Data Protection Compliance in India — What Every Business Must Do Before 2027
June 8, 2026
TL;DR / QUICK ANSWER
Every business collecting personal data of Indian residents must comply with the DPDP Act by 2027. Start with a data audit, fix your consent mechanisms, update your privacy policy, build a data subject request process, and create a breach notification workflow. The penalty for non-compliance is up to INR 250 crore.
The state of data protection compliance in India today
Before the DPDP Act, India had no comprehensive data protection law. The Information Technology Act 2000 and its 2011 amendment provided limited protections, primarily covering sensitive personal data and applying mainly to body corporates. The result: years of inconsistent practices, inadequate consent mechanisms, unchecked data sharing, and no independent enforcement body. The DPDP Act changes this fundamentally. It establishes clear obligations, a dedicated enforcement authority (the Data Protection Board of India), and penalties substantial enough to create a real compliance incentive.
Most Indian businesses are not ready. A 2025 survey of Indian SMEs found that fewer than 15% had reviewed their data collection practices in preparation for the DPDP Act. That number needs to change significantly before 2027.
Source: Digital Personal Data Protection Act, 2023; IT Act 2000 Amendment Rules 2011
The compliance timeline — what needs to happen and when
The DPDP Act is in force. The government is finalising the rules that will specify operational details — breach notification timelines, data retention periods, the list of countries approved for data transfer, and the criteria for Significant Data Fiduciary classification. These rules are expected in 2026. Once the rules are notified, the Data Protection Board will be constituted and enforcement will begin. Businesses that wait for the rules to be finalised before starting compliance work are making a mistake — the core obligations are clear from the Act itself and the rules will add operational specificity, not change the fundamental direction.
Recommended timeline: complete your data audit by Q3 2026. Have consent mechanisms updated and privacy policy revised by Q4 2026. Have your data subject request process operational and breach notification workflow documented by Q1 2027. If you are likely to be a Significant Data Fiduciary, begin your Data Protection Impact Assessment in parallel.
The five compliance actions every Indian business must take
1. Data audit. Map every category of personal data you collect, why you collect it, where it is stored, who has access, what you share with third parties, and how long you retain it. This is the foundation of all compliance work.
2. Consent mechanisms. Every data collection touchpoint — signup forms, checkout flows, contact forms, cookies, app permissions — needs a lawful basis. For most consumer businesses this means explicit, informed, freely given consent with the ability to withdraw. Audit every touchpoint and update accordingly.
3. Privacy policy update. Your privacy policy must be updated to reflect DPDP Act language — what data you collect, the purpose, the legal basis, data subject rights, how to make a request, and your breach notification process. Plain language is required; legalese that obscures your practices will not satisfy the consent requirements.
4. Data subject request process. Build a mechanism for individuals to submit access, correction, and erasure requests. Define who in your organisation handles these requests, what your response timeline will be, and how you verify the identity of the requestor.
5. Breach notification workflow. When a personal data breach occurs, you will be required to notify the Data Protection Board and, in serious cases, the affected individuals. Build the workflow now: who decides it is a notifiable breach, who drafts the notification, who submits it, what the required content is.
The security foundation compliance requires
Compliance is not just paperwork. The DPDP Act requires appropriate technical and organisational security measures to protect personal data. That means vulnerability management on your systems, access controls, encryption of personal data at rest and in transit, and the ability to detect and respond to breaches. If you cannot detect a breach, you cannot notify anyone of one, and notification failures carry their own penalties. Security posture management and compliance automation need to work together. Organisations that treat them as separate programmes will find the overhead unsustainable.
How Monarc helps Indian businesses hit the 2027 deadline
Monarc brings security posture management and compliance automation together in a single platform. For Indian businesses, that means continuous vulnerability scanning on your web assets, compliance workflow tracking against DPDP Act requirements, and an audit-ready posture you can demonstrate to regulators. India pricing starts at ₹2,499 per month. Launching Q1 2027 — join the waitlist for early access.
Start your DPDP Act compliance preparation today.