DPDP Act 2026: the engineering playbook for Indian startups (deadlines, consent, breach)

DPDP Rules 2025 set full compliance for mid-May 2027 with fines up to Rs 250 crore. Here is the system-by-system engineering playbook for startups.

Read time
11 min
Word count
1.7K
Sections
9
FAQs
8
Share
A glowing data vault with locked document panels flowing along guided pathways, representing privacy engineering
DPDP turns consent, retention and breach response into engineering requirements.
On this page · 9 sections
  1. The DPDP timeline: what is due when
  2. Who this applies to
  3. The engineering work, system by system
  4. What it costs to get wrong
  5. DPDP vs GDPR: what changes for engineers
  6. A 2026 build plan
  7. FAQ
  8. How eCorpIT can help
  9. References

Summary. India's Digital Personal Data Protection (DPDP) Rules, 2025 were notified in November 2025, and the deadlines are now fixed. The Data Protection Board of India is already live and taking complaints. The consent manager framework becomes operational in November 2026, and full compliance with every substantive obligation is due by mid-May 2027. Get it wrong and a single failure to keep reasonable security safeguards can cost up to Rs 250 crore, about $30 million; a missed breach notice up to Rs 200 crore; and penalties stack. Yet only 16% of Indian consumers understand the law, per a PwC India survey, while cyber incidents in India rose from 1.03 million in 2022 to 2.27 million in 2024. DPDP is not a policy document your legal team files away. It is a set of engineering requirements: consent as an auditable transaction, data-flow maps, 72-hour breach detection, erasure by design, and rights fulfilled within 90 days. This is the build playbook.

For a startup, 2026 is the build year. The runway to mid-May 2027 looks long until you count what has to change: every consent screen, every data store, every vendor contract, every logging pipeline, and the breach playbook you probably do not have yet. Joseph Harisson, CEO at IT Companies Network, put the shift plainly: "Privacy has transformed from a mere compliance requirement to a fundamental human right." The teams that treat DPDP as an engineering program starting now, rather than a legal scramble in early 2027, are the ones that will ship on time without a rebuild.

We build DPDP-aligned systems for Indian companies at eCorpIT, so this guide is written for founders and engineering leads who have to turn the Rules into code, not slides.

The DPDP timeline: what is due when

The Rules use a phased rollout, confirmed by Scrut's implementation guide and the government notification. Three dates matter.

Phase Date What it unlocks
Board live November 2025 Data Protection Board of India operational; complaints can be filed
Consent managers November 2026 Consent manager registration opens (12 months post-notification)
Full compliance Mid-May 2027 Notice, security, breach reporting, data-principal rights all enforceable

There is no expected grace period. Because the Board is already operational, the practical message is that enforcement infrastructure exists today and the substantive obligations arrive in about ten months. A build that starts in Q3 2026 has time to design, test, and harden. One that starts in 2027 does not.

Who this applies to

DPDP uses three roles. The Data Fiduciary decides why and how personal data is processed, the equivalent of a controller. The Data Processor processes on the Fiduciary's behalf. The Data Principal is the individual, including your users, employees, and contractors. The rule that trips teams up: compliance responsibility rests with the Data Fiduciary even when a processor does the actual handling, so your vendor contracts have to carry the obligations down the chain.

Reach is broad. The Act applies to any business processing digital personal data in connection with offering goods or services to individuals in India, regardless of where the business sits. A startup incorporated in Singapore or Delaware serving Indian users is in scope. Data collected offline and later digitised counts too.

The engineering work, system by system

Here is the part most summaries skip: what you actually build. Each item below maps to a specific Rule.

1. Consent and notice as an auditable transaction

Under Rule 3, the notice must be standalone, in clear plain language, separate from your terms of service, and list the exact data collected and the specific purpose. Pre-ticked boxes and bundled consent are dead. Engineering implications: a consent service that versions every notice, records the exact text a user agreed to and when, stores consent artifacts you can produce on demand, and makes withdrawal as easy as granting. Notices must be available in English and any of the 22 official Indian languages, so build for localisation from the start.

The consent manager framework (Rule 4) adds a second track. These are registered, India-incorporated intermediaries that let a user manage consent across many companies from one interoperable interface. You will not run one, but your systems must be able to accept and honour consent signals from a registered consent manager. Design the consent service with an API boundary now, not later.

2. Data-flow mapping and data inventory

You cannot honour purpose limitation or erasure if you do not know where data lives. The first build task is a complete inventory: every system, table, log, cache, analytics pipeline, and third-party vendor that touches India-linked personal data, tagged with purpose and legal basis. This is unglamorous plumbing and it is the foundation for everything else. Teams that skip it discover, during a breach or an access request, that personal data sits in five places they forgot. Treat it like the data-layer work in any serious monolith-to-microservices modernisation: map before you move.

