Navigating India’s DPDP Act: What Your IT Architecture Needs to Comply This Quarter

If you run a business in India that collects, stores, or processes personal data — and let’s be honest, almost every modern business does — there is a law you need to know about, and a clock quietly ticking in the background.

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) has moved from legislative ambition to enforceable reality. The DPDP Rules, 2025 were officially notified by the Ministry of Electronics and Information Technology (MeitY) on November 13, 2025. The Data Protection Board of India (DPBI) is now operational, the digital complaint portal is live, and the full compliance deadline — covering everything from consent management to breach notification — is May 13, 2027.

That is an 18-month window. And for most businesses, that is far shorter than it sounds.

At TechMonarch, we manage IT infrastructure for businesses across Ahmedabad, and the DPDP Act is now front and centre in every conversation about data management, server configuration, and cloud architecture. This article is our honest attempt to break down what the Act actually requires of your IT systems — not in legalese, but in practical, infrastructure-level terms.

Important Disclaimer: This article is for informational purposes and reflects our understanding of the DPDP Act, 2023 and DPDP Rules, 2025 as of April 2026. It does not constitute legal advice. We strongly recommend consulting a qualified legal or compliance professional for advice specific to your organisation.

First, What Exactly Is the DPDP Act?

The Digital Personal Data Protection Act, 2023 is India’s first comprehensive, standalone data privacy law. It governs how personal data of Indian residents must be collected, processed, stored, and deleted — whether by Indian companies or foreign ones offering services to people in India.

Think of it as India’s answer to Europe’s GDPR, though with some uniquely Indian characteristics. It introduces two key roles: the Data Fiduciary (any organisation that decides why and how personal data is processed — that’s almost certainly your business) and the Data Principal (the individual whose data is being processed — your customers, employees, and users).

The DPDP Rules, 2025 are what gave the Act its teeth. They converted the Act’s high-level principles into concrete, operational requirements — covering consent management, breach notification timelines, data retention, individuals’ rights, and security safeguards. The Rules are now in force. The Board is active. Early enforcement actions have already begun.

The DPDP Act applies if you process digital personal data within India, OR if you process data of Indian residents from outside India. It does not matter where your servers are located — if you serve Indian users, you are in scope.

The Compliance Timeline — Where Are We Right Now?

Stage | When | What kicks in
----- | ---- | -------------
Stage 1 | Nov 13, 2025 (live) | Data Protection Board of India (DPBI) established; enforcement powers active; digital complaint portal live
Stage 2 | Nov 13, 2026 (~7 months away) | Consent Manager registration and oversight obligations come into force
Stage 3 | May 13, 2027 (full deadline) | Full operational compliance: notices, consent, breach reporting, security safeguards, retention, rights management, cross-border transfers

The phased structure gives businesses breathing room, but the window is narrower than most people realise. Stage 2 — Consent Manager obligations — kicks in less than seven months from the date of this article. Full compliance is required by May 2027. For organisations that need to overhaul their data architecture, 12 to 18 months of runway disappears very quickly.

The Penalties — Why This Cannot Wait

Let’s address the elephant in the room: the DPDP Act has some of the steepest data protection penalties in Asia. The Data Protection Board of India has full investigative and enforcement powers. Here is what non-compliance can cost:

Violation | Penalty (up to)
--------- | ---------------
Failure to implement adequate security safeguards | ₹250 crore (~€27 million)
Failure to notify breach to Data Protection Board | ₹200 crore
Non-compliance with children's data provisions | ₹200 crore
Breach of obligations by Data Processor | ₹10 crore
Other violations of Act or Rules | ₹50 crore

To put that in perspective: the DPDP Act’s maximum penalty of Rs. 250 crore is actually higher in absolute terms than GDPR’s €20 million ceiling. For a small or mid-size business in Ahmedabad, even a lower-tier penalty of Rs. 10 crore would be existential. This is not a regulatory formality — it is a genuine business risk.

What Does the DPDP Act Actually Require of Your IT Architecture?

This is where we get practical. The Act and Rules translate into a set of concrete IT infrastructure and systems requirements. Let’s walk through the critical ones.

1. Data Mapping and Inventory — Know What You Have

You cannot protect data you cannot see. Before anything else, your IT systems need to support a complete and accurate Record of Processing Activities (RoPA) — a documented inventory of what personal data you collect, from whom, where it is stored, how it is used, who has access to it, and when it is deleted.

From an IT architecture standpoint, this means your systems need to be structured enough that you can actually answer those questions. Fragmented data spread across personal Gmail accounts, undocumented shared drives, and legacy databases makes this nearly impossible.

What to implement: Data classification tools, structured database schemas with clear purpose fields, centralised data inventory platforms, and, at minimum, a maintained Record of Processing Activities document.

TechMonarch’s approach: For clients starting from scratch, we typically begin with a data flow mapping exercise, identifying all collection touchpoints (website forms, CRMs, HR systems, ERP) before recommending any technical changes.

2. Consent Management Infrastructure

The DPDP Act is fundamentally consent-driven. Every piece of personal data you collect must be backed by clear, specific, informed, and freely given consent — and that consent must be recorded and stored for seven years.

The Rules introduce a new concept called a Consent Manager — a registered intermediary that can help organisations manage consent on behalf of users. While integrating with a registered Consent Manager is optional for most organisations (mandatory integration frameworks are still being finalised), you will need your own consent management infrastructure regardless.

What to implement: A Consent Management Platform (CMP) integrated with your website, mobile apps, and data collection forms; granular opt-in mechanisms with clear purpose descriptions; audit logs of every consent action; automated withdrawal processing; and seven-year retention of consent records.

IT architecture implication: Your databases need consent status fields tied to every data record. Your CRM, marketing platform, and HR system all need to be capable of honouring consent withdrawal by suppressing or deleting the relevant data on demand.

One common mistake we see: organisations collecting consent on their website but having no way to push that consent status into their CRM, email platform, or analytics tools. DPDP requires end-to-end consent enforcement — not just a checkbox on a form.
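The pattern described in this section, as an added example that is not TechMonarch's code or any CMP product: an append-only consent ledger keyed on (principal, purpose), a status lookup that downstream systems must call before processing, a withdrawal feed for the CRM/email/analytics sync jobs, and a purge rule that honours the seven-year retention of consent records. The record layout, the purpose strings and the source names are assumptions made for the demonstration.

```python
"""Purpose-bound consent ledger with an append-only audit trail.

Added example (not TechMonarch's code or a product). The record layout, the
purpose strings and the source names are assumptions; the seven-year retention
figure is the one the article gives.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CONSENT_RECORD_RETENTION = timedelta(days=7 * 365)  # keep consent evidence at least this long


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str   # the Data Principal (customer, employee, user)
    purpose: str        # one specific purpose, e.g. "marketing_email"
    action: str         # "grant" or "withdraw"
    at: datetime
    source: str         # where it was captured: "website_form", "app", "support_ticket"


class ConsentLedger:
    """Single source of truth for consent; downstream systems ask it, never guess."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []  # append-only: nothing is edited or removed

    def record(self, principal_id: str, purpose: str, action: str,
               at: datetime, source: str) -> ConsentEvent:
        if action not in ("grant", "withdraw"):
            raise ValueError(f"unknown consent action: {action!r}")
        event = ConsentEvent(principal_id, purpose, action, at, source)
        self._events.append(event)
        return event

    def status(self, principal_id: str, purpose: str,
               as_of: Optional[datetime] = None) -> bool:
        """Consent is whatever the latest event says; no event means no consent (opt-in only)."""
        latest = None
        for event in self._events:
            if event.principal_id != principal_id or event.purpose != purpose:
                continue
            if as_of is not None and event.at > as_of:
                continue
            latest = event
        return latest is not None and latest.action == "grant"

    def withdrawals_since(self, since: datetime) -> list[tuple[str, str]]:
        """Feed for the CRM / email / analytics sync jobs: who withdrew what since the last run."""
        return [(e.principal_id, e.purpose)
                for e in self._events if e.action == "withdraw" and e.at > since]

    def audit_trail(self, principal_id: str) -> list[ConsentEvent]:
        """Everything recorded for one principal, in the order it happened."""
        return [e for e in self._events if e.principal_id == principal_id]

    def purge_candidates(self, now: datetime) -> list[ConsentEvent]:
        """Events past the retention period that are no longer the current status of
        their (principal, purpose) pair. The current status is kept regardless of age."""
        current: dict[tuple[str, str], ConsentEvent] = {}
        for e in self._events:
            current[(e.principal_id, e.purpose)] = e  # last event wins
        return [e for e in self._events
                if now - e.at >= CONSENT_RECORD_RETENTION
                and current[(e.principal_id, e.purpose)] is not e]


def filter_recipients(ledger: ConsentLedger, principal_ids: list[str], purpose: str) -> list[str]:
    """What the email platform should run before every send: drop anyone without live consent.
    This is the end-to-end enforcement point the article asks for."""
    return [p for p in principal_ids if ledger.status(p, purpose)]
```

The important design choice is that `status()` is derived from the event history rather than stored as a mutable flag: the audit trail and the current state can never disagree, and `status(..., as_of=...)` lets you show what consent looked like on the day a given email was sent.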

3. Security Safeguards — The Infrastructure Baseline

The DPDP Rules mandate that all Data Fiduciaries implement ‘reasonable security safeguards’ to prevent personal data breaches. While the Rules do not prescribe a specific technical standard, the industry interpretation — and the approach we apply — is broadly aligned with ISO 27001 and CERT-In’s cybersecurity guidelines.

At minimum, your IT infrastructure needs to demonstrate:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Role-based access controls (RBAC) — only those who need personal data for their job function should have access to it
  • Multi-Factor Authentication (MFA) on all systems that store or process personal data
  • Regular vulnerability assessments and patch management
  • Audit logging — a record of who accessed, modified, or exported personal data, retained for at minimum one year
  • Network segmentation to isolate systems processing personal data from general office networks
  • Endpoint security across all devices that access personal data

If your current IT setup does not meet this baseline — and many growing businesses in Ahmedabad’s SME sector do not — then DPDP compliance is an immediate prompt to address it. Fortunately, the security improvements required by DPDP are also simply good IT practice.

4. Breach Detection and Notification Systems

This is one of the most operationally demanding requirements of the DPDP Act. When a personal data breach occurs, you must notify the Data Protection Board of India — and the affected individuals — promptly. The Rules do not specify an exact number of hours (unlike GDPR’s 72-hour requirement), but the language used is ‘without delay,’ and the DPBI has enforcement powers to investigate the timeliness of notifications.

This has a direct IT architecture implication: you need systems that can actually detect a breach, and processes that can respond to one. Flying blind on your network — with no SIEM, no monitoring, no alerting — is not a viable posture under DPDP.

What to implement: Security Information and Event Management (SIEM) or at minimum a centralised log management solution; intrusion detection / intrusion prevention systems (IDS/IPS); automated alerting for anomalous access patterns; a documented Incident Response Plan that includes a data breach notification workflow; and tabletop exercises to test your breach response before you need it for real.
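To make the "audit logging" item in section 3 and the "automated alerting for anomalous access patterns" item above concrete, here is an added example (not TechMonarch's code and not any SIEM product) that parses a small, constructed personal-data audit log and applies three rules: a bulk export over a threshold, access outside business hours, and access to a system the user's role is not allowed to touch. The log line format, the user-to-system allow-list and the thresholds are assumptions chosen for the demonstration.

```python
"""Rule-based alerting over a personal-data audit log.

Added example, not TechMonarch's code or any SIEM product's. The log line
format, the user/role table and the thresholds are assumptions chosen for the
demonstration; the sample log lines are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime

# Assumed audit-log line format written by the systems that hold personal data.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\w+) "
    r"system=(?P<system>\w+) records=(?P<records>\d+)$"
)

# Constructed sample lines: routine activity plus the patterns the rules should catch.
SAMPLE_LOG = """\
2026-04-02T10:15:03 user=priya action=read system=crm records=1
2026-04-02T10:16:40 user=priya action=read system=crm records=3
2026-04-02T02:11:09 user=rahul action=export system=hr records=4200
2026-04-02T11:02:55 user=amit action=read system=hr records=2
2026-04-02T11:05:12 user=priya action=export system=crm records=25
2026-04-02T23:40:00 user=amit action=read system=crm records=1
"""

# RBAC allow-list (assumed): which personal-data systems each user's role may touch.
ROLE_SYSTEMS = {"priya": {"crm"}, "rahul": {"hr"}, "amit": {"crm"}}
EXPORT_THRESHOLD = 500      # records in a single export that warrant a human look
BUSINESS_HOURS = (8, 20)    # local hours [start, end) considered normal


def parse_log(text: str) -> list[dict]:
    """Turn raw log lines into events; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "system": m["system"],
            "records": int(m["records"]),
        })
    return events


def detect(events: list[dict], role_systems=ROLE_SYSTEMS,
           export_threshold=EXPORT_THRESHOLD, business_hours=BUSINESS_HOURS) -> list[dict]:
    """Return one alert per rule hit; a single event can trigger several rules."""
    start, end = business_hours
    alerts = []
    for e in events:
        hits = []
        if e["action"] == "export" and e["records"] >= export_threshold:
            hits.append("bulk_export")
        if not (start <= e["ts"].hour < end):
            hits.append("off_hours_access")
        if e["system"] not in role_systems.get(e["user"], set()):
            hits.append("rbac_violation")
        for rule in hits:
            alerts.append({"rule": rule, "user": e["user"], "system": e["system"],
                           "ts": e["ts"], "records": e["records"]})
    return alerts


def affected_systems(alerts: list[dict]) -> set[str]:
    """First input to the breach-notification workflow: which data stores are implicated."""
    return {a["system"] for a in alerts}


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f'{a["ts"].isoformat()} {a["rule"]:17} user={a["user"]} '
              f'system={a["system"]} records={a["records"]}')
```

On the sample above the 4,200-record HR export at 02:11 fires both the bulk-export and off-hours rules, and the read of the HR system by a CRM-only user fires the RBAC rule. In a real deployment these rules run inside the SIEM against the central log store, and the `affected_systems` output is what seeds the incident record that the breach notification workflow needs.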

5. Data Retention and Automated Deletion

The DPDP Act is clear: personal data must not be retained longer than is necessary for the purpose for which it was collected. Once the purpose is served — or once an individual exercises their right to erasure — the data must be deleted.

For most businesses, this is a significant operational challenge because data tends to accumulate indefinitely. Old customer records sit in CRMs forever. Ex-employee HR data lives in shared drives. Email archives go back a decade.

What to implement: Retention policy configuration in your storage systems, CRM, HR platforms, and databases; automated deletion workflows triggered by time or by user request; data lifecycle management tools that can enforce retention policies without manual intervention; and audit trails of deletion events.

A practical starting point is identifying your highest-risk data stores — customer PII in your CRM, employee data in your HR system — and implementing automated retention schedules there first.

6. Data Principal Rights Management

Under the DPDP Act, every Indian resident has the right to access their personal data held by you, request corrections, and demand deletion — and you must respond within 30 days. For most organisations, this requires building a self-service privacy portal or at minimum a documented process backed by technical capability.

What to implement: A user-facing Privacy Centre or ‘Data Rights’ portal accessible from your website or app; backend workflows that can search, export, update, or delete a specific individual’s data across all your systems; a ticketing mechanism for rights requests; and response time monitoring to ensure you do not exceed the 30-day window.

The 30-day response window sounds manageable — until you realise that for businesses with data spread across five different platforms (CRM, ERP, email, HR tool, analytics), fulfilling a deletion request manually across all of them is hours of work per request. Automation is not optional at scale.
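Sections 5 and 6 describe two halves of the same machinery: a retention clock that deletes data when its purpose is served, and a rights workflow that finds, exports or deletes one individual's data across every system within 30 days. The following added example (not TechMonarch's code or any product) models both over a toy estate of three stores, keeps a deletion audit trail, and reports which requests have blown the 30-day window. The system names, retention periods and record layout are assumptions; the 30-day response window is the figure the article states.

```python
"""Retention schedule, automated deletion and Data Principal rights requests
over a toy multi-system data estate.

Added example, not TechMonarch's code or any product's. The system names,
retention periods and record layout are assumptions; the 30-day response
window is the one the article states.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RESPONSE_WINDOW = timedelta(days=30)

# Assumed retention periods per store (days); in practice these come from the RoPA.
RETENTION_DAYS = {"crm": 3 * 365, "hr": 8 * 365, "analytics": 90}


@dataclass
class Record:
    principal_id: str
    system: str
    data: dict
    created: datetime
    purpose_closed: Optional[datetime] = None  # when the purpose ended (e.g. employee exit)


class DataEstate:
    """Stand-in for the CRM, HR and analytics stores, plus the audit trails DPDP needs."""

    def __init__(self) -> None:
        self.stores: dict[str, list[Record]] = {s: [] for s in RETENTION_DAYS}
        self.deletion_log: list[dict] = []   # audit trail of every deletion event
        self.requests: dict[str, dict] = {}  # rights requests and their deadlines

    def add(self, record: Record) -> None:
        self.stores[record.system].append(record)

    # --- retention ---------------------------------------------------------
    def expired(self, now: datetime) -> list[Record]:
        """Records whose retention clock (from purpose end, else creation) has run out."""
        out = []
        for system, records in self.stores.items():
            limit = timedelta(days=RETENTION_DAYS[system])
            for r in records:
                if now - (r.purpose_closed or r.created) >= limit:
                    out.append(r)
        return out

    def _delete(self, record: Record, reason: str, now: datetime) -> None:
        self.stores[record.system].remove(record)
        self.deletion_log.append({"principal": record.principal_id, "system": record.system,
                                  "reason": reason, "at": now})

    def apply_retention(self, now: datetime) -> int:
        """The scheduled job: delete everything past retention and return how many."""
        victims = self.expired(now)
        for r in victims:
            self._delete(r, "retention_expired", now)
        return len(victims)

    # --- data principal rights ---------------------------------------------
    def find(self, principal_id: str) -> list[Record]:
        """Search every store for one individual; this is the query a rights request needs."""
        return [r for rs in self.stores.values() for r in rs if r.principal_id == principal_id]

    def open_request(self, req_id: str, principal_id: str, kind: str,
                     received_at: datetime) -> datetime:
        """Log a rights request (the ticket) and return its statutory due date."""
        if kind not in ("access", "erasure"):
            raise ValueError(f"unknown request kind: {kind!r}")
        due = received_at + RESPONSE_WINDOW
        self.requests[req_id] = {"principal": principal_id, "kind": kind,
                                 "received": received_at, "due": due, "closed": None}
        return due

    def fulfil(self, req_id: str, now: datetime) -> dict:
        """Erasure deletes across all stores with an audit entry each; access exports by system."""
        req = self.requests[req_id]
        if req["kind"] == "erasure":
            hits = self.find(req["principal"])
            for r in hits:
                self._delete(r, f"erasure:{req_id}", now)
            result = {"deleted": len(hits)}
        else:
            result: dict = {}
            for r in self.find(req["principal"]):
                result.setdefault(r.system, []).append(r.data)
        req["closed"] = now
        return result

    def overdue(self, now: datetime) -> list[str]:
        """Response-time monitoring: open requests that have passed the 30-day window."""
        return [rid for rid, r in self.requests.items()
                if r["closed"] is None and now > r["due"]]
```

Two details matter in practice. The retention clock starts from the end of the purpose (`purpose_closed`), not from the record's creation, because an eight-year HR retention period counted from hire date would delete data on current employees. And every deletion, whether scheduled or requested, lands in the same `deletion_log`, which is the audit trail section 5 asks for and the evidence you would show the Board that an erasure request was honoured.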

A Special Note: Significant Data Fiduciaries

The DPDP Act creates a special category called Significant Data Fiduciaries (SDFs) — organisations designated by the Government based on the volume and sensitivity of data they process, or the risk they pose to data principals. SDFs face additional obligations including mandatory annual Data Protection Impact Assessments (DPIAs), annual audits, appointment of a Data Protection Officer (DPO), and potentially stricter data localisation requirements.

While SDF designation criteria are still being finalised by MeitY, businesses handling large volumes of health data, financial data, children’s data, or biometric data should assume they may qualify. If you are in that category, start planning for SDF-level compliance now — waiting for formal designation before acting is a risky strategy.

So, What Should Your Business Do Right Now?

Since we are already behind on the compliance timeline, here is a practical plan for businesses that haven’t started yet, broken down by quarter:

  1. This quarter (Q2 2026): Do a data mapping exercise. Find out which systems store personal data, who has access to it, and what you actually need to keep. Then appoint an internal DPDP owner whose job it is to make sure the company follows the rules.
  2. Q3 2026: Implement the security baseline — encryption, RBAC, MFA, audit logging, and breach detection. Review and update your vendor contracts to include data processing obligations.
  3. Q4 2026: Deploy consent management infrastructure. Build or procure your Privacy Centre. Implement data retention policies and begin automated deletion workflows.
  4. Q1 2027: Conduct a full internal audit against DPDP requirements. Test your breach response process. Address gaps before the May 2027 full-compliance deadline.

How TechMonarch Can Help

We are not lawyers, and DPDP compliance is not purely an IT problem — you will need legal counsel too. But a significant chunk of what DPDP requires lives squarely in your IT infrastructure: your servers, your network, your access controls, your backup systems, your data architecture.

At TechMonarch, we help Ahmedabad businesses build IT environments that are not just functional and efficient, but secure and auditable. For DPDP specifically, we support clients with:

  • IT security baseline assessments aligned with DPDP’s safeguard requirements
  • Implementation of encryption, RBAC, MFA, and audit logging across your infrastructure
  • Network segmentation and firewall configuration to isolate sensitive data systems
  • Breach detection and incident response infrastructure
  • Data lifecycle management — helping you build retention and deletion workflows into your existing systems
  • Ongoing Managed IT Services to keep your compliance posture maintained month to month

If you want a straight answer on where your current IT setup stands against DPDP requirements, start with a conversation. We will tell you what needs to change, what can wait, and what you should prioritise this quarter.

The Bottom Line

The DPDP Act is not coming — it is already here. The Data Protection Board is operational, enforcement actions are live, and the full compliance clock is ticking toward May 2027. For many businesses, that is 12 months of actual implementation time after accounting for planning and procurement cycles.

The businesses that will navigate this most smoothly are the ones that start treating DPDP as an IT infrastructure project right now — not a legal checkbox to tick six months before the deadline. The good news is that most of what DPDP demands of your IT systems is simply good practice anyway: strong security, clear data governance, and the ability to find, control, and delete data on demand.

That is exactly what well-managed IT infrastructure looks like. And that is exactly what TechMonarch builds.
