data Protection Board of India can impose fines of up to ₹250 crore for a single contravention.

The obligation your IT and security teams own most directly is security safeguards under Section 8, and it is one of the first things a regulator looks at after a breach.

This guide explains what DPDPA compliance requires, who it applies to, the penalties and key dates, and how to turn your existing monitoring and service management into evidence you can show the Board.

What is DPDPA?

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive data protection law. It was passed on 11 August 2023 and was operationalised through the DPDP Rules 2025.

The Act governs how organisations collect, use, store, share, and delete digital personal data. It gives individuals a set of rights over their personal data and holds the organisations that process it accountable for protecting it.

DPDPA compliance is the ongoing state your organisation maintains to meet those obligations. It means keeping valid consent on record, keeping security controls in place and working, answering user requests within the deadlines, detecting and reporting breaches, and retaining records as evidence.

What Counts as Personal Data Under the DPDPA?

Personal data under the DPDPA is any data about an individual who can be identified by or in relation to that data. The key distinction in the definition is the word digital.

The Act covers personal data in digital form, along with non-digital data that is later digitised. Purely physical records that are never converted to digital sit outside its scope.

Personal data covers far more than a name and a phone number. It includes contact details, financial records, health information, and online identifiers that connect back to a person.

For an IT team, the practical challenge is that personal data is rarely stored in one place. It sits across your ticketing system, asset records, log files, backups, and email. You cannot protect or delete data you have not found, so a full inventory is the starting point for compliance.

Who Needs to Comply with the DPDPA?

DPDPA compliance applies to any organisation that processes the digital personal data of people located in India. The requirement holds whether your organisation is based in India or abroad.

A company based outside India is still covered if it processes Indian users' data while offering goods or services in the country.

The Act applies across sectors and organisation types, including:

  • SaaS, e-commerce, fintech, banking, healthcare, and logistics companies

  • Startups and large enterprises

  • Non-profits and NGOs

  • Government bodies

Every organisation qualifies regardless of its size or sector. The depth of your obligations scales with the volume and sensitivity of the data you handle rather than the size of your business.

What Are the Key Roles Under the DPDPA?

Your responsibilities under the DPDPA depend on the role your organisation plays in handling personal data. The Act defines five key roles, and each one carries a different set of obligations.

  • The Data Principal is the individual whose personal data is processed. They hold the rights the Act grants, including access, correction, erasure, grievance redressal, and nomination.

  • The Data Fiduciary is the organisation that decides why and how personal data is processed. It carries the full weight of compliance.

  • The Data Processor processes data on behalf of a Data Fiduciary, such as a cloud or SaaS provider. It acts only under the Fiduciary's instructions and contract.

  • The Consent Manager is an entity registered with the Board that lets individuals give, review, and withdraw consent from a single point.

  • The Significant Data Fiduciary is a large-scale or high-risk Fiduciary that the government designates for extra obligations.

Accountability is the principle that matters most among these roles. The Data Fiduciary is responsible for compliance even when it outsources processing to a vendor.

Data Processors cannot be penalised directly under the Act, so the risk has to be carried in your vendor contracts.

When Does DPDPA Compliance Take Effect?

The DPDPA is already in force as law, and the DPDP Rules 2025 added the operational detail that organisations need in order to act on it.

Compliance obligations are being rolled out in phases rather than all at once, which gives you defined milestones to plan against.

  • The DPDP Act was passed on 11 August 2023.

  • The DPDP Rules were notified in November 2025, and the Data Protection Board of India was established.

  • The Consent Manager registration framework becomes operational in November 2026.

  • Full compliance is required by 13 May 2027, when all substantive obligations become enforceable.

For planning purposes, treat 2026 as your build year. Data discovery, security upgrades, audit logging, and new service-desk workflows take months to stand up and test. The 72-hour breach notification obligation also applies now, ahead of the full deadline.

What Are the Core DPDPA Compliance Requirements?

DPDPA compliance rests on a set of core obligations that every Data Fiduciary has to meet when it collects and processes personal data.

The requirements below form the foundation of a compliant data protection programme:

1. Notice and Consent

Before or when you collect personal data, you have to give the individual a clear notice that states what data you collect, the purpose, and how they can exercise their rights and withdraw consent. The notice must be available in English or any language in the Eighth Schedule of the Constitution.

Consent has to be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action rather than a pre-ticked box. Individuals can withdraw consent as easily as they gave it.

A narrow set of legitimate uses, such as employment or a medical emergency, allows limited processing without consent.

