Swaran Soft
Compliance

DPDP & Cookie Consent Management A Fully Managed Compliance Service for Indian Websites

The Digital Personal Data Protection Act 2023 has moved from legislation to enforcement. Every Indian enterprise that processes personal data is now in scope — with penalties that can reach ₹250 Crore per incident. Here is the definitive 7-obligation compliance checklist, sector-specific requirements, how AI systems change the compliance calculus, and an 8-week path from gap to compliant.

July 8, 202610 min readBy Swaran Soft Research Desk
DPDP Act 2023 compliance guide for Indian enterprises — obligations, penalties, and AI-system impact

Enforcement Alert: The Digital Personal Data Protection (DPDP) Act 2023 is in force. Non-compliance penalties reach ₹250 Crore per incident — and are cumulative, not capped. Every enterprise processing personal data of Indian citizens is in scope with no size threshold and no sector exemption.

In Short

  • DPDP Act 2023 applies to every Indian enterprise processing personal data of Indian citizens — no size threshold, no sector exemption
  • Penalties reach ₹250 Crore per incident and are cumulative — not capped per enforcement period
  • AI systems are fully in scope: LLM pipelines, chatbots, and recommendation engines must comply with consent, erasure, and localisation obligations
  • BFSI, healthcare, and e-commerce face the strictest regime — sector-specific rules from RBI, IRDAI, and SEBI layer on top of DPDP
  • Fastest compliance path: India-resident data architecture with consent management built in from day one, not bolted on after the fact
₹250 Cr
Maximum penalty per incident
Cumulative — not capped per enforcement period
72 hrs
Breach notification deadline
To the Data Protection Board of India
30 days
Response to access / erasure requests
From the date of receiving the request
100%
Indian enterprises in scope
No size threshold. No exemption.

What the DPDP Act 2023 Actually Covers

The Digital Personal Data Protection Act 2023 regulates the processing of "personal data" — any data by which an individual can be identified. Every organisation that determines how and why personal data is processed is a "data fiduciary" under the Act. The individuals whose data is processed are "data principals." This relationship creates binding obligations on how data is collected, stored, processed, transferred, and deleted.

What changed versus the old IT Act framework is significant. Consent under the IT Act was often implicit or buried in terms and conditions. Under DPDP, consent must be explicit, purpose-specific, freely given, and revocable at any time. You cannot condition a service on consenting to unrelated data collection. The burden of proof — that valid consent was obtained — sits entirely with the data fiduciary.

Enforcement sits with the Data Protection Board of India, which can receive complaints directly from data principals, investigate, hold hearings, and impose financial penalties. The Board's orders are binding and can be appealed only to the Telecom Disputes Settlement and Appellate Tribunal. This is a real, operational regulator — not a consultation paper still under review.

DPDP Act 2023 obligations framework — data fiduciary responsibilities for Indian enterprises

The 7 Core Obligations: DPDP Compliance Checklist

The Act creates seven foundational obligations for every data fiduciary. For enterprises running AI systems, each carries a specific technical implication that goes well beyond updating a privacy policy.

ObligationWhat It RequiresAI-System ImpactPenalty Risk
Lawful basis & consentExplicit, purpose-specific, revocable consent before processing personal dataLLM training data, chatbot sessions, personalisation engines all need auditable consentUp to ₹250 Cr
Purpose limitationData used only for the purpose for which consent was obtainedCannot repurpose training data or use customer service logs for marketing modelsUp to ₹200 Cr
Data minimisationCollect only what is necessary for the stated purposeAI inputs and feature pipelines must be pruned of unnecessary PII fieldsUp to ₹150 Cr
Data accuracy & qualityMaintain accurate, current records and correct errors promptlyAI systems must not perpetuate stale or incorrect personal data in outputs or recommendationsUp to ₹100 Cr
Storage limitationDelete personal data once the processing purpose is fulfilledAI pipelines must honour data retention windows — logs and embeddings cannot accumulate indefinitelyUp to ₹100 Cr
Right to access & correctionRespond to data access or correction requests within 30 daysAI systems must be able to retrieve and surface all PII held on a specific individualUp to ₹150 Cr
Right to erasureDelete all personal data on request — the 'Right to be Forgotten'Vector DBs, RAG stores, and training datasets must support targeted purge operations without full retrainingUp to ₹250 Cr

How DPDP Affects Your AI Systems Specifically

Standard compliance programmes assume databases, forms, and CRM records. AI systems add a layer of complexity that most compliance frameworks have not caught up to yet — and that most vendors won't flag until you ask.

Consent for AI Training Data

Historical customer data used to train models may require retroactive consent audits. Data collected under the old IT Act framework often does not meet DPDP's explicit-consent standard.

Data Localisation for LLM Pipelines

Sending personal data to foreign AI APIs constitutes a cross-border transfer. For regulated sectors this is prohibited. For others, it requires explicit contractual safeguards.

