DPDP-ready by design: eCorpIT's compliant app development for Indian fintech and healthcare

DPDP compliance lands in phases through May 2027, with penalties up to Rs250 crore. eCorpIT builds fintech and healthcare apps DPDP-ready by design.

Read time
7 min
Word count
739
Sections
7
FAQs
8
Share
Glowing smartphone wrapped in a data shield with consent icons over India map
eCorpIT builds fintech and healthcare apps that are DPDP-ready by design.
On this page · 7 sections
  1. Why this matters now, not in 2027
  2. The requirements that shape the build
  3. What "DPDP-ready by design" means in practice
  4. Fintech and healthcare specifics
  5. FAQ
  6. How eCorpIT can help
  7. References

Summary. India's data-protection clock is ticking on a fixed schedule. The Digital Personal Data Protection Rules were notified on November 13, 2025, the Consent Manager framework becomes operational on November 13, 2026, and the full weight of the Act, covering consent, data-principal rights, breach notification, children's data and cross-border transfer, is enforceable from May 13, 2027. Penalties reach up to ₹250 crore for failing to implement reasonable security safeguards, and they are counted per violation, not capped per year. The Act covers any app offering goods or services to people in India, whatever country you are incorporated in. Retrofitting compliance later is expensive and fragile. eCorpIT, a Gurugram-based, CMMI Level 5 consultancy founded in 2021, builds fintech and healthcare apps that are DPDP-ready by design. Here is what that means and how we do it.

Why this matters now, not in 2027

Teams that read May 2027 as a distant deadline miss the intermediate one. The Consent Manager framework activates in November 2026, and consent captured before your data model supports withdrawal, purpose limitation and audit is consent you will have to re-collect. Because the Act reaches any service offered to people in India, an app on the Indian App Store or Play Store is covered regardless of where the company sits. Building the controls in from the first sprint is far cheaper than bolting them on after launch, which is the same lesson we drew from India's IT Rules 2026 for synthetic content.

Phase Date What activates
Scope In force now Any app offering goods or services to people in India
Rules notified November 13, 2025 Framework and phased compliance calendar
Consent Manager framework November 13, 2026 Consent Managers operational and registered
Full compliance May 13, 2027 Consent, rights, breach, children, cross-border enforceable
Penalty exposure In force Up to ₹250 crore, counted per violation

The requirements that shape the build

DPDP is not a privacy policy you paste in at the end; it is a set of constraints on the data model, the consent flow and the logging. The requirements below decide the architecture.

Requirement What eCorpIT implements Why it matters
Consent Purpose-specific, unbundled, withdrawable consent with local-language options Pre-ticked or bundled consent is non-compliant
Data minimisation Collect only what is needed, with least-privilege access Smaller data footprint lowers breach and penalty risk
Data-principal rights Access, correction and erasure flows Rights become enforceable from May 2027
Breach readiness Detection plus 72-hour data-principal notification tooling Board and affected users must be notified
Children's data Verifiable parental consent; no behavioural tracking of minors Strict rules apply to anyone under 18
Data residency Regional residency for BFSI and health workloads Sensitive sectors face localisation pressure

Consent is the clearest example. The Act requires consent that is clear, specific, freely given, collected separately from your terms of service, and withdrawable, with local-language options. Pre-ticked checkboxes, consent buried in onboarding, and blanket "by using this service you agree" language are all non-compliant, so the consent flow has to be designed, not decorated.

What "DPDP-ready by design" means in practice

We treat data protection as an architecture decision. From the first sprint, we model only the personal data the product genuinely needs, wire purpose-specific consent that a user can withdraw, and give every data field a defined retention and access rule. We build the access, correction and erasure flows that data-principal rights require, and we add breach detection with a notification path that meets the 72-hour window to affected users. Every access to personal data is logged so the system is auditable. We design applications aligned with DPDP requirements rather than claiming certification, and we build the same way for the sectors where the data is most sensitive.

Fintech and healthcare specifics

These two sectors carry the heaviest load. For fintech, the DPDP obligations sit on top of RBI data-localisation norms for payment-system data and outsourcing rules for financial entities, so regional data residency and tight vendor controls are part of the build, not an afterthought. Our fintech app development priorities cover the wider stack. For healthcare, health data is among the most sensitive categories, and localisation pressure is strongest, so we default to hybrid architectures with data kept in-region; our healthcare app development guide goes deeper. Both should plan for significant-data-fiduciary-grade readiness now, before formal designation.