2. Purpose Limitation and Data Minimisation

You can collect only the personal data you need for the stated purpose, and you can use it only for that purpose. Collecting data on a "just in case" basis is exactly what the Act is written to stop.

3. Security Safeguards

Section 8 requires reasonable technical and organisational security safeguards to prevent personal data breaches.

These safeguards include encryption, access controls, logging, and monitoring. This obligation is one of the Act's top penalty categories, so a failure here that leads to a breach is costly.

The key word is reasonable, and regulators treat it as an ongoing duty. Access control, encryption, monitoring, and testing are expected to be live and reviewed, with evidence that you checked them.

4. Personal Data Breach Notification

When you become aware of a personal data breach, you have to notify the Data Protection Board and every affected Data Principal.

The notice describes the breach, the data involved, the likely consequences, and the steps individuals can take to protect themselves. The detailed report to the Board is expected within 72 hours of your becoming aware.

There is no threshold, so every breach is reportable. The clock starts when you become aware of the breach rather than when it first occurred, so how quickly you detect an incident directly affects whether you can meet the deadline.

5. Data Retention and Erasure

You can keep personal data only as long as the purpose requires. Once the purpose is served or consent is withdrawn, you have to erase it unless a legal obligation requires you to retain it.

Retention is best enforced by systems rather than by someone remembering to run a cleanup.

6. Cross-Border Data Transfer

The DPDPA uses a negative-list approach to transfers. You can move personal data outside India except to countries the government specifically restricts.

The negative-list approach is more permissive than the GDPR model, but you still have to track the restricted list and stay within any sector-specific rules.

7. Vendor and Processor Management

Because liability stays with you, every Data Processor you use has to be bound by a contract that requires DPDPA-grade security and limits on processing.

You have to map your vendors, review their controls, and make sure a breach on their side reaches you fast enough to meet your own 72-hour deadline.

What Rights Do Data Principals Have?

The DPDPA gives individuals, known as Data Principals, a set of rights over their personal data, and compliance means putting those rights into practice through workflows your teams can run. You have 30 days to act on most of these requests.

  • The right to access a copy of their personal data and a summary of how it is processed.

  • The right to correct inaccurate data and to erase data that is no longer needed.

  • The right to grievance redressal through a working complaint channel before they escalate to the Board.

  • The right to nominate another person to exercise their rights in the event of death or incapacity.

  • The right to withdraw consent at any time, as easily as it was given.

In practice, these rights become service-desk tickets with deadlines. Without a workflow to receive, track, fulfil, and log them, the 30-day timeline is hard to meet at scale.

What Extra Obligations Apply to Significant Data Fiduciaries?

The government can designate an organisation a Significant Data Fiduciary based on the volume and sensitivity of the data it processes and the risk to individuals' rights.

A Significant Data Fiduciary carries three additional obligations.

  1. It has to appoint a Data Protection Officer based in India who reports to senior management and serves as the contact for grievances.

  2. It has to conduct a Data Protection Impact Assessment and periodic independent audits.

  3. It also has to apply extra due diligence, including over algorithmic software that could affect Data Principals' rights.

If you process personal data at large scale, plan for these obligations early, since designation brings them into effect quickly.

What Does the DPDPA Require for Children's Data?

Processing the personal data of anyone under 18 requires verifiable consent from a parent or lawful guardian. Persons with disabilities who have a lawful guardian are covered by the same guardian-consent requirement.

You cannot carry out processing that is likely to have a detrimental effect on a child's wellbeing, and you cannot run behavioural tracking or targeted advertising directed at children. This sits in the Act's highest penalty tier.

What Are the Penalties for DPDPA Non-Compliance?

The Data Protection Board of India can impose penalties under the Schedule to Section 33, after giving the organisation a hearing. The maximum fine under the DPDPA is ₹250 crore per contravention.

Under Section 33(3), the Board can reduce or increase a penalty by up to twice the base amount, which takes the ceiling as high as ₹500 crore. Multiple contraventions draw multiple penalties.

The schedule sets these caps for penalties:

  • Up to ₹250 crore for failing to comply with directions issued by the Board (Section 34).

  • Up to ₹200 crore for contravening the core provisions on notice, consent, and general duties (Sections 4 to 12 and 14).

  • Up to ₹200 crore for failing to take reasonable security safeguards (Section 8(5)).

  • Up to ₹200 crore for failing to notify a breach to the Board and affected individuals (Section 8(6)).

