DPDP 101: What Indian Businesses Must Know in 2026
Comprehensive guide to India's DPDP Act — penalties, compliance principles, and a 90-day action plan.

The Digital Personal Data Protection Act (DPDP), 2023, fundamentally reshapes how Indian businesses handle personal data. Penalties reach ₹250 crore. Compliance is non-negotiable for any organisation processing data of Indian residents — and “Indian residents” includes most of your customer base if you operate in India.
This post is the executive-level primer. The full field guide expands each section with implementation detail.
The headline points
- Penalties are material. The maximum is ₹250 crore per violation category, far above anything historical Indian privacy regulation has imposed.
- Consent must be explicit, granular, and revocable. Pre-ticked boxes, bundled consent, and consent-implied-by-continued-use are no longer compliant.
- Data Principal rights are codified. Right to access, correction, completeness, erasure, grievance redressal — all enforceable.
- Data Fiduciary duties are extensive. Accountability for security, breach notification, vendor governance, processing records, and DPO appointment for significant fiduciaries.
- Cross-border transfers are restricted. A “blacklist” approach — most jurisdictions are permitted by default, but the government can restrict specific countries.
- Children’s data has heightened protections. Under-18s require verifiable parental consent, with specific operational requirements.
The 90-day action plan
For organisations starting from a typical Indian mid-market baseline (some informal practices, no formal DPDP programme), the credible 90-day plan focuses on:
- Days 1–30: Data mapping, current-state audit, gap analysis, board-level briefing.
- Days 31–60: Consent management implementation, privacy notice rewrite, DSR workflow scaffolding, vendor contract review.
- Days 61–90: Breach response automation, ongoing-monitoring scaffolding, training rollout, DPO appointment if applicable.
Read the full field guide: DPDP 2026 — India Business Essentials
The guide expands each phase with templates, vendor lists, cost estimates, and the technical architecture choices that make compliance operationally tractable.
Why this matters across sectors
DPDP applies to every organisation processing personal data of Indian residents, but the operational impact varies by sector:
- Financial services: Stacked on existing RBI requirements; significant overlap but new obligations on consent and DSRs.
- Healthcare: Stacked on existing health data sensitivity; explicit children’s-data and consent-form requirements.
- Education: Children’s-data provisions are particularly material; verifiable parental consent is a meaningful operational change.
- B2B SaaS: Customer questionnaires now include DPDP-specific questions; vendor-readiness is a competitive factor.
- E-commerce: Granular consent and DSR-fulfilment-at-scale are the dominant operational challenges.
The full guide includes sector-specific implementation notes for each.