Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.

DPDP Rules 2025 Now Notified
From gap assessment to board-ready compliance — Tsaaro's structured DPDPA programme aligns your organisation with the Digital Personal Data Protection Act 2023 and DPDP Rules 2025, without disrupting operations.
Rules Notified: Nov 2025
Consent Manager Active: Nov 2026
Full Enforcement: May 2027
Max Penalty: ₹250 Cr
Overview
What is the DPDPA?
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's data privacy law aimed at protecting personal data in the digital ecosystem and strengthening individual privacy rights. It establishes a legal framework for the responsible use of digital personal data while promoting transparency, accountability, and trust in digital services. The law gives individuals greater control over their personal information through rights such as access, correction, withdrawal of consent, data erasure, nomination, and grievance redressal. It also introduces enforcement mechanisms and penalties for data misuse and breaches, making it a significant step in India's evolving privacy and cybersecurity framework.
What is DPDPA Compliance & Who does DPDPA apply to?
DPDPA compliance means aligning your organisation’s data-handling practices with the requirements of India’s Digital Personal Data Protection Act 2023 and the DPDP Rules 2025. If your business processes personal data of individuals in India, you may be classified as a data fiduciary under the law. This usually includes but is not limited to companies operating in sectors such as:
SaaS & Technology
Fintech & Banking
Healthcare
E-commerce
Education
HR & Recruitment
Retail & Consumer
The law applies regardless of where the organisation is located, provided it processes the personal data of individuals in India. An organisation may also be categorised as a Significant Data Fiduciary (SDF) based on factors such as the volume and sensitivity of the personal data it processes, the potential risk to individuals, and its overall impact on the digital ecosystem.
DPDP Rules 2025 - Key changes and Timeline
Before the DPDP Act and the DPDP Rules 2025, India did not have a standalone and comprehensive data protection framework, relying mainly on the Information Technology Act 2000 and the SPDI Rules 2011, which provided limited protection for sensitive personal data.
The DPDP Rules 2025 significantly expand and clarify the legal framework by introducing detailed operational requirements for consent management, privacy notices, breach reporting, grievance redressal, children’s data protection, and the functioning of the Data Protection Board of India. Unlike the earlier regime, the Rules establish a structured, consent-driven approach to personal data processing and provide clearer accountability mechanisms and higher financial penalties for non-compliance.
Key Obligations under DPDP Act
Under the Digital Personal Data Protection Act (DPDPA), organisations processing personal data must follow a set of core compliance obligations to ensure lawful, transparent, and secure data handling practices.
Obtain Valid Consent
Organisations must collect free, specific, informed, unconditional, and unambiguous consent before processing personal data. Individuals should also be able to withdraw consent as easily as they provided it.
Process Data for Lawful Purposes
Personal data may only be processed for legitimate uses, i.e. purposes pre-approved under the DPDP Act 2023, or for purposes clearly communicated to the individual and covered by their explicit consent. Organisations cannot use personal data for unrelated activities unless fresh consent or another lawful basis is available under the law. Purpose limitation is one of the core principles of DPDPA compliance and helps prevent misuse of personal information.
Respect Data Principal Rights
Businesses must provide mechanisms for individuals to access, correct, update, or erase their personal data, exercise their right to nominate, and seek effective grievance redressal.
Implement Security Safeguards
Organisations are required to implement reasonable technical and organisational security measures to protect personal data from unauthorised access, misuse, disclosure, alteration, or breaches. These safeguards may include encryption, obfuscation, masking or utilizing virtual tokens, access controls, activity logs & monitoring, business continuity, third-party vendor management, internal security policies, employee awareness programmes, and incident response mechanisms to strengthen overall data protection practices.
Notify Personal Data Breaches
In the event of a personal data breach, organisations must immediately notify the Data Protection Board of India and the affected individuals, and submit a detailed report to the Board within 72 hours. The report should include the nature and extent of the breach, the mitigation measures undertaken, the responsible parties, a root cause analysis, and proof of the notifications issued to affected Data Principals. Additionally, CERT-In must be informed within 6 hours, and businesses should maintain a structured breach response process to quickly identify, investigate, contain, and report further security incidents, minimising potential harm and regulatory exposure.
Erase Data When No Longer Required
Personal data should not be retained indefinitely. Organisations must delete data once the processing purpose has been fulfilled, unless retention is legally required.
Appoint a Grievance Officer
Businesses processing personal data must establish a grievance redressal mechanism and publish clear contact details for individuals to raise concerns related to their personal data. The Grievance Officer is responsible for addressing complaints, handling requests, and ensuring that privacy-related issues are resolved within the required timelines.
Comply with Cross-Border Transfer Rules
Organisations transferring personal data outside India must comply with cross-border transfer requirements under the DPDPA framework. Data transfers may only be permitted to approved jurisdictions or in accordance with government-prescribed conditions. Businesses should ensure that appropriate safeguards are maintained while handling international data transfers.
Additional Obligations for Significant Data Fiduciaries
Certain organisations classified as Significant Data Fiduciaries (SDFs) may have extra responsibilities, including appointing a Data Protection Officer (DPO), conducting Data Protection Impact Assessments (DPIAs), and undergoing periodic audits.
Why does timely DPDPA Compliance matter?
Organisations that delay compliance efforts may face significant financial and legal risks.