Erasure from Trained Models

When an individual requests erasure, you must remove their data from vector databases, RAG stores, and training datasets — without necessarily retraining the full model. Design this in from day one.

Automated Decision-Making Disclosure

When an AI system makes a decision that significantly affects an individual — a loan rejection, a hiring decision — the Act requires disclosure that the decision was made by an automated system.

Sector-specific DPDP compliance — BFSI, healthcare, e-commerce, and HR technology obligations in India

Sector-Specific Requirements

The DPDP Act sets a compliance floor. Several regulated sectors face additional requirements from their sectoral regulators — RBI, IRDAI, SEBI — that stack on top of DPDP and are often significantly stricter. Failing to account for both layers is one of the most common compliance gaps we see.

BFSI
RBI + DPDP + SEBI

Payment data, customer financial records, and transaction histories must remain in India. Foreign AI APIs are effectively prohibited for this data. On-premise or India-hosted LLMs are the only compliant path.

Healthcare
DPDP Sensitive Data

Patient records are sensitive personal data under DPDP, attracting the highest penalty tier. Explicit consent is required before every AI use — diagnostic AI, appointment scheduling, patient communication.

E-commerce & D2C
Marketing Consent

Marketing consent cannot be bundled with T&Cs or purchase flows. Opt-out must be as easy as opt-in. Behavioural data and purchase history used for AI recommendations need purpose-specific consent.

HR Tech & Enterprises
Employee PII

Employee personal data in HRMS, payroll, leave systems, and AI-driven performance tools is fully in scope. Employers are data fiduciaries for their employees under DPDP — no blanket employment-contract exemption.

The 8-Week DPDP Compliance Path

Most enterprises can move from a cold start to a defensible DPDP compliance posture in 8 weeks — not because the task is simple, but because the work is well-structured. The key is to sequence correctly: understand before you fix, fix architecture before you update policy.

Week 1–2Data Inventory & Flow Mapping
  • List every system that stores or processes personal data of Indian citizens
  • Map data flows: who collects, processes, shares, or transfers personal data
  • Identify all AI systems handling personal data — including third-party APIs
  • Flag cross-border transfers to foreign cloud infrastructure or AI APIs
Week 3–4Gap Assessment & Consent Audit
  • Audit existing consent mechanisms against DPDP's explicit-consent standard
  • Identify data uses that lack a lawful basis or valid consent record
  • Review data retention schedules — flag data held beyond its purpose
  • Assess erasure capabilities of AI systems, vector DBs, and data stores
Week 5–6Architecture Changes
  • Implement a consent management system (CMS) with auditable records
  • Migrate high-risk data flows to India-resident infrastructure
  • Retrofit erasure workflows into AI pipelines, vector databases, and RAG stores
  • Configure automated data retention schedules and deletion policies
Week 7–8Policy, Training & Incident Response
  • Update privacy policy and consent notices to DPDP standard
  • Train staff on DPDP obligations, data handling, and breach detection
  • Document the 72-hour breach notification runbook and test it
  • Appoint a Data Protection Officer (DPO) if required by sector rules

Swaran Soft — Compliance by Architecture

The fastest way to comply with DPDP is to build AI systems where compliance is a property of the architecture — not an afterthought bolted onto a foreign cloud setup. At Swaran Soft, every AI deployment runs on open-source models (Sarvam AI, Mistral, Llama) on-premise or on Indian cloud infrastructure — AWS Mumbai, Azure India. No personal data leaves Indian jurisdiction.

This approach means consent management, data erasure workflows, and breach notification readiness are designed into the system from day one — not retrofitted six months after go-live. Enterprises we work with achieve DPDP compliance while cutting AI operating costs 70–80% versus foreign proprietary APIs. The same architectural decision that satisfies the regulator also eliminates per-token API costs.

25+
Years enterprise delivery
350+
Global clients
ISO 27001
Information security certified
NASSCOM
Member & verified partner

Get a Free DPDP Compliance Assessment

Our architects will map your data flows, identify DPDP gaps, and design a remediation path — in a free 45-minute session. No commitment required.

  • Your data flows mapped — what's in scope and where the risk sits
  • Consent gaps identified against DPDP's explicit-consent standard
  • AI-system obligations clarified — erasure, localisation, disclosure
  • Remediation roadmap with the 8-week implementation path

Frequently Asked Questions

Share this article:
Yogesh Huja — Founder & CEO, Swaran Soft
Yogesh HujaFounder & CEO

AI Architect and Entrepreneur building India's Edge AI ecosystem. 25+ years in enterprise technology. Founder of Swaran Soft, Gignaati, and Copilots.in.

Published: 10 min read

Get the DPDP Act Compliance Checklist

The 7-obligation DPDP checklist with AI-system requirements — ready to share with your legal and engineering teams.

Talk to a DPDP Architect

Free 45-min assessment. Map your data flows and identify DPDP gaps before the regulator does.

Book Free Assessment