DPDP Act 2023: a practical compliance checklist for Indian SaaS
The Digital Personal Data Protection Act, 2023 (DPDP) is India's first horizontal data protection law. It applies to almost every Indian SaaS: there are no turnover thresholds and no exemptions for "small" platforms. If you decide how and why the personal data of natural persons in India is processed, you are a Data Fiduciary; if you process it on a customer's instructions, you are a Data Processor. Either way, the obligations are concrete.
This is a practical checklist, not a legal opinion. We've stripped out the philosophy and listed what your engineering, legal, and customer-success teams actually need to do.
Who the law applies to
The DPDP Act applies to processing of digital personal data:
- Within India, whether the data was collected online or digitised later;
- Outside India, if the processing is in connection with offering goods or services to people in India.
If you're a US-headquartered SaaS selling to Indian customers, you're in scope. If you're an Indian B2B platform whose users are all corporates, you're still in scope when you process the personal data of your customers' employees.
The three roles you need to map
Before writing a single notice, identify your role for each data flow:
- Data Principal — the natural person whose data you process. Always your end users, sometimes your customers' employees, sometimes your contractors.
- Data Fiduciary — the entity deciding the purpose and means of processing. For your own users' accounts, your marketing lists, and your customers' employee logins, this is you, the SaaS. For data your customers upload and you process only on their instructions, the customer is the Fiduciary and you are their Processor.
- Data Processor — a third party processing data on your behalf under contract. Your hosting provider, email vendor, payment gateway, analytics tool.
You need a register of every Processor you use, and a DPA-style contract with each one: Section 8(2) permits engaging a Processor only under a valid contract.
Notices and consent
Section 5 of the Act requires a "clear and plain" notice before — or at the time of — collecting personal data. The notice must state:
- The personal data being collected and the purpose;
- The manner of exercising rights (correction, erasure, grievance redressal);
- How to make a complaint to the Data Protection Board;
- How the Data Principal may withdraw consent.
Consent must be free, specific, informed, unconditional, and unambiguous, by a clear affirmative action. Pre-ticked boxes don't count. Bundled consent (one tick for marketing + product + analytics) is risky.
Your to-do list:
- Rewrite your signup notice in plain English and your supported Indian languages.
- Build a separate, easy-to-find consent management page — toggleable per purpose.
- Treat withdrawal of consent as a P1 trigger: stop the relevant processing within a reasonable time (Section 6(6)) and make every Processor handling that data stop too.
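The second and third items above describe a data structure, not just a policy: consent has to be recorded per purpose, never as one blanket tick, and every processing step has to check for a live consent at the moment it runs so that a withdrawal actually stops work. The sketch below is an added illustration, not code from this page or from any product; the purpose names, principal IDs and event sources are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Constructed purpose set for this example. Every purpose is tracked separately so a
# single tick can never cover "product + analytics + marketing" at once.
PURPOSES = frozenset({"product", "analytics", "marketing"})


class ConsentMissing(Exception):
    """Raised when a processing step runs without a live consent for its purpose."""


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool       # True = affirmative grant, False = withdrawal
    at: datetime
    source: str         # where the action happened, e.g. "signup-form", "consent-page"


class ConsentLedger:
    """Append-only ledger of consent events, one per (principal, purpose) action."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _record(self, principal_id: str, purpose: str, granted: bool,
                source: str, at: Optional[datetime]) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        event = ConsentEvent(principal_id, purpose, granted,
                             at or datetime.now(timezone.utc), source)
        self._events.append(event)
        return event

    def grant(self, principal_id: str, purposes: Iterable[str], source: str,
              at: Optional[datetime] = None) -> List[ConsentEvent]:
        # One event per purpose: withdrawing "analytics" later leaves "product" untouched.
        return [self._record(principal_id, p, True, source, at) for p in purposes]

    def withdraw(self, principal_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        return self._record(principal_id, purpose, False, source, at)

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        # Default is no consent. A purpose the principal never ticked writes nothing
        # here (a pre-ticked box is not an affirmative action), so it evaluates to False.
        state = False
        for event in self._events:
            if event.principal_id == principal_id and event.purpose == purpose:
                state = event.granted    # the latest event wins
        return state

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Full trail for one principal: evidence for audits and for access requests."""
        return [e for e in self._events if e.principal_id == principal_id]


def require_consent(ledger: ConsentLedger, principal_id: str, purpose: str) -> None:
    """Gate for processing steps. Check at the point of processing, not only at signup."""
    if not ledger.has_consent(principal_id, purpose):
        raise ConsentMissing(f"{principal_id}: no live consent for {purpose!r}")


def process_for(ledger: ConsentLedger, principal_id: str, purpose: str) -> str:
    """Illustrative processing step; returns a marker so the gate can be tested."""
    require_consent(ledger, principal_id, purpose)
    return f"processed:{purpose}"


def demo() -> dict:
    """Walk one constructed principal through signup, withdrawal, and the resulting gates."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Signup form: the user ticked product and analytics and left marketing unticked.
    ledger.grant("u-42", ["product", "analytics"], source="signup-form", at=t0)
    # Later, from the consent page, the user withdraws analytics only.
    ledger.withdraw("u-42", "analytics", source="consent-page",
                    at=datetime(2024, 2, 1, tzinfo=timezone.utc))
    result = {p: ledger.has_consent("u-42", p) for p in sorted(PURPOSES)}
    result["events"] = len(ledger.history("u-42"))
    return result


if __name__ == "__main__":
    print(demo())   # {'analytics': False, 'marketing': False, 'product': True, 'events': 3}
```

Two design choices carry the compliance weight. The ledger is append-only, so the withdrawal does not erase the original grant: you keep proof of when consent was given and when it ended. And the check happens in `require_consent` at processing time, which is what turns "withdraw" into "stop", including for batch jobs that run long after signup. In production the same withdrawal event is what you forward to each Processor.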
Children and special categories
Processing data of anyone under 18 requires verifiable parental consent. There is no carve-out for "13+". This is a meaningful constraint for ed-tech and any consumer app — verifying parental consent at scale is a hard product problem.
Behavioural monitoring and targeted advertising for children are explicitly prohibited.
Breach reporting
Personal data breaches must be reported to both the Data Protection Board and every affected Data Principal (Section 8(6)); the Act leaves the form and manner to the Rules. The draft Rules require intimation without delay and a detailed report to the Board within 72 hours, so plan around a 72-hour window, matching GDPR practice.
Your engineering to-do list:
- Define what counts as a breach internally (data exfiltration, unauthorised access, accidental disclosure).
- Build an incident-response runbook that includes the notification steps.
- Pre-draft your notification templates so you're not writing them at 2 a.m.
Rights of Data Principals
You must provide:
- Right to access — list of what data you hold, who you've shared it with, summary of processing.
- Right to correction and erasure — correct inaccurate data, erase data no longer needed.
- Right to grievance redressal — name a Grievance Officer and publish their contact details.
- Right to nominate — designate a person to exercise rights on the Principal's behalf after death/incapacity.
You must respond to requests within a period to be prescribed by the Rules. Building self-serve data export, correction, and delete flows now saves operational cost later.
Cross-border data transfers
Earlier drafts of the Bill had a "whitelist" approach. The final Act flips this: transfers are allowed except to countries specifically restricted by the Central Government. As of now, no country is on the prohibited list, but watch this space — geopolitical changes can update the list overnight.
Document your data flows. Know which Processor sits in which country. Be ready to switch providers if a region becomes restricted.
Significant Data Fiduciaries
The government may designate certain entities as Significant Data Fiduciaries based on volume of data, risk, and impact. SDFs face heavier obligations — appointing a Data Protection Officer based in India, conducting periodic Data Protection Impact Assessments, independent audits.
If you process data of millions of Indians, plan for SDF designation now even if you haven't been notified.
Penalties that actually bite
Penalties run up to ₹250 crore per instance for failing to take reasonable security safeguards and ₹200 crore for failing to notify the Board or affected Data Principals of a breach. Breaching the obligations for children's data carries up to ₹200 crore, failing the additional obligations of a Significant Data Fiduciary up to ₹150 crore, and any other breach (notice, consent, rights) up to ₹50 crore. These are not theoretical: the Data Protection Board has investigative and adjudicatory powers.
Concrete next steps for your team this quarter
1. Map every personal data flow (collection, processing, storage, sharing).
2. Update your privacy notice and consent flows.
3. Sign DPA addenda with every Processor.
4. Appoint a Grievance Officer and publish contact details.
5. Build self-serve access, correction, and erasure flows.
6. Run a tabletop exercise on breach notification.
7. If applicable, prepare for Significant Data Fiduciary designation.
The DPDP Act is enforcement-first. Don't wait for a notice to find out you weren't ready.
Don't want to track this manually?
LexVio combines contract review, compliance monitoring, and tax automation in one AI platform built for Indian law.
Try the free scanner →