Why DPDP Readiness Is Now an Operational Priority

Most Indian businesses hold far more personal data than they realise. Customer names, phone numbers, and email addresses in a CRM. Vendor contact details in accounting software. Employee bank account numbers, PAN and Aadhaar copies, biometric attendance logs, performance reviews, and medical certificates in HR systems. Visitor details from a website contact form. WhatsApp Business chats with leads. None of this felt "regulated" for most of the last two decades — it was simply how business was done.

That assumption is no longer safe. The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023, but it remained largely dormant — a law on the books without an operational framework — until the Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025. That notification did three things at once: it activated the Data Protection Board of India as a functioning regulator, it started an eighteen-month clock toward full compliance, and it converted a piece of legislation that businesses could reasonably defer into a live operational obligation with a hard deadline.

As of mid-2026, that clock has been running for roughly seven months. The Data Protection Board is operational, with its headquarters in the National Capital Region. The institutional and administrative provisions of the Rules — Board governance, penalty framework activation, foundational definitions — came into force immediately upon notification. The next major milestone, the rollout of the Consent Manager ecosystem that will let individuals manage their consent across multiple digital services through interoperable platforms, is expected to be operationalised in the middle of 2026 — which is to say, around now. The eighteen-month runway ends on 13 May 2027, by which point consent architecture, privacy notices, data principal rights mechanisms, breach-reporting protocols, and data retention and erasure systems are all expected to be fully operational.

⚠ DPDP Applies to You If…

Your business has a website with a contact or enquiry form, a CRM or billing system with customer details, an HR or payroll system, a vendor database, or even a WhatsApp Business account used for customer communication — you are very likely a "Data Fiduciary" under the DPDP Act. The Act applies to the processing of digital personal data within India, and to processing outside India where it is connected with offering goods or services to individuals in India. Size does not exempt a business from the baseline obligations under Section 8 of the Act. Only the additional, heightened obligations that apply to "Significant Data Fiduciaries" are scaled by volume, sensitivity, and risk — and even then, the Central Government decides who qualifies, not the business itself.

"DPDP readiness" is sometimes treated as a checkbox exercise — update the website's privacy policy, add a cookie banner, and move on. That approach misunderstands what the law requires. The DPDP Act and Rules touch nearly every function in a business: how marketing collects and uses customer data, how HR collects and stores employee data, how IT secures systems and logs access, how procurement contracts with vendors who process data on the business's behalf, and how the business responds when something goes wrong. Genuine readiness means treating personal data as a regulated asset across the organisation — in the same way GST compliance, labour law compliance, or company law compliance are treated — rather than as a one-time documentation project.

The DPDP Act and DPDP Rules — What They Actually Require

To understand what "readiness" means in practice, it helps to understand how the framework is structured. The Digital Personal Data Protection Act, 2023 sets out the legal principles, rights, and obligations — who must do what, and what rights individuals have. The Digital Personal Data Protection Rules, 2025, notified via Gazette notification G.S.R. 846(E), operationalise those principles — they specify the forms, timelines, schedules, and procedures through which the Act's obligations are actually discharged. Reading the Act alone, without the Rules, gives an incomplete picture of what compliance actually involves.

The Key Actors

The framework defines a small number of roles that determine who carries which obligations. The Data Principal is the individual to whom the personal data relates — your customer, your employee, your website visitor. The Data Fiduciary is the entity that determines the purpose and means of processing personal data — in almost every case, this is your business. The Data Processor is any entity that processes personal data on behalf of a Data Fiduciary — your payroll vendor, your cloud hosting provider, your email marketing platform, your IT support contractor. A Consent Manager is a registered intermediary through which a Data Principal can give, manage, review, or withdraw consent across services. And the Data Protection Board of India is the regulator empowered to investigate complaints, conduct inquiries with the powers of a civil court, and impose penalties.

Two Lawful Grounds for Processing

A common misconception is that every instance of collecting or using personal data requires a consent pop-up. That is not how the Act is structured. Section 6 sets out the standard for valid consent — it must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action, and it must be as easy to withdraw as it was to give. But Section 7 separately lists categories of "legitimate uses" for which personal data may be processed without consent — including compliance with court orders or legal obligations, responding to medical emergencies, processing by the State for specified public functions, and, importantly for most employers, processing for purposes related to employment. This distinction matters enormously in practice: a business does not need to obtain fresh consent from every employee to run payroll, but it does need a documented basis for every category of data it processes, whether that basis is consent or one of the recognised legitimate uses.

Section 8 — The Eleven Baseline Duties

Section 8 of the Act sets out the obligations that apply to every Data Fiduciary, regardless of size, sector, or how much personal data is processed. This is the irreducible floor — other provisions, such as Section 9 (children's data) and Section 10 (Significant Data Fiduciaries), add further obligations on top of it, but nothing reduces below it. The most operationally significant of these eleven duties include: implementing appropriate technical and organisational measures to ensure compliance; ensuring the completeness, accuracy, and consistency of personal data where it is likely to be used to make a decision affecting the Data Principal, or where it is likely to be shared with another Data Fiduciary; implementing reasonable security safeguards to prevent personal data breaches; notifying the Board and affected Data Principals in the event of a breach; erasing personal data once the purpose for which it was collected is no longer being served (unless retention is required by law); and ensuring that contracts with Data Processors include provisions requiring those processors to implement adequate security safeguards.

Section 8 Is the Floor, Not the Ceiling

Critically, Section 8(1) makes clear that the Data Fiduciary remains responsible for compliance with the Act in respect of any processing undertaken by it or on its behalf by a Data Processor — even where the actual failure originates with the vendor. This responsibility is non-delegable. A business cannot outsource its way out of DPDP liability by pointing to a third-party vendor's failure; it can only manage that risk through careful vendor selection, contractual safeguards, and ongoing oversight.

The Compliance Clock — What's In Force, What's Coming

One of the most important things for a business owner to understand is that the DPDP framework did not arrive all at once, and it is not going to be enforced all at once either. The Central Government has adopted a deliberate, phased approach — and where your business sits on that timeline determines how urgently different parts of this guide apply to you.

1. Institutional Setup: already in force (13 November 2025)

The Data Protection Board of India is formally established and operational, with its headquarters in the National Capital Region. The penalty framework is activated, and the foundational definitions and administrative provisions of the Rules are effective immediately. The regulator now exists — complaint mechanisms are live, and the institutional machinery for enforcement is in place.

2. Consent Manager Ecosystem: activating now (12 months, by November 2026)

Provisions governing the registration of Consent Managers come into force one year after notification. Only India-incorporated entities meeting a minimum net worth threshold (₹2 crore) can register as Consent Managers. Between June and August 2026, the government is expected to operationalise interoperable consent-management platforms — meaning the infrastructure that many businesses will eventually need to integrate with is being built right now.

3. Full Substantive Compliance (18 months, 13 May 2027)

This is the hard deadline. By this date, every Data Fiduciary is expected to have operational consent-capture architecture, itemised privacy notices, functioning data principal rights mechanisms, breach-detection and 72-hour reporting capability, retention and erasure systems aligned to the prescribed schedules, and DPDP-compliant contracts with every Data Processor. The penalty framework, already active, applies in full from this point.

Where does that leave a business reading this in June 2026? Roughly halfway through the runway, but at a critical inflection point. November 2026 — marking one year since the Rules were notified — is widely expected to be the point at which the initial "soft enforcement" phase ends and regulatory attention shifts from institution-building to active oversight of how businesses are actually implementing the framework. The six-month window before the May 2027 deadline is likely to be the busiest and most expensive period for compliance consultants, auditors, and legal advisors, simply because most businesses will be starting — or scrambling — at the same time. Businesses that begin building their readiness infrastructure now, while there is still meaningful runway, will do so at a fraction of the cost, time pressure, and risk of those that wait.

At the heart of the DPDP framework is a simple idea: individuals should know what personal data is being collected about them, why, and should have meaningful control over it. The Rules translate this into specific operational requirements around notices, consent, and a defined set of rights.

The Notice Requirement

Wherever personal data is collected on the basis of consent, the Data Fiduciary must provide a notice, in clear and plain language and independent of any other information, that itemises the personal data being collected, the specific purpose for which it is being processed, the manner in which the Data Principal can exercise their rights, and how to lodge a complaint with the Data Protection Board. This notice cannot be buried inside a lengthy terms-of-service document written in dense legal language; it must be understandable on its own, and the Data Principal must be able to access it in English or in any language listed in the Eighth Schedule to the Constitution (Section 5(3)).

What Data Principals Can Demand

The Act grants individuals a defined set of enforceable rights: the right to obtain a summary of the personal data being processed and the processing activities undertaken; the right to correction, completion, and updating of their personal data; the right to erasure of personal data that is no longer necessary for the purpose for which it was collected; the right to grievance redressal, in the first instance with the Data Fiduciary itself, and thereafter with the Board; and the right to nominate another individual to exercise these rights on their behalf in the event of death or incapacity. These are not abstract entitlements — under the Rules, a Data Fiduciary must publish the contact details of a designated person responsible for handling such requests, and must respond within prescribed timelines.

❌ The Bundled Consent Checkbox

"By creating an account, you agree to our Terms of Service and Privacy Policy, and consent to receive promotional communications, share your data with our partners, and allow analytics tracking." A single checkbox covering account creation, marketing, third-party sharing, and analytics — all bundled together, with no way to agree to one without the others. This is precisely the pattern Section 6 is designed to prohibit: consent must be specific to each purpose, and access to a core service cannot be made conditional on consenting to processing unrelated to that service.

✓ Itemised, Purpose-Specific Consent

An onboarding flow that separates "create my account" (necessary, no consent toggle required) from clearly labelled, independently togglable options for "send me product updates," "share my contact details with our delivery partner," and "use my browsing data for personalised recommendations" — each accompanied by a short, plain-language explanation of what it means. Every toggle interaction is logged with a timestamp, and withdrawing consent for any one purpose is exactly as easy as granting it was.

Consent Records Are Evidence, Not Just UI

Where a question arises in any proceeding about whether valid consent was obtained, the burden falls on the Data Fiduciary to prove that the required notice was given and that consent was obtained in accordance with the Act and Rules. In practice, this means that how your consent flows are logged — timestamps, the exact text of the notice shown, the specific toggle states — is not a cosmetic detail. It is the evidentiary record your business will need to produce if a complaint is ever made.
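The following is an added illustration of that evidentiary record, not code from the original guide or from LexWin: a small append-only, hash-chained consent ledger in Python. Each toggle interaction is stored as an event carrying the principal, the purpose, the toggle state, the version and digest of the exact notice text shown, a UTC timestamp and the channel; each event also carries the hash of the previous one, so an edited, dropped or reordered entry is detectable when the chain is re-verified. Withdrawal is the same single call as granting. The purpose names, notice versions and the sample onboarding flow in `demo_flow()` are constructed assumptions.

```python
"""Append-only, hash-chained consent ledger (added example, not the page's own code)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Itemised purposes that need their own toggle. Account creation is necessary
# for the service and deliberately has no toggle. (Assumed purpose names.)
PURPOSES = frozenset({"product_updates", "share_with_delivery_partner",
                      "personalised_recommendations"})
GENESIS = "0" * 64  # prev_hash of the very first event


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    notice_version: str    # which notice text was on screen at the time
    notice_sha256: str     # digest of that notice text
    recorded_at: str       # ISO-8601 UTC timestamp
    channel: str           # where the toggle was used, e.g. "web-onboarding"
    prev_hash: str         # entry_hash of the previous event (chain link)
    entry_hash: str        # SHA-256 over all fields above, in canonical JSON


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._notices: dict[str, str] = {}   # version -> full notice text

    def register_notice(self, version: str, text: str) -> str:
        """Keep the full notice text so it can be reproduced in a proceeding."""
        self._notices[version] = text
        return _sha256(text)

    def record(self, principal_id, purpose, granted, notice_version, channel, when=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if notice_version not in self._notices:
            raise ValueError("register the notice text before recording consent against it")
        when = when or datetime.now(timezone.utc)
        fields = {
            "principal_id": principal_id, "purpose": purpose, "granted": granted,
            "notice_version": notice_version,
            "notice_sha256": _sha256(self._notices[notice_version]),
            "recorded_at": when.isoformat(), "channel": channel,
            "prev_hash": self._events[-1].entry_hash if self._events else GENESIS,
        }
        event = ConsentEvent(**fields, entry_hash=_sha256(json.dumps(fields, sort_keys=True)))
        self._events.append(event)
        return event

    # Granting and withdrawing are the same one-step operation.
    def grant(self, principal_id, purpose, notice_version, channel, when=None):
        return self.record(principal_id, purpose, True, notice_version, channel, when)

    def withdraw(self, principal_id, purpose, notice_version, channel, when=None):
        return self.record(principal_id, purpose, False, notice_version, channel, when)

    def current_state(self, principal_id: str) -> dict:
        """Latest toggle state per purpose; purposes never touched are absent."""
        state = {}
        for e in self._events:
            if e.principal_id == principal_id:
                state[e.purpose] = e.granted
        return state

    def evidence(self, principal_id: str, purpose: str) -> list:
        """What you would hand over: every event for the purpose plus the notice text shown."""
        out = []
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose:
                d = asdict(e)
                d["notice_text"] = self._notices[e.notice_version]
                out.append(d)
        return out

    def verify(self) -> bool:
        """Recompute the chain; any altered, removed or reordered entry breaks it."""
        prev = GENESIS
        for e in self._events:
            fields = asdict(e)
            stored = fields.pop("entry_hash")
            if fields["prev_hash"] != prev or _sha256(json.dumps(fields, sort_keys=True)) != stored:
                return False
            prev = stored
        return True


def demo_flow() -> ConsentLedger:
    """Constructed onboarding flow for one principal (assumption, not real data)."""
    ledger = ConsentLedger()
    ledger.register_notice("v1", "We will email you product updates. You can switch this off "
                                 "at any time under Account settings.")
    ledger.register_notice("v2", "We will share your name and address with our delivery partner "
                                 "only to deliver your order.")
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("dp-1001", "product_updates", "v1", "web-onboarding", t0)
    ledger.grant("dp-1001", "share_with_delivery_partner", "v2", "web-onboarding", t0)
    ledger.withdraw("dp-1001", "product_updates", "v1", "account-settings",
                    datetime(2026, 6, 3, 18, 30, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    led = demo_flow()
    print(json.dumps(led.evidence("dp-1001", "product_updates"), indent=2))
    print("chain intact:", led.verify())
```

In production the chain head would be anchored somewhere the application cannot rewrite (a write-once log store or a periodically signed checkpoint); the hash chain alone only proves that nothing changed since the last anchor you trust.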

Eight Building Blocks of a DPDP-Ready Organisation

Stripped of legal language, DPDP readiness comes down to eight interlocking pieces of infrastructure. Most businesses already have fragments of several of these — a privacy policy here, an IT security checklist there — but rarely have they been built as a coherent system aligned to the Act and Rules. These are the building blocks that, taken together, constitute genuine readiness.

1. Data Mapping & Inventory (Foundational)

A current record of what personal data your business collects, where it is stored, who has access to it, which systems and vendors touch it, and why it is collected in the first place. Without this, every other building block is guesswork.

2. Lawful Basis Assessment (Foundational)

For every category of personal data and every processing activity identified in your data map, a documented determination of whether it rests on consent under Section 6 or a recognised legitimate use under Section 7, together with the reasoning behind that determination.

3. Notices & Consent Architecture (High Priority)

Itemised, plain-language notices and consent-capture mechanisms across every touchpoint (website forms, mobile apps, customer onboarding, employee onboarding), with logged, timestamped, and independently withdrawable consent for each distinct purpose.

4. Data Principal Rights Mechanism (Often Overlooked)

A documented process, with a named owner, for handling requests for access, correction, and erasure of personal data, including defined response timelines and a published point of contact, as required under the Rules.

5. Vendor & Processor Contracts (High Priority)

Every contract with a third party that processes personal data on your behalf (payroll providers, cloud hosts, marketing platforms, IT support, recruitment agencies) updated to include the security safeguard provisions required by the Rules. Remember: Section 8(1) liability does not pass to your vendor.

6. Security Safeguards (High Priority)

Encryption of sensitive personal data, role-based access controls, monitoring and logging of access to personal data with logs retained for at least one year as the Rules require (longer where another law demands it), regular backups, and a documented basis for why these measures are "reasonable" for your business's risk profile.

7. Breach Response Plan (High Priority)

A documented, rehearsed incident response playbook aligned to the dual-notification obligation under the Rules: immediate intimation to the Board and affected individuals, followed by a detailed report within 72 hours of becoming aware of the breach.

8. Retention & Erasure Policy (Often Overlooked)

Purpose-based retention schedules for every category of personal data, reconciled with minimum retention periods imposed by other laws (tax, labour, company law), with documented deletion or anonymisation workflows and, where applicable, the 48-hour pre-erasure notice to the individual.

Employee Data — The Blind Spot Most Businesses Have

When businesses think about "data protection," they tend to think first about customer data — CRMs, websites, e-commerce checkouts. Employee data is frequently overlooked, despite being among the most sensitive personal data any organisation holds: government-issued identification (Aadhaar, PAN, passport), bank account details, salary and compensation history, biometric attendance records, health and medical information, performance appraisals, disciplinary records, and background verification reports.

The good news is that employment is explicitly recognised as a "legitimate use" under Section 7 — a business does not need to obtain fresh consent from each employee simply to run payroll, administer statutory benefits like PF, ESI, and TDS, or carry out core HR administration. This is a meaningful relief, and mirrors the position under comparable frameworks like the EU's GDPR, where employee consent is generally treated as inherently problematic given the power imbalance in an employment relationship.

The relief, however, is narrower than many employers assume. The employment legitimate use covers processing genuinely necessary for the employment relationship and related statutory compliance. It does not automatically extend to using employee photographs in external marketing material, sharing employee contact details with a third-party vendor for purposes unrelated to employment, or deploying biometric or monitoring technology for purposes beyond what was disclosed when it was introduced. For anything outside the defined employment purpose, purpose-specific consent — or another recognised legitimate use — is required.

❌ The Biometric Add-On Nobody Noticed

A company installs a biometric attendance system for time and attendance tracking — a legitimate, well-established HR function. The vendor's platform includes a "workforce analytics" module that profiles employee movement patterns and flags "low engagement" individuals, enabled by default during setup. No notice was given to employees about this additional processing, no assessment was made of whether it falls within the employment legitimate use or requires separate consent, and the data is processed on the vendor's cloud servers under a contract that predates the DPDP Rules and contains no security safeguard provisions.

✓ The Same System, Configured Correctly

The workforce analytics module is disabled by default. Before any decision is made to enable it, HR and legal jointly assess whether the additional processing falls within employment-related legitimate use or requires a separate, purpose-specific notice and consent from employees. The vendor contract is reviewed and updated to include DPDP-compliant security safeguard clauses before the system goes live. Employees are told, in plain language, exactly what the system does and does not do.

Retention of HR records is another area where two sets of obligations must be reconciled rather than treated separately. The DPDP Act requires erasure of personal data once the purpose for which it was collected is no longer being served — for example, once an employee exits and the employment relationship ends. But other laws — the Income Tax Act, EPF and ESI regulations, the Companies Act — often impose their own minimum retention periods for payroll records, statutory filings, and related documentation. A DPDP-compliant retention policy does not pick one framework over the other; it identifies, for each category of HR data, the longest applicable retention floor across all relevant laws, and builds deletion or anonymisation workflows that trigger once that floor is reached and the original purpose has lapsed.
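As an added worked example (not code from the original guide or from LexWin), the following Python implements the reconciliation just described, and also the retention and erasure building block above: for each HR record it takes the date the original purpose lapses, adds every statutory floor that applies, keeps the record until the latest of those dates, and schedules the 48-hour pre-erasure notice required by the Rules. The law names, retention periods, record categories and the exited employee in `sample_records()` are constructed placeholders, not real statutory periods; look up the actual periods for each of your filings before relying on the output.

```python
"""Retention reconciliation for HR records (added example, not the page's own code)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Floor:
    """A minimum retention period imposed by another law (placeholder values)."""
    law: str          # label of the obligation, e.g. "tax records (assumed 8y from FY end)"
    runs_from: date   # the date the statutory period starts counting
    years: int


@dataclass(frozen=True)
class HrRecord:
    record_id: str
    category: str
    employee_id: str
    purpose_ends: date         # when the original purpose lapses (usually the exit date)
    floors: tuple = ()         # zero or more Floor instances
    disposal: str = "delete"   # or "anonymise" where aggregate statistics must survive


# The Rules require the individual to be told at least 48 hours before erasure.
NOTICE_LEAD = timedelta(hours=48)


def add_years(d: date, years: int) -> date:
    """Calendar addition; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def erasure_date(rec: HrRecord) -> tuple:
    """Latest of purpose end and every statutory floor, and which of them controls."""
    candidates = [(rec.purpose_ends, "purpose lapsed")]
    candidates += [(add_years(f.runs_from, f.years), f.law) for f in rec.floors]
    return max(candidates, key=lambda c: c[0])  # ties keep "purpose lapsed"


def plan(records, today) -> list:
    """One action per record for the given day (today may be a date or ISO string).

    Assumes the 48-hour notice is actually sent on notify_on; track that separately.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    out = []
    for rec in records:
        erase_on, controlled_by = erasure_date(rec)
        notify_on = erase_on - NOTICE_LEAD
        if today >= erase_on:
            action = rec.disposal        # floor reached and purpose lapsed
        elif today >= notify_on:
            action = "send_48h_notice"
        else:
            action = "retain"
        out.append({
            "record_id": rec.record_id, "category": rec.category,
            "employee_id": rec.employee_id, "action": action,
            "notify_on": notify_on.isoformat(), "erase_on": erase_on.isoformat(),
            "controlled_by": controlled_by,
        })
    return out


def sample_records() -> list:
    """Constructed records for one employee who exited on 31 March 2026 (assumption)."""
    exit_day = date(2026, 3, 31)
    fy_end = date(2026, 3, 31)   # end of the financial year of the last salary payment
    return [
        HrRecord("R-1", "payroll_register", "E-42", exit_day, (
            Floor("tax records (placeholder: 8 years from FY end)", fy_end, 8),
            Floor("provident-fund records (placeholder: 5 years from FY end)", fy_end, 5),
        )),
        # Appraisal data serves no statutory purpose after exit: erase at exit.
        HrRecord("R-2", "performance_review", "E-42", exit_day),
        # Attendance log kept until a final wage reconciliation closes (assumed date).
        HrRecord("R-3", "biometric_attendance_log", "E-42", date(2026, 6, 16)),
        # Pay-band analytics keep the numbers but not the person.
        HrRecord("R-4", "compensation_history", "E-42", exit_day, disposal="anonymise"),
    ]


if __name__ == "__main__":
    for row in plan(sample_records(), "2026-06-15"):
        print(row)
```

Run daily, `plan()` turns the policy into a work queue: "retain" rows need nothing, "send_48h_notice" rows trigger the individual's notice, and "delete" or "anonymise" rows go to the workflow that actually disposes of the data. The `controlled_by` field records why a record is still held, which is the justification you will need if a former employee asks why it was not erased at exit.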

This Connects to Your Existing HR Policy Framework

Every HR policy framework now needs DPDP-aligned data privacy provisions woven through it — covering recruitment, onboarding, performance management, monitoring, and exit — rather than relying on a standalone privacy policy that sits separately from the documents employees and managers actually use day to day. Read our guide to legally drafted HR policies →

The 72-Hour Breach Notification Clock

Few provisions of the Rules carry as much operational consequence as the breach notification timeline. A "personal data breach" is defined broadly — any unauthorised processing, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises confidentiality, integrity, or availability. The threshold for the obligation to apply is low: any unauthorised access or disclosure triggers it, regardless of how many individuals are affected.

1. The Clock Starts on Awareness, Not Occurrence

The 72-hour window begins when your organisation becomes aware of the breach, not when the breach actually occurred. A breach that happened weeks earlier but was only discovered today starts the clock today. Late discovery does not buy extra time: a weeks-old incident still has to be reconstructed, assessed and reported within the same 72 hours, which is why detection capability matters as much as response capability.

2. Immediate Intimation: "Without Delay"

The Data Fiduciary has a dual notification obligation: an initial description of the breach must go to the Data Protection Board and to affected Data Principals without delay, well before the 72-hour mark. This initial notification need not be exhaustive, but it must happen quickly.

3. The Detailed Report: Within 72 Hours

A comprehensive follow-up report must be submitted within 72 hours of becoming aware of the breach, unless the Board grants a longer period on a written request made before that window lapses. The report must cover the broad facts and circumstances leading to the breach, an assessment of its impact, mitigation measures taken or proposed, findings regarding who or what caused it, steps to prevent recurrence, and a summary of the notifications already sent to affected Data Principals.

4. Notification Content for Affected Individuals

Notices to Data Principals must be in plain language and describe the nature of the breach, what personal data was affected, the protective measures the individual can take, and the Data Fiduciary's contact details for further queries, not a generic "we take your privacy seriously" statement.

5. The Logs That Make All of This Possible

None of the above is achievable in 72 hours without pre-existing infrastructure: access logs, monitoring systems, and incident records retained for at least one year, as the Rules require. A business attempting to reconstruct what happened, who accessed what, and when, after the fact and with no logs, cannot meet this timeline.

⚠ Two Separate Penalty Exposures From One Incident

A single security incident can trigger two distinct penalty provisions. Failure to implement reasonable security safeguards in the first place — the underlying cause of most breaches — can attract a penalty of up to ₹250 crore under Section 8(5). Separately, failure to notify the Board and affected Data Principals as required can attract a further penalty of up to ₹200 crore under Section 8(6). A business that was both unprepared and slow to respond faces both exposures from the same event.

Significant Data Fiduciaries — Do You Qualify?

The Act creates a second, heightened tier of obligations for entities designated as Significant Data Fiduciaries (SDFs). This designation is not self-assessed in the way a business might decide it is "small" or "large" for other regulatory purposes — under Section 10(1), the Central Government notifies which Data Fiduciaries or classes of Data Fiduciaries qualify, based on an assessment of factors including the volume and sensitivity of personal data processed, the risk of harm to Data Principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order.

It is worth being deliberate about this: SDF status is not solely a function of company size. A relatively modest fintech, health-tech, or e-commerce platform processing sensitive categories of data — financial information, health records, biometric data — at meaningful scale may attract SDF designation well before a larger but lower-risk traditional business does. Businesses in these sectors should not assume SDF obligations are someone else's problem without an actual assessment.

| Obligation | Ordinary Data Fiduciary | Significant Data Fiduciary |
|---|---|---|
| Baseline duties (Section 8) | Applies in full | Applies in full, plus the obligations below |
| Data Protection Officer | Not mandatory, but a designated grievance contact must still be published | Mandatory; must be based in India, report to the Board of Directors, and act as the point of contact for grievance redressal |
| Independent Data Audit | Not mandatory | Must appoint an independent data auditor to evaluate compliance with the Act |
| Data Protection Impact Assessment | Not mandatory | Periodic DPIAs required, with significant observations shared with the Board |
| Algorithmic Due Diligence | Not specified | Required under Rule 13 where algorithmic systems are used in processing |
| Data Localisation | Subject only to the general Section 16 power of the Central Government to restrict transfers to notified countries | Certain categories of personal data may additionally be restricted from processing outside India under Rule 13 |
Don't Wait for a Notification to Find Out

Because SDF designation depends on risk factors that the Board assesses rather than ones a business declares, the practical step is to conduct your own honest assessment now — particularly if your business handles financial data, health data, biometric data, or large volumes of customer data — so that the additional infrastructure (DPO appointment, audit arrangements, DPIA processes) is not something you are building from zero after a notification arrives with a compliance deadline attached.

What Happens When DPDP Readiness Is Tested

The cost of inadequate DPDP readiness rarely announces itself in advance. It surfaces in moments — a complaint, an incident, a routine request — that a prepared organisation handles as a non-event, and an unprepared one experiences as a crisis. The following scenarios are representative of the kinds of situations Indian businesses are increasingly likely to face.

The Marketing List That Wasn't Really Consented

A business has spent years building a customer contact database from billing records, event registration sheets, business card scans at trade shows, and a list purchased from a third-party data broker. Marketing runs regular WhatsApp and email campaigns to this list. A recipient files a complaint with the Data Protection Board, asking on what basis their contact details are being used for marketing they never agreed to. The business is asked to demonstrate that valid, itemised consent was obtained for marketing communications — and discovers it has no records that meet that standard for the vast majority of its list, because the data was never collected with marketing consent in mind, let alone itemised consent logged against this specific purpose.

The Vendor Laptop That Went Missing

An outsourced payroll provider's employee loses a laptop containing unencrypted payroll exports for a client's entire 80-person workforce — names, bank account details, salary figures, PAN numbers. The contract between the client business and the payroll vendor predates the DPDP Rules and contains no provisions requiring the vendor to implement security safeguards. Under Section 8(1), the client — not the vendor — remains primarily responsible for compliance. The client has no incident response plan, no one designated to assess whether this constitutes a reportable breach, and no familiarity with the 72-hour reporting requirement. By the time the client's leadership understands what has happened and what is required, days have passed.

The Former Employee Who Asked a Reasonable Question

A former employee, several months after leaving, emails HR asking what personal data the company still holds about them, how it has been used since their departure, and requests that certain records — particularly performance review data unrelated to any ongoing statutory obligation — be deleted. No one in the organisation is designated to handle this kind of request. It is forwarded between HR, IT, and legal, with no defined timeline, and eventually goes unanswered for several weeks. The former employee, increasingly frustrated, raises the matter with the Data Protection Board — which now has an independent basis to make enquiries of the organisation, well beyond the scope of the original request.

What These Scenarios Have in Common

None of these situations involve a business acting in bad faith. In each case, the gap is not intent but infrastructure: a data inventory that would have flagged the marketing list's missing consent basis, a vendor contract clause that would have set out security expectations before the laptop went missing, and a documented rights-request process that would have turned a routine email into a routine response. Each of these is inexpensive to build proactively, and disproportionately expensive to build for the first time under regulatory pressure.

What Non-Compliance Actually Costs

The Schedule to the DPDP Act sets out the maximum monetary penalties the Data Protection Board can impose for specific categories of non-compliance. These figures are ceilings, not fixed amounts — the Board considers factors including the nature and gravity of the breach, the number of individuals affected, the Data Fiduciary's history of compliance, and the remediation measures taken when determining the actual penalty in any given case. Even so, the ceilings establish the scale of exposure a business is operating against.

| Contravention | Maximum Penalty | Statutory Basis |
|---|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore | Section 8(5) |
| Failure to notify the Board or affected Data Principals of a breach | ₹200 crore | Section 8(6) |
| Non-compliance with special provisions for children's data | ₹200 crore | Section 9 |
| Failure to fulfil additional Significant Data Fiduciary obligations | ₹150 crore | Section 10 |
| Breach of a voluntary undertaking accepted by the Board | Up to the penalty applicable to the original contravention | Section 32 |
| Failure by a Data Principal to observe their own duties | ₹10,000 | Section 15 |
| Any other contravention of the Act or the Rules | ₹50 crore | Schedule (residual entry) |

For context, the European Union's General Data Protection Regulation caps penalties at the higher of €20 million or 4% of global annual turnover. The DPDP Act's ₹250 crore ceiling — roughly comparable in absolute terms — represents one of the highest absolute penalty ceilings in any major data protection framework globally, without the turnover-based cap that, for very large multinational organisations, can sometimes exceed a fixed ceiling. For a typical Indian small or mid-sized business, however, the practical point is simpler: these are not parking-fine numbers, and a single security incident can plausibly engage more than one of these provisions at once.

How LexWin Approaches DPDP Readiness

At LexWin, DPDP readiness is approached as a structured legal and operational engagement — not a one-off privacy policy update. Because the Act and Rules touch HR, marketing, IT, procurement, and customer-facing functions simultaneously, the work is necessarily cross-functional, but it follows a consistent, sequential process.

1. Data Mapping & Diagnostic

We work with you to identify every category of personal data your business collects — customer, employee, vendor — where it is stored, which systems and third parties touch it, and for what purpose. This map becomes the foundation for everything that follows, and for most businesses, it is also the step that surfaces the most surprises.

2. Gap Analysis Against the Act & Rules

Against the data map, we assess your existing notices, consent flows, vendor contracts, security practices, and retention practices for alignment with Sections 6 through 10 of the Act and Rules 6 through 13. This typically reveals a mix of missing lawful-basis documentation, bundled or non-itemised consent, outdated vendor contracts, and retention practices with no defined endpoint.

3. Drafting — Notices, Policies, and Contracts

We draft itemised privacy notices and consent flows, an internal data protection policy, DPDP-compliant clauses for your Data Processor contracts, and — where employee data is involved — integrate data privacy provisions directly into your HR policy framework rather than treating it as a separate document.

4. Breach Response & Rights-Request Playbooks

We build documented, role-assigned procedures for two scenarios every business will eventually face: a personal data breach that must be assessed and, where required, reported within the 72-hour window, and a data principal rights request that must be acknowledged and resolved within defined timelines.

5. Training & Annual Review

Policies and playbooks are only effective if the people executing them understand why they exist and how to follow them. We provide training for HR, IT, and customer-facing teams, and offer annual reviews — particularly important given how actively the Consent Manager ecosystem, SDF notifications, and enforcement practice are expected to evolve through 2026 and into 2027.

Who Needs This — and When

DPDP readiness is not a one-size-fits-all exercise, and the priority areas differ depending on the nature of your business. The table below is a starting point for thinking about where your organisation should focus first.

| Business Profile | Primary Risk Areas | Where to Start |
| --- | --- | --- |
| Startups & SMBs with digital customer touchpoints | Customer data collected via website, app, or CRM with no itemised consent records | Data mapping, lawful basis assessment, consent architecture for web and app forms |
| Any business with 10+ employees | Sensitive HR data (biometric, financial, health) managed without DPDP-aligned policy | Employee data policy integrated into HR framework; vendor contracts for payroll/HRMS |
| E-commerce, fintech, health-tech | High volume / high sensitivity data — possible Significant Data Fiduciary designation | SDF readiness assessment, DPIA framework, DPO appointment planning |
| Foreign companies with India operations or customers | Extraterritorial application of the Act is frequently overlooked | India-specific privacy notices, local grievance contact, data localisation review |
| Businesses heavily reliant on outsourced functions | Non-delegable Section 8(1) liability for vendor and processor failures | DPDP-compliant processor contracts; risk-tiering of vendors by data sensitivity |

DPDP Readiness Checklist — 10 Questions to Ask Right Now

Before commissioning a full readiness programme, run this quick diagnostic against your current practices. If you answer "no" or "unsure" to more than three of these, your business carries meaningful and growing regulatory exposure as the May 2027 deadline approaches.

How LexWin Can Help

LexWin provides end-to-end DPDP readiness services — from initial data mapping and gap analysis through to drafting consent architecture, privacy notices, vendor contract clauses, breach response playbooks, and employee data policies integrated into your broader HR framework. We work with Indian businesses across the readiness spectrum, from organisations starting from a blank slate to those assessing whether they may face Significant Data Fiduciary obligations, and with Indian subsidiaries of foreign companies navigating India's data protection framework for the first time.

Tags

DPDP Act, DPDP Rules 2025, Data Protection India, Data Privacy Compliance, Data Fiduciary, Employee Data Privacy, HR Compliance, LexWin