If your organization manages personal data in India, 2026 is the year to get serious about Digital Personal Data Protection (DPDP) Act compliance. With rules notified in 2025 and regulatory oversight now underway, organizations are figuring out how to operationalize it at scale.
The DPDP Act is not only a regulatory requirement but also an operational one. The organizations that fare best will be those that can clearly explain what data they collect, why they collect it, how they protect it, and how they respond when someone asks to access, correct, or delete it.
A Brief History of the DPDP Act
India’s path to a comprehensive data protection law evolved over several years, driven by both legal and regulatory developments.
Prior to 2022, India lacked a unified privacy framework. Data protection obligations were governed primarily by the Information Technology Act and the 2011 SPDI Rules, which offered only limited safeguards and did not keep pace with rapid digital growth.
A major turning point came in 2017 with the landmark Justice K.S. Puttaswamy (Retd.) vs. Union of India judgment. The Supreme Court recognized privacy as a fundamental constitutional right and highlighted the need for a robust data protection regime.
Following this decision, the government introduced multiple draft laws, including the Personal Data Protection Bill and the Data Protection Bill 2021. These proposals, influenced in part by frameworks like the General Data Protection Regulation (GDPR), faced significant scrutiny and were ultimately withdrawn in August 2022.
Later in 2022, a revised Digital Personal Data Protection Bill was introduced, simplifying earlier approaches and addressing prior concerns. After further refinement, this led to the Digital Personal Data Protection Act, 2023.
DPDP reflects years of iteration and debate, establishing a more practical and enforceable framework aligned with India’s modern digital economy.
The State of DPDP Compliance Today
The DPDP framework has entered its execution phase, but enterprise readiness tells a more nuanced story.
According to the report India’s Digital Privacy Crossroads: Understanding the DPDP Act and Rules Impact and Enterprise Readiness, awareness of the DPDP Act is rising, yet organizational maturity remains uneven across industries and functions. Nearly 70% of organizations report limited familiarity with the Act and its rules, while 71% struggle to interpret the law, revealing a significant gap between regulatory intent and real-world implementation.
Current adoption metrics illustrate the challenge: 48% of organizations have initiated gap assessments, 44% have documented data processing activities, and only 38% have classified personal data or identified third-party processors. Deeper operational implementation is still far off: over 83% of businesses have not begun a full rollout, and nearly 80% have yet to update privacy policies or governance frameworks.
Enterprises face additional hurdles, with 77% lacking the ability to adopt privacy technologies, 76.4% citing limited expertise, and 45.3% dealing with budget constraints.
There is also a potential shift in the compliance timeline that could affect how readiness plays out. The Ministry of Electronics and Information Technology (MeitY) is consulting industry stakeholders on a proposal to shorten the DPDP Act’s compliance window for significant data fiduciaries from the currently envisioned 18 months to 12 months. Government officials indicate that consultations are ongoing and that a final decision will be made only after detailed industry feedback is received. The proposal has not yet been formalized, introducing both urgency and uncertainty as organizations weigh accelerating compliance alongside other implementation challenges.
Key Features of the DPDP Act
DPDP’s phased implementation continues through 2026 and 2027, covering all personal data processed in India and certain cross-border processing. The Act establishes the Data Protection Board of India to oversee compliance, investigate breaches, and impose penalties, with appeals handled by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Individuals, or data principals, are granted enforceable rights over their personal data. These include being informed about collection, purpose, and third-party sharing; accessing, correcting, or requesting deletion of their data; objecting to processing; exercising data portability; and, in certain cases, nominating a representative to act on their behalf.
Organizations, also known as data fiduciaries, must obtain explicit consent before processing data, use it only for declared purposes, implement robust security safeguards, and report data breaches promptly — typically within 72 hours for serious incidents. Compliance is being phased in, with full operational obligations rolling out through 2026–2027.
The DPDP Act also introduces significant penalties for non-compliance, with fines reaching up to INR 250 crore for failing to implement reasonable security measures to prevent data breaches. Other breaches, such as failing to notify the Board or affected individuals of a breach, or mishandling sensitive categories like children's data, can draw fines as high as INR 200 crore, and lesser violations up to INR 50 crore. All of these can accrue per instance of non-compliance, making regulatory adherence essential to avoid crippling financial and reputational consequences.
Steps to Take to Achieve DPDP Compliance
Organizations processing personal data in India should take proactive measures to align with the DPDP Act ahead of full enforcement in May 2027:
- Assess data processing activities: Conduct thorough assessments and data mapping to identify practices requiring modification for DPDP compliance.
- Develop a data protection policy: Create formal policies outlining your commitment to data protection, consent management, and data processing practices.
- Appoint a data protection officer (DPO): Mandatory for Significant Data Fiduciaries, the DPO or compliance lead oversees strategy, breach response, and regulatory adherence.
- Implement technical and organizational measures: Establish robust security protocols, consent management systems, vendor oversight, and breach response processes.
- Train employees: Educate employees and stakeholders on their responsibilities and the principles of data protection under the DPDP.
- Prepare for compliance audits: Set up processes for periodic internal audits to ensure ongoing adherence to regulations, maintain documentation, and verify breach and consent handling.
Fortra’s Role in Ensuring DPDP Compliance
Fortra’s comprehensive suite of security solutions aligns with key DPDP regulatory expectations around data protection, risk management, and accountability:
- Data Classification: Our data classification tools apply visual labels and metadata tagging to personal and sensitive data, ensuring appropriate handling, retention, and disposal in line with DPDP principles of purpose limitation and data minimization.
- Data Loss Prevention (DLP): Helps prevent unauthorized use, leakage, or transmission of personal data across endpoints and networks, directly supporting compliance with DPDP’s usage and access control requirements.
- Secure File Transfer: Ensures encrypted and auditable transmission of personal data both in transit and at rest, supporting secure data flows and accountability documentation.
- Secure Collaboration: Enables encrypted sharing and fine-grained access control of sensitive files, ensuring only authorized users can interact with personal data and helping fulfill DPDP’s access restriction and governance expectations.
- Email Security: Provides real-time policy enforcement by sanitizing, encrypting, or quarantining sensitive content in emails, reducing exposure, and supporting adherence to privacy and breach minimization standards.
- Vulnerability Assessments and Intrusion Protection: Helps organizations identify security weaknesses and comply with audit requirements.
- Infrastructure Protection: Secures critical systems that store or process personal data, providing evidence of proactive risk control and technical safeguards.
- Security Awareness Training: Fortra’s human risk management solution reduces human-error-driven data breaches while supporting DPDP risk compliance.
Staying Ahead in a Changing DPDP Act Landscape
Compliance with the DPDP Act is not static, because laws evolve and interpretations shift. A current example is the Supreme Court of India’s review of what exactly qualifies as “personal data” under the Act. The outcome of this review could reshape obligations for businesses, demonstrating that even well-prepared programs must remain adaptable.
The key to staying ahead is building compliance programs that are both thorough and flexible: mapping data flows, managing consent, enforcing robust access controls, and maintaining security safeguards. Organizations should also be ready to adjust quickly to regulatory clarifications or legal developments without disrupting operations.
Fortra collaborates with organizations to reach their DPDP compliance goals with solutions that protect, monitor, and control sensitive data. We ensure personal data is managed safely today and stays protected as the DPDP Act continues to evolve.