~20 Years — Continuous operations in cybersecurity, privacy, and compliance

DPDP Act Compliance for Indian Enterprises

The DPDP Rules 2025 were notified on 14 November 2025 and the Data Protection Board of India is now established. Indian data fiduciaries and processors must move from awareness to implementation, evidence, and audit readiness in FY26.

DPDP 2023 Act Coverage
India-Aligned Methodology
6,700+ Assessments
CERT-In Empanelled Since 2008

Trusted by India's leading enterprises: ICICI Bank, HDFC, NPCI, PhonePe, Swiggy, Asian Paints, Mahindra, L&T, Aditya Birla, Pernod Ricard, Yes Bank, Tata Play, Voltas, DHL Express, Etihad Airways, Amazon Pay, Sephora, Groww, Go Digit, Pharmeasy, BillDesk, Jubilant Foods, UltraTech, Titan, Infosys, Capgemini
STEP 01: Assess

We map your data fiduciary and processor roles, build a data inventory, assess consent and notice mechanisms, evaluate Data Principal rights workflows, and identify gaps against DPDP Act requirements and the 2025 Rules.

STEP 02: Remediate

We deliver a prioritized remediation roadmap with owners and target dates. Our team supports policy development, consent and notice template creation, breach notification playbook design, processor due diligence, and technical control implementation.

STEP 03: Validate

We perform a closure validation audit to confirm all gaps are resolved, evidence is documented, and your organization can demonstrate compliance to the Data Protection Board, regulators, customers, and board-level stakeholders.

What Is the DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection law governing the processing of digital personal data. It establishes obligations for Data Fiduciaries and Data Processors around consent, notice, Data Principal rights, breach notification, grievance redressal, and child data protection.

Who Needs to Comply with the DPDP Act?

The DPDP Act applies to every organization that processes digital personal data in India, or that processes personal data outside India in connection with offering goods or services to individuals in India.

Data Fiduciaries

Any entity that determines the purpose and means of processing digital personal data of individuals in India.

Data Processors

Entities that process personal data on behalf of a Data Fiduciary, including cloud providers, SaaS vendors, and outsourced service providers.

Significant Data Fiduciaries (SDFs)

Entities notified by the Central Government based on data volume, sensitivity, and risk, with enhanced obligations including DPO appointment and independent audits.

BFSI and Regulated Entities

Banks, NBFCs, insurers, AMCs, payment aggregators, and fintechs processing large volumes of customer financial and identity data.

SaaS and Technology Companies

Platforms handling user data, behavioral data, analytics, and cross-border data flows for Indian and international customers.

Healthcare and Pharma

Entities processing sensitive health records, patient data, clinical trial data, and insurance-linked personal data.

E-Commerce and Consumer Platforms

Marketplaces, delivery platforms, and consumer apps collecting personal data, location data, payment information, and behavioral profiles.

Entities Processing Child Data

Organizations processing personal data of children must obtain verifiable parental consent and cannot engage in tracking, behavioral monitoring, or targeted advertising directed at children.

Methodology

6 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery
01

Applicability and Role Mapping

We determine your DPDP obligations by mapping your entity as Data Fiduciary, Processor, or both. We assess whether Significant Data Fiduciary criteria apply and identify all digital personal data processing activities across your organization.

02

Data Discovery and Inventory

We build a comprehensive data inventory covering what personal data you collect, where it is stored, how it flows through systems and third parties, what processing purposes exist, and where cross-border transfers occur.

Testing
03

Gap Assessment

We assess your current state against every DPDP Act obligation: consent and notice mechanisms, Data Principal rights workflows, breach notification readiness, processor controls, child data handling, grievance redressal, retention and deletion, and security safeguards.

04

Technical Validation

Unlike advisory-only firms, Security Brigade validates privacy controls technically. Our B-52 framework and application security teams test consent flows, access controls, data exposure through APIs, insecure data handling, logging practices, deletion mechanisms, and data leakage paths.

