On this page · 7 sections
Summary. India's data-protection clock is ticking on a fixed schedule. The Digital Personal Data Protection Rules were notified on November 13, 2025, the Consent Manager framework becomes operational on November 13, 2026, and the full weight of the Act, covering consent, data-principal rights, breach notification, children's data and cross-border transfer, is enforceable from May 13, 2027. Penalties reach up to ₹250 crore for failing to implement reasonable security safeguards, and they are counted per violation, not capped per year. The Act covers any app offering goods or services to people in India, whatever country you are incorporated in. Retrofitting compliance later is expensive and fragile. eCorpIT, a Gurugram-based, CMMI Level 5 consultancy founded in 2021, builds fintech and healthcare apps that are DPDP-ready by design. Here is what that means and how we do it.
Why this matters now, not in 2027
Teams that read May 2027 as a distant deadline miss the intermediate one. The Consent Manager framework activates in November 2026, and consent captured before your data model supports withdrawal, purpose limitation and audit is consent you will have to re-collect. Because the Act reaches any service offered to people in India, an app on the Indian App Store or Play Store is covered regardless of where the company sits. Building the controls in from the first sprint is far cheaper than bolting them on after launch, which is the same lesson we drew from India's IT Rules 2026 for synthetic content.
| Phase | Date | What activates |
|---|---|---|
| Scope | In force now | Any app offering goods or services to people in India |
| Rules notified | November 13, 2025 | Framework and phased compliance calendar |
| Consent Manager framework | November 13, 2026 | Consent Managers operational and registered |
| Full compliance | May 13, 2027 | Consent, rights, breach, children, cross-border enforceable |
| Penalty exposure | In force | Up to ₹250 crore, counted per violation |
The requirements that shape the build
DPDP is not a privacy policy you paste in at the end; it is a set of constraints on the data model, the consent flow and the logging. The requirements below decide the architecture.
| Requirement | What eCorpIT implements | Why it matters |
|---|---|---|
| Consent | Purpose-specific, unbundled, withdrawable consent with local-language options | Pre-ticked or bundled consent is non-compliant |
| Data minimisation | Collect only what is needed, with least-privilege access | Smaller data footprint lowers breach and penalty risk |
| Data-principal rights | Access, correction and erasure flows | Rights become enforceable from May 2027 |
| Breach readiness | Detection plus 72-hour data-principal notification tooling | Board and affected users must be notified |
| Children's data | Verifiable parental consent; no behavioural tracking of minors | Strict rules apply to anyone under 18 |
| Data residency | Regional residency for BFSI and health workloads | Sensitive sectors face localisation pressure |
Consent is the clearest example. The Act requires consent that is clear, specific, freely given, collected separately from your terms of service, and withdrawable, with local-language options. Pre-ticked checkboxes, consent buried in onboarding, and blanket "by using this service you agree" language are all non-compliant, so the consent flow has to be designed, not decorated.
What "DPDP-ready by design" means in practice
We treat data protection as an architecture decision. From the first sprint, we model only the personal data the product genuinely needs, wire purpose-specific consent that a user can withdraw, and give every data field a defined retention and access rule. We build the access, correction and erasure flows that data-principal rights require, and we add breach detection with a notification path that meets the 72-hour window to affected users. Every access to personal data is logged so the system is auditable. We design applications aligned with DPDP requirements rather than claiming certification, and we build the same way for the sectors where the data is most sensitive.
Fintech and healthcare specifics
These two sectors carry the heaviest load. For fintech, the DPDP obligations sit on top of RBI data-localisation norms for payment-system data and outsourcing rules for financial entities, so regional data residency and tight vendor controls are part of the build, not an afterthought. Our fintech app development priorities cover the wider stack. For healthcare, health data is among the most sensitive categories, and localisation pressure is strongest, so we default to hybrid architectures with data kept in-region; our healthcare app development guide goes deeper. Both should plan for significant-data-fiduciary-grade readiness now, before formal designation.
FAQ
How eCorpIT can help
eCorpIT is a Gurugram-based, CMMI Level 5 and MSME-certified consultancy founded in 2021, with senior engineers who build fintech and healthcare apps for the Indian market. We design consent, data minimisation, breach tooling and regional residency into the product from the first sprint, aligned with DPDP and RBI requirements rather than claiming certification. To scope a DPDP-ready build, talk to our team.
References
- India DPDP Act 2026: compliance reality for app developers - MakeAnAppLike.
- India DPDP Act for mobile apps: compliance deadlines, penalties, and what developers must do now - Respectlytics.
- How to build DPDP-compliant applications in India - Mobisoft Infotech.
- India DPDP Act Phase 1: complete compliance guide - Secure Privacy.
- DPDP Act compliance checklist India 2026 - Vakilsearch.
- Digital Personal Data Protection Act India: compliance guide 2026 - Atlas Systems.
_Last updated: July 10, 2026._