India’s DPDP Compliance Deadline Is Approaching: What Businesses Need to Do Before May 2027
With the notification of India’s Digital Personal Data Protection (DPDP) Rules, 2025 and the phased commencement of the DPDP Act, 2023, businesses now have a defined window to prepare their data governance, cybersecurity, consent, and vendor management systems before the core compliance regime takes effect.
For companies operating in India, the DPDP framework requires organizations to understand what personal data they collect, why they use it, where it is stored, how long it is retained, which third parties receive it, and how individuals can exercise their rights.
Further, while multinational companies with global data compliance obligations may be better prepared, their setup will not automatically satisfy India’s DPDP requirements.
India’s DPDP implementation timeline: What happens before May 2027?
India has adopted a phased implementation approach.
India’s Data Protection Regime: DPDP Implementation Timeline

| Date | What takes effect | Business implication |
|---|---|---|
| November 14, 2025 | Foundational provisions, definitions, and the institutional framework for the Data Protection Board of India | Businesses should begin data mapping, privacy governance, and implementation planning. |
| November 14, 2026 | Consent Manager-related provisions | Organizations using or considering consent-management platforms should monitor registration and interoperability requirements. |
| May 14, 2027 | Core operational obligations, rights, breach requirements, enforcement provisions, and penalty framework | Data Fiduciaries should have their compliance systems, contracts, incident-response procedures, and rights-management workflows fully operational. |
The May 2027 deadline is therefore the key compliance milestone for most businesses. Companies that wait until then may find that their data architecture, legacy systems, third-party contracts, and customer-facing consent journeys cannot be redesigned quickly enough.
What does the DPDP Act require businesses to do?
The Act applies to digital personal data collected in India, as well as offline information that is subsequently digitized. It can also apply to organizations outside India where they process digital personal data in connection with offering goods or services to individuals in India.
The core accountability rests with the “Data Fiduciary” – broadly comparable to a GDPR controller. A Data Fiduciary determines the purpose and means of processing personal data and remains accountable even where processing is outsourced to a Data Processor, cloud provider, technology vendor, call center, or other service partner.
Businesses should prioritize the following compliance areas.
Consent, notices, and purpose limitation
DPDP is substantially consent-led. Where consent is relied upon, it must be free, specific, informed, unconditional, unambiguous, and based on clear affirmative action.
Businesses will need to assess whether their existing consent journeys are sufficiently granular and understandable. This is particularly relevant for digital onboarding, marketing databases, mobile applications, employee platforms, customer portals, and lead-generation campaigns.
Businesses should design withdrawal mechanisms that are as accessible and practical as the original consent process. This has practical consequences for user-interface design, customer support processes, CRM systems, marketing automation tools, and data deletion workflows.
Data retention and erasure
Businesses will need to justify continued retention against the purpose for which the data was collected and any separate legal retention requirement.
For businesses, this means developing a defensible retention schedule that identifies:
- the purpose for each data set;
- the legal or regulatory basis for retaining it;
- the system in which it is held;
- the business owner responsible for it; and
- the trigger for deletion, anonymization, or archival.
This will be particularly challenging for organizations holding legacy customer records across multiple systems.
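The retention schedule described above, together with the consent-withdrawal workflow discussed under consent, can be kept as a small register that records the five elements for each data set and evaluates the deletion trigger against a review date. The following Python is an added example, not code from the article or from Dezan Shira & Associates; the data sets, dates and the rule that a separate legal retention requirement keeps a record until it lapses are constructed assumptions for illustration, not periods taken from the DPDP Act or Rules.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class RetentionEntry:
    """One line of the retention schedule: the five elements listed in the article
    (purpose, legal basis, system, owner, trigger) plus the end action the trigger fires."""
    dataset: str
    purpose: str
    legal_basis: str
    system: str
    owner: str
    end_action: str                            # "delete", "anonymize" or "archive"
    purpose_end: Optional[date] = None         # trigger: date after which the purpose is no longer served
    legal_hold_until: Optional[date] = None    # separate legal retention requirement, if any (assumed field)
    consent_withdrawn: Optional[date] = None   # date the individual withdrew consent, if they did


REQUIRED = ("purpose", "legal_basis", "system", "owner", "end_action")
ACTIONS = {"delete", "anonymize", "archive"}


def missing_elements(entry: RetentionEntry) -> list:
    """Return the schedule elements that are blank or invalid; an entry with gaps is not defensible."""
    gaps = [field for field in REQUIRED if not getattr(entry, field)]
    if entry.end_action and entry.end_action not in ACTIONS:
        gaps.append("end_action")
    if entry.purpose_end is None:
        gaps.append("purpose_end")  # no trigger means retention cannot be justified against the purpose
    return gaps


def decide(entry: RetentionEntry, today: date) -> tuple:
    """Decide what to do with one data set on the review date. Returns (action, reason)."""
    gaps = missing_elements(entry)
    if gaps:
        return ("review", "schedule entry incomplete: " + ", ".join(gaps))
    # Assumed policy: a separate legal retention requirement keeps the record, restricted to that
    # requirement, until it lapses; this overrides both purpose end and consent withdrawal.
    if entry.legal_hold_until and today < entry.legal_hold_until:
        return ("retain", f"legal retention requirement runs until {entry.legal_hold_until.isoformat()}")
    # Consent withdrawal is an erasure trigger in its own right, independent of the purpose end date.
    if entry.consent_withdrawn and entry.consent_withdrawn <= today:
        return (entry.end_action, f"consent withdrawn on {entry.consent_withdrawn.isoformat()}")
    if entry.purpose_end <= today:
        return (entry.end_action, f"purpose ended on {entry.purpose_end.isoformat()}")
    return ("retain", f"purpose still served until {entry.purpose_end.isoformat()}")


def review_schedule(entries, today: date) -> dict:
    """Run the whole register and map each data set to its (action, reason)."""
    return {entry.dataset: decide(entry, today) for entry in entries}


# Constructed sample register; every name, system and date below is made up for the example.
TODAY = date(2026, 6, 1)
SAMPLE_ENTRIES = [
    RetentionEntry("marketing_leads", "email marketing", "consent", "crm", "marketing",
                   "delete", purpose_end=date(2027, 12, 31), consent_withdrawn=date(2026, 3, 1)),
    RetentionEntry("kyc_records", "customer onboarding", "statutory retention (placeholder)", "core-banking",
                   "compliance", "archive", purpose_end=date(2026, 1, 1), legal_hold_until=date(2030, 1, 1)),
    RetentionEntry("support_tickets", "customer support", "consent", "helpdesk", "operations",
                   "anonymize", purpose_end=date(2025, 6, 30)),
    RetentionEntry("legacy_export", "unknown", "unknown", "file-share", "",
                   "delete", purpose_end=date(2024, 1, 1)),
]

if __name__ == "__main__":
    for dataset, (action, reason) in review_schedule(SAMPLE_ENTRIES, TODAY).items():
        print(f"{dataset:16} {action:10} {reason}")
```

The `review` outcome is the useful one for legacy estates: a record with no named owner or no trigger cannot be defended, so the register surfaces it for a decision rather than silently retaining it.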
Data security and breach readiness
The DPDP framework makes security safeguards a central board-level issue. The highest stated financial penalty can apply where a Data Fiduciary fails to take reasonable security safeguards to prevent a personal data breach.
Companies should have a tested incident-response plan capable of identifying, containing, investigating, documenting, and reporting breaches. The DPDP Rules require affected individuals to be informed without delay, while the Data Protection Board must receive a detailed report within the prescribed timeframe.
This means privacy, legal, cybersecurity, IT, communications, customer service, and senior management teams need a coordinated breach-response protocol.
Children’s data and digital services
The DPDP Act treats anyone below the age of 18 as a child. Processing a child’s personal data generally requires verifiable parental consent. The Act also restricts tracking, behavioral monitoring, and targeted advertising directed at children, subject to notified exemptions.
This is relevant not only to edtech and gaming platforms, but also to banks, insurers, consumer-app providers, e-commerce companies, telecommunications businesses, and companies selling family or student-focused products.
Vendor, cloud, and processor governance
A Data Fiduciary remains accountable for data processed on its behalf. Businesses should therefore review contracts with cloud providers, technology partners, payroll vendors, customer-service providers, marketing agencies, payment platforms, KYC service providers, and outsourced business-process providers.
Contracts should address security safeguards, permitted processing purposes, subcontracting, breach escalation, audit support, deletion obligations, return of data, confidentiality, and assistance with individual-rights requests.
How does DPDP compare with GDPR?
DPDP and the EU’s General Data Protection Regulation (GDPR) share several broad objectives: giving individuals greater control over personal data, strengthening security, and requiring organizations to adopt more accountable governance practices. However, they are not interchangeable frameworks.
Comparing India’s DPDP Act with the EU’s GDPR

| Area | GDPR | India’s DPDP framework | Compliance note |
|---|---|---|---|
| Scope | Covers personal data processed wholly or partly by automated means. It also applies to non-automated processing where personal data forms part of, or is intended to form part of, a structured filing system. | Covers digital personal data: data collected in digital form, or data collected offline and subsequently digitized. Purely offline personal data that is never digitized is outside the Act’s scope. | Multinational companies should separately assess paper-based records and digital records. |
| Lawful grounds | Processing personal data is lawful under the GDPR only when it is based on a valid legal ground, such as consent, contract necessity, legal obligation, vital interests, public interest or official authority, or legitimate interests that do not override the individual’s rights and freedoms. | Relies mainly on consent and specified “certain legitimate uses”. | GDPR legitimate interest assessments do not automatically justify processing in India. |
| Individual rights | Includes data portability, objection to processing, and restriction of processing, as well as safeguards around automated decision-making. | Provides rights to access, correction, updating, erasure, grievance redressal, and nomination. | Rights-management processes need India-specific workflows. |
| Processor obligations | Controllers and processors both have detailed direct statutory duties. | Primary accountability rests with the Data Fiduciary. | Vendor contracts remain critical, even where processors are not regulated in the same way. |
| International transfers | Personal data transfers outside the European Economic Area (EEA) are permitted only when protected through approved safeguards, such as adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or limited derogations. | Permits transfers unless the Central Government restricts specified countries or territories, alongside sector-specific restrictions. | Businesses must monitor future Indian transfer restrictions separately from GDPR transfer mechanisms. |
| Children’s data | Default consent age is generally 16. GDPR includes a flexibility clause that allows individual member states to lower this age to as young as 13 years. | Child is defined as a person below 18. | Digital services may need stronger age-assurance and parental-consent controls in India. |
| Penalties | Up to EUR 20 million or 4 percent of worldwide annual turnover for serious infringements. | Fixed statutory penalty caps, including up to INR 2.5 billion (approx. US$26.53 million / €23.06 million) for failure to maintain reasonable security safeguards. | DPDP exposure is not turnover-based, but breach, reputational, contractual, and sectoral risk can still be significant. |
The most important operational difference is that GDPR’s broad “legitimate interests” basis does not have a direct private sector equivalent under DPDP. Businesses using customer analytics, behavioral marketing, cross-selling, profiling, internal data sharing, or AI-enabled decision-making should not assume that a GDPR justification will work unchanged in India.
Significant Data Fiduciaries: Which businesses should prepare?
A company does not become a Significant Data Fiduciary (SDF) automatically because it is large or operates in a regulated industry. India’s Central Government must formally notify a Data Fiduciary or class of Data Fiduciaries based on factors such as the volume and sensitivity of data processed, risk to individuals, and potential implications for public order, security, or national interests.
However, data-intensive businesses should prepare for the possibility of designation. This may include large banks, NBFCs, digital lenders, payment businesses, insurers, credit-information companies, investment platforms, marketplaces, technology platforms, healthcare businesses, telecommunications companies, and major consumer-facing employers.
Significant Data Fiduciaries face additional obligations, including an India-based Data Protection Officer, independent audits, periodic Data Protection Impact Assessments, annual compliance reviews, and due diligence over algorithmic systems that process personal data.
For financial institutions, this is particularly relevant where automated credit scoring, fraud detection, underwriting, risk profiling, digital lending, or behavioral analytics influence customer outcomes.
A practical DPDP readiness roadmap
Businesses should use the transition period to complete a structured compliance assessment rather than wait for the May 2027 deadline.
Priority actions include:
- Map personal-data flows across customer, employee, supplier, marketing, and digital systems.
- Identify the legal basis and stated purpose for each major processing activity.
- Redesign notices and consent journeys in clear, accessible language.
- Build workflows for consent withdrawal, correction, access, erasure, and grievance redressal.
- Review retention schedules and deletion controls across legacy systems.
- Update processor, cloud, and outsourcing agreements.
- Test breach detection, notification, and escalation procedures.
- Assess high-risk uses of AI, profiling, automated decision-making, and customer analytics.
- Prepare governance structures for possible Significant Data Fiduciary designation.
- Monitor new government notifications, Data Protection Board practice, and sector-specific RBI, SEBI, IRDAI, CERT-In, and other regulatory requirements.
The commercial takeaway
Alongside legal compliance, the DPDP implementation will require changes across operating processes, affecting customer acquisition, digital product design, employee-data governance, cybersecurity, outsourcing, cloud deployment, marketing, and AI use.
Companies that act early can use the transition period to reduce compliance risk, improve customer trust, and avoid costly remediation once the substantive requirements become enforceable.
About Us
India Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Delhi, Mumbai, and Bengaluru in India. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Vietnam, Indonesia, Singapore, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.