The DPDP: An 18-month compliance imperative for the C-suite

First published on Express Computer.

Authored by Subroto Kumar Panda

The notification of the Digital Personal Data Protection (DPDP) Rules, 2025, marks the formal operationalization of India’s first comprehensive data privacy regime. This event transforms the foundational legal principles of the DPDP Act, 2023, into an enforceable, time-bound compliance mandate. The time for analysis has concluded; the timeline for implementation has begun, signalling a fundamental shift for all Indian enterprises.

I. The Compliance Imperative: The ₹250 Crore Risk and the SARAL Mandate

A. Legislative Shift: From Principle to Playbook

While the DPDP Act established the core framework and principles, the Rules provide the critical operational procedures, specific technical standards, and enforcement timelines—the “how”—that organizations must follow.

Risk Quantification: The ₹250 Crore Liability

The most critical factor demanding immediate executive attention is the quantified risk of non-compliance. Failure to implement “reasonable security safeguards” (Rule 6) is explicitly cited as carrying the highest potential penalty under the Act: up to ₹250 crore for a single instance of failure that leads to a personal data breach. This potential liability establishes data privacy compliance as a top-tier enterprise risk that must be addressed with C-suite urgency.

B. The SARAL Design Philosophy: UX Is Compliance

The entire DPDP framework is intentionally built on the SARAL design philosophy: Simple, Accessible, Rational, and Actionable.

The Death of Legalese and Jargon
Rule 3 mandates that all consent notices must be provided in “clear and plain language.” This means that traditional, lengthy, jargon-laden, legalistic privacy policies are now considered prima facie non-compliant. Compliance is no longer solely a legal documentation exercise; it is a mandatory product, design, and user-experience challenge. Organizations must allocate resources to Product and UX teams for a complete redesign of user onboarding flows and settings menus, ensuring simplicity and clarity in communicating data practices and rights.

C. Defining Your Role: The Data Ecosystem
Compliance obligations fall primarily on the Data Fiduciary, defined as the entity (company, organization, or individual) that determines the purpose and means of processing personal data.

• Data Principal: The individual (user, customer, or employee) whose personal data is protected.
• Data Fiduciary: The organization directly responsible for compliance, deciding why and how data is used.
• Data Processor: Any entity processing data on behalf of the Fiduciary (e.g., cloud providers, payroll vendors). The Fiduciary is responsible for ensuring its Processors are compliant, establishing a “flow-down” liability.
• Significant Data Fiduciary (SDF): A specific class designated by the Central Government based on qualitative risk factors, such as the volume or sensitivity of data and the potential impact on national security.

II. The 18-Month Compliance Clock: Preparation, Not Delay

The government has adopted a deliberate, staggered, three-phase rollout spanning 12 to 18 months, providing a clear “transition time” for alignment.

A. The Phased Implementation Roadmap

The Regulator Is Battle-Ready
The sequencing of the rollout provides the Data Protection Board (DPB) of India, the enforcement body, with a significant head start. The DPB is established immediately in Phase 1 (Rules 17–21). Core operational obligations only become enforceable in Phase 3, at the end of the 18-month window. The DPB will utilize this period to establish its “digital-first office” infrastructure, staff its teams, finalize investigative procedures, and define its enforcement priorities. This window is intended for preparation; any business delaying readiness until the final months will face a fully staffed, “battle-ready” regulator upon the enforcement deadline.

Key Table 1: The 18-Month DPDP Compliance Clock: Strategic Decision Points

B. Phase 1 Mandates (Immediate Action: Governance)

The immediate priority is to establish governance and secure resources. This requires the establishment of a C-level-sponsored, cross-functional DPDP compliance task force (Legal, IT/Security, HR, Product). This task force must immediately secure executive and Board approval for a comprehensive, dedicated 18-month transformation budget covering technology upgrades and necessary personnel, such as a Data Protection Officer (DPO). A formal executive briefing must frame compliance as a critical, top-tier enterprise risk to the Board, citing the potential ₹250 crore penalty exposure.

C. Phase 2 Deep Dive: The Consent Manager Dilemma (Rule 4)

Phase 2, activating at 12 months (November 13, 2026), introduces the Consent Manager (CM) framework. The CM is a new, registered intermediary that provides a centralized, interoperable platform for individuals to manage, review, and withdraw consent across multiple Fiduciaries.

