DPDP Act Compliance 2023: Complete India Guide for B2B SaaS

End-to-end DPDP Act 2023 compliance guide for Indian SaaS and BFSI teams — data fiduciaries, consent managers, penalties, and Bangalore implementation timelines.

API4SOC2 Editorial · 3 May 2026 · 17 min read

The Digital Personal Data Protection Act 2023 governs how you collect, process, store, and transfer personal data, and its obligations are materially different from those of the IT Act 2000 and the SPDI Rules 2011. If you run a B2B SaaS platform, a fintech wallet, or a HealthTech patient portal from Bangalore, DPDP compliance is now mandatory, and the Act changes your legal obligations in ways the old regime never did. This guide is the pillar reference we use with our own DPDP implementation clients, written for the CTO, the legal counsel, and the compliance officer who need to know exactly what to do, in what order, and by when.

Skip ahead to the implementation roadmap if you already understand the definitions. Otherwise, the article moves top-down: what the Act actually covers, who is a Data Fiduciary, how consent works, what the Data Protection Board can penalise, and how to build a compliance programme that survives a Bangalore regulator audit.

What the DPDP Act 2023 actually is

The Digital Personal Data Protection Act, 2023 (Act 22 of 2023) is India’s first comprehensive data-protection statute. It was enacted on 11 August 2023 and received presidential assent the same day. The Act creates a new regulator — the Data Protection Board of India — and introduces a consent-based framework for processing digital personal data of Indian residents.

The Act applies to:

  • Processing of digital personal data within India
  • Processing of digital personal data outside India if the processing is in connection with any activity related to offering goods or services to Data Principals within India

The Act does not apply to:

  • Personal data processed by an individual for personal or domestic purposes
  • Personal data that is made publicly available by the Data Principal
  • Data processed for research, archiving, or statistical purposes under specific exemptions

The DPDP Act is not a copy of GDPR. It borrows concepts, but the consent architecture, penalty structure, and board-enforcement model are materially different. Treating them as interchangeable is a common compliance failure.

Who is a Data Fiduciary under the DPDP Act

A Data Fiduciary is any person who alone or with others determines the purpose and means of processing personal data. In practice, this means:

  • SaaS platforms that collect user registration data
  • Fintechs that process KYC documents
  • E-commerce sites that store delivery addresses
  • HealthTech apps that process patient records
  • EdTech platforms that store student and parent data

Significant Data Fiduciaries (SDF)

The Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries based on:

  • Volume and sensitivity of personal data processed
  • Risk to the rights of Data Principals
  • Potential impact on the sovereignty and integrity of India
  • Risk to electoral democracy
  • Security of the State

SDFs face additional obligations: data protection impact assessments, appointment of a Data Protection Officer, periodic audits, and record-keeping requirements.

Practical SDF designation thresholds we see emerging

Although the Central Government has not yet published a definitive volumetric threshold, the consultation drafts and operational guidance from the Data Protection Board point at three indicative bands. Bangalore consumer SaaS platforms with more than 5 million Indian users should expect designation. Healthcare and EdTech entities handling sensitive personal data of children, patients, or financial records at scale are likely to be designated regardless of total user count. Cross-border data flow volume — particularly to non-notified jurisdictions — is also emerging as a designation trigger. We advise clients in these brackets to build SDF-grade controls preemptively rather than retrofitting after notification, because the Board has indicated that designation can take effect within 90 days of notice and the build-out of a DPIA programme alone takes longer than that.

What is a Data Principal under the DPDP Act

A Data Principal is the individual to whom the personal data relates. The Act recognises:

  • Adults who can exercise rights directly
  • Children (under 18) whose rights are exercised by parents or lawful guardians
  • Persons with disabilities whose rights may be exercised through a nominated representative

Children’s data processing carries heightened obligations: verifiable parental consent, no tracking, no behavioural monitoring, and no targeted advertising directed at children.

Data Principal rights — operational implementation

The Act grants four core rights that every Data Fiduciary must operationalise. These are not aspirational; they are statutorily enforceable, and the Data Protection Board has begun receiving complaints from Data Principals whose rights have not been honoured within reasonable timelines.

Right to access information about personal data. A Data Principal can request a summary of personal data being processed and the processing activities undertaken. The response must be furnished within a reasonable period — emerging board guidance suggests 30 days — in a format the Data Principal can understand. Most Bangalore SaaS platforms underestimate the engineering effort here: producing a complete inventory across customer-facing systems, internal tooling, third-party processors, and offline copies is materially harder than producing a CSV export from one database.

Right to correction and erasure. Inaccurate or out-of-date personal data must be corrected on request; personal data no longer needed for the purpose for which it was collected must be erased. Erasure is the operationally hardest right — most production architectures cascade data into analytics warehouses, backup snapshots, and third-party processors, and a single erasure request can trigger 12–18 downstream actions. Build the erasure pipeline before the first request lands; building it under regulatory pressure is materially more expensive.

Right of grievance redressal. Every Data Fiduciary must have a grievance redressal mechanism that responds within a reasonable timeframe. Bangalore consumer platforms typically need a dedicated DPDP grievance officer, separate from general customer support, with escalation to the Data Protection Board if grievances remain unresolved.

Right to nominate. A Data Principal can nominate another individual to exercise their rights in case of death or incapacity. This is a relatively novel right with limited operational precedent; most Indian organisations are in the design phase of accommodating it.
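The access and erasure rights above both depend on the same asset: an inventory of every store that holds a Data Principal's data. The following is an added example, not code from the original article or from API4SOC2, showing how one constructed inventory drives both the right-to-access summary and the erasure fan-out, with the evidence record staying open while any downstream copy is unconfirmed. Store names, field names, the action mapping and the handlers are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Data-flow inventory of a hypothetical wallet (constructed). In practice this is
# the Month 1 inventory: every store that holds a Data Principal's personal data.
@dataclass(frozen=True)
class DataStore:
    name: str
    kind: str                 # "primary", "warehouse", "backup" or "processor"
    fields: tuple
    cross_border: bool        # copy sits outside India

INVENTORY = (
    DataStore("users_db", "primary", ("name", "phone", "kyc_ref"), False),
    DataStore("events_warehouse", "warehouse", ("device_id", "screen_views"), True),
    DataStore("nightly_snapshot", "backup", ("name", "phone", "kyc_ref"), False),
    DataStore("sms_gateway", "processor", ("phone",), False),
)

# What erasure means per store kind (assumed mapping): live stores are deleted in
# place, immutable snapshots are scheduled to expire, processors are instructed.
ERASURE_ACTION = {"primary": "delete", "warehouse": "delete",
                  "backup": "expire_snapshot", "processor": "notify_processor"}

@dataclass
class ErasureAction:
    store: str
    action: str
    status: str = "pending"   # "pending", "done" or "failed"

def access_summary(inventory, principal_id: str) -> dict:
    """Right-to-access response: every store and field held for the principal,
    flagged where the copy sits outside India."""
    return {
        "principal_id": principal_id,
        "held_in": [{"store": s.name, "fields": list(s.fields),
                     "outside_india": s.cross_border} for s in inventory],
    }

def plan_erasure(inventory) -> List[ErasureAction]:
    """One action per inventoried store. A store of unknown kind raises a
    KeyError instead of being silently left out of the cascade."""
    return [ErasureAction(s.name, ERASURE_ACTION[s.kind]) for s in inventory]

def execute_erasure(plan: List[ErasureAction],
                    handlers: Dict[str, Callable[[ErasureAction], bool]]) -> dict:
    """Run each action through its handler and return an evidence record.
    A missing handler or a handler failure is recorded as failed, so the
    request is never closed while a downstream copy may still exist."""
    for act in plan:
        handler = handlers.get(act.action)
        try:
            act.status = "done" if handler and handler(act) else "failed"
        except Exception:
            act.status = "failed"
    failed = [a.store for a in plan if a.status != "done"]
    return {"total": len(plan), "done": len(plan) - len(failed),
            "failed": failed, "complete": not failed}

def demo() -> dict:
    """Constructed run: the SMS processor never acknowledges, so the request stays open."""
    handlers = {
        "delete": lambda a: True,
        "expire_snapshot": lambda a: True,
        "notify_processor": lambda a: False,   # processor did not confirm
    }
    return execute_erasure(plan_erasure(INVENTORY), handlers)

if __name__ == "__main__":
    print(demo())  # → {'total': 4, 'done': 3, 'failed': ['sms_gateway'], 'complete': False}
```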

The Act mandates that processing of personal data must be based on:

  1. Consent — free, specific, informed, unconditional, and unambiguous
  2. Legitimate uses — a narrow list including performance of government functions, employment, medical emergencies, and disasters

Consent must be:

  • Requested in clear and plain language
  • Separate from other terms and conditions
  • Granular (purpose-specific)
  • Revocable as easily as it was given

The Act introduces Consent Managers — entities that enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Sahamati and DigiLocker are emerging as the likely infrastructure layers for Indian consent management.

The “free, specific, informed, unconditional, and unambiguous” consent standard is more stringent than what most Indian B2C platforms shipped under the IT Act / SPDI Rules regime. In practice, this means a single sign-up checkbox covering “marketing, analytics, and product improvement” is no longer compliant. Each distinct purpose requires its own consent token, and the Data Principal must be able to revoke any one of them without breaking the others. Bangalore fintech wallets implementing this for the first time typically discover that their analytics-events pipeline is mixed in with their transactional pipeline, requiring a multi-month rework before the consent layer can route events selectively. Plan for this: the consent UI is the visible 10% of the work; the data-routing infrastructure is the invisible 90%.
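To make the per-purpose consent pattern concrete, here is an added example (not code from the original article or from API4SOC2) of a consent register that holds one token per purpose, rejects bundled purposes, withdraws one purpose without touching the others, and gates an event router so analytics events stop flowing while transactional events continue. Purpose names, principal ids and the event shapes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Granular purposes a wallet might declare in its notice (constructed names).
PURPOSES = ("wallet_transactions", "product_analytics", "marketing")

@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None

class ConsentRegister:
    """One consent token per (Data Principal, purpose); nothing is bundled."""

    def __init__(self, purposes: Iterable[str]):
        self.purposes = frozenset(purposes)
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}

    def grant(self, principal_id: str, purpose: str,
              now: Optional[datetime] = None) -> ConsentRecord:
        # A catch-all string such as "marketing, analytics, and product
        # improvement" is not a declared purpose and is rejected outright.
        if purpose not in self.purposes:
            raise ValueError(f"undeclared purpose: {purpose!r}")
        rec = ConsentRecord(purpose, now or datetime.now(timezone.utc))
        self._records.setdefault(principal_id, {})[purpose] = rec
        return rec

    def withdraw(self, principal_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        # Withdrawal touches exactly one purpose; other records are untouched.
        rec = self._records.get(principal_id, {}).get(purpose)
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        return True

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        rec = self._records.get(principal_id, {}).get(purpose)
        return rec is not None and rec.active

    def active_purposes(self, principal_id: str) -> List[str]:
        return sorted(p for p, r in self._records.get(principal_id, {}).items() if r.active)

def route_events(register: ConsentRegister,
                 events: Iterable[dict]) -> Tuple[List[dict], List[dict]]:
    """Forward an event only if its principal holds live consent for the
    purpose the event serves. This router is the choke point between the
    ingest path and the analytics / transactional sinks."""
    forwarded, dropped = [], []
    for ev in events:
        if register.has_consent(ev["principal_id"], ev["purpose"]):
            forwarded.append(ev)
        else:
            dropped.append(ev)
    return forwarded, dropped

def demo() -> Tuple[List[str], List[str]]:
    """Constructed walk-through: sign-up, then withdraw analytics only."""
    reg = ConsentRegister(PURPOSES)
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    reg.grant("dp-1001", "wallet_transactions", t0)
    reg.grant("dp-1001", "product_analytics", t0)
    reg.withdraw("dp-1001", "product_analytics", t0)   # one purpose only
    events = [   # constructed sample events, each tagged with its purpose
        {"principal_id": "dp-1001", "purpose": "wallet_transactions", "type": "transfer"},
        {"principal_id": "dp-1001", "purpose": "product_analytics", "type": "screen_view"},
        {"principal_id": "dp-1001", "purpose": "marketing", "type": "push_campaign"},
    ]
    forwarded, dropped = route_events(reg, events)
    return [e["type"] for e in forwarded], [e["type"] for e in dropped]

if __name__ == "__main__":
    print(demo())  # → (['transfer'], ['screen_view', 'push_campaign'])
```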

Cross-border data transfer rules

The Act permits cross-border transfer of personal data to any country except those notified by the Central Government as restricted. As of the most recent operational guidance, no countries have been formally notified as restricted, but the Board has indicated that countries failing to provide reciprocal data-protection guarantees may be added to the restricted list with 60-day notice. For Bangalore SaaS platforms with US-based cloud infrastructure, this means the current architecture is compliant — but the dependency on AWS US-East or GCP us-central is a structural risk that warrants a contingency plan. We recommend our clients design their data architecture so that personal data of Indian Data Principals can be redirected to AWS Mumbai or GCP Mumbai within 60 days if the Board adds the United States or any other major jurisdiction to the restricted list.

For BFSI, the DPDP consent layer overlays existing RBI requirements on customer authentication, account aggregator data flows, and KYC. The result is that a single Bangalore fintech wallet may need to honour DPDP consent, RBI Account Aggregator consent, and SEBI investor consent — all on different timelines and with different revocation semantics. We provide a unified consent abstraction layer in our DPDP implementations that maps each sectoral consent into a single user-facing UX, but the underlying obligations remain separate.

DPDP Act penalties: ₹50 Crore to ₹250 Crore by breach type

The Data Protection Board can impose penalties structured as follows:

  Breach type                                                          Maximum penalty
  Failure to take reasonable security safeguards                       ₹250 Crore
  Failure to notify the Board of a personal data breach                ₹200 Crore
  Failure to comply with obligations of a Significant Data Fiduciary   ₹150 Crore
  Failure to comply with duties of a Data Fiduciary (general)          ₹50 Crore
  Failure to comply with duties of a Data Principal                    ₹10,000

Penalties are adjudicated by the Data Protection Board, not civil courts. Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

DPDP implementation roadmap for Indian SaaS

Month 1 — Data inventory and classification

Map all personal data flows: what you collect, where it sits, who has access, how long you retain it, and where it crosses borders. This is the foundation of every downstream control.

Month 2 — Lawful basis and consent redesign

For each data flow, identify the legal basis. Redesign consent flows for web and mobile to meet the DPDP standard: free, specific, informed, unconditional, unambiguous, and easily withdrawable.

Month 3 — Policy and notice framework

Draft and approve: privacy notice, data retention schedule, data subject rights procedure, breach notification playbook, and vendor DPA templates.

Month 4 — Technical controls and access governance

Implement encryption at rest and in transit, role-based access control, audit logging, and data-localisation measures for sensitive categories.

Month 5 — DPO appointment and board registration

If you are or may be designated an SDF, appoint a Data Protection Officer and register with the Data Protection Board.

Month 6 — Audit and attestation

Engage an independent auditor for a DPDP readiness assessment. The auditor should verify that your controls map to the Act’s obligations and that your documentation will withstand regulatory scrutiny.

Industry vertical applications in Bangalore

The DPDP Act applies horizontally — every Data Fiduciary, regardless of industry, has the same baseline obligations. But the operational implementation differs sharply by sector, because the data flows, the volume of Data Principal interactions, the lawful-basis mix, and the sectoral regulatory overlay are all sector-specific. Below is the application of the Act to the verticals we deliver into most often from Bengaluru.

BFSI — banks, NBFCs, payment aggregators

RBI’s pre-existing data-protection regime — KYC norms, customer-information protection, payment-data localisation under the 2018 circular, account-aggregator framework — interacts with DPDP. Where they conflict, the more-stringent applies. Practical impact: BFSI Data Fiduciaries need a layered notice-and-consent architecture (RBI requirements + DPDP requirements), heightened security safeguards (DPDP “reasonable security safeguards” plus RBI’s prescriptive expectations), and breach-notification flows that satisfy CERT-In, RBI, and the Data Protection Board on overlapping but not identical timelines. Our BFSI engagements produce a unified compliance pack rather than four separate playbooks.

Fintech — lending, wealth, insurtech

Lending fintechs operating under the RBI Digital Lending Guidelines have specific consent, lookalike-data-restriction, and grievance-redressal obligations that pre-date DPDP. The Account Aggregator framework provides a Consent Manager rail that lending fintechs increasingly rely on; the DPDP-compliant consent record is generated through the Sahamati flow. Insurtech under IRDAI guidelines has data-classification and data-retention obligations that intersect with DPDP retention principles. Our fintech engagements integrate the sectoral specifics rather than treating DPDP as a layer on top.

HealthTech — telemedicine, diagnostics, EHR

Health data is sensitive personal data under the Act’s emerging guidance. The DISHA framework where applicable, the Telemedicine Practice Guidelines (March 2020), the National Digital Health Mission’s ABDM data-protection expectations, and the Clinical Establishments Act all interact with DPDP. Children’s data has specific additional obligations under DPDP, and paediatric and family-health applications need to design for them. Bangalore HealthTech engagements typically result in a longer-than-average documentation pack because the regulatory overlay is dense.

EdTech — school, higher-ed, professional learning

Children’s data under DPDP carries enhanced protection — age-verification, verifiable parental consent, prohibition on tracking and behavioural monitoring of children, prohibition on targeted advertising. EdTech platforms serving K–12 face the most-onerous DPDP implementation in any vertical because every interaction is potentially a child-data interaction. Our EdTech engagements typically focus on age-verification implementation and parental-consent workflow.

SaaS — B2B exporters and data processors

B2B SaaS operates in a layered relationship — Data Processor for customer data, Data Fiduciary for employee / lead / customer-employee data. The two roles have different obligations; conflating them produces compliance gaps. Our SaaS engagements untangle the two roles, draft the Data Processing Agreement clauses for each customer, and design the obligation-allocation between the SaaS company and the customer.

Consumer apps — e-commerce, social, content, gaming

Consumer apps with high-volume Data Principal interaction face the largest operational implementation surface. Notice-and-consent at scale, Data Principal rights workflow at volume, retention-policy enforcement across many data stores, and breach-notification readiness are all volume-driven challenges. Consumer apps are also the most-likely candidates for SDF designation; pre-emptively building SDF-grade controls is a defensible strategic move.

Cross-framework mapping

The DPDP Act intersects with several frameworks Indian organisations already maintain:

  • ISO 27001:2022 — Annex A 5.34 (privacy and data protection) and 5.35 (independent review) map directly to DPDP audit expectations. See our ISO 27001 service page.
  • SOC 2 — Common Criteria CC6.1 (logical access) and CC7.2 (system monitoring) support DPDP security-safeguard obligations. See our SOC 2 service page.
  • CERT-In Directions — Incident reporting under Direction 20(3)/2022 now overlaps with DPDP breach notification to the Board.
  • RBI Master Direction — BFSI entities must layer DPDP consent onto existing RBI outsourcing and data-localisation requirements.

Building a unified compliance backbone

Most Bangalore organisations we engage with already operate ISO 27001 or SOC 2; some operate both. Adding DPDP as a third parallel programme is operationally wasteful. Instead, we design a unified compliance backbone — a single control framework that satisfies all three frameworks with shared evidence, shared internal audit cycles, and shared management review meetings. The cost saving is roughly 35 to 45 per cent versus running three separate programmes; the audit burden on engineering teams is reduced by a similar margin. The cross-framework mapping above is the starting point for that consolidation.

Common DPDP compliance mistakes

  1. Treating DPDP as GDPR with a different name. The consent standard, penalty structure, and board-enforcement model are materially different.
  2. Ignoring children’s data obligations. EdTech and gaming platforms face the highest regulatory risk here.
  3. Failing to map cross-border transfers. The Act permits transfers to any country the Central Government has not notified as restricted; without an inventory of where personal data flows, you cannot redirect it if a jurisdiction is added to the restricted list.
  4. Overlooking employee data. Employment is a legitimate use, but employee data still requires notice and security safeguards.
  5. Waiting for the Board to publish detailed rules. The Act is already in force. Organisations should begin implementation now, not after subordinate legislation.
  6. Underestimating erasure-pipeline complexity. Building the deletion cascade across analytics warehouses, backups, and third-party processors takes 8–12 weeks of engineering effort that founders routinely under-scope.
  7. Treating the privacy notice as a marketing page. The notice has statutory content requirements; failing to include any required element exposes the entire notice to challenge.
  8. Confusing Data Processor obligations with Data Fiduciary obligations. B2B SaaS companies frequently mis-apply Fiduciary-level controls when only Processor-level controls are required, or vice versa.
  9. Skipping the DPIA for SDF candidates. Even if you have not been formally notified as an SDF, building the DPIA muscle pre-emptively is materially cheaper than retrofitting under regulatory pressure.
  10. Ignoring the grievance officer obligation. Most Indian platforms have customer-support but no dedicated grievance officer; the Board has indicated that this is a common compliance gap in early enforcement.

Vendor evaluation rubric for DPDP consulting

When selecting a DPDP implementation partner, ask:

  • Have you implemented DPDP programmes for Indian SaaS or BFSI entities? Theory is not enough; the Act’s Indian context matters.
  • Do you provide a fixed-price implementation scope in INR? Ambiguous hourly billing destroys budget predictability.
  • Can you map DPDP controls to ISO 27001 and SOC 2? Most Indian SaaS companies already maintain one or both.
  • Will the partner who scopes the engagement also attend the regulator meeting if required? Partner continuity matters.
  • Do you include a post-implementation audit and attestation letter? The Board may request evidence of independent review.

We answer all five specifically and in writing during scoping.

DPB enforcement trajectory — what we expect through 2026–2027

The Data Protection Board of India is operational but has been measured in initial enforcement, focusing on systemic clarification rather than aggressive penalisation. Industry watchers expect enforcement to scale through 2026 and 2027 as the Board builds investigative capacity, the DPDP Rules are tested in practice, and high-profile cases create precedent. Sectors expected to see early enforcement attention: EdTech (children’s data), HealthTech (sensitive data), large consumer platforms (volume), and B2B Data Processors that fail to flow contractual obligations through to sub-processors.

The defensible posture is to be operationally compliant before enforcement attention, rather than after. The cost of a DPDP compliance engagement is meaningfully less than the cost of post-enforcement remediation under DPB scrutiny — and is dramatically less than the headline penalty figures in the Schedule. Most Bangalore companies that engaged us through 2025 and early 2026 did so on this defensible-posture rationale rather than under specific complaint or investigation. We expect that posture to harden through 2027 as the first material enforcement actions are reported and procurement teams begin requiring DPDP attestation in vendor due-diligence packs.

DPDP terminology — a working glossary for engineering and product teams

The Act introduces a vocabulary that engineering and product teams should be operationally familiar with.

  • Personal data: any data about an individual who is identifiable by or in relation to such data.
  • Digital personal data: personal data in digital form.
  • Data Principal: the individual to whom the personal data relates; for children and persons with disabilities, the lawful guardian.
  • Data Fiduciary: the entity that determines the purpose and means of processing.
  • Data Processor: the entity that processes data on behalf of a Data Fiduciary.
  • Significant Data Fiduciary: a Data Fiduciary notified by the Central Government as such.
  • Processing: collection, recording, organisation, structuring, storage, use, alignment, combination, disclosure, dissemination, restriction, erasure, or destruction.
  • Consent Manager: a person registered with the Data Protection Board to manage consent on behalf of Data Principals.
  • Notice: the document the Data Fiduciary provides to the Data Principal at or before processing, in clear and plain language, in English or any of the languages specified in the Eighth Schedule of the Constitution.
  • DPIA: the Data Protection Impact Assessment required for SDFs.
  • Cross-border transfer: the transfer of personal data outside India.

The framework references should be precise: using “Data Subject” (the GDPR term) rather than “Data Principal” in a DPDP context is a small marker that the operational team has not yet read the actual statute.

Practical next steps

If you are in the data-inventory phase, start with the breach-type penalty table above to socialise the financial risk with your board. If you are mid-implementation, cross-reference your control set against the framework mapping. If you need a downloadable checklist for your compliance team, see our DPDP Compliance Checklist for B2B SaaS companion post.

For organisations that want a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope, fixed price in INR, and direct partner-level accountability through the engagement.

DPDP Act FAQ — questions Bangalore CTOs ask most often

When did the DPDP Act come into force? The Act received presidential assent on 11 August 2023. Specific provisions are being notified by the Central Government in tranches. Indian organisations should treat the Act as operationally in force and begin compliance work now.

Do I need to comply if I only have B2B customers? Yes. Even pure B2B SaaS platforms process personal data of employees, customer-employees, leads, and prospects. Every Bangalore B2B SaaS company is a Data Fiduciary for these data flows.

Is consent the only lawful basis for processing? No. The Act recognises consent and “legitimate uses” — a closed list that includes employment, performance of legal obligations, medical emergencies, government functions, and certain statutory purposes. The list is narrower than GDPR’s “legitimate interests” basis.

Do I need a Data Protection Officer? DPO appointment is mandatory only if you are notified as a Significant Data Fiduciary. Voluntary appointment is encouraged for organisations approaching SDF designation thresholds.

What is the breach-notification timeline? “As soon as reasonably practicable” — emerging guidance suggests 72 hours as the operational expectation, similar to GDPR. The CERT-In Direction 20(3)/2022 six-hour window applies in parallel for cyber-security incidents.

Can I keep using AWS US-East for processing Indian Data Principal data? Yes, provided the United States has not been notified as a restricted country. As of current operational guidance, no countries have been formally notified as restricted, but the architecture should accommodate redirection within 60 days if notification occurs.

What if my customer is the Data Fiduciary and I am only the Data Processor? Your obligations are governed by your DPA with the customer plus the Act’s direct obligations on Data Processors. The DPA must include the Act’s mandatory clauses for processor agreements.

Are there penalties for non-compliance even before formal designation? Yes. The penalty structure applies to all Data Fiduciaries, not only SDFs. The general Data Fiduciary penalty band is up to ₹50 Crore per breach.

How does DPDP interact with sectoral regulations like RBI Cyber Security Framework? Sectoral regulations apply in addition to the Act, not as substitutes. Where they conflict, the more-stringent obligation applies. BFSI Data Fiduciaries face the most-layered compliance regime.

What is the children’s-data threshold? A child is anyone under 18. There is no GDPR-style “16 with parental consent” carve-out. EdTech and gaming platforms face the most-onerous implementation.

Do I need to register the Data Protection Officer with the Board? SDF designation triggers the DPO appointment, and the appointment is reportable to the Board. Non-SDF Data Fiduciaries who appoint a DPO voluntarily do not face a registration requirement.

Can I rely on cookie banners as DPDP consent? Standard cookie banners typically do not meet the DPDP “free, specific, informed, unconditional, unambiguous” standard. Most Bangalore platforms need to redesign their consent UI for DPDP compliance.

What evidence does the Board expect during enforcement action? Documented data inventory, lawful-basis mapping, consent records, Data Principal rights workflow records, breach-notification records, vendor DPAs, security-control documentation, internal audit reports, management review minutes. Organisations that maintain this documentation continuously are well-positioned for enforcement.

API4SOC2 Editorial
Compliance Practice Lead, Bengaluru
Bengaluru-based partner at API4SOC2. CERT-In empanelled lead auditor with 12+ years of compliance practice across Indian BFSI, fintech, and SaaS engagements. Has signed off on 80+ SOC 2 and ISO 27001 attestations.