Skip to main content
Services · DPDP Compliance

DPDP Act 2023 & Rules 2025, Now in Force

Audit. Fix. Document. Defend.

India's Digital Personal Data Protection Act, 2023 is law, and the DPDP Rules 2025 are now in force. We make your website, consent flows and data handling compliant: a real audit, real documentation, and a privacy policy that matches your actual data. For SMBs, clinics, e-commerce brands, pharma exporters, B2B firms and government vendors across India.

What you get

A defensible compliance posture, not a copy-paste policy.

Seven deliverables, scoped to the size of your business and the data you actually handle.

DPDP gap audit

A complete review of how your website and business handle personal data, mapped against the DPDP Act and DPDP Rules 2025. Output: a gap report with risk ratings (Critical / High / Medium / Low) per section.

Privacy policy, drafted to your data

Not a template. A real policy written after auditing what your business actually collects, why, where it goes, and how long it stays.

Consent flows

Cookie banner (if applicable), form-level consent, granular opt-ins for marketing, implemented to satisfy DPDP Act Sections 5 & 6 and DPDP Rules 2025.

Sub-processor disclosure

A named list of every third party touching your data (hosting, analytics, CRM, email) with a public version on your privacy page.

DSAR workflow

A working process for handling Data Subject Access Requests, access, correction, deletion, consent withdrawal, within the 30-day window the law allows.

Staff training & awareness

A tailored DPDP awareness session for your team, what the Act means for their role, how to handle data requests, and what to do if there is a breach. Bilingual Hindi + English available.

DPO-as-a-Service advisory

For Significant Data Fiduciaries and growing businesses: a senior Data Protection Officer on retainer, available for queries and quarterly reviews.

Free tool

Not sure where you stand? Check in 3 minutes.

12 questions. Instant score. A prioritised fix list, no email required.

Take the free checker
How we work

Four phases, six to eight weeks for most businesses.

01

Audit

A 2-week mapping of every place personal data lives in your business, forms, CRM, email, analytics, hosting, third-parties. Output: a written gap analysis.

02

Remediation

We fix what needs fixing on the website (consent, policy, technical controls) and document what needs fixing operationally for your team.

03

Documentation

A defensible compliance binder, policies, records, sub-processor agreements, retention schedule, breach playbook.

04

Ongoing

Quarterly review retainer to keep your stack compliant as the law evolves and your business grows.

Common questions

DPDP compliance, plainly answered.

What is the DPDP Act 2023 and does it apply to my Indian business?

+

The Digital Personal Data Protection Act, 2023 is India's federal personal-data law. If your business collects any personal data from individuals in India, names, emails, phone numbers, addresses, photos, KYC documents, it applies to you. There is no minimum size threshold for compliance. Even a single-doctor clinic, a small e-commerce store, or a B2B services business with a contact form is a Data Fiduciary under the Act.

Are the DPDP Rules 2025 in force now?

+

Yes. The Digital Personal Data Protection Rules, 2025 were published on 13 November 2025. They operationalise the Act with detailed procedural requirements: notice formats, security safeguards (encryption, access controls, 72-hour breach notification), data retention timelines, and rights of Data Principals. The bulk of obligations under the Rules apply on a phased basis from 18 months of publication, meaning most businesses need to be compliant by mid-2027, but preparation should begin now.

How much does DPDP compliance cost for a small business in India?

+

RoseLeap's fixed-fee DPDP compliance package starts at ₹40,000 for a small marketing site (audit + privacy policy + basic consent flows + documentation). Mid-sized businesses with multiple data-collecting systems (CRM, email tools, analytics, payment processors) typically range from ₹1.2 lakh to ₹3 lakh. A full DPO-as-a-Service retainer runs ₹15,000 to ₹40,000 per month depending on data volume and complexity.

What happens if I ignore the DPDP Act?

+

Penalties under the DPDP Act can reach ₹250 crore per breach for the most serious violations, with significant penalties for failure to give notice of a breach, failure to maintain reasonable security safeguards, and failure to fulfil data principal requests. Smaller violations attract proportionate penalties, but even at the lower end, fines are an order of magnitude larger than the cost of compliance. Most Indian SMBs underestimate this risk because the Data Protection Board is still ramping up enforcement; that will change.

I am an Indian pharma exporter / clinic / B2B firm. Do I need a Data Protection Officer (DPO)?

+

Only Significant Data Fiduciaries (designated by the central government based on factors like data volume, sensitivity, risk of harm, and impact on national security) are formally required to appoint a DPO. Most Indian SMBs are not SDFs. However, having a designated person (in-house or outsourced) responsible for data protection is a strong defensive posture and clients increasingly expect it, especially in healthcare, financial services, defence, and any export-oriented vertical where overseas clients ask the question.

My company supplies to government departments. Do I need DPDP compliance?

+

Yes, and this is increasingly being scrutinised. Government tenders (including state-level rate contracts for DPDP compliance services) now expect vendors to demonstrate their own data protection posture. If you handle citizen data, employee records, or any personal data as part of a government contract, you are a Data Processor under the Act and subject to all security safeguard and breach notification obligations. Non-compliance can cost you empanelment.

Is a generic template privacy policy good enough?

+

No. A boilerplate privacy policy you grabbed off the internet does not satisfy the DPDP Act's notice requirements, it almost certainly does not match your actual data flows, name your real sub-processors, or specify your actual retention periods. The Data Protection Board can require you to produce evidence that your policy matches reality. A real policy is drafted after auditing your real data, and is updated when your data flows change.

How long does the DPDP audit take?

+

For a typical Indian SMB (a website, a CRM, a couple of email tools, an analytics setup, payment processing), the full audit and gap report takes about two weeks. Remediation, implementing changes on the website and documenting operational ones, usually adds another two to four weeks depending on the complexity of what needs fixing.

Do you handle DPDP for international clients selling into India?

+

Yes. The DPDP Act applies extraterritorially to any organisation processing personal data of Data Principals located in India, including foreign businesses selling into the Indian market. We work with international clients to make their websites and consent flows compliant for Indian users.

Get audited before the regulator does.

Tell us about your business. We'll come back with a fixed-fee scope and a date you can be compliant by, usually within one business day.