The DPDP Act is not just another regulatory checkbox. It introduces a genuine data rights framework modelled partially on GDPR but calibrated for the Indian market. Getting compliant does not have to be overwhelming, but it does require structure. This guide breaks the work into 10 concrete steps you can execute in 90 days.
If you have read our introduction to the DPDP Act, this is the implementation companion. The phases below assume a small-to-mid-size organisation with a clear scope and committed leadership.
Why 90 Days
The Data Protection Board of India is expected to begin formal enforcement in 2025-26. Companies that wait for penalty notices will pay far more, in fines, remediation costs, and reputational damage, than those who begin now. A 90-day sprint is achievable for most startups and mid-sized companies with the right structure. Larger organisations or those with sprawling vendor ecosystems may need longer; the structure remains the same.
"We tried" is not a defence. The Board will look at your privacy notice, consent logs, vendor DPAs, breach plan, and rights workflows. If those exist and are operating, you are defensible. If they do not, the company size or stage of implementation will not save you.
Step 1: Determine If the Act Applies to You
Confirm scope
Not every entity falls under the Act. You are subject to DPDP if you process digital personal data of Indian individuals, whether within India or from overseas when offering goods or services to people in India. That includes cases such as:
- You operate a website, app, or platform that collects data from Indian users
- You process employee data digitally in India
- You are a Data Processor handling data on behalf of a Data Fiduciary
Quick check: if you have a sign-up form, a contact form, or any digital touchpoint that collects a name, email, phone, or location from someone in India, you are in scope.
Steps 2-3: Data Mapping & Role Classification
Map your personal data
You cannot protect what you cannot see. Conduct a data mapping exercise across the entire organisation. For every data flow, record: what personal data is collected, from whom (customers, employees, vendors), where it is stored, who has access, and how long it is retained.
Document this in a data inventory register. This becomes the foundation for everything else: privacy notice, rights workflows, retention schedules, vendor reviews, and breach scoping.
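As an added illustration (not part of this guide and not SecComply tooling), here is a minimal data inventory register in Python. Each row records the five things the mapping exercise asks for, and the register then answers the questions the later steps depend on: which systems hold a given data element (breach scoping), which third parties receive data (vendor review), the retention period per system, and which rows are too incomplete to support those obligations. The field names, the three sample flows and the vendor names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DataFlow:
    """One row of the inventory register; the field set mirrors the five
    questions the mapping exercise asks (names are this example's own)."""
    system: str                      # e.g. "crm": the application or store
    data_elements: tuple             # what personal data is collected
    subjects: str                    # from whom: customers / employees / vendors
    storage_location: str            # where it is stored
    access_roles: tuple              # who has access
    retention_days: int              # how long it is retained
    owner: Optional[str] = None      # accountable internal owner
    processor: Optional[str] = None  # third party handling it on our behalf


class DataInventory:
    def __init__(self) -> None:
        self.flows: list[DataFlow] = []

    def register(self, flow: DataFlow) -> None:
        self.flows.append(flow)

    def systems_holding(self, element: str) -> list[str]:
        """Breach scoping: every system that holds a given data element."""
        return sorted({f.system for f in self.flows if element in f.data_elements})

    def processors(self) -> list[str]:
        """Vendor review: every third party that receives personal data."""
        return sorted({f.processor for f in self.flows if f.processor})

    def retention_schedule(self) -> dict[str, int]:
        """Retention schedule: longest retention per system, in days."""
        schedule: dict[str, int] = {}
        for f in self.flows:
            schedule[f.system] = max(schedule.get(f.system, 0), f.retention_days)
        return schedule

    def gaps(self) -> list[str]:
        """Rows that cannot yet support the notice, rights or retention work."""
        problems: list[str] = []
        for f in self.flows:
            if f.owner is None:
                problems.append(f"{f.system}: no accountable owner")
            if f.retention_days <= 0:
                problems.append(f"{f.system}: no retention period defined")
            if not f.access_roles:
                problems.append(f"{f.system}: access not documented")
        return problems


def build_sample_inventory() -> DataInventory:
    """Constructed sample rows, not a real organisation's register."""
    inv = DataInventory()
    inv.register(DataFlow("crm", ("name", "email", "phone"), "customers",
                          "ap-south-1", ("sales", "support"), 730,
                          owner="head-of-sales", processor="example-crm-vendor"))
    inv.register(DataFlow("hrms", ("name", "email", "bank_account"), "employees",
                          "on-prem", ("hr",), 2555, owner="head-of-hr"))
    inv.register(DataFlow("analytics", ("device_id", "email"), "customers",
                          "us-east-1", (), 0, processor="example-analytics-vendor"))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print("systems holding email:", inventory.systems_holding("email"))
    print("processors to review:", inventory.processors())
    for problem in inventory.gaps():
        print("gap:", problem)
```

The `gaps()` output is the useful part in practice: a flow with no owner, no retention period or undocumented access cannot be described in a privacy notice, cannot be searched when a data principal exercises a right, and cannot be scoped in a breach, so those rows are the ones to chase before moving on to Step 4.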
Identify your role: Fiduciary or Processor
Under the DPDP Act, your obligations differ based on your role. A Data Fiduciary determines the purpose and means of processing. A Data Processor processes data on behalf of a Fiduciary. Many companies are both, depending on the context.
Key insight: if you use a third-party email platform to send notifications to your users, you are the Fiduciary and the platform provider is the Processor. If you provide a SaaS product to other companies, you are the Processor for their customer data and the Fiduciary for your own employees and vendor relationships.
Steps 4-5: Privacy Notice & Consent Mechanism
Review and rewrite your privacy notice
Your existing privacy policy likely does not meet DPDP requirements. A compliant notice must clearly state what personal data is collected, the purposes of processing, how data principals can exercise their rights, who the data is shared with, and how to contact your grievance officer.
Write it in plain language. The Act requires notices to be clear and accessible; legalese-heavy policies will not satisfy the standard. See our DPDP privacy notice template for a structured starting point.
Build a lawful consent mechanism
Consent is the primary lawful basis under DPDP. It must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action (no pre-ticked boxes) and easily withdrawable at any time.
Implement a consent management layer in your web and app. Store consent records with timestamps and the version of the notice in effect at the time. See our consent mechanism implementation guide for the technical detail.
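As an added example (not the guide's own implementation and not the implementation guide it links to), here is the storage half of a consent management layer in Python: an append-only ledger that records each grant and withdrawal with a UTC timestamp and the privacy notice version in effect, refuses a "consent" that was not an affirmative action, and can answer "did we hold valid consent for this purpose at time T?" for any past T, which is what a regulator or an auditor will ask. The principal id, purposes, notice version labels and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str            # "granted" or "withdrawn"
    notice_version: str    # version of the privacy notice in effect at the time
    recorded_at: datetime  # timezone-aware UTC timestamp


class ConsentLedger:
    """Append-only consent record: events are added, never edited or deleted,
    so the ledger can answer "was consent valid at time T?" for any T."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              affirmative_action: bool, at: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box or default-on setting is not consent under the Act;
        # the caller must assert that the principal actively opted in.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        return self._append(principal_id, purpose, "granted", notice_version, at)

    def withdraw(self, principal_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is always accepted; it is tagged with the notice version
        # of the grant it revokes so the audit trail stays self-describing.
        current = self.status(principal_id, purpose, at)
        version = current.notice_version if current else "none"
        return self._append(principal_id, purpose, "withdrawn", version, at)

    def status(self, principal_id: str, purpose: str,
               at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """The latest event for this principal and purpose at or before `at`."""
        cutoff = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if (e.principal_id == principal_id and e.purpose == purpose
                    and e.recorded_at <= cutoff):
                latest = e
        return latest

    def is_consented(self, principal_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        e = self.status(principal_id, purpose, at)
        return e is not None and e.action == "granted"

    def history(self, principal_id: str) -> list[ConsentEvent]:
        """Everything recorded for one principal: the evidence trail."""
        return [e for e in self._events if e.principal_id == principal_id]

    def _append(self, principal_id, purpose, action, notice_version, at) -> ConsentEvent:
        event = ConsentEvent(principal_id, purpose, action, notice_version,
                             at or datetime.now(timezone.utc))
        if self._events and event.recorded_at < self._events[-1].recorded_at:
            raise ValueError("ledger is append-only; events must arrive in time order")
        self._events.append(event)
        return event


# Constructed timestamps for the walk-through below.
T_GRANT = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
T_CHECK = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
T_WITHDRAW = datetime(2025, 6, 1, 0, 0, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """One principal opts in to marketing under notice v1, later withdraws."""
    ledger = ConsentLedger()
    ledger.grant("dp-001", "marketing", "notice-v1", affirmative_action=True, at=T_GRANT)
    ledger.withdraw("dp-001", "marketing", at=T_WITHDRAW)
    return ledger


def rejects_preticked_box() -> bool:
    """True if the ledger refuses a 'consent' that was never actively given."""
    try:
        ConsentLedger().grant("dp-002", "marketing", "notice-v1", affirmative_action=False)
        return False
    except ValueError:
        return True
```

Two design points carry over to a production store: consent is per purpose, not per principal, so a marketing opt-out must not silently revoke consent for service delivery; and the record is append-only, because a table that is updated in place cannot prove what the principal had agreed to on the day a particular email was sent.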
Steps 6-7: Rights Workflows & Grievance Officer
Establish data principal rights workflows
Data principals have rights under the Act, and you must respond to each within the specified timelines. Build internal workflows for: right to access, right to correction, right to erasure, right to grievance redressal, and right to nominate a person to act on their behalf in case of death or incapacity.
Designate responsible owners for each right. Log every request and response. The volume will be low at first; the workflow needs to handle volume reliably when it grows.
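The request log described above, as an added example in Python (not the guide's own tooling): every request is logged with an owner chosen per right, every response is recorded against it, and the register can list what is open per owner and what has slipped past its due date. The owner assignments, the `DPR-` id scheme and the 30-day response window are placeholders for this example; set the window from the timeline prescribed under the Act and its rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The five rights the guide lists. The owner assignments and the 30-day
# response window are this example's placeholders, not statutory values.
RIGHTS = ("access", "correction", "erasure", "grievance", "nomination")
OWNERS = {
    "access": "support-lead",
    "correction": "support-lead",
    "erasure": "engineering-lead",
    "grievance": "grievance-officer",
    "nomination": "legal-counsel",
}
RESPONSE_WINDOW = timedelta(days=30)  # placeholder, not the prescribed period


@dataclass
class RightsRequest:
    request_id: str
    principal_id: str
    right: str
    received_at: datetime
    owner: str
    responded_at: Optional[datetime] = None
    outcome: Optional[str] = None

    @property
    def due_at(self) -> datetime:
        return self.received_at + RESPONSE_WINDOW

    @property
    def is_open(self) -> bool:
        return self.responded_at is None


class RightsRegister:
    """Logs every request and every response, with an owner per right."""

    def __init__(self) -> None:
        self._requests: dict[str, RightsRequest] = {}

    def receive(self, principal_id: str, right: str, at: datetime) -> RightsRequest:
        if right not in RIGHTS:
            raise ValueError(f"unknown right: {right}")
        request_id = f"DPR-{len(self._requests) + 1:05d}"  # constructed id scheme
        req = RightsRequest(request_id, principal_id, right, at, OWNERS[right])
        self._requests[request_id] = req
        return req

    def respond(self, request_id: str, outcome: str, at: datetime) -> RightsRequest:
        req = self._requests[request_id]
        if not req.is_open:
            raise ValueError(f"{request_id} already closed")
        if at < req.received_at:
            raise ValueError("response cannot precede the request")
        req.responded_at, req.outcome = at, outcome
        return req

    def open_requests(self, owner: Optional[str] = None) -> list[RightsRequest]:
        return [r for r in self._requests.values()
                if r.is_open and (owner is None or r.owner == owner)]

    def overdue(self, now: datetime) -> list[str]:
        """Open requests past their due date: the escalation list."""
        return [r.request_id for r in self._requests.values()
                if r.is_open and now > r.due_at]

    def trail(self, principal_id: str) -> list[tuple]:
        """Evidence for the Board: what was asked, when, and what was done."""
        return [(r.request_id, r.right, r.received_at, r.responded_at, r.outcome)
                for r in self._requests.values() if r.principal_id == principal_id]


# Constructed timestamps for the walk-through.
T0 = datetime(2025, 4, 1, tzinfo=timezone.utc)
T_LATER = T0 + timedelta(days=45)


def build_sample_register() -> RightsRegister:
    reg = RightsRegister()
    reg.receive("dp-001", "access", T0)                           # DPR-00001, answered
    reg.receive("dp-002", "erasure", T0 + timedelta(days=2))      # DPR-00002, still open
    reg.receive("dp-001", "correction", T0 + timedelta(days=40))  # DPR-00003, within window
    reg.respond("DPR-00001", "export delivered", T0 + timedelta(days=5))
    return reg
```

Run `overdue()` from a scheduled job and route the result to the grievance officer; the erasure request in the sample is the kind of item that otherwise sits unnoticed until the data principal complains to the Board.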
Appoint a Grievance Officer
Every Data Fiduciary must designate a Grievance Officer who handles data principal complaints. This person must be contactable and must respond to grievances within the prescribed timeline. Publish their contact details in your privacy notice. This can be an existing employee (DPO, Head of Privacy, Legal Counsel, or CISO) with the authority and bandwidth to act.
Step 8: Vendor Agreements
Review vendor and third-party agreements
If you share personal data with vendors (cloud providers, analytics tools, marketing platforms, payment processors), ensure your contracts include Data Processing Agreements (DPAs) that bind them to DPDP obligations. Review all existing vendor agreements for compliance gaps.
For each vendor processing Indian personal data: confirm the DPA is in place, confirm sub-processor disclosure, confirm breach notification timelines back to you, and confirm cross-border transfer terms align with our cross-border transfer guidance.
Steps 9-10: Breach Plan & Compliance Audit
Implement a data breach response plan
The DPDP Act requires mandatory notification to the Data Protection Board and affected data principals in the event of a breach. You need an internal incident detection and classification process, clear escalation paths, pre-drafted notification templates, and a log of all incidents including near-misses.
The Board will want evidence that you had a plan, not just that something bad happened. See our breach notification guide for the full procedure.
Run a compliance audit and close gaps
In the final stretch, conduct an internal audit against your DPDP obligations using a structured checklist: privacy notice updated and published, consent mechanism live and logging correctly, data principal rights workflows tested end-to-end, grievance officer appointed and contactable, vendor DPAs in place, breach response plan tested.
Document your compliance status. This documentation becomes your evidence if the Board ever investigates.
Final Thoughts: Compliance Is a Programme
DPDP compliance is a programme, not a project. The 90-day sprint gets you to a defensible baseline. From there, you maintain, monitor, and continuously improve. Companies that treat compliance as ongoing practice will be far better positioned than those who do a one-time exercise and assume the work is done.
Need to run the 90-day sprint?
SecComply helps Indian startups and enterprises achieve DPDP compliance with a structured programme: scoping, data mapping, privacy notice, consent flows, rights workflows, vendor DPAs, and breach plan, end-to-end.
Book a DPDP scoping call
FAQ
Yes, if you process digital personal data of Indian individuals, including names, emails, phone numbers, or device identifiers, the DPDP Act applies, regardless of company size. Some obligations scale with volume and sensitivity (such as Significant Data Fiduciary designation), but the baseline requirements around consent, notice, data principal rights, and grievance redressal apply to every Data Fiduciary.
For a small-to-mid-size organisation with a clear scope and committed leadership, yes: 90 days is enough to reach a defensible baseline. Larger organisations or those with sprawling vendor ecosystems may need longer. The 90-day target gets you to the point where you have a privacy notice, working consent flow, documented rights workflows, designated grievance officer, vendor DPAs, and a breach plan. Continuous maintenance follows.
Treating it as a one-time legal exercise rather than an operational programme. Companies that update the privacy notice and call it done are caught short when a data principal exercises a right, a vendor causes a breach, or the Board asks for evidence of consent. Operationalising the obligations (workflows, logs, vendor reviews, breach drills) is the real work.
Not necessarily a separate hire. The Grievance Officer can be an existing employee (commonly the DPO, Head of Privacy, Legal Counsel, or CISO) provided they have the authority and bandwidth to respond to data principal grievances within the prescribed timelines. The contact details must be published in the privacy notice.
You have three options: negotiate alternative terms that achieve equivalent protection, accept the residual risk and document it, or change vendors. For high-volume or sensitive-data vendors that refuse contractual protections, switching is usually the right answer. Documenting the risk decision is essential either way; the Board will want evidence you considered vendor compliance, not just whether you used vendors.