DPDP Tracker
India's data-protection law, watched for you.
Every change to the Digital Personal Data Protection Act, its Rules, and CERT-In directions — translated into what it means for a business like yours, and what to do about it. No legalese.
The DPDP Act's substantive obligations bite on 14 May 2027.
Latest updates
7 tracked
DPDP penalties go up to ₹250 crore — and there's no cure period
The DPDP Act sets maximum penalties as high as ₹250 crore for security failures. They're ceilings the Board assesses case-by-case, not automatic fines — but there's no grace period to fix things after a breach.
- you want to size the financial risk of non-compliance
- you handle sensitive or large volumes of personal data
DPDP Rules 2025 are notified — the compliance clock has started
India's Digital Personal Data Protection Rules, 2025 were notified on 14 November 2025, putting the 2023 Act into motion. The core obligations are phased in over 18 months, with the hard deadline for most businesses on 14 May 2027.
- you collect customer personal data
- you run a website or app with sign-ups
- you hold data on customers or employees
The DPDP timeline: what's due on 14 Nov 2025, 14 Nov 2026 and 14 May 2027
DPDP obligations don't all start at once. Some provisions began on notification, Consent Manager registration opens at the one-year mark, and the substantive obligations most businesses care about bite on 14 May 2027.
- you process personal data of people in India
- you need a compliance roadmap and dates
DPDP applies to you even if you're a small business or startup
There is no blanket small-business or startup exemption in the DPDP Act. If you decide how and why personal data is processed, you're a 'data fiduciary' regardless of your size or revenue.
- you're a small business, solo founder or startup
- you assumed data-protection law doesn't apply at your size
- you're a DPIIT-recognised startup
CERT-In already requires cyber-incident reporting within 6 hours
Separate from DPDP, CERT-In's 2022 directions require you to report specified cyber incidents within 6 hours of noticing them. This has been enforceable since June 2022 — it's a present-day obligation, not a future one.
- you run any internet-facing service in India
- you operate servers, websites or apps
The Data Protection Board isn't operational yet — use the runway
The Data Protection Board of India exists in law but isn't functioning yet — no chairperson or members are in office. MeitY only invited applications in May 2026. This is a window to prepare, not an excuse to delay.
- you're wondering whether anyone is enforcing DPDP yet
- you want to prepare ahead of active enforcement
There's no '50 lakh users' rule for Significant Data Fiduciaries
Despite what many blogs claim, neither the DPDP Act nor the 2025 Rules sets a numeric threshold (like '50 lakh users' or '₹250 crore turnover') for becoming a Significant Data Fiduciary. Only a government notification can designate you one.
- you've seen '50 lakh users / ₹250 crore' SDF claims online
- you're unsure whether extra SDF duties apply to you
Where every business starts
You don't need a lawyer to begin. These four steps apply to almost any business handling personal data in India:
- 01 Write down every place you collect personal data — forms, logins, payments, support chats.
- 02 Know who you share it with (analytics, payment, email, cloud vendors) and where it's stored.
- 03 Have a plain consent notice and a way for people to ask for or delete their data.
- 04 Be able to detect and report a breach fast — CERT-In already expects 6-hour reporting.
Don't just read it — find out where you stand.
A free scan shows what your live site is exposing today. When you're ready to be audit-ready, our Compliance Sprint gets you DPDPA-ready in 30 days.
Raksha Watch is general information, not legal advice. We cite primary sources on every update so you can verify — confirm specifics with a qualified advisor before acting.