3. Erasure and retention by design

Rule 8 enforces purpose limitation. Once the purpose you collected data for is served, you must erase it. Rule 6 requires you to keep security and processing logs for at least one year for detection and investigation. Large online platforms must erase certain user data after a defined period of inactivity and notify the user at least 48 hours before deletion. Engineering implication: retention is a first-class property of every data store, not an afterthought. Build TTL policies, automated deletion jobs, and a 48-hour pre-deletion notification path, and make sure erasure cascades through backups and analytics copies, which is where most deletion promises quietly break.

4. Breach detection and the 72-hour clock

Rule 7 is the sharpest operational demand. On becoming aware of a personal data breach, you must notify affected Data Principals without delay and file a detailed report with the Data Protection Board within 72 hours. Seventy-two hours is not long once you account for detection lag. This forces real security monitoring: intrusion detection, log aggregation, and alerting that surfaces a breach in hours, not weeks, plus an incident-response runbook, pre-written notification templates, and a rehearsed escalation path. Run tabletop exercises before enforcement, not after your first real incident.

5. Data principal rights within 90 days

Individuals can request access to a summary of their data, correction, completion, and erasure, and you must respond within 90 days. That means a rights-request pipeline: intake, identity verification, retrieval across every system in your inventory, and an auditable response. If your data is scattered and undocumented, a single access request becomes a fire drill. The inventory from step two is what makes this a routine job instead.

6. Children's data and verifiable parental consent

For anyone under 18, you need verifiable parental or guardian consent before processing, and targeted advertising or profiling of minors is prohibited. India's threshold of 18 is higher than many jurisdictions, so a design copied from another market will not pass. If your product can be used by minors, build an age-assurance and parental-consent flow, and gate ad and profiling logic behind it.

Beyond these, entities the government designates as Significant Data Fiduciaries face extra duties (Rule 13): an India-based Data Protection Officer, annual Data Protection Impact Assessments, and an independent audit every twelve months. Most startups will not be designated at launch, but if you process large volumes of sensitive data, design for it early so the audit does not become a rebuild.

What it costs to get wrong

The penalties are set by failure type under the DPDP Act's schedule, and they stack across categories.

Violation Maximum penalty Trigger
No reasonable security safeguards Rs 250 crore (~$30M) A breach caused by weak security
Failure to notify a breach / children's rules Rs 200 crore (~$25M) Missing the notice duty or minor protections
Any other Data Fiduciary violation Rs 50 crore (~$6M) Catch-all for other breaches of duty

Put those next to the operational cost of a breach. IBM estimates the average data breach in India at about Rs 220 million, driven by response, downtime, and lost trust. The regulatory fine is the visible number; the cleanup is the one that sinks a young company. For a startup, the cheapest path is to engineer the safeguards before the Board ever has a reason to look.

DPDP vs GDPR: what changes for engineers

If your team already built for GDPR, most of the machinery transfers, but three differences change the design.

Dimension DPDP (India) GDPR (EU)
Lawful basis Consent plus a few limited legitimate uses Six lawful bases, including legitimate interest
Breach notice Affected users without delay; Board within 72 hours Authority within 72 hours; users if high risk
Children Verifiable parental consent under 18 Threshold 13 to 16 by member state
Cross-border Allowed unless a country is on a negative list Adequacy decisions and safeguards required
Data localisation No blanket localisation; negative-list model No general localisation mandate

The practical takeaway: DPDP leans harder on consent than GDPR, so your consent infrastructure carries more weight, and the higher age threshold means minor-facing products need a stricter gate. The cross-border "negative list" is friendlier than GDPR's adequacy regime, but it can change by notification, so keep data-transfer paths configurable.

A 2026 build plan

Sequence the work so the foundation comes first. Start with the data inventory and flow map, because consent, erasure, and rights all depend on knowing where data lives. Next, rebuild consent and notice, since that is the highest-traffic user-facing change and the one regulators see first. Then wire retention and erasure into every store, stand up breach detection and the 72-hour runbook, and finish with the rights-request pipeline. Update vendor and processor contracts in parallel, because those are legal lead-time items. Teams pairing this with an enterprise AI and data strategy or a broader cloud cost and architecture review can fold privacy engineering into work they are already funding, which is the cheapest way to absorb it.

