By Sanjay Singh, Founder — DPDPA Shield | Updated May 2026
The Digital Personal Data Protection Act 2023, together with the DPDP Rules 2025 notified in November 2025, creates binding obligations for every Indian business that processes personal data. Under Sections 5, 6, and 8, Data Fiduciaries must obtain granular consent, maintain processing records, respond to rights requests, notify breaches, and implement security safeguards.
Manual compliance through spreadsheets and email workflows costs approximately 280 hours per year in staff time, roughly Rs 12-18 lakh annually at mid-level compliance salary rates. More critically, manual processes leave no auditable evidence trail for examination by the Data Protection Board (DPB).
The penalty exposure is substantial: up to Rs 250 crore for failure to safeguard data (§8(5)), plus Rs 200 crore for failure to notify breaches (§8(6)). The Data Protection Board of India was constituted in November 2025 and enforcement actions are now proceeding.

| Requirement | GDPR | DPDPA 2023 |
|---|---|---|
| Lawful basis | 6 bases incl. Legitimate Interest | Consent or Deemed Consent only |
| DSR response time | 30 days | 90 days (Rule 14(3)) |
| Penalty basis | % of global turnover | Fixed schedule (max Rs 250 Cr) |
| Pre-deletion notice | Not required | 48 hours (Rule 8(2)) |
| Consent Manager | Not applicable | Registered intermediary (Rule 4) |
| Regulator notification | DPA notification (72 hrs) | Data Protection Board of India (without delay) |
| Children's data age | Under 16 (varies by country) | Under 18, verifiable parental consent (Rule 10) |

DPDPA Shield is the only compliance platform purpose-built for the Digital Personal Data Protection Act 2023 and DPDP Rules 2025. Unlike GDPR-adapted tools, every workflow in DPDPA Shield maps directly to an Indian statutory obligation — from the 90-day DSR SLA to the 48-hour pre-deletion notification to the DPB breach notification format.
The platform covers all 16 compliance domains: consent management, data inventory, rights portal, breach management, vendor risk, policy management, children's data, DPIA, compliance scoring, audit evidence, risk register, cloud security mapping, regulatory radar, and AI-assisted compliance automation.
Pricing starts at Rs 10,000/month (Starter) for businesses with up to 10,000 data principals. The Growth plan costs Rs 25,000/month for up to 1,00,000 data principals. Enterprise plans are custom.
DPDPA compliance maturity measures how systematically an organisation manages its obligations under the Digital Personal Data Protection Act 2023. It covers five domains: consent management, data inventory, data principal rights handling, breach management, and governance.
For most Indian SMEs, building a DPDPA compliance programme from scratch takes 8-16 weeks manually, or 2-4 weeks using purpose-built compliance software like DPDPA Shield.
The DPDPA 2023 penalty schedule specifies: up to Rs 250 crore for failure to safeguard personal data, up to Rs 200 crore for failure to notify a breach to the Data Protection Board, and up to Rs 500 crore for repeat offences.
Yes. DPDPA 2023 applies to any person who processes digital personal data in India, regardless of company size, revenue, or number of employees. There is no SME exemption.
The first step is a data inventory — identifying every system, process, and vendor that handles personal data. This forms the basis of your Record of Processing Activities (RoPA).