Compliance
8 min read March 12, 2026

DPDP Act 2023 — What Every Indian Organisation Must Do Before May 2027

The clock is running. Most organisations have no idea.

Ankit Nirala
Co-founder, Sakshya

India quietly passed one of the most significant data protection laws in its history in August 2023. The Digital Personal Data Protection Act, or DPDP Act, is now law. Full enforcement begins May 2027. And the penalties are not a slap on the wrist.

Up to rupees two hundred and fifty crore for a single violation.

Most Indian organisations are nowhere near ready. And the ones that think they are compliant because they have a privacy policy buried in their website footer are in for a very rude surprise.

This article is a plain language breakdown of what the DPDP Act actually requires, who it applies to, and exactly what your organisation needs to do before the deadline hits.


What is the DPDP Act and Why Does it Matter

The DPDP Act 2023 is India's first comprehensive data protection law. It governs how organisations collect, store, process, and delete personal data of Indian citizens. It is modelled partly on Europe's GDPR but designed specifically for India's digital infrastructure and regulatory environment.

Before this law, India had no dedicated data protection framework. Organisations could store your Aadhaar, PAN, medical records, and financial data with almost no legal obligation around how they handled it. That era is officially over.

The Act creates two categories of entities. Data fiduciaries are organisations that decide why and how personal data is collected and processed. That is almost every hospital, school, NGO, company, and government department in India. Data processors are entities that process data on behalf of fiduciaries. If you use third-party software or a vendor that handles your user data, they are a data processor and you are still responsible for their compliance.


Who Does it Apply To

If your organisation collects, stores, or processes the personal data of any Indian citizen in digital form, the DPDP Act applies to you. Full stop.

This includes hospitals storing patient records. Schools managing student admissions. NGOs collecting beneficiary information. Companies holding employee documents. Hotels storing guest identity copies. Fintech platforms processing KYC. E-commerce platforms with customer data.

There is no minimum size exemption for most provisions. A fifty-person NGO in Pune is subject to the same fundamental requirements as a multinational corporation.


The Seven Things Your Organisation Must Do

1. Get explicit consent before collecting personal data

You cannot collect personal data without a clear, specific, and informed consent notice. Vague terms buried in a privacy policy do not count. The consent must be for a specific purpose, in plain language, and the user must be able to withdraw it at any time.

What this means practically: every form, onboarding flow, document collection process, and data intake system needs a proper consent mechanism built in. That WhatsApp message where you ask someone to send their Aadhaar copy needs to be replaced entirely.

2. Tell people exactly why you are collecting their data

The notice given at the time of collection must clearly state what data is being collected, why it is being collected, how it will be used, and who it will be shared with. Generic statements like "for internal use" will not be acceptable.

3. Only collect what you actually need

The Act mandates data minimisation. You can only collect personal data that is necessary for the specific purpose you stated. Collecting more than you need, just in case it becomes useful later, is a violation.

4. Keep data only as long as necessary

Once the purpose for which data was collected is fulfilled, you must delete it. You cannot hold onto personal data indefinitely. This means your organisation needs a clear data retention policy with actual deletion timelines and the systems to enforce them.

5. Implement proper security safeguards

You must implement reasonable security safeguards to protect personal data from breaches. The Act does not prescribe specific technical standards but the intent is clear. Storing sensitive documents in unencrypted Google Drive folders or sending them over WhatsApp will be treated as a failure of reasonable security.

6. Notify affected individuals and the Data Protection Board in case of a breach

If a data breach occurs, you must notify both the affected individuals and the Data Protection Board of India within a prescribed timeframe. Covering up a breach or delaying notification is a separate offence with its own penalties.

7. Honor data principal rights immediately

Every individual whose data you hold has rights under the Act. The right to access their data. The right to correct inaccurate data. The right to erasure — meaning they can ask you to delete all their personal data and you must comply. The right to nominate someone to exercise these rights on their behalf. Your organisation needs operational processes to handle these requests, not just a policy document.


The Penalties Are Real

The DPDP Act sets out a tiered penalty structure that should focus the mind of every board member and compliance head in India.

