Blog · 15 May 2026 · 10 min read

DPDP at T-minus 11 Months: The Indian B2B SaaS Compliance Checklist

Eleven months to the May 13, 2027 DPDP enforcement window. A practical checklist for B2B SaaS leadership teams that haven't started, and a triage frame for ones that have.


The DPDP Act enforcement window opens May 13, 2027. As of this writing, that’s roughly eleven months out. The conversations we’re having with founders, CEOs, and CIOs across Indian B2B SaaS in mid-2026 fall into three buckets:

  1. “We’re already compliant.” Almost never true on inspection. Usually they have an opt-in checkbox and a privacy policy refreshed in 2023.
  2. “We’re starting in Q4.” Common. Often the deadline arrives before the plan does.
  3. “We have no idea what this requires.” Surprisingly common at the CEO level even when the legal team has been working on it for months.

This post is for all three. It’s not legal advice — for that you need counsel who’ll sign off on it. It’s the engineering and operational checklist we work through with B2B SaaS leadership teams in the first hour.

The penalty math, briefly

Under DPDP, the statutory maximum is ₹250 crore per violation category. That’s not a “you will pay this” number. It’s a “the regulator can levy this” number. The cases that have resulted in actual fines so far have ranged from ₹1 crore to mid-double-digit crores, depending on the volume of affected data subjects, the presence of children’s data, and demonstrable bad faith.

The real cost of non-compliance for a B2B SaaS company isn’t the fine. It’s three things:

  • Procurement disqualification by your enterprise buyers. Indian banks, BFSI, healthcare, and increasingly public sector won’t sign with non-compliant vendors.
  • Cross-border data restrictions. If you serve clients outside India, your data-processing posture interacts with both DPDP and the destination jurisdiction’s regime (typically GDPR or sectoral US rules). Non-compliance on one side blocks contracts on the other.
  • Breach disclosure timelines. DPDP requires fast notification. A breach detected on day 30 instead of day 3 is the difference between containable and existential.

The 11-month checklist

Group your work into four streams. Each stream has a designated owner. If your org chart doesn’t already have those owners, pick them this week.

Stream A — Data inventory (weeks 1–4)

Owner: head of engineering or product.

You can’t be compliant with respect to data you don’t know you have. The inventory should capture, for every system:

  • What personal data classes you collect (names, emails, financial, biometric, children’s, sensitive personal as defined under DPDP)
  • Why you collect it (lawful purpose under DPDP)
  • Where it’s stored (region, tenancy, retention period)
  • Who has access (role-based, with documented justification)
  • Where it goes (every third-party processor, every API, every export)

The output is a personal data register that gets updated quarterly. This document is what regulators ask for first.

Stream B — Consent and rights workflows (weeks 4–12)

Owner: product manager + legal.

DPDP grants data principals four core rights: access, correction, deletion (with carve-outs), and grievance. Your software needs to honour all four within statutory windows.

The engineering work:

  • Build the data subject access request (DSAR) handler — a single endpoint that, given an authenticated subject identifier, can produce a downloadable export of all personal data the org holds about that person within 30 days.
  • Build the deletion workflow — same trigger, but a coordinated cascade across production, backups (with documented retention exceptions), and third-party processors.
  • Refit consent capture at every collection point. The DPDP-grade pattern is granular, purpose-bound, withdrawable, and audit-logged.

This is where most B2B SaaS companies underestimate the scope. The consent model in your sign-up form is the easy part. The DSAR plumbing across 12 microservices and 8 third-party processors is where the real engineering lives.
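The three Stream B items, as an added example that is not the post's or our engagement code: a small in-memory rights orchestrator with a granular, withdrawable, audit-logged consent ledger; a DSAR export that fans out to every registered system and carries its 30-day due date; and a deletion cascade that reports documented retention exceptions rather than silently skipping a system. The service names (`crm`, `billing`, `backups`), the subject `u-42` and all records are constructed; in production the `Processor` callables would be HTTP or queue clients to each microservice and sub-processor.

```python
"""Added example (not the post's own code): a minimal rights orchestrator
covering the three Stream B items: purpose-bound, withdrawable, audit-logged
consent; a DSAR export that fans out to every system holding personal data and
carries its 30-day due date; and a deletion cascade that records documented
retention exceptions instead of silently skipping a system. Service names and
sample records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

DSAR_WINDOW = timedelta(days=30)  # the statutory window the post quotes


@dataclass
class ConsentLedger:
    """One flag per (subject, purpose); every change is appended to an audit trail."""
    active: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def _record(self, subject: str, purpose: str, event: str, source: str) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "subject": subject, "purpose": purpose,
                           "event": event, "source": source})

    def grant(self, subject: str, purpose: str, source: str) -> None:
        self.active[(subject, purpose)] = True
        self._record(subject, purpose, "granted", source)

    def withdraw(self, subject: str, purpose: str, source: str) -> None:
        self.active[(subject, purpose)] = False
        self._record(subject, purpose, "withdrawn", source)

    def allows(self, subject: str, purpose: str) -> bool:
        # Granular: consent for "billing" says nothing about "marketing".
        return self.active.get((subject, purpose), False)


@dataclass
class Processor:
    """A system (internal service or third-party sub-processor) that holds personal data."""
    name: str
    export: Callable[[str], dict]
    delete: Callable[[str], bool]
    retention_exception: Optional[str] = None  # documented reason deletion is deferred


class RightsOrchestrator:
    def __init__(self, processors: List[Processor]):
        self.processors = processors

    def handle_dsar(self, subject: str, received_at: str) -> dict:
        """Collect every processor's data on the subject into one bundle with its due date."""
        received = datetime.fromisoformat(received_at)
        bundle = {p.name: p.export(subject) for p in self.processors}
        return {"subject": subject, "due": (received + DSAR_WINDOW).isoformat(),
                "sources": sorted(bundle), "data": bundle}

    def handle_deletion(self, subject: str) -> dict:
        """Cascade deletion; a retention exception is reported, never a silent skip."""
        deleted, deferred, failed = [], {}, []
        for p in self.processors:
            if p.retention_exception:
                deferred[p.name] = p.retention_exception
            elif p.delete(subject):
                deleted.append(p.name)
            else:
                failed.append(p.name)
        return {"subject": subject, "deleted": deleted, "deferred": deferred, "failed": failed}


def _store_processor(name: str, store: dict, exception: Optional[str] = None) -> Processor:
    """Wrap an in-memory dict as a processor; real services would be HTTP or queue clients."""
    return Processor(name=name,
                     export=lambda s: dict(store.get(s, {})),
                     delete=lambda s: store.pop(s, None) is not None,
                     retention_exception=exception)


def build_demo() -> Tuple[ConsentLedger, RightsOrchestrator]:
    """Constructed sample: one subject, three systems, one documented retention exception."""
    crm = {"u-42": {"name": "A. Sharma", "email": "a.sharma@example.test"}}
    billing = {"u-42": {"gstin_last4": "1Z5", "invoices": 3}}
    backups = {"u-42": {"snapshot": "2026-05-01"}}
    ledger = ConsentLedger()
    ledger.grant("u-42", "billing", source="signup-form")
    ledger.grant("u-42", "marketing", source="signup-form")
    ledger.withdraw("u-42", "marketing", source="preferences-page")
    orch = RightsOrchestrator([
        _store_processor("crm", crm),
        _store_processor("billing", billing),
        _store_processor("backups", backups,
                         exception="35-day backup rotation, documented in the data register"),
    ])
    return ledger, orch


if __name__ == "__main__":
    ledger, orch = build_demo()
    print(orch.handle_dsar("u-42", "2026-06-01T00:00:00+00:00"))
    print(orch.handle_deletion("u-42"))
    print(ledger.audit)
```

The point of the `deferred` bucket is the one the post makes about backups: a deletion that cannot complete because of a documented retention exception is still a result you must be able to show a regulator, so it is returned alongside successes and failures instead of disappearing into a log line.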

Stream C — Vendor governance (weeks 6–16)

Owner: legal + procurement, with engineering input.

Every SaaS tool your company uses that touches Indian user data is a sub-processor. DPDP holds you (the Data Fiduciary) accountable for breaches in their systems involving your data.

The work:

  • Inventory every sub-processor. Most B2B SaaS firms find 30–80 of them after the audit. Most have not been touched contractually since the original signup.
  • Re-paper the DPAs with DPDP-specific clauses. Carve out cross-border transfer obligations where applicable.
  • Implement vendor monitoring — your incident response can’t depend on the vendor self-disclosing.

The seven defense-in-depth layers we use for vendor API governance live in our field guide on this exact topic.
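Streams A and C share one artefact, so here is one added example (not the post's or any field guide's code) covering both: the personal data register expressed as structured records, a validator that checks every entry answers the five Stream A questions (what, why, where, who, where to), and a cross-check that every recipient named in the register appears in the sub-processor register with a DPDP-grade DPA and, for non-Indian regions, a documented transfer clause. The field names, region strings, systems and vendors are constructed placeholders, not a schema DPDP prescribes; the cross-border rule here only flags the posture for review, it does not decide what the law requires in your case.

```python
"""Added example (not the post's own code): a personal data register as
structured records, with checks that the register answers the five Stream A
questions for every system, and a cross-check against a sub-processor
register (Stream C) that flags recipients with no DPDP-grade DPA or an
undocumented cross-border transfer. Field names and sample rows are
constructed for illustration."""
from typing import Dict, List

SENSITIVE_CLASSES = {"financial", "biometric", "children", "sensitive_personal"}
REQUIRED_FIELDS = ("system", "data_classes", "purpose", "region", "retention_days",
                   "access", "recipients")

# Constructed sample register: one entry per system holding personal data.
DATA_REGISTER: List[Dict] = [
    {"system": "crm", "data_classes": ["name", "email"], "purpose": "account management",
     "region": "ap-south-1", "retention_days": 730,
     "access": [{"role": "support", "justification": "ticket handling"}],
     "recipients": ["helpdesk-saas"]},
    {"system": "billing", "data_classes": ["name", "financial"], "purpose": "invoicing",
     "region": "ap-south-1", "retention_days": 2555,
     "access": [{"role": "finance", "justification": "GST filing"},
                {"role": "engineering", "justification": ""}],
     "recipients": ["payment-gateway", "analytics-vendor"]},
    {"system": "kyc-uploads", "data_classes": ["biometric"], "purpose": "",
     "region": "us-east-1", "retention_days": None,
     "access": [], "recipients": []},
]

# Constructed sample sub-processor register (the DPA library from Stream C).
SUBPROCESSORS: Dict[str, Dict] = {
    "helpdesk-saas": {"dpa_dpdp_clauses": True, "region": "ap-south-1", "transfer_clause": False},
    "payment-gateway": {"dpa_dpdp_clauses": True, "region": "ap-south-1", "transfer_clause": False},
    "analytics-vendor": {"dpa_dpdp_clauses": False, "region": "eu-west-1", "transfer_clause": False},
}


def _in_india(region) -> bool:
    # Assumed region naming: the ap-south-* prefix stands for Indian hosting.
    return str(region or "").startswith("ap-south")


def validate_register(register: List[Dict]) -> List[str]:
    """Return one issue string per gap; an empty list means the register is audit-ready."""
    issues = []
    for entry in register:
        name = entry.get("system", "<unnamed>")
        for f in REQUIRED_FIELDS:
            if f not in entry:
                issues.append(f"{name}: missing field '{f}'")
        if not entry.get("purpose"):
            issues.append(f"{name}: no lawful purpose recorded")
        if entry.get("retention_days") is None:
            issues.append(f"{name}: no retention period")
        for grant in entry.get("access", []):
            if not grant.get("justification"):
                issues.append(f"{name}: role '{grant.get('role')}' has access without justification")
        sensitive = SENSITIVE_CLASSES & set(entry.get("data_classes", []))
        if sensitive and not _in_india(entry.get("region")):
            issues.append(f"{name}: sensitive classes {sorted(sensitive)} stored outside India "
                          f"({entry.get('region')}); document the cross-border transfer posture")
    return issues


def subprocessor_gaps(register: List[Dict], subprocessors: Dict[str, Dict]) -> List[str]:
    """Cross-check every recipient in the data register against the DPA library."""
    gaps = set()
    for entry in register:
        for rec in entry.get("recipients", []):
            sp = subprocessors.get(rec)
            if sp is None:
                gaps.add(f"{rec}: receives data from {entry['system']} "
                         f"but is not in the sub-processor register")
                continue
            if not sp.get("dpa_dpdp_clauses"):
                gaps.add(f"{rec}: DPA lacks DPDP-specific clauses")
            if not _in_india(sp.get("region")) and not sp.get("transfer_clause"):
                gaps.add(f"{rec}: cross-border ({sp.get('region')}) with no transfer clause")
    return sorted(gaps)


if __name__ == "__main__":
    for line in validate_register(DATA_REGISTER) + subprocessor_gaps(DATA_REGISTER, SUBPROCESSORS):
        print(line)
```

Run both checks in CI against the committed register, so the quarterly update the post calls for is enforced by a failing build rather than a calendar reminder, and so a new recipient added to a service's register entry cannot merge until the vendor has a DPA on file.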

Stream D — Breach response runbook (weeks 12–20)

Owner: CISO or head of engineering.

The runbook is the artefact that gets used at 2am during an actual breach. It must specify:

  • Detection thresholds and on-call routing
  • Internal escalation path to the legal team within the first hour
  • Notification template to the Data Protection Board
  • Customer communication template
  • Forensics + immutable log preservation steps

Test it. A tabletop exercise costs a day. A botched real-incident response costs your business.
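Two of the runbook items above turned into code so they can be rehearsed in the tabletop rather than improvised at 2am, as an added example that is not the post's own: an incident clock that checks the escalation the post calls for (legal in the loop within the first hour of detection), and a hash-chained preservation manifest for the logs the forensics step must keep immutable. The one-hour threshold is the post's; the manifest format, the file names and the log lines are constructed assumptions.

```python
"""Added example (not the post's own code): two breach-runbook steps as
functions. escalation_status() measures detection-to-legal-notification
against the post's one-hour target. preserve_evidence() and
verify_evidence() build and check a hash-chained manifest over preserved
artefacts so that any altered, removed or reordered item is detectable.
Timestamps, file names and log contents are constructed."""
import hashlib
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LEGAL_ESCALATION_WINDOW = timedelta(hours=1)  # "within the first hour", from the runbook
GENESIS = "0" * 64  # chain seed for the first manifest entry

# Constructed sample artefacts a responder would preserve before any remediation.
SAMPLE_LOGS: Dict[str, bytes] = {
    "auth.log": b"2026-06-02T01:47:10Z sshd[812]: Accepted publickey for deploy from 10.0.4.9\n",
    "app.log": b"2026-06-02T01:52:31Z export-service: bulk export of 9412 rows by svc-account\n",
}


def escalation_status(detected_at: str, legal_notified_at: Optional[str]) -> Dict:
    """Compare ISO 8601 detection and legal-notification times against the one-hour target."""
    detected = datetime.fromisoformat(detected_at)
    if legal_notified_at is None:
        return {"legal_notified": False, "within_window": False,
                "deadline": (detected + LEGAL_ESCALATION_WINDOW).isoformat()}
    elapsed = datetime.fromisoformat(legal_notified_at) - detected
    return {"legal_notified": True,
            "within_window": timedelta(0) <= elapsed <= LEGAL_ESCALATION_WINDOW,
            "elapsed_minutes": int(elapsed.total_seconds() // 60)}


def _chain(prev: str, name: str, digest: str, preserved_at: str) -> str:
    return hashlib.sha256(f"{prev}|{name}|{digest}|{preserved_at}".encode()).hexdigest()


def preserve_evidence(items: Dict[str, bytes], preserved_at: str) -> List[Dict]:
    """Build a manifest where each entry's chain value covers the previous entry.

    Record the final entry's chain value somewhere the responders cannot edit
    (the incident ticket, a signed note to legal): the chain proves internal
    consistency, the out-of-band copy proves nobody rebuilt the whole chain."""
    manifest, prev = [], GENESIS
    for name in sorted(items):
        digest = hashlib.sha256(items[name]).hexdigest()
        link = _chain(prev, name, digest, preserved_at)
        manifest.append({"name": name, "sha256": digest, "bytes": len(items[name]),
                         "preserved_at": preserved_at, "chain": link})
        prev = link
    return manifest


def verify_evidence(items: Dict[str, bytes], manifest: List[Dict]) -> List[str]:
    """Return names whose content or chain link no longer matches; an empty list means intact."""
    bad, prev = [], GENESIS
    for entry in manifest:
        data = items.get(entry["name"])
        digest = hashlib.sha256(data).hexdigest() if data is not None else None
        link = _chain(prev, entry["name"], entry["sha256"], entry["preserved_at"])
        if digest != entry["sha256"] or link != entry["chain"]:
            bad.append(entry["name"])
        prev = entry["chain"]
    return bad


if __name__ == "__main__":
    print(escalation_status("2026-06-02T02:00:00+00:00", "2026-06-02T02:45:00+00:00"))
    manifest = preserve_evidence(SAMPLE_LOGS, "2026-06-02T02:10:00+00:00")
    print("head of chain:", manifest[-1]["chain"])
    print("tampered entries:", verify_evidence(SAMPLE_LOGS, manifest))
```

In the tabletop, have the on-call engineer produce the manifest and read the head-of-chain value into the incident ticket before anyone touches the affected hosts; the later forensics and Board notification then rest on artefacts whose integrity you can demonstrate rather than assert.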

What this costs

For a mid-market B2B SaaS company at ₹50–₹500 crore revenue, the full DPDP compliance program — engineering work, legal re-papering, vendor governance build, runbook — typically lands between ₹35 lakh and ₹90 lakh of one-time investment. That’s 6–18 weeks of dedicated work split across legal, engineering, and operations.

This is materially less than the procurement deals you’ll lose by missing the deadline. It’s an order of magnitude less than the breach math if you don’t have a runbook.

What we ship

We run fixed-price DPDP compliance build engagements for Indian B2B SaaS firms. The deliverable is a documented, audit-ready compliance posture across all four streams above, with the artefacts (data register, DSAR handler, DPA library, runbook) committed to your repo and signed off by your counsel.

Run the DPDP penalty exposure calculator — three minutes, no signup — to get a baseline number for your specific configuration and the 90-day plan we’d recommend.
