India Digital Personal Data Protection Act · Enforcement 13 May 2027

Your product collects data. The law is about to audit how.

India's DPDP Rules are live. Most products have consent gaps they don't know about. We find them and fix them in your codebase, before enforcement begins.

₹250 Cr

MAX PENALTY · SECURITY SAFEGUARDS

₹200 Cr

MAX PENALTY · BREACH NOTIFICATION

13 May 2027

FULL ENFORCEMENT DEADLINE

Source: DPDP Act 2023, Schedule. Data Protection Board of India.

A privacy policy is not compliance.

Most legacy consent is already invalid under DPDP's verifiable-consent standard. Pre-ticked boxes and buried opt-ins won't pass muster. The law requires clear, explicit, and revocable consent, and it must be technically auditable.

The obligations are engineering problems, not legal problems. Consent flows, rights portals, and breach detection are code, not documents. A privacy policy tells users what you do. Compliance means building the systems that prove you do it.

The enforcement window is real and closing. Full enforcement begins 13 May 2027. The Data Protection Board is live. Penalties are not theoretical; they are enumerated in the statute.

Time remaining

The deadline is fixed. Every sprint cycle you don't spend on DPDP is a sprint cycle you'll need under pressure in 2026.

"We don't hand you a checklist. We ship the fix into your product."

Audit

Map your data flows and identify every gap against DPDP Rules 2025

Gap Report

Scored findings with severity, obligation, and fix priority

Engineering Sprint

Consent flows, rights portal, breach runbook, shipped into your codebase

Evidence Pack

Documentation ready for regulatory audit

Built for product companies, not law firms.

D2C

Indian D2C and e-commerce brands

Consumer brands collecting purchase history, preferences, and marketing consent across web and app, where DPDP's purpose-limitation and consent obligations hit hardest.

FINTECH

Fintech and lending platforms

Products handling financial data, KYC, credit scoring, and transaction records, with strict obligations on sensitive personal data and data minimisation.

SAAS

SaaS and LMS products

B2B platforms processing user data, analytics, and workspace information, and managing data principal rights across multiple organisational contexts.

HEALTH

Health and clinic platforms

Healthcare services managing patient records, appointments, and sensitive health data, where DPDP's special-category obligations are most acute.

01

Audit

Data flow mapping and gap analysis against DPDP Rules 2025

02

Sprint

Consent flows, rights portal, and breach systems built and shipped

03

Handoff

Evidence pack and documentation ready for your audit trail

Start here

Don't know where you stand? Find out in 10 questions.

Answer 10 questions about your product. We analyse your gaps and send a personalised DPDP compliance report to your inbox.

Start the readiness check →

No pitch. No invoice. Just a gap report.