Violation | Maximum Penalty
Failure to implement reasonable security safeguards leading to a data breach | ₹250 crore
Failure to notify the Data Protection Board of a breach | ₹200 crore
Failure to comply with obligations related to children's data | ₹200 crore
Failure to comply with additional obligations for Significant Data Fiduciaries | ₹150 crore
Non-compliance with data principal rights requests | ₹50 crore

These are not theoretical numbers. The Data Protection Board of India will have investigative powers, the ability to conduct audits, and the authority to impose these fines. Enforcement is coming.


What Most Organisations Are Doing Wrong Right Now

Walk through any hospital, school, or mid-sized company in India today and you will find the same things. Patient documents scanned and sent over WhatsApp to the billing department. HR files stored in a personal Google Drive folder that three people share the password to. Vendor KYC documents sitting in an email thread from 2021 with no deletion plan. Beneficiary data in an NGO's Excel sheet emailed across the team with no access controls.

None of this is malicious. It is just how India has operated for years because there was no legal reason to do otherwise. The DPDP Act changes that calculation entirely.

The problem is not just the tools. It is the absence of any system. No audit trail. No consent records. No deletion workflows. No way to respond when an individual asks you what data you hold about them or asks you to delete it.


The Three Types of Organisations Right Now

Type one: organisations that do not know the law exists. These are the most at risk. They have until May 2027 to build compliance from scratch and most of them will not start until a year into enforcement when the first high-profile penalties are published.

Type two: organisations that know but think a policy document is enough. These are dangerously overconfident. Having a privacy policy on your website and telling staff not to share data on WhatsApp is not compliance. Compliance is operational. It lives in your systems, not your documents.

Type three: organisations that are building real compliance infrastructure now. These are the ones that will be able to demonstrate compliance on day one of enforcement, use it as a competitive advantage with enterprise clients, and avoid the panic of the deadline rush.


What to Actually Do Before May 2027

Start with a data audit. Map every type of personal data your organisation collects. Where does it come from? Where does it live? Who has access to it? How long do you keep it? Where does it go when you are done with it? You cannot comply with a law about data you cannot locate.

Fix your consent flows. Every point where your organisation collects personal data needs a proper consent mechanism. Build this into your onboarding, your intake forms, your document collection processes.

Implement proper security infrastructure. This means encrypted storage, access controls, audit logs, and a breach response plan. If you are currently storing sensitive documents in shared drives and email threads, this is the most urgent operational change you need to make.

Build deletion workflows. You need the ability to actually delete an individual's data when they request it. This sounds simple but is operationally complex for most organisations whose data is scattered across multiple systems, hard drives, and email inboxes.

Train your team. Compliance fails at the human level. Every person in your organisation who handles personal data needs to understand what they can and cannot do with it.

Appoint a compliance point of contact. The Act requires larger organisations to designate a point of contact for data principal rights requests. Even if you are not technically required to do this yet, having a named person responsible for data compliance dramatically improves your organisation's ability to respond.


The One Thing to Remember

May 2027 sounds far away. It is not. Building real compliance infrastructure for an organisation of any size takes six to twelve months minimum. If you start in January 2027 you are already too late.

The organisations that start now will spend those months building systems that make their operations better, their clients more confident, and their data genuinely secure. The organisations that wait will spend those months in crisis mode, paying consultants emergency fees, and hoping they are not the first high-profile case the Data Protection Board of India chooses to make an example of.

The DPDP Act is not a bureaucratic hurdle. It is India catching up with the rest of the world on data rights. The question is not whether your organisation will comply. It is whether you will be ready when enforcement begins.


Sakshya is an AI-powered document intelligence platform built for Indian organisations. We help hospitals, schools, NGOs, and businesses become DPDP compliant with zero-knowledge encryption, immutable audit logs, and automated document workflows. All data on Indian servers.

Write to us at help@sakshya.io


Tags: #DPDPAct #DataPrivacyIndia #DocumentManagement #PrivacyLawIndia #DataProtectionIndia #CybersecurityIndia #StartupIndia #Compliance2027
