DPDP Compliance Software: How to Choose a DPDP Act Platform
Most of the DPDP compliance software demos I sit through solve the wrong problem. They show you a beautiful consent banner and a colour-coded dashboard, then go quiet the moment you ask the only question that matters in an actual notice from the Data Protection Board: show me, for this one data principal, every place their personal data lives, why you hold it, what consent you have on record, and when you will delete it.
That single question is the whole game. The Digital Personal Data Protection Act 2023 (DPDP Act) does not reward pretty screens. It rewards evidence you can produce on demand. So before you sign a contract, stop evaluating the tool as a marketing asset and start evaluating it the way an auditor will: as an evidence machine. This piece walks through what a DPDP platform must actually do, what to ignore, and how to test a vendor before they test your budget.
Why the DPDP Act is harder to tool for than people think
The DPDP Act 2023 was passed in August 2023, and the draft DPDP Rules were published for consultation in January 2025. As of now the operational timelines flow from those Rules, which stagger obligations rather than switch everything on at once. That staggering lulls teams into treating compliance as a future project. It is not. The obligations that hurt most are the ones that require you to have already built plumbing before an incident or a complaint arrives.
Here is what separates DPDP from a checklist regime like a one-time ISO 27001 certification. DPDP is continuous and principal-centric. Your obligations are triggered by individuals exercising rights, by breaches happening, and by the Board asking questions. You cannot pass by producing a policy PDF. You pass by producing records: consent artefacts, processing purposes, data flows, retention decisions, and grievance logs, all tied to specific people and specific moments in time. Software that cannot reconstruct that timeline is decoration.
The terms your vendor must speak fluently
- Data Principal: the individual whose personal data you process. In the EU GDPR this is the data subject.
- Data Fiduciary: you, the organisation deciding the purpose and means of processing. GDPR calls this the controller.
- Data Processor: a vendor processing on your behalf, under contract.
- Significant Data Fiduciary (SDF): a class the Central Government may notify based on volume and sensitivity of data, subject to extra duties like appointing a Data Protection Officer resident in India, an independent data auditor, and periodic Data Protection Impact Assessments.
- Consent Manager: a Board-registered intermediary through which a principal can give, manage, review and withdraw consent. This is a DPDP-specific role with no clean GDPR equivalent, and most software has not caught up to it.
The four jobs a DPDP platform actually has to do
Strip away the branding and there are four core jobs. If a tool is weak on any one of them, you will be doing that job in spreadsheets, which means you are not compliant, you are hoping. I grade every platform against these four before I look at anything else.
| Job | What the DPDP Act demands | Failure mode if the tool is weak |
|---|---|---|
| Consent lifecycle | Free, specific, informed, unambiguous consent for each purpose, in a clear notice, with equally easy withdrawal (Section 6). Notice must be available in English and the Eighth Schedule languages. | Bundled consent, no per-purpose granularity, no withdrawal trail. Board asks for proof and you have a checkbox with no record. |
| Data mapping and purpose | Knowing what personal data you hold, where, why, and on what legal basis, so you can honour access, correction and erasure requests. | Data scattered across CRM, marketing, support, backups. You physically cannot answer an erasure request in full. |
| Evidence and records | Time-stamped, tamper-evident records of consent, processing activities, retention decisions and DPO/grievance actions. | Logs exist but are editable, ungoverned, or siloed. Nothing you can hand the Board with a straight face. |
| Breach reporting | Report every personal data breach to the Board and to affected principals, without a materiality threshold, in the form and time the Rules specify. | No detection-to-notification workflow. Clock runs out while legal, security and the vendor argue about who owns it. |
Consent: where the cheap tools quietly fail
Consent is the feature every vendor demos and the one most of them get subtly wrong. The DPDP standard under Section 6 is that consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the stated purpose. It must be as easy to withdraw as to give. And the notice you present must be itemised by purpose, not a single wall of text.
Watch what happens when you push a demo on this. Ask the sales engineer to withdraw consent for one purpose only, say marketing, while keeping consent for service delivery intact, and then show you the downstream effect: does the marketing system actually stop, and is there a record of exactly when and by whom it stopped. Many tools capture consent beautifully and then do nothing with the withdrawal. The consent record and the operational reality drift apart. That gap is precisely what a complaint to the Board will expose.
A consent record that survives scrutiny
- Purpose-level granularity, so each purpose has its own consent state and its own withdrawal.
- The exact notice text and version the principal saw at the moment of consent, retained, not just a pointer to the current notice.
- Timestamp, identity of the principal, and the channel or interface used.
