The Act is passed, the Rules are notified and phasing in through May 2027, and the Data Protection Board has been constituted. Below: the penalties, the statutory clocks that start without you, and the everyday events that quietly trigger them.
The businesses most at risk are the ones who assume "it doesn’t apply to us."
For failing to take reasonable safeguards against a data breach. Other failures — ignoring a deletion request, mishandling children's data, not reporting a breach — carry their own penalties, per instance.
Each deadline starts the moment an event happens — whether or not you noticed. Miss one and it's a reportable failure.
Most DPDP obligations are triggered by everyday events you’ve never thought of as "compliance." They happen quietly, in tools you already use — and the clock starts whether you saw it or not.
To you it's an email setting. Under DPDP it's a withdrawal of consent — and it starts obligations across every system that held their data.
Your CRM, your payment gateway, your mailing tool — each is a Processor. When a customer asks to be deleted, you're responsible for them too.
A leaked spreadsheet, a compromised login. A cyber incident can carry a CERT-In reporting window as short as six hours — running from the moment you became aware, not when you've finished investigating. DPDP's notice to the Board runs on its own clock.
Find out, with no obligation, where your business stands under DPDP — and what it would take to be continuously compliant. A short call with our team.