The stakes

What DPDP actually puts at risk — and why the clock has already started.

The Act is passed, the Rules are notified and phasing in through May 2027, and the Data Protection Board has been constituted. Below: the penalties, the statutory clocks that start without you, and the everyday events that quietly trigger them.

§ 01 — The stakes

DPDP isn't a future problem. It's law today, with real penalties and a fixed compliance timetable.

The businesses most at risk are the ones who assume "it doesn’t apply to us."

₹250 crore
Maximum penalty under the Act

For failing to take reasonable safeguards against a data breach. Other failures — ignoring a deletion request, mishandling children's data, not reporting a breach — carry their own penalties, per instance.

Obligation clocks (illustrative · running)

Cyber incident → CERT-In · IT Act regime · 06:00:00
Personal-data breach → Board · DPDP, initial intimation · 72:00:00
"Delete my data" request · data-principal right · 30 days
Grievance redressal · statutory cap · 90 days

Each deadline starts the moment an event happens — whether or not you noticed. Miss one and it's a reportable failure.

01 · It already applies to you
If you hold any customer's personal data — names, emails, phone numbers, PAN, payment details — you're a Data Fiduciary with obligations today.

02 · The clocks don't wait for you to notice
A breach, an unsubscribe, a deletion request — each starts a statutory deadline the instant it happens. "We didn't realise" is not a defence.

03 · A policy in a drawer isn't compliance
A one-time privacy notice doesn't catch the request that came in this morning. Compliance is continuous — or it isn't real.

§ 02 — Your hidden exposure

The danger isn't what you know. It's what you don't.

Most DPDP obligations are triggered by everyday events you’ve never thought of as "compliance." They happen quietly, in tools you already use — and the clock starts whether you saw it or not.

Someone unsubscribes

To you it's an email setting. Under DPDP it's a withdrawal of consent — and it starts obligations across every system that held their data.

Clock starts on click

A vendor holds your data

Your CRM, your payment gateway, your mailing tool — each is a Processor. When a customer asks to be deleted, you're responsible for them too.

You carry the liability

A breach you haven't reported

A leaked spreadsheet, a compromised login. A cyber incident can carry a CERT-In reporting window as short as six hours — running from the moment you became aware, not when you've finished investigating. DPDP's notice to the Board runs on its own clock.

Cyber incident · 6h (CERT-In)

Start here

Get a free DPDP exposure review.

Find out, with no obligation, where your business stands under DPDP — and what it would take to be continuously compliant. A short call with our team.

  • A plain-language read on your actual exposure
  • The specific obligations that apply to your business
  • No jargon, no pressure — just a clear picture

Book your review

We'll get back to you within one business day.

By submitting you agree to be contacted about your review. We don't share your details.