FAQ

How eCorpIT can help

eCorpIT is a Gurugram-based, CMMI Level 5 and MSME-certified consultancy founded in 2021, with senior engineers who build fintech and healthcare apps for the Indian market. We design consent, data minimisation, breach tooling and regional residency into the product from the first sprint, aligned with DPDP and RBI requirements rather than claiming certification. To scope a DPDP-ready build, talk to our team.

References

  1. India DPDP Act 2026: compliance reality for app developers - MakeAnAppLike.
  1. India DPDP Act for mobile apps: compliance deadlines, penalties, and what developers must do now - Respectlytics.
  1. How to build DPDP-compliant applications in India - Mobisoft Infotech.
  1. India DPDP Act Phase 1: complete compliance guide - Secure Privacy.
  1. DPDP Rules 2025: India's complete compliance guide - Seclore.
  1. India's DPDP Rules 2025: a practical guide with implementation checklist - Scrut.
  1. DPDP Act compliance checklist India 2026 - Vakilsearch.
  1. India Digital Personal Data Protection Act (DPDPA 2025): updated guide - CookieYes.
  1. Digital Personal Data Protection Act India: compliance guide 2026 - Atlas Systems.
  1. DPDP Act 2025: rules, compliance requirements and penalties explained - Prophaze.

_Last updated: July 10, 2026._

Frequently asked

Quick answers.

01 Who does the DPDP Act apply to?
It applies to any entity processing the personal data of individuals in India in connection with offering goods or services. If your app is available on the Indian App Store or Play Store, you are covered regardless of where your company is incorporated. Both Indian and foreign businesses serving Indian users fall within scope.
02 When must apps be DPDP compliant?
The Rules were notified on November 13, 2025, the Consent Manager framework becomes operational on November 13, 2026, and full substantive compliance, covering consent, rights, breach notification, children's data and cross-border transfer, is enforceable from May 13, 2027. Building controls in before those dates avoids costly retrofitting and re-collection of consent later.
03 What are the DPDP consent requirements?
Consent must be clear, specific, freely given and purpose-limited, collected separately from your terms of service, offered in local languages, and withdrawable as easily as it was given. Pre-ticked checkboxes, consent buried in onboarding flows, and blanket "by using this service you agree" wording are all non-compliant under the Rules.
04 What is the DPDP breach notification rule?
On discovering a personal-data breach, a Data Fiduciary must notify the Data Protection Board with details of the breach, the categories and number of people affected, likely consequences and measures taken. Affected individuals must be notified within 72 hours in plain language, including what data was exposed and how to seek help.
05 How does DPDP treat children's data?
The Act defines a child as anyone under 18 and imposes the strictest requirements. A Data Fiduciary must obtain verifiable parental consent before processing a child's data, and the Act prohibits behavioural monitoring of children, targeted advertising directed at them, and any processing likely to cause harm. Apps serving minors must design for this from the start.
06 Does DPDP require data localization?
The Act does not impose blanket localisation, but sensitive sectors face pressure. BFSI, healthcare and government-adjacent workloads should expect data-residency expectations, and RBI already requires localisation of payment-system data. We default to hybrid architectures with regional residency controls for these workloads, which is the safer design given the direction of the rules.
07 What does eCorpIT build for DPDP compliance?
We build the controls into the app: purpose-specific, withdrawable consent, data minimisation with least-privilege access, access, correction and erasure flows, breach detection with 72-hour notification, verifiable parental consent for minors, and regional data residency for sensitive workloads. Every access to personal data is logged so the system stays auditable through go-live and beyond.
08 What are the penalties under the DPDP Act?
The Schedule to the Act sets upper-limit penalties of up to ₹250 crore for failing to implement reasonable security safeguards. Crucially, penalties are assessed per violation rather than as an annual cap, so every unresolved obligation is a separate count, which is why designing compliance in from the start materially lowers exposure.

About the author

Manu Shukla

Founder & Director

Founder of eCorpIT. Hands-on engineer leading senior-only delivery for AI apps, custom software, and cloud systems for global clients.

Subscribe

One engineering note a week. No fluff, no spam.

Senior-architect playbooks on AI agents, mobile apps, cloud, security, data, and marketing — delivered every Wednesday.

Past the reading

Read enough. Let's build something.

A senior architect responds in 24 working hours with scope, indicative cost, and a timeline. NDA before any technical conversation.