Delivery
05

Remediation and Implementation

We deliver a prioritized remediation roadmap and support implementation: policy and procedure packs, consent and notice templates, Data Principal rights workflows, breach notification playbooks, processor due-diligence frameworks, and data retention and deletion plans.

06

Closure Validation

We perform a closure validation audit confirming all identified gaps are resolved, evidence is documented, and your organization can demonstrate DPDP compliance to the Data Protection Board, sectoral regulators, enterprise customers, and board-level stakeholders.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Indian Private Sector Bank

Read more client stories →

The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.


Lemon Audit Platform

Manages the entire DPDP compliance workflow: evidence collection, control owner assignment, gap tracking, remediation tickets, closure validation, and audit trail. Your compliance and legal teams get real-time visibility without email clutter.

B-52 Technical Validation

Validates privacy-impacting technical controls that advisory firms cannot test: consent API flows, data access controls, insecure API data exposure, logging and audit trails, deletion mechanism effectiveness, and data leakage through application and infrastructure paths.

ShadowMap External Monitoring

Monitors your external exposure continuously: leaked credentials on the dark web, exposed cloud storage buckets, developer leaks on code repositories, shadow IT assets, and third-party vendor signals that could indicate data exposure risk.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

Consent and Notice: Consent mechanism review, notice templat
Data Principal Rights: Workflow design and validation for right
Breach Notification: Breach notification playbook development
Security Safeguards: Technical validation of security control
Processor and Vendor Governance: Processor due-diligence framework, contr
Data Retention and Deletion: Data retention policy development, delet
Child Data Protection: Review of age verification mechanisms, v
Significant Data Fiduciary Obligations: SDF readiness assessment including Data

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

DPDP Compliance Assessment Report

Comprehensive assessment of your organization's compliance posture against every DPDP Act obligation with evidence references and gap analysis.

Data Fiduciary and Processor Role Mapping

Document mapping your entity roles, processing activities, and obligations under the DPDP Act.

Data Inventory and Processing Register

Complete inventory of personal data collected, stored, processed, and shared across systems, applications, and third parties.

Gap Assessment with Risk Ratings

Prioritized gap report with risk ratings, evidence status, and remediation recommendations for each identified non-compliance.

Policy and Procedure Pack

Privacy policy, data protection policy, consent management procedures, breach notification procedures, and data retention schedules.

Consent and Notice Templates

Ready-to-implement consent forms, privacy notices, and consent withdrawal workflows aligned to DPDP Act requirements.

Breach Notification Playbook

Step-by-step playbook for personal data breach notification to the Data Protection Board and affected Data Principals.

Data Principal Rights Workflow Documentation

Documented workflows for fulfilling access, correction, erasure, and nomination requests with SLA targets and escalation paths.

Processor and Vendor Due-Diligence Framework

Assessment framework and questionnaire for evaluating data processors and vendors against DPDP obligations.

Remediation Roadmap

Prioritized remediation plan with owners, target dates, effort estimates, and dependencies for each identified gap.

Board and Management Readiness Presentation

Executive presentation summarizing DPDP compliance posture, key risks, remediation progress, and investment requirements for board and management review.

Closure Validation Report

Post-remediation validation confirming all gaps are closed, evidence is documented, and compliance readiness is demonstrated.

Continuous Compliance with ShadowMap

The audit gives you a snapshot. ShadowMap gives you the always-on view.

An annual audit proves your posture at a single point in time. Between audits, attack surfaces drift, credentials leak, sub-domains get added, vendors get breached. ShadowMap watches the boundary continuously so the next audit isn't a surprise.

See the full ShadowMap platform. A 30-day POC is available in three models: Platform Only, Service Only, or Hybrid.

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

What is the DPDP Act 2023 and when does it come into effect?