  • Up to ₹50 crore for failing to carry out a required impact assessment or audit (Section 10).

  • Up to ₹10 crore for failing to appoint a Data Protection Officer or publish contact details (Sections 10 and 9(1)(c)).

  • Up to ₹10 crore for failing to give the Board information it requires (Section 32(2)).

A few points are worth knowing about how these penalties work in practice. Penalties are civil and financial, which means there is no imprisonment under the DPDPA.

The Data Fiduciary carries the liability, while a Data Processor is not fined directly. The Board also weighs several factors when it sets an amount.

These include the nature, gravity, and duration of the breach, the type of data involved, whether the breach was repeated, any gain the organisation made, and the steps it took to reduce the harm.

Appeals go to the Telecom Disputes Settlement and Appellate Tribunal, and then to the Supreme Court.

Beyond the fine, a public breach notification and the loss of customer trust often cost more over time than the penalty itself.

How is the DPDPA Different from GDPR?

If you already comply with the GDPR, you will recognise much of the DPDPA, because both share the same foundations. The differences sit in the detail.

The DPDPA covers only digital personal data, while the GDPR covers personal data in any form. The GDPR sets out special categories of sensitive data with extra protection, while the DPDPA does not create a separate sensitive-data category.

For transfers, the DPDPA lets data move anywhere except countries the government restricts, whereas the GDPR relies on adequacy decisions. The GDPR recognises six lawful bases, including legitimate interest, while the DPDPA relies on consent and a narrow set of legitimate uses.

Penalties are the clearest difference. The GDPR can reach 4% of global annual turnover, while the DPDPA sets fixed caps of up to ₹250 crore per contravention and has no turnover-based fine.

Any guide that cites a "4% of turnover" penalty for the DPDPA is probably confusing it with the GDPR.

How Do You Become DPDPA Compliant?

Becoming DPDPA compliant is a structured process that most organisations can follow as a clear sequence of steps.

The path below moves from discovering the personal data you hold to proving that your controls actually work.

  1. Run a personal data inventory to find every system that holds personal data, what it holds, and how long it keeps it.

  2. Map data flows and vendors so you know how personal data moves between systems and third parties.

  3. Rewrite privacy notices in plain language and rebuild consent flows to be explicit and easy to withdraw.

  4. Strengthen security safeguards with encryption, access control, multi-factor authentication, and monitoring on the systems that hold personal data.

  5. Put breach detection and a response plan in place so you can identify unauthorised access quickly and notify within 72 hours.

  6. Build service-desk workflows for access, correction, erasure, and grievance requests, each with a 30-day timeline.

  7. Update vendor contracts to require DPDPA-grade obligations and prompt breach reporting back to you.

  8. Enforce retention and deletion through automation rather than manual cleanup.

  9. Assess whether you are a Significant Data Fiduciary, appoint a Data Protection Officer if required, and run an impact assessment.

  10. Build audit trails that log personal data access and processing, retain the records as evidence, and make them searchable.

  11. Train your IT, security, and service-desk teams, and involve legal counsel to confirm your interpretation.

Working through these steps in order takes you from knowing where personal data sits to being able to show the Board that your controls work.

DPDPA Compliance Checklist for IT Teams

The following checklist covers the core DPDPA compliance items your IT teams should work through, and you can use it to measure your current setup and find the gaps.

  • Complete a personal data inventory and keep it current.

  • Map data flows and every Data Processor.

  • Rewrite privacy notices and make consent explicit and withdrawable.

  • Harden personal data systems with encryption, access control, and multi-factor authentication.

  • Put real-time breach detection in place.

  • Document a 72-hour breach notification workflow.

  • Build data-principal request workflows with a 30-day timeline.

  • Keep audit logs that are tamper-evident and retained as evidence.

  • Enforce retention with automated deletion.

  • Assess Significant Data Fiduciary status and appoint a Data Protection Officer if required.

Work through each item to see where your organisation stands today, and prioritise the biggest gaps first as you build toward the May 2027 deadline.

How Motadata Supports DPDPA Compliance

Motadata processes customer data as a Data Processor and supports Data Fiduciaries in meeting their DPDPA obligations. It maintains security certifications that show its controls operate over time.

These include SOC 1 Type 2, SOC 2 Type 2, and SOC 3, along with alignment to GDPR and CIS.

A Type 2 report tests whether security controls worked across a period, not only on the day of the audit. For a Data Fiduciary assessing its vendors under the DPDPA, that kind of evidence is what supports your own accountability.