Sector matters too. If you handle health data, the sensitivity raises the stakes, as our work on healthcare app development and AI medical diagnosis in Indian hospitals shows. Fintech and consumer apps carry similar weight. Build the privacy layer to the standard your most sensitive data demands.

FAQ

How eCorpIT can help

eCorpIT is a Gurugram technology consultancy, founded in 2021, with CMMI Level 5 certification and senior-led engineering teams that design applications aligned with DPDP Act requirements. We run the data inventory and flow mapping, build versioned consent and notice services with consent-manager-ready APIs, wire retention and erasure into every store, and stand up the detection and runbook that meet the 72-hour breach obligation. We work across fintech, healthcare, and consumer products where data sensitivity is highest. If 2026 is your build year, talk to our team about a DPDP engineering plan scoped to your stack and timeline.

References

  1. DPDP Rules, 2025 notification — Press Information Bureau, Government of India
  1. DPDP Act penalties and fines (up to Rs 250 crore) — iSpectra Technologies
  1. India's DPDP Rules 2025: a practical guide with implementation checklist — Scrut
  1. Enforcement of the DPDP Act and notification of the DPDP Rules — Shardul Amarchand Mangaldas
  1. The DPDP: an 18-month compliance imperative for the C-suite — Anand and Anand
  1. Data protection laws in India — DLA Piper
  1. Only 16% of Indian consumers understand the DPDP Act — PwC India
  1. Cost of a data breach report — IBM
  1. Cyber incidents in India, 2022 to 2024 — Press Information Bureau
  1. Telecom Disputes Settlement and Appellate Tribunal — appellate authority for DPDP decisions

_Last updated: 18 July 2026._

Frequently asked

Quick answers.

01 When is the DPDP compliance deadline?
The DPDP Rules, 2025 were notified in November 2025 with a phased timeline. The Data Protection Board is live now, the consent manager framework becomes operational in November 2026, and full compliance with all substantive obligations is due by mid-May 2027. No grace period is expected, so 2026 is the build year for engineering teams.
02 What are the penalties under the DPDP Act?
Penalties are set by failure type and can stack. Failing to keep reasonable security safeguards during a breach can cost up to Rs 250 crore, about $30 million. Failure to notify a breach or breaches of children's rules can reach Rs 200 crore, and any other Data Fiduciary violation up to Rs 50 crore.
03 What is the DPDP breach notification requirement?
Under Rule 7, once you become aware of a personal data breach you must notify affected Data Principals without delay and file a detailed report with the Data Protection Board within 72 hours. Meeting that clock requires real-time detection, log aggregation, alerting, and a rehearsed incident-response runbook, not a manual scramble after the fact.
04 Does DPDP apply to startups outside India?
Yes. The Act applies to any business processing digital personal data in connection with offering goods or services to individuals in India, regardless of where the business is incorporated. A startup based abroad that serves Indian users is a Data Fiduciary under the law and must meet the same obligations as a domestic company.
05 What is a consent manager under DPDP?
A consent manager is a registered, India-incorporated intermediary that lets a Data Principal give, review, and withdraw consent across multiple companies from one interoperable interface. You will not operate one, but your systems must be able to accept and honour consent signals from registered consent managers once that framework goes live in November 2026.
06 How should we handle children's data?
For anyone under 18, DPDP requires verifiable parental or guardian consent before processing, and it prohibits targeted advertising and profiling of minors. India's age threshold of 18 is higher than many jurisdictions, so you must build a dedicated age-assurance and parental-consent flow and gate advertising and profiling logic behind it rather than reusing another market's design.
07 How long can we retain personal data?
Only as long as the stated purpose of collection is served; after that, Rule 8 requires erasure. Security and processing logs must be kept at least one year. Large online platforms must erase certain user data after a period of inactivity and notify the user at least 48 hours before deletion, so retention has to be automated per data store.
08 Do we need a Data Protection Officer?
Not every company does. A DPO is mandatory only for entities the government designates as Significant Data Fiduciaries, which also face annual impact assessments and independent audits. For other businesses it is a best practice. If you process large volumes of sensitive data, design for the DPO and audit obligations early so they do not force a later rebuild.

About the author

Manu Shukla

Founder & Director

Founder of eCorpIT. Hands-on engineer leading senior-only delivery for AI apps, custom software, and cloud systems for global clients.

Subscribe

One engineering note a week. No fluff, no spam.

Senior-architect playbooks on AI agents, mobile apps, cloud, security, data, and marketing — delivered every Wednesday.

Past the reading

Read enough. Let's build something.

A senior architect responds in 24 working hours with scope, indicative cost, and a timeline. NDA before any technical conversation.