90-Day DPDP Compliance Roadmap
A practical, actionable 90-day plan to take your organization from zero to DPDP-compliant. Week-by-week activities for every business size.
Feeling a bit overwhelmed by India’s new privacy law, the Digital Personal Data Protection (DPDP) Act, 2023? You’re not alone! It might sound like complex legal jargon, but at its heart, the DPDP Act is about respecting people’s personal data. It’s about giving individuals (called Data Principals) more control over their information and making sure organizations (called Data Fiduciaries) handle it responsibly.
This guide isn’t here to scare you with legalese. Instead, we’ll walk you through a practical, 90-day DPDP compliance roadmap designed for small businesses, startups, and everyday teams. We’ll break down what you need to do, step by step, so you can achieve compliance and protect your business from potential penalties of up to ₹250 Crore. Let’s get started on your DPDP journey!
What Does the DPDP Act Mean for Your Business?
Simply put, if your business collects, stores, or processes any personal data of individuals in India, the DPDP Act applies to you. This includes your customers’ names, emails, phone numbers, addresses, payment details, and even your employees’ HR information.
You, as the organization, become a Data Fiduciary. This means you’re like the trustee of someone else’s personal information. The individual whose data you’re handling – your customer, user, or employee – is the Data Principal. The law says you have a responsibility to process their data lawfully, fairly, and transparently, only for the purpose for which it was collected, and with their clear consent. Think of it as a trust agreement: they trust you with their data, and you must protect it.
For example, if you run a local bakery with an online ordering system, you’re a Data Fiduciary when you collect a customer’s name, phone number, and delivery address. That customer is the Data Principal. The DPDP Act ensures you handle their data securely and only use it to deliver their delicious pastries.
Practical Requirements for DPDP Compliance
The DPDP Act brings a few non-negotiable requirements to your doorstep. These aren’t just good practices; they’re legal mandates:
- Valid Consent: You need to get clear, specific, and informed consent from Data Principals before collecting their data. No more hidden checkboxes or confusing terms! This means telling them what data you’re collecting, why, and how long you’ll keep it.
- Purpose Limitation: You can only use the data for the purpose for which you collected it. If you collected an email for order updates, you can’t suddenly use it for a marketing newsletter without new consent.
- Data Minimisation: Only collect data that is absolutely necessary for your stated purpose. Don’t hoard information you don’t need.
- Data Security: Implement reasonable security safeguards to prevent data breaches, loss, or misuse. This involves protecting your systems and training your staff.
- Data Principal Rights: Individuals have rights, like asking to access their data, correct it, or even erase it. You need a way to handle these requests efficiently.
- Data Breach Notification: In case of a data breach, you have a legal obligation to inform both the affected Data Principals and the Data Protection Board of India.
These requirements form the backbone of any DPDP implementation plan.
Common Mistakes Businesses Make
It’s easy to trip up when faced with a new regulation. Here are some common pitfalls that businesses, especially small ones, often encounter:
- Ignoring it Until It’s Too Late: Many assume the law won’t apply to them or is only for large corporations. The DPDP Act applies to any entity processing digital personal data in India. Starting your DPDP compliance timeline early is crucial.
- “One-and-Done” Approach: Privacy isn’t a checkbox; it’s an ongoing commitment. Implementing changes once and forgetting about them is a recipe for disaster.
- Neglecting Employee Data: It’s not just customer data! Your employees’ HR records, contact information, and payroll details are all personal data and fall under the DPDP Act.
- Overlooking Third-Party Vendors: If you share data with cloud providers, marketing agencies, or payment gateways, you’re still responsible for how they handle that data. Many businesses fail to vet their vendors’ privacy practices.
- Confusing Consent: Using pre-ticked boxes or burying consent clauses in long, unreadable terms and conditions. The DPDP Act requires clear, affirmative action for consent.
Understanding these common mistakes can help you avoid costly errors and steer your business toward a smoother DPDP implementation plan.
Your 90-Day DPDP Compliance Roadmap: How to Comply
Here’s your actionable, week-by-week plan to navigate the DPDP Act. This DPDP compliance roadmap is designed to take you from bewildered to prepared in just three months.
Weeks 1-4: Assessment & Discovery – Know Your Data
- Data Audit: Start by mapping out all the personal data your business collects, stores, processes, and shares.
  - What data do you have? (Names, emails, addresses, payment info, health data, HR data, etc.)
  - Where is it stored? (Databases, spreadsheets, cloud services like Google Drive, physical files.)
  - Who has access to it? (Employees, third-party vendors.)
  - Why are you collecting it? (E.g., order fulfilment, marketing, HR.)
  - How long do you keep it?
  This initial audit is the most critical step in your DPDP compliance roadmap.
- Appoint a Privacy Champion: Designate an internal team member (or a small team for larger businesses) responsible for overseeing DPDP efforts. They don’t need to be a lawyer, but they should be someone organized and committed to the cause.
- Review Existing Policies: Look at your current privacy policy, terms of service, and any internal data handling guidelines. Identify gaps compared to DPDP requirements.
- Understand Legal Basis: For each type of data, identify your legal basis for processing it (most commonly, consent, but sometimes “legitimate uses” apply). For deeper insights, explore our analyses on various aspects of the DPDP Act.
Weeks 5-8: Implementation & Documentation – Build Your Defences
- Update Consent Mechanisms: Redesign your website forms, app sign-ups, and data collection points to ensure clear, unambiguous consent. No pre-ticked boxes! Make it easy for Data Principals to understand and withdraw consent.
- Develop Data Retention Policy: Based on your audit, create a clear policy outlining how long you’ll keep different types of data and how you’ll securely dispose of it when no longer needed.
- Enhance Data Security: Review your existing security measures. This might involve:
  - Implementing strong passwords and multi-factor authentication.
  - Encrypting sensitive data.
  - Regularly backing up data.
  - Limiting access to personal data on a “need-to-know” basis.
- Establish Data Principal Rights Request Process: Set up a clear system for individuals to submit requests to access, correct, or delete their data. Ensure you can respond within the legal timeframe.
- Draft Data Protection Impact Assessments (DPIAs): For any new project or technology involving high-risk data processing, conduct a DPIA to identify and mitigate privacy risks proactively.
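The consent, purpose limitation, retention and rights-request steps above are easier to get right when the rules live in code rather than only in a policy document. The following is an added example written for this guide, not code from the original article or from any DPDP tooling; the ledger class, field names, the 90-day and 365-day retention periods and the customer record are all constructed assumptions for the bakery scenario described earlier. It records opt-in consent per purpose, refuses a pre-ticked (non-affirmative) signal, blocks use of data for a purpose that was never consented to, honours withdrawal and retention expiry, and answers access and erasure requests.

```python
"""Consent ledger with purpose limitation and retention expiry.

Added illustration for the DPDP roadmap; not code from the original article.
All class, field and purpose names are assumptions chosen for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    purpose: str               # e.g. "order_fulfilment" or "marketing"
    data_items: frozenset      # which personal data fields this consent covers
    granted_at: datetime
    retention: timedelta       # how long the data may be kept for this purpose
    withdrawn_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        # Consent stops being valid once withdrawn or once retention has lapsed.
        if self.withdrawn_at is not None and now >= self.withdrawn_at:
            return False
        return now < self.granted_at + self.retention


class ConsentLedger:
    """Stores per-principal consent and answers 'may I process X for purpose Y?'."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentRecord]] = {}

    def record_consent(self, principal_id, purpose, data_items, retention, now, opted_in):
        # Valid consent needs an affirmative action: a pre-ticked box or a
        # missing signal is rejected instead of being silently recorded.
        if not opted_in:
            raise ValueError("consent must be an explicit opt-in")
        rec = ConsentRecord(purpose, frozenset(data_items), now, retention)
        self._records.setdefault(principal_id, []).append(rec)
        return rec

    def withdraw(self, principal_id, purpose, now):
        for rec in self._records.get(principal_id, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now

    def may_process(self, principal_id, purpose, data_item, now) -> bool:
        # Purpose limitation: consent given for one purpose never covers another.
        return any(
            rec.purpose == purpose and data_item in rec.data_items and rec.is_active(now)
            for rec in self._records.get(principal_id, [])
        )

    def access_request(self, principal_id, now):
        # Right of access: every (purpose, data item) pair currently consented to.
        return sorted(
            (rec.purpose, item)
            for rec in self._records.get(principal_id, [])
            if rec.is_active(now)
            for item in rec.data_items
        )

    def erase_request(self, principal_id) -> bool:
        # Right of erasure: drop everything held for this principal.
        self._records.pop(principal_id, None)
        return principal_id not in self._records


def bakery_demo():
    """Runs the bakery scenario through the ledger using constructed sample data."""
    now = datetime(2025, 1, 10, tzinfo=timezone.utc)  # constructed timestamp
    ledger = ConsentLedger()
    ledger.record_consent("cust-001", "order_fulfilment", {"name", "phone", "address"},
                          timedelta(days=90), now, opted_in=True)
    results = {}
    results["deliver_order"] = ledger.may_process("cust-001", "order_fulfilment", "address", now)
    # Same address, different purpose: blocked until fresh consent is collected.
    results["marketing_without_consent"] = ledger.may_process("cust-001", "marketing", "address", now)
    try:
        ledger.record_consent("cust-001", "marketing", {"email"}, timedelta(days=365), now, opted_in=False)
        results["pre_ticked_accepted"] = True
    except ValueError:
        results["pre_ticked_accepted"] = False
    ledger.record_consent("cust-001", "marketing", {"email"}, timedelta(days=365), now, opted_in=True)
    results["marketing_after_consent"] = ledger.may_process("cust-001", "marketing", "email", now)
    ledger.withdraw("cust-001", "marketing", now + timedelta(days=1))
    results["marketing_after_withdrawal"] = ledger.may_process(
        "cust-001", "marketing", "email", now + timedelta(days=2))
    # Retention: order data may no longer be used 90 days after consent.
    results["order_after_retention"] = ledger.may_process(
        "cust-001", "order_fulfilment", "address", now + timedelta(days=91))
    results["access"] = ledger.access_request("cust-001", now)
    results["erased"] = ledger.erase_request("cust-001")
    return results


if __name__ == "__main__":
    for key, value in bakery_demo().items():
        print(f"{key}: {value}")
```

The point of `may_process` is that every use of personal data passes through a single check keyed on purpose, so a marketing job cannot quietly reuse data collected for deliveries; in a real system the ledger would be persisted and the retention expiry would also trigger secure deletion, which this example leaves to the retention policy drafted in week 5-8.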
Weeks 9-12: Review, Training & Sustain – Maintain Momentum
- Employee Training: Conduct mandatory training for all staff who handle personal data. Explain their roles, responsibilities, and the importance of DPDP compliance. Make it engaging and practical.
- Vendor Due Diligence: Review contracts with all third-party vendors who process data on your behalf. Ensure they are also DPDP compliant and have adequate security measures. Update contracts with new data processing agreements if necessary. Check out our industry guides for sector-specific vendor advice.
- Develop a Data Breach Response Plan: What will you do if a data breach occurs? Who will you notify (Data Principals, Data Protection Board)? What are the steps to contain and mitigate the damage? Practice this plan.
- Regular Review Schedule: Implement a schedule for reviewing your DPDP policies, security measures, and compliance status at least annually, or whenever there are significant changes to your data processing activities.
Understanding Your Data: A Quick Risk Assessment
Not all data carries the same risk. Here’s a table to help you categorize common data types and their general risk levels under DPDP:
| Type of Data | Examples | DPDP Relevance | Risk Level |
|---|---|---|---|
| Basic Identification | Name, email address, phone number, address | Core identifier, requires consent | Medium |
| Financial Data | Bank account numbers, credit/debit card details, UPI IDs | Highly sensitive, requires robust security & consent | High |
| Health Data | Medical records, health conditions, diagnostic reports | Highly sensitive, specific consent requirements | High |
| Biometric Data | Fingerprints, facial recognition data | Highly sensitive, specific consent requirements | High |
| Workplace Data | Employee ID, salary, performance reviews, attendance records | Employer as Fiduciary, employee as Principal | Medium |
| Online Identifiers | IP address, cookies, device IDs (if linked to an individual) | Used for tracking/profiling, requires consent | Medium |
Successfully navigating this DPDP compliance timeline will not only protect you from steep penalties but also build trust with your customers and employees. Remember, compliance is an ongoing journey, not a destination.
Quick Actions You Can Start This Week:
Don’t wait 90 days to begin. Here are 5-7 immediate actions you can take:
- Form a “DPDP Squad”: Designate one person in your team to be the primary point of contact for DPDP efforts.
- Start Your Data Audit: Make a simple list of all the personal data you collect. Even a basic spreadsheet is a great start!
- Review Your Privacy Policy: Read your current privacy policy. Is it easy to understand? Does it clearly state what data you collect and why?
- Check Your Consent Mechanisms: Look at your website forms or app sign-ups. Are you using pre-ticked boxes? If so, change them to opt-in only.
- Talk to Your Team: Briefly explain to your employees that a new privacy law is coming and that data handling will change.
- Secure Your Devices: Ensure all company laptops and devices are password-protected and ideally, encrypted.
- Identify Key Vendors: List out all the third-party services you use that handle personal data (e.g., email marketing, payment gateways, cloud storage).