Motadata also offers flexible deployment, including on-premises options, so you can keep personal data within the environment your policies require.

How Does Motadata Help You Meet DPDPA's Requirements?

DPDPA compliance is a legal responsibility that your organisation owns, and a platform supports the operational side of it rather than taking on that responsibility for you.

Much of the day-to-day work behind compliance is operational, and that is where an IT operations platform earns its place.

1. Detecting Unauthorised Access with ObserveOps

ObserveOps monitors logs and system activity and alerts your team to unusual or unauthorised access to personal data. This supports the security safeguards Section 8 asks for and gives you an early signal before an incident spreads.

2. Closing the Loop on Breach Response with ServiceOps

ServiceOps turns breach response into a tracked incident workflow, so investigation, escalation, and notification happen against the 72-hour clock rather than through email threads. It also handles data access, correction, erasure, and grievance requests as service tickets with a 30-day timeline.

3. Evidence and Compliance Reporting

Audit trails and reporting record who accessed personal data, when, and what was done in response to an incident. When the Board asks what you saw and what you did, the answer is already recorded.

4. Accountability Through AIOps

Event correlation and automated escalation help surface a potential breach quickly and route it to the right responders, which supports the detection speed the DPDPA expects.

Make DPDPA Compliance Something You Can Prove

DPDPA compliance is something your organisation demonstrates over time, through consent kept on record, data kept secure, rights answered on time, and breaches caught and reported.

The deadline is 13 May 2027, but the build work takes most of the runway you have left. Start with a data inventory and an honest gap assessment, fix consent and security, and build the workflows behind rights and breach response. Log all of it, because under the DPDPA, evidence is what the Board asks for.

The right platform carries the technical and reporting weight, so that when the Board asks what happened, the answer is already recorded. Motadata supports that side with the security safeguards, breach detection, and audit trails the Act expects.

If you want to see how that holds up against your own environment, you can book a demo with the Motadata team.

FAQs

What is DPDPA compliance?

DPDPA compliance means meeting the obligations of India's Digital Personal Data Protection Act, 2023. It covers giving clear notice, collecting valid consent, securing personal data, answering data-principal requests within 30 days, reporting breaches to the Data Protection Board, and keeping records as evidence.

Is DPDPA compliance mandatory?

Yes. The DPDPA applies to any organisation that processes the digital personal data of people in India, whether the organisation is based in India or abroad. Full compliance is required by 13 May 2027, and the 72-hour breach notification obligation already applies.

Is the DPDP Act in force?

The Act was passed in 2023, the DPDP Rules 2025 were notified in November 2025, and the Data Protection Board is established. Obligations are being enforced in phases, with the full deadline on 13 May 2027.

What is the maximum fine for DPDPA non-compliance?

The maximum fine is ₹250 crore per contravention. Under Section 33(3), the Board can increase a penalty by up to twice the base amount, so the ceiling can reach ₹500 crore. Penalties are civil, and there is no imprisonment.

What is the difference between GDPR and DPDPA?

The DPDPA covers only digital personal data, has no separate sensitive-data category, allows transfers except to restricted countries, and caps fines at ₹250 crore per contravention.

The GDPR covers all personal data, has special data categories, uses adequacy decisions for transfers, and can fine up to 4% of global turnover. The DPDPA has no turnover-based penalty.

Who is responsible for DPDPA compliance, the company or its software vendor?

The Data Fiduciary, the organisation that decides why and how data is processed, is responsible. A Data Processor acts under the Fiduciary's instructions and cannot be penalised directly, so the Fiduciary carries the liability and has to enforce obligations through vendor contracts.

What is a Significant Data Fiduciary?

A Significant Data Fiduciary is a large-scale or high-risk Fiduciary that the government designates. It has to appoint an India-based Data Protection Officer, conduct impact assessments and independent audits, and apply extra due diligence over high-risk processing.

Does Motadata help with DPDPA compliance?

Motadata supports DPDPA readiness as a Data Processor and as an IT operations platform. Its observability, ITSM, and audit-trail capabilities help IT teams meet the security safeguards, breach detection, and evidence requirements the Act sets, though the compliance responsibility stays with your organisation.

Ramya Shah is a technical content writer with a computer engineering background and roots in automotive journalism. He covers IT Service Management, observability, IT operations, and AI-driven automation. An early adopter of AI-assisted writing workflows, he turns complex IT processes into clear, engaging content optimized for search and answer engines (AEO), lifting content output and organic visibility.