Privyuh
DPDP Rules 2025 · notified 13 Nov 2025

DPDP compliance,
built for Indian SMBs.

Core obligations come into force on 13 May 2027. Fines start at ₹50 crore and top out at ₹250 crore. Privyuh (PRIV-yuh) makes getting ready boring — from startup to Significant Data Fiduciary.

No credit card. No sales deck. A 15-page PDF that maps every DPDP rule to three things you must do.

T-minus

Until Rule 6, Rule 7 and the rest kick in

13 May 2027 — the day SMB excuses stop working.


The stakes

The maths is unforgiving.

The Schedule to the DPDP Act, 2023 sets out penalty ceilings per breach. These are not theoretical. The Data Protection Board operates as a digital office and can inquire on complaint or on reference.

Up to

₹250cr

Security safeguard failure

Missing encryption, broken access control, or failure to keep the one year of logs mandated by Rule 6.

DPDP Act Schedule, Entry 1 · Section 8(5)

Up to

₹200cr

Breach + children's data

Miss the 72-hour Board report. Ignore parental consent for under-18s. Track a child's behaviour.

Schedule Entries 2 & 3 · Sections 8(6), 9

Up to

₹50cr

Everything else

Late response to a rights request. No DPO contact. A weak consent notice. Any other breach.

Schedule Entry 7

Who this is for

From startup to SDF.

If you process the personal data of Indians — at any scale — the obligations land on you the same way. We scale the work to fit. Startups get templates and a checklist; Significant Data Fiduciaries get an independent audit and a DPO function.

Startup & mid-market

  • D2C brands
  • Edtech platforms
  • SaaS startups
  • Clinics & health-tech
  • Online gaming
  • Agencies & studios

Enterprise & Significant Data Fiduciaries

  • Banks & NBFCs
  • Telecom operators
  • Healthcare systems
  • Large consumer tech
  • Public cloud
  • Notified SDFs

What we do

Three things, done well.

No platform play, no "end-to-end data governance suite." Just the three services Indian SMBs actually need to survive 13 May 2027.

01

Readiness Assessment

Fixed-fee gap audit. We map your systems against Rules 3, 6, 7, 8 and 14 and hand back a prioritised remediation plan in 10 working days.

  • Data-flow and vendor inventory
  • Rule-by-rule gap matrix
  • 30-60-90 remediation roadmap

02

Template Pack

Drop-in, India-specific documents you would otherwise pay a boutique law firm ₹5-15 lakh to draft.

  • Consent notice & privacy policy
  • Data Processor Agreement
  • Breach-response SOP + rights-request workflow
  • Retention schedule + erasure runbook

03

Virtual DPO

A fractional privacy officer on retainer. We handle the messy ongoing work so your tech team can build.

  • Rights-request handling within 90 days
  • Vendor & processor diligence
  • Quarterly breach drill
  • Named grievance contact (Rule 9)

For Significant Data Fiduciaries

Heavier obligations. Same boring execution.

Section 10 and Rule 13 put Significant Data Fiduciaries under annual Data Protection Impact Assessments, annual independent audits, algorithmic due diligence, and — for specified data categories — data-localisation. Our enterprise practice takes the hit for you.

Reply within one business day. NDA on request. No marketing follow-up.

Annual DPIA + Independent Audit

Rule 13(1), Rule 13(2)

Full Data Protection Impact Assessment plus an independent audit, with the observation report the Board is entitled to ask for. Delivered against a fixed scope, on calendar, every twelve months.

SDF Readiness & DPO function

Section 10(2)(a)–(c)

An appointable Data Protection Officer, board-level governance structure, algorithmic due diligence for ranking, targeting and automated decisions, and cross-border data-flow controls.

Breach War-Room retainer

Rule 7 · 72-hour clock

On-call incident response. We own the Data Principal notifications, the Board filing, and the post-mortem — so legal, security, and comms move in parallel instead of in sequence.

Why now

18 months is not a lot of time.

Data discovery, vendor contracts, consent-notice rewrites, logging, retention, rights-request plumbing — each of these takes weeks. Stacked end-to-end, they take a year.

  1. 13 Nov 2025

    Rules notified

    Data Protection Board live as a digital office. Complaints can be filed.

  2. 13 Nov 2026

    Consent Manager registration

    Rule 4 opens. Requires ₹2 cr net worth and Board approval — a niche, not a mass market.

  3. 13 May 2027

    Core obligations in force

    Rules 3, 5–16, 22, 23 switch on. Notice, security, 72-hour breach reporting, children's data, rights. No more runway.

Free · 15 pages · plain English

The SMB DPDP Readiness Checklist.

Every Rule mapped to the three things you must do, the evidence you must keep, and who on your team owns it. No fluff. No legalese. Written for founders, not for counsel.

We will email the PDF and nothing else. You can unsubscribe with one click. We practise what we sell.

Frequently asked

Questions SMBs keep asking.

If yours is not here, write to hello@privyuh.in.

Is anything on this site legal advice?

No. Privyuh provides compliance tooling, templates, and advisory services. For legal opinions on your specific circumstances, consult a qualified advocate.

Does DPDP apply to my business?

If you process the digital personal data of anyone in India, yes — even if your company is based outside India (Section 3).

When do I actually need to comply?

The substantive obligations — notice, security, breach reporting, rights handling, children's data — come into force on 13 May 2027 (Rule 1(4)). The Board and its digital office have been live since 13 November 2025.

We are a 10-person startup. Does Section 17(3) get us off the hook?

Only partially. The Central Government may exempt DPIIT-recognised startups from Sections 5, 8(3), 8(7), 10, and 11 — but not from the Rule 6 security baseline, Rule 7 breach notification, or Rule 14 rights handling. The exemption is conditional and must be notified.

Do we need a Data Protection Officer?

Only Significant Data Fiduciaries (notified by the Central Government) must appoint a DPO under Section 10(2)(a). Every other Data Fiduciary still needs a named contact for grievance redressal — our Virtual DPO service covers that.

What exactly is a Consent Manager? Can Privyuh be one?

A Board-registered intermediary that brokers consent flows between Data Principals and Data Fiduciaries (Rule 4 + First Schedule). It requires ₹2 cr net worth, independent certification, and strict conflict-of-interest separation. It is not part of Privyuh's current scope.

We are a Significant Data Fiduciary. What do you actually do for us?

Annual DPIA + independent audit (Rule 13), an appointable DPO function (Section 10(2)(a)), algorithmic due-diligence reviews, cross-border data-flow controls, and a 72-hour breach war-room retainer. Write to enterprise@privyuh.in for a scoping call.

Talk to us

A 20-minute call beats a 200-page PDF.

We'll walk your system, tell you the three things that most expose you, and leave you with a written next-steps list. No slides.