- Language of the notice served, given the multi-language obligation.
- Verifiable parental consent handling for children (defined as under 18), which is a hard requirement, not an afterthought.
- A clean interface to a registered Consent Manager, or at minimum an architecture that can plug into one when the ecosystem matures.
Data mapping: the job nobody wants and everybody skips
Data discovery and mapping is unglamorous, so vendors underinvest and buyers under-scrutinise. Then a data principal exercises their right to erasure under Section 12, and the organisation discovers their personal data lives in the CRM, the email marketing tool, three shared drives, a support ticketing system, a data warehouse, and six months of database backups. The tool that promised compliance mapped exactly one of those.
A real scene from an assessment. A mid-size lender, roughly 40 lakh customer records, bought a well-known consent platform. It worked. Then a principal filed a grievance that his data was still being used after withdrawal. On investigation, consent had been withdrawn in the platform, but a nightly ETL job kept copying fresh records from the core banking system into a marketing data mart that the platform had never been told existed. The consent state was correct in one system and invisible in the one actually sending the messages. The fix took eleven weeks and a lot of uncomfortable meetings. The tool was not lying. It was simply never connected to reality.
So the question for any platform is not can you store consent. It is how do you discover and keep in sync every system that touches personal data. Look for automated discovery, connectors to your real stack, and a way to represent data flows, not just a static register you update by hand and quietly stop maintaining after quarter two.
Breach reporting: the clock that starts before you are ready
This is the obligation that turns a bad week into a regulatory event. Under the DPDP framework you must notify the Data Protection Board and each affected data principal of a personal data breach. Critically, DPDP does not carry a materiality or risk-of-harm threshold the way GDPR Article 33 does. The plain reading is broad: personal data breaches are reportable. That is a heavier default than most Indian teams are used to.
Layer on the CERT-In directions of April 2022, which already require reporting specified cyber incidents to CERT-In within 6 hours of detection. So a single incident can trigger two clocks running to two regulators with different forms and timelines. If your DPDP tool and your security incident response live in separate worlds, you will lose time you do not have reconciling them. The platform should let you move from detection to a structured, defensible notification without a committee meeting to decide who owns the template.
| Regime | Who you notify | Timeline | Threshold |
|---|---|---|---|
| DPDP Act / Rules | Data Protection Board and affected data principals | As specified in the Rules (intimation without undue delay, with follow-up detail) | No materiality threshold in the Act; broad by default |
| CERT-In Directions 2022 | CERT-In | Within 6 hours of noticing the incident | Specified incident types listed by CERT-In |
| Sectoral (e.g. RBI) | Regulator per sector guidance | Often within hours for regulated entities | Sector-specific |
How to actually evaluate a vendor without getting demoed to death
Vendor demos are choreographed. Break the choreography. Bring your own scenarios and make them run your data, not their sandbox. Below is the test script I use. If a platform passes these, it is doing real work; if it deflects, you have your answer.
Six tests to run in the demo, live
- Withdraw one purpose, keep another, and prove the downstream system stopped. Ask to see the record of when it stopped.
- Fulfil a full erasure request across at least two connected systems including one backup or warehouse, and show what happens to data you are legally required to retain under another law.
- Produce the complete consent history for one principal, including the exact notice version they saw eighteen months ago.
- Export a Record of Processing Activities that maps purpose to data category to system to retention period, without manual assembly.
- Run a breach from detection to a drafted Board notification and a drafted principal notification, and show the audit trail of who did what.
- Show the records model: are logs immutable and tamper-evident, or can an admin quietly edit them. Ask to see the access controls on the evidence itself.
Indicative cost and effort in the Indian market
Ballpark figures so you can sanity-check a quote. These move with data volume, number of systems, and whether you are a Significant Data Fiduciary carrying DPO and audit duties. Treat the low end as a small single-entity deployment and the high end as a multi-system enterprise.
| Item | Indicative annual cost (INR) | Notes |
|---|---|---|
| SME consent and grievance tooling | 3 to 12 lakh | Fewer connectors, single jurisdiction, lighter records needs |
| Enterprise DPDP platform with discovery and connectors | 15 to 60 lakh plus | Scales with systems mapped and data volume |
| DPDP readiness assessment and data mapping (one-time) | 5 to 20 lakh | Gap assessment, RoPA build, data flow mapping |
| Data Protection Officer (SDF obligation) | 18 to 40 lakh salary, or retained | Must be based in India and answerable to the board |
| Independent data audit (SDF) | 6 to 20 lakh per cycle | Periodic, by an independent data auditor |
Buy, build, or bolt on to what you have
Not everyone needs a dedicated platform on day one. The honest answer depends on your data footprint and your risk. A single-product SaaS company with one customer database and clean architecture can get a long way with a well-configured consent module, a maintained processing register, and a disciplined incident runbook. A bank, insurer, hospital chain, or ad-tech firm processing sensitive data across dozens of systems cannot, and should stop pretending a banner will save them.
