India’s DPDP Act 2023, implemented end-to-end.
Most Indian companies will need to comply with the Digital Personal Data Protection Act 2023 once its provisions and the accompanying Rules are notified. We help you implement consent architecture, grievance redressal, DPIAs, breach notification readiness, and controls that reuse the GDPR/CCPA evidence you already have.
The DPDP Act 2023 is India's comprehensive personal data protection law. It introduces consent as the primary ground for processing, purpose limitation, a mandatory grievance redressal mechanism, breach notification to the Data Protection Board of India and affected data principals, and significant penalties (up to ₹250 crore per contravention). We implement the management and technical program to make you compliant before enforcement begins.
- ·DPDP gap assessment against the Act + draft Rules
- ·Consent architecture design (granular consent, withdrawal, audit log)
- ·Data Inventory + Record of Processing Activities (RoPA)
- ·Data Protection Impact Assessment (DPIA) for high-risk processing
- ·Grievance Officer setup + grievance handling SOP (DPDP §8(10) mechanism, §13 right of grievance redressal, §8(9) published contact)
- ·Breach notification runbook (to the Data Protection Board of India and each affected data principal, within the timelines the Rules set)
- ·Vendor / sub-processor governance (DPDP §8(2))
- ·Children's data handling controls (DPDP §9)
- ·Cross-border transfer controls (DPDP §16: transfers are permitted except to countries or territories the Central Government notifies as restricted; track that list as it changes)
- ·Privacy notice rewrite + cookie consent revisit
- ·Employee training on DPDP obligations
- ◇OneTrust / TrustArc / Securiti (privacy platforms)
- ◇Custom consent manager (build vs buy decision)
- ◇Data discovery (BigID, Securiti)
- ◇Vendor management (Vanta, Whistic, OneTrust)
- ◇Cookie consent (custom or Iubenda, Cookiebot)
Inventory all personal data — where collected, why, retained how long, shared with whom.
Map current state vs. DPDP requirements + draft Rules. Identify consent gaps, retention violations, vendor risks.
Build consent flows, deploy grievance officer process, draft policies, train vendors, rewrite privacy notice.
Run a DPDP breach simulation with your team. Verify reporting timelines. Promote to live.
DPDP audits, vendor reassessments, policy refresh. Run as a retainer or one-time annual.
- ◆DPDPA 2023 + Rules (when notified)
- ◆GDPR + UK GDPR (significant overlap; reuse evidence)
- ◆CCPA / CPRA (for US customers)
- ◆ISO 27701 (Privacy Information Management) — companion cert
- ◆India SPDI Rules 2011 under IT Act §43A (remain in force until the corresponding DPDPA provisions are notified and §43A is omitted by DPDPA §44)
Consent Architecture Diagram + Grievance Officer SOP — flowchart showing exactly how consent flows through your stack (collection → storage → revocation → audit), plus a documented escalation process for DPDP-related complaints with response-time SLAs aligned to draft Rules.
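The collection → storage → revocation → audit flow described above is easiest to reason about as an append-only ledger: every grant or withdrawal is an event, consent is tracked per purpose, withdrawal is a new event rather than an edit, and each record is hash-chained so that in-place tampering is detectable. The following Python is an added illustration of that design, not code from this page or from any vendor platform; the class, field names, purpose strings and sample data are assumptions for the example and do not reflect any wording of the Act or the draft Rules.

```python
"""Minimal append-only, hash-chained consent ledger (constructed example).

Assumptions for illustration: purposes are free-text strings chosen by the
fiduciary, principal IDs are pseudonymous, timestamps are Unix seconds, and
`notice_version` records which privacy notice the principal saw when acting.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    principal_id: str        # pseudonymous ID of the data principal
    purpose: str             # one specified purpose, e.g. "marketing_email"
    action: str              # "grant" or "withdraw"
    ts: int                  # Unix time of the event
    notice_version: str      # privacy notice version shown to the principal
    prev_hash: str           # hash of the previous record (the chain link)
    hash: str = ""           # SHA-256 over all other fields of this record


def _digest(fields: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, action: str,
                ts: int, notice_version: str) -> ConsentEvent:
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        if self._events and ts < self._events[-1].ts:
            raise ValueError("events must be appended in time order")
        prev = self._events[-1].hash if self._events else self.GENESIS
        body = dict(seq=len(self._events), principal_id=principal_id,
                    purpose=purpose, action=action, ts=ts,
                    notice_version=notice_version, prev_hash=prev)
        ev = ConsentEvent(**body, hash=_digest(body))
        self._events.append(ev)
        return ev

    def grant(self, principal_id, purpose, ts, notice_version):
        return self._append(principal_id, purpose, "grant", ts, notice_version)

    def withdraw(self, principal_id, purpose, ts, notice_version):
        # Withdrawal is a new record; the original grant is never edited.
        return self._append(principal_id, purpose, "withdraw", ts, notice_version)

    def is_permitted(self, principal_id: str, purpose: str,
                     at: Optional[int] = None) -> bool:
        """True if the latest event for (principal, purpose) up to `at` is a grant.

        Consent is per purpose: withdrawing one purpose leaves others intact,
        and processing that happened before a withdrawal still evaluates as
        permitted when checked with the earlier `at`.
        """
        state = False
        for ev in self._events:
            if ev.principal_id != principal_id or ev.purpose != purpose:
                continue
            if at is not None and ev.ts > at:
                break  # events are stored in time order (enforced in _append)
            state = ev.action == "grant"
        return state

    def verify_chain(self) -> bool:
        """Recompute every hash and chain link; False if any record was altered."""
        prev = self.GENESIS
        for ev in self._events:
            body = asdict(ev)
            body.pop("hash")
            if ev.prev_hash != prev or _digest(body) != ev.hash:
                return False
            prev = ev.hash
        return True

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Audit view: every consent event for one principal, for access requests."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def demo() -> dict:
    """Constructed scenario: grant two purposes, withdraw one, then tamper."""
    led = ConsentLedger()
    led.grant("p-1001", "order_fulfilment", 1_700_000_000, "notice-v3")
    led.grant("p-1001", "marketing_email", 1_700_000_100, "notice-v3")
    led.withdraw("p-1001", "marketing_email", 1_700_086_400, "notice-v3")
    result = {
        "marketing_now": led.is_permitted("p-1001", "marketing_email"),
        "marketing_before_withdrawal": led.is_permitted(
            "p-1001", "marketing_email", at=1_700_050_000),
        "order_now": led.is_permitted("p-1001", "order_fulfilment"),
        "history_len": len(led.history("p-1001")),
        "chain_ok": led.verify_chain(),
    }
    # Simulate an operator editing the stored withdrawal back into a grant.
    tampered = ConsentEvent(**{**asdict(led._events[2]), "action": "grant"})
    led._events[2] = tampered
    result["chain_ok_after_tamper"] = led.verify_chain()
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the chain is not cryptographic proof to a third party (an attacker who controls the whole store can rewrite every hash); it is that a single altered or deleted row breaks verification, so the audit log you hand to the Board or an auditor is internally consistent. Anchoring the head hash somewhere the application cannot write (a periodic export, a WORM bucket) is what turns it into evidence.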
Is the DPDP Act actually being enforced yet?
The Act received Presidential assent in August 2023, but its provisions take effect only on dates the Central Government notifies, and the Rules (which specify timelines and operational details) are being notified in phases with an implementation window before enforcement. Most companies are starting now to avoid scrambling once that window closes.
Do we need a Grievance Officer?
Yes, in substance. DPDP §8(10) requires every data fiduciary to establish an effective mechanism to redress data principals' grievances, §13 gives principals the right to use it before approaching the Board, and §8(9) requires you to publish the contact details of a Data Protection Officer or of a person able to answer on your behalf. Significant Data Fiduciaries (SDFs) must additionally appoint a Data Protection Officer (DPO) under §10.
How does DPDP differ from GDPR?
Similar foundation (consent, purpose limitation, breach reporting), but DPDP relies on consent plus a closed list of "certain legitimate uses" (§7) with no GDPR-style legitimate-interest balancing test; cross-border transfers follow a negative list (§16: allowed unless the government restricts a destination) rather than adequacy decisions; and there are India-specific exemptions (§17) for certain government and research processing.
What are the penalties?
The Schedule caps penalties per category of contravention, the highest being ₹250 crore (roughly $30M) for failing to take reasonable security safeguards, with ₹200 crore caps for breach-notification and children's-data failures. Add to that the reputational and customer-trust costs of a public breach.
Can you act as our Grievance Officer / DPO?
Yes — we offer fractional Grievance Officer / DPO services as part of a retainer. Common for early-stage companies that do not justify a full-time hire.