The Digital Personal Data Protection Act, 2023 is India's comprehensive data protection law governing the processing of digital personal data. The DPDP Rules, 2025 were notified on 14 November 2025, giving full operational effect to the Act. The Data Protection Board of India was established by Gazette notification in November 2025 with its head office in the National Capital Region, making enforcement operational.

Who qualifies as a Data Fiduciary under the DPDP Act?

A Data Fiduciary is any entity that alone or in conjunction with others determines the purpose and means of processing digital personal data. This includes businesses, government bodies, and organizations that collect, store, or process personal data of individuals in India. If your organization decides what data to collect and why, you are a Data Fiduciary with obligations under the Act.

What are the penalties for DPDP Act non-compliance?

The DPDP Act prescribes penalties of up to INR 250 crore (approximately USD 30 million) per instance of non-compliance. Penalties apply to failures including inadequate security safeguards, breach notification failures, non-compliance with Data Principal rights, and violations of child data protection provisions. The Data Protection Board of India has the authority to investigate and impose these penalties.

What is a Significant Data Fiduciary and what additional obligations apply?

A Significant Data Fiduciary is an entity notified by the Central Government based on factors such as the volume and sensitivity of personal data processed and the risk to Data Principals. Additional obligations include appointing a Data Protection Officer based in India, conducting Data Protection Impact Assessments, undergoing independent data audits, and publishing the business contact information of the DPO and a representative for grievance redressal.

How is the DPDP Act different from GDPR?

The DPDP Act is India-focused, with a simpler structure and Indian terminology such as Data Fiduciary, Data Processor, and Data Principal. It focuses on consent, notice, rights, breach notification, grievance redressal, and child data protection. GDPR is EU-focused with global reach and has a more mature regulatory ecosystem, broader legal bases, DPIA requirements, Records of Processing Activities, DPO mandates, Standard Contractual Clauses, and cross-border transfer mechanisms. Indian enterprises serving EU customers or handling EU data may need to comply with both.

Does the DPDP Act apply to data processed outside India?

Yes. The DPDP Act applies to the processing of digital personal data outside India if such processing is in connection with any activity related to offering goods or services to Data Principals within India. This means international companies serving Indian customers or processing data of individuals in India fall within the scope of the Act.

What are Data Principal rights under the DPDP Act?

Data Principals have the right to access information about their personal data being processed, the right to correction and erasure of personal data, the right to nominate another person to exercise their rights, and the right to grievance redressal. Data Fiduciaries must establish workflows and mechanisms to fulfill these rights within the timelines prescribed by the Rules.

How long does a DPDP compliance assessment take?

A typical DPDP compliance assessment takes 8 to 12 weeks depending on organizational complexity, the number of data processing activities, vendor ecosystem size, and current compliance maturity. This includes applicability assessment, data inventory, gap analysis, technical validation, remediation support, and closure validation. Organizations with existing ISO 27001 or SOC 2 frameworks typically progress faster.

Can Security Brigade help with both DPDP and GDPR compliance simultaneously?

Yes. Security Brigade bridges DPDP with GDPR, SOC 2, ISO 27001, RBI, SEBI, and NPCI requirements in a single coordinated engagement. For Indian SaaS companies, fintechs, and enterprises with EU customers, this eliminates duplicate effort and ensures controls satisfy multiple frameworks. Our Lemon platform tracks compliance status across all applicable frameworks in a unified dashboard.

What are the DPDP Act requirements for child data protection?

The DPDP Act requires verifiable consent of the parent or lawful guardian before processing personal data of a child or of a person with disability who has a lawful guardian. Data Fiduciaries are prohibited from tracking, behavioral monitoring, and targeted advertising directed at children. Organizations processing child data must implement age verification mechanisms and parental consent workflows to comply with these provisions.

Start Your DPDP Compliance Journey Before Enforcement Catches Up

The DPDP Rules are notified, the Data Protection Board is operational, and Indian enterprises are expected to demonstrate compliance readiness. Do not wait for the first enforcement action to make headlines.

Typically responds within 1 business day · No commitment required

Request a Scoping Call