| Profile | Sensible starting point | Watch out for |
|---|---|---|
| Simple SaaS, one main datastore | Consent module plus maintained RoPA plus incident runbook | Backups and analytics copies drifting out of consent sync |
| Multi-system enterprise | Full platform with discovery and connectors | Connectors that only cover the systems they demo, not yours |
| Likely Significant Data Fiduciary | Platform plus DPO plus independent audit plus DPIA cadence | Treating SDF duties as optional until notified |
The fix-it checklist
If you do only the things on this list, and you do them properly, you will be ahead of most enterprises I audit. None of it requires the fanciest tool. All of it requires discipline the tool must support rather than fake.
- Build a real data map first: every system, store and backup that holds personal data, refreshed on a schedule, not once.
- Make consent purpose-level and prove withdrawal propagates to the systems that act on data, not just the consent database.
- Retain the exact notice version each principal saw, in the language served, alongside their consent record.
- Wire breach detection into a single workflow that can serve both the CERT-In 6-hour clock and the DPDP Board notification.
- Make your evidence tamper-evident and access-controlled, so an admin cannot rewrite history and neither can an attacker.
- Stand up a grievance mechanism with logged, time-bound handling, because unresolved grievances are what escalate to the Board.
- Decide, and document, your retention and deletion rules per data category, reconciling DPDP erasure with other retention laws.
- If you are plausibly a Significant Data Fiduciary, act like one now: DPO in India, independent audit, DPIA cadence.
The point you started with
Go back to that one question: for this person, show me everything. A DPDP platform is worth its licence fee if, and only if, it lets you answer that question completely, quickly, and with records you would be comfortable placing in front of the Board. Every other feature is in service of that, or it is theatre. Buy the evidence machine, not the dashboard.
If you want a second pair of eyes before you sign, our team at CyberSigma are CERT-In empanelled auditors who run these vendor tests hands-on and map DPDP obligations to your actual data estate. We would rather help you buy the right thing once than remediate the wrong one later.
FAQs
When does the DPDP Act actually take effect for my organisation?
The Act was passed in 2023 and the draft DPDP Rules were published in January 2025. The Rules stagger obligations rather than switching everything on at once, so your specific timeline depends on the final notified Rules and your class of fiduciary. The practical answer is to build the plumbing now, because consent, mapping and breach obligations require infrastructure you cannot assemble reactively.
Does DPDP have a breach reporting threshold like GDPR?
No. Unlike GDPR Article 33, which lets you skip reporting where a breach is unlikely to result in risk to individuals, the DPDP Act does not carry a materiality or risk-of-harm threshold. The default reading is that personal data breaches are reportable to the Board and to affected principals, which is a broader obligation than many Indian teams expect.
Is a consent banner enough to be DPDP compliant?
No. A banner captures consent but does nothing to prove withdrawal propagated, to map where data lives, to produce a Record of Processing Activities, or to handle breaches and grievances. Consent is one of four jobs a real programme must do, alongside data mapping, evidence and breach reporting.
What is a Consent Manager under the DPDP Act?
A Consent Manager is a Board-registered intermediary through which a data principal can give, manage, review and withdraw consent across fiduciaries. It has no direct GDPR equivalent. Most software has not fully built for this role yet, so at minimum choose a platform whose architecture can integrate with one as the ecosystem matures.
Are we a Significant Data Fiduciary, and what changes if we are?
The Central Government may notify certain organisations or classes as Significant Data Fiduciaries based on the volume and sensitivity of personal data, risk to principals, and other factors. If notified, you must appoint an India-based Data Protection Officer answerable to your board, engage an independent data auditor, and conduct periodic Data Protection Impact Assessments. If you plausibly qualify, prepare for these duties now rather than waiting.
How does DPDP interact with the CERT-In incident reporting rules?
They are separate obligations that can fire together. The CERT-In directions of April 2022 require reporting specified cyber incidents within 6 hours of detection, while DPDP requires notifying the Data Protection Board and affected principals of personal data breaches. A single incident can trigger both, so your breach workflow should be able to serve both clocks and forms without starting from scratch each time.
Liked the post? Share on:





Leave A Comment