BIPI

DPDPA Is Live. Here's What Your Indian Tech Team Actually Has to Change.

Compliance

The Digital Personal Data Protection Act has been in force since 2025. Most Indian tech teams are still treating it as a privacy policy exercise. That isn't enough. This is the checklist we work through with clients who treat the Act seriously.

By Arjun Raghavan, Security & Systems Lead, BIPI · January 8, 2026 · 8 min read

#dpdpa #india #privacy #data-protection

The Digital Personal Data Protection Act has been in force since 2025, and most Indian tech teams we work with are still treating it as a privacy policy exercise. That isn't enough. DPDPA has teeth. The Data Protection Board has begun issuing show-cause notices. The financial penalty for a single breach in certain categories is up to Rs 250 crore. This is the checklist we work through with clients who are treating the Act seriously.

What DPDPA actually expects

The law has three core obligations for what it calls a Data Fiduciary (the entity that decides the purpose of processing). Most teams understand the first two and miss the third.

Obligation one is notice and consent. Every time personal data is collected, the person (the Data Principal) must be told what is being collected, for what purpose, and must consent explicitly. Consent must be free, specific, informed, unconditional, and unambiguous.

Obligation two is purpose limitation. Data collected for purpose A cannot be used for purpose B without fresh consent. That sounds obvious. It breaks most analytics pipelines.

Obligation three is the one teams miss: security safeguards that are 'reasonable', and breach notification within 72 hours to both the Data Protection Board and the affected principals. The 72-hour clock starts when the organisation becomes aware of the breach, not when the incident is confirmed.

Consent architecture: where teams break it

The consent implementation we see most often is a single checkbox at signup with 'I agree to the privacy policy.' That is not DPDPA-compliant. The specific requirements are:

Purpose-specific consent. If your app uses data for onboarding, analytics, and marketing, those are three distinct consents. A bundled consent is presumed invalid if challenged.

Withdrawable consent. The Act guarantees a right to withdraw consent. If your database schema can't flag a user's consent as withdrawn per-purpose, you cannot honour the right. We've found this is usually a schema change, not a UI change, and most teams underestimate the data-model work.

Auditable consent. You must be able to produce, on request, the exact consent record for any user: when they gave it, for what purpose, and under what notice text. A live consent screen today does not prove consent was given in 2024. Consent records must be versioned and immutable.
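The three properties above (per-purpose, withdrawable, auditable) come down to a data-model decision. The following is an added example, not BIPI's or any client's code: an append-only consent ledger in SQLite where every grant and withdrawal is a separate row per purpose, the notice text shown is stored as a hash so the exact wording can be proven later, and database triggers refuse updates and deletes so the record cannot be rewritten. Table and column names are assumptions.

```python
"""Append-only, per-purpose consent ledger (added example, not BIPI's code).
Uses an in-memory SQLite database; sample events are constructed by the caller."""
import hashlib
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE consent_events (
    id          INTEGER PRIMARY KEY,
    user_id     TEXT NOT NULL,
    purpose     TEXT NOT NULL,          -- one row per purpose, never bundled
    action      TEXT NOT NULL CHECK (action IN ('granted', 'withdrawn')),
    notice_hash TEXT,                   -- SHA-256 of the exact notice text shown
    recorded_at TEXT NOT NULL           -- ISO-8601 UTC timestamp
);
-- Immutability enforced in the database, not just by convention.
CREATE TRIGGER no_update BEFORE UPDATE ON consent_events
    BEGIN SELECT RAISE(ABORT, 'consent ledger is append-only'); END;
CREATE TRIGGER no_delete BEFORE DELETE ON consent_events
    BEGIN SELECT RAISE(ABORT, 'consent ledger is append-only'); END;
"""

def open_ledger():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, user_id, purpose, action, notice_text=None, at=None):
    """Append one event. A grant hashes the notice text shown; a withdrawal carries none."""
    at = at or datetime.now(timezone.utc).isoformat()
    h = hashlib.sha256(notice_text.encode()).hexdigest() if notice_text else None
    db.execute("INSERT INTO consent_events (user_id, purpose, action, notice_hash, recorded_at)"
               " VALUES (?, ?, ?, ?, ?)", (user_id, purpose, action, h, at))
    db.commit()

def consent_state(db, user_id, purpose, as_of=None):
    """Latest event for (user, purpose) at or before as_of: the auditable record."""
    row = db.execute(
        "SELECT action, notice_hash, recorded_at FROM consent_events"
        " WHERE user_id=? AND purpose=? AND recorded_at<=?"
        " ORDER BY recorded_at DESC, id DESC LIMIT 1",
        (user_id, purpose, as_of or "9999")).fetchone()
    return None if row is None else {"action": row[0], "notice_hash": row[1], "recorded_at": row[2]}

def has_consent(db, user_id, purpose, as_of=None):
    """Per-purpose check the processing pipeline calls before using the data."""
    s = consent_state(db, user_id, purpose, as_of)
    return s is not None and s["action"] == "granted"

def tamper_refused(db):
    """Prove the ledger is append-only: a DELETE must be rejected by the trigger."""
    try:
        db.execute("DELETE FROM consent_events")
        return False
    except sqlite3.DatabaseError:
        return True
```

Passing `as_of` to `consent_state` answers the audit question in the text ("was consent in force in 2024, and under which notice text?") from the same rows the live check uses.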

Data principal rights you have to handle

Five rights, all with implementation consequences.

  1. Right to access: produce every piece of data you hold about the principal, in machine-readable form, usually within 30 days.
  2. Right to correction: let the principal fix inaccurate records.
  3. Right to erasure: delete the data when consent is withdrawn or the purpose is fulfilled, unless you have a legal retention obligation.
  4. Right to grievance redressal: a named Grievance Officer with a working email, responses within 30 days.
  5. Right to nominate: let a principal nominate someone to act on their behalf if incapacitated or deceased.

A DSAR (Data Subject Access Request) pipeline is the biggest engineering lift. Most teams have no single tool that can produce 'everything about user X across CRM, product, analytics, and support.' Building that pipeline is the core DPDPA project for a mid-size team.
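As an added example (not BIPI's code or any client's system), this is the skeleton of such a pipeline: a registry of stores standing in for CRM, product, analytics and support, an export that returns one machine-readable document for the right to access, and an erasure that deletes per store but keeps records carrying a retention obligation and reports why. The stores and their records are constructed sample data.

```python
"""Minimal DSAR pipeline across several stores (added example, not BIPI's code).
The four stores are constructed in-memory dicts, user_id -> list of records;
a 'retention' field on a record marks a legal retention obligation."""
import json

STORES = {
    "crm":       {"u42": [{"name": "A. Sharma", "email": "a@example.in"}]},
    "product":   {"u42": [{"plan": "pro", "last_login": "2026-01-02"}]},
    "analytics": {"u42": [{"event": "page_view", "ts": "2026-01-02T10:11:00Z"}]},
    "support":   {"u42": [{"ticket": 1187, "status": "closed",
                           "retention": "tax-audit-2031"}]},  # legal hold, must not be erased
}

def export_user(user_id, stores=STORES):
    """Right to access: one machine-readable document covering every store,
    including stores that hold nothing, so the response is provably complete."""
    bundle = {"user_id": user_id,
              "sources": {name: s.get(user_id, []) for name, s in stores.items()}}
    return json.dumps(bundle, indent=2, sort_keys=True)

def erase_user(user_id, stores=STORES):
    """Right to erasure: delete per store unless a record carries a retention
    obligation; return a report of what was deleted and what was retained, and why."""
    report = {"deleted": {}, "retained": {}}
    for name, s in stores.items():
        records = s.get(user_id, [])
        keep = [r for r in records if r.get("retention")]
        gone = len(records) - len(keep)
        if gone:
            report["deleted"][name] = gone
        if keep:
            s[user_id] = keep
            report["retained"][name] = [r["retention"] for r in keep]
        elif user_id in s:
            del s[user_id]
    return report
```

The erasure report is what you hand to the principal and keep for the Board: it shows each store was visited and names the obligation behind anything retained.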

The 72-hour breach clock

The breach notification requirement is the one that will catch most teams unprepared. Ask yourself: if your product database is exfiltrated at 2 AM on a Saturday, what is the path from discovery to DPB notification? How many people, across how many departments, need to sign off? Is your incident response plan DPDPA-aware?

We've found that teams with a mature IR process still need 12 to 18 hours to assemble the facts into a DPB-grade notification. That leaves very little margin.


Practical migration checklist

For a team starting from zero:

  • Map every place personal data is collected, stored, and processed. The map is usually bigger than the team expects.
  • Appoint a Data Protection Officer or Grievance Officer with a working email address.
  • Rebuild consent at every collection point into per-purpose consent.
  • Implement a DSAR pipeline that can produce, export, and delete data per-user.
  • Rehearse the 72-hour breach notification path quarterly.
  • Update all third-party processor contracts to include DPDPA-compliant terms.

Closing

DPDPA is not a policy document. It is an engineering program. The teams that are ready for audit today started the work in 2024 and treated it as a multi-quarter investment. The teams that are still writing privacy policies will learn the harder lesson in front of the Data Protection Board.