The Build vs. Buy Urgency

The strategic dilemma arises because the CM ecosystem activates at 12 months, six months before the Fiduciary’s own consent systems must be fully compliant at 18 months (Rule 3). Companies must commission a “build vs. buy” analysis now. Relying solely on a proprietary system risks creating incompatibility with the CM ecosystem that users may come to prefer. Regardless of the outcome, the organization’s technical systems must be scoped immediately to be capable of receiving, processing, and logging consent signals (e.g., “withdraw consent”) from an external, interoperable CM platform.

---

III. Operational Deep Dive: The 18-Month Readiness Checklist

Phase 3, enforcing all core operational obligations by May 13, 2027, demands immediate technical and operational transformation.

A. The Technical CIO & CISO Checklist: Security and Incident Response

Compliance with security and breach reporting mandates is critical due to the ₹250 crore risk exposure.

Supply Chain Liability and Safeguards (Rule 6)

Rule 6 mandates prescriptive minimum standards for security. Data Fiduciaries must implement appropriate measures, including encryption or masking for data at rest and in transit, strict role-based access control (RBAC), and robust logging and monitoring of data access. A mandatory requirement is the retention of all access and security logs for a minimum period of one year to enable breach investigations.

The Dual-Clock Breach Crisis (Rule 7)

Personal data breach notification is a high-pressure, dual-track process requiring adherence to two distinct regulatory deadlines:

1. DPB Notification: A detailed report must be filed with the Data Protection Board within 72 hours of becoming aware of the breach. The awareness clock starts immediately, not after the investigation concludes.
2. User Notification: Affected Data Principals must be notified “promptly” in plain language, detailing the impact, mitigation steps, and necessary user precautions.

This situation creates a “dual-clock crisis.” Security teams must simultaneously manage the high-impact 72-hour DPB deadline and the separate, often shorter, 6-hour CERT-In deadline (for technical cyber incidents). Incident Response (IR) plans must be overhauled and stress-tested with frequent “fire drills” to ensure the simultaneous generation of two distinct regulatory reports within these short deadlines.

B. Disruption and Redesign: UX, Rights, and Data Lifecycle

The Age-18 Commercial Wall (Rules 10 & 11)

Rules 10 and 11 introduce a high age threshold, defining a “child” as any individual under 18 years of age.

• Verification Mandate: Fiduciaries must obtain “verifiable parental consent” before processing any child’s data. This requires high-friction technical verification methods, such as integration with government-backed platforms like Digital Locker and Aadhaar, as simple self-declarations are insufficient.
• Hard Prohibitions: Tracking, behavioural monitoring, and targeted advertising directed at children (under 18) are strictly banned.

Data Lifecycle Automation (Rule 8)

Rule 8 operationalizes the purpose limitation principle, requiring data erasure when the “specified purpose is no longer being served.” Data Fiduciaries can no longer hoard data indefinitely.

Rolling Retention and Operational Paradox: While every user interaction (login, contact) resets the deletion clock for high-engagement platforms—creating a state of “rolling retention” for active users—Fiduciaries must still notify the Data Principal 48 hours before data erasure due to inactivity.

Grievance Redressal Firewall (Rule 14)

Rule 14 requires a mandatory, internal grievance resolution mechanism. Fiduciaries must provide an accessible system and resolve all complaints within a maximum 90-day period.

Crucially, Data Principals must exhaust this internal 90-day resolution process before they are permitted to file a formal complaint with the Data Protection Board. This 90-day SLA and exhaustion requirement act as a deliberate “filter” by the government. Investing heavily in an efficient, staffed, and demonstrable internal grievance system (e.g., a formal DSR portal) is a strategic risk mitigation strategy, acting as a “firewall” that resolves most user issues before they escalate into high-cost DPB investigations.

C. The SDF Compliance Premium (Rule 13)

The Significant Data Fiduciary (SDF) designation, reserved for entities posing a high risk to data principals, comes with enhanced obligations activated in Phase 3.

• DPO Appointment: Mandatory appointment of a Data Protection Officer (DPO) based in India.
• Annual DPIA: Mandatory Data Protection Impact Assessment (DPIA) every 12 months to formally assess and mitigate privacy risks.
• Annual Audit: Engagement of an independent data auditor for yearly compliance checks.

IV. Strategic Action Plan: Assess, Design, Deploy

The path to compliance requires a structured, three-phase approach spanning assessment, design, and deployment. The following checklist summarizes the mandatory actions required to mitigate the ₹250 crore liability risk.

Key Table 2: CIO/CISO 18-Month Operational Checklist: High-Risk Mandates