Penalty | Severity | Violation
₹250 Crore | Critical | Failure to implement adequate security safeguards resulting in a data breach
₹250 Crore | Critical | Consent mishandling or unlawful processing
₹200 Crore | Critical | Failure to notify the Data Protection Board and affected individuals of a breach
₹200 Crore | Critical | Violation of children's data processing provisions
₹150 Crore | High | Non-compliance with Significant Data Fiduciary obligations (DPO, DPIA, audit)
₹50 Crore | High | Breach of any other provision of the Act or the rules made under it
₹10,000 per request | High | Non-fulfilment of data principal duties
Beyond penalties, non-compliance can also lead to:
Loss of customer trust
Business disruption after security incidents
Increased scrutiny from regulators
Contractual risks with enterprise clients and partners
Starting early gives organisations enough time to build sustainable privacy practices rather than rushing compliance efforts later.
Tsaaro's Step-by-Step DPDPA Compliance Programme
Our structured DPDP compliance guide takes your organisation from unknown exposure to board-ready DPDPA compliance without disrupting operations. Each phase is time-boxed, deliverable-driven, and aligned to DPDP Rules 2025.
Phase 1
DPDPA Gap Assessment (2–4 weeks)
A structured, documented assessment of your organisation's current posture against every DPDPA obligation and DPDP Rules 2025 requirement. You will receive a written gap assessment report with risk-prioritised findings. Deliverables include:
Review of all data processing activities and consent flows
Assessment of existing privacy policies and notices
Security controls review against CERT-IN guidelines
Risk-prioritised findings with clear remediation roadmap
Phase 2
Data Mapping & RoPA (2–3 weeks)
Mapping of all personal data flows across your organisation, including collection points, processing purposes, storage locations, third-party processors, and cross-border transfers. This results in a Record of Processing Activities (RoPA). The deliverables here include:
Interview-based data flow discovery across all departments
Third-party processor and sub-processor mapping
Cross-border transfer identification and risk assessment
Record of Processing Activities (RoPA) document
Phase 3
Policy & Controls Implementation (4–8 weeks)
Drafting and implementing all policies, notices, and technical controls your organisation needs to meet DPDPA obligations. Deliverables include:
Privacy policy and consent notice drafting
Grievance redressal mechanism and officer designation
Breach response plan and notification playbook
Data processing agreements with all processors
Phase 4
DPO Appointment & Training (Ongoing)
For Significant Data Fiduciaries, Tsaaro provides DPO-as-a-Service: a qualified data protection officer who fulfils all statutory obligations. All-staff DPDPA awareness training is included. Deliverables include:
Named DPO fulfilling all DPDP Rules 2025 obligations
Regulatory liaison with the Data Protection Board
DPDPA awareness training for all teams
Monthly compliance review cadence
Phase 5
Ongoing Compliance Monitoring (Annual)
DPDPA compliance is not a one-time project. Tsaaro provides continuous monitoring, annual DPIA, breach response retainer, and regulatory update briefings to keep you compliant as the framework evolves. Deliverables include:
Annual Data Protection Impact Assessment (DPIA)
Breach response retainer - 24-hour activation
Regulatory update briefings for every DPDPA amendment
Annual compliance health check and gap review
Client Case Studies
IppoPay - DPDPA Compliance
Tsaaro helped IppoPay achieve full DPDPA compliance in a structured, practical way. Their team understood the regulatory nuances and delivered a compliance framework we could actually implement and maintain. Their structured methodology, responsiveness, and deep subject-matter expertise have significantly strengthened IppoPay's internal compliance posture.
Growth Architect, IppoPay · Fintech · DPDPA Compliance Programme
Centum Learning Limited - ISO 27001
The company successfully acquired an ISO 27001 certification, thanks to Tsaaro's support and guidance. The team met deadlines and was highly flexible. They informed the client about their steps and facilitated weekly calls to provide project overviews. Overall, the project was a success.
Hitesh Bopche, IT Manager, Centum Learning Limited
Svatantra Microfin - Privacy Programme
Preparedness and prior planning have been the key for Svatantra in its journey towards Privacy Program implementation. We are pleased to have partnered with Tsaaro in this journey and, now that the Digital Personal Data Protection Rules have been notified, we feel assured to have our groundwork laid right and ready to sprint from here forward.
Vinati Gupta, VP & GC, Svatantra Microfin Pvt. Ltd.
Milestone Technologies - DPO-as-a-Service
Milestone partnered with Tsaaro for its privacy transformation through the DPOaaS programme. Throughout the engagement, Tsaaro's privacy consultant demonstrated unwavering commitment, strong expertise, and a high degree of professionalism.
Gayathri Sribharath, CISO, Milestone Technologies
Frequently Asked Questions (FAQs)
Q1. What is DPDP compliance, and what does it require?
Q2. What is a DPDPA compliance tool, and how do I use one?
Q3. What is the DPDPA, and does it apply to my organisation?
Q4. What do the DPDP Rules 2025 require beyond the Act?
Q5. What are the DPDPA penalties for non-compliance?
Q6. What is a Significant Data Fiduciary under DPDPA?
Q7. How long does DPDPA compliance take?
Q8. Does DPDPA apply to employee data?
Q9. What does CERT-IN empanelment mean for our DPDPA audit?
Deepen your understanding
Explore our latest DPDPA compliance guides, DPDP Rules 2025 updates, data privacy insights, consent management articles, cybersecurity and privacy resources, and expert analysis on India’s data protection framework.
Start Your DPDPA Compliance Journey Today!
Assess your organisation’s readiness under the Digital Personal Data Protection Act (DPDPA) with Tsaaro’s free self-assessment tool. In just a few minutes, identify compliance gaps, understand your risk exposure, and take the next step toward DPDP compliance with us.

