On November 14, 2025, MeitY published the Digital Personal Data Protection Rules, 2025 in the Gazette — finally operationalising the [DPDP Act 2023](https://www.meity.gov.in/) two years and three months after Parliament passed it. The Rules give you 18 months on a phased schedule. The marketing teams at most Indian SaaS firms are reading this as "we have time." We do not. Phase 3, the one that breaks your product if you ignore it, is the May 2027 milestone, and the engineering changes it requires take 12 to 18 months for any product with non-trivial user data. This is the founder-friendly action plan, with the 12 specific engineering tasks our team is now running for SaaS clients in Bengaluru, Hyderabad, and Pune.
- Nov 14, 2025: Gazette publication date
- 18 months: total phased rollout
- 72 hours: breach-notification window (detailed submission to the Board)
- ₹250 cr: maximum penalty per breach
## The 60-second answer
The DPDP Rules notified on Nov 14, 2025 set off a three-phase compliance schedule: the Data Protection Board is being constituted now (Phase 1), Consent Manager registration opens in November 2026 (Phase 2), and the operational obligations (consent notices, security safeguards, breach notification, Significant Data Fiduciary duties, data principal rights) kick in in May 2027 (Phase 3). The penalty ceiling is ₹250 crore per breach, the top tier of the Act's Schedule, reserved for failing to take reasonable security safeguards. The 12 engineering tasks below are what an Indian SaaS founder should start this quarter so Phase 3 lands without a fire drill.
## The phased timeline at a glance
Nov 14, 2025 — Phase 1 (immediate)
DPDP Rules notified in the Gazette. Data Protection Board of India formally constituted. Breach-handling expectation begins de facto, even though the formal obligation is in Phase 3. Smart firms start drafting consent notices now.
Nov 2026 — Phase 2 (12 months)
Registration framework for Consent Managers opens. These are intermediaries registered with the Data Protection Board who will let users grant, review, and revoke consent across multiple Data Fiduciaries; think DigiLocker for consent. SaaS founders need to decide whether to integrate a Consent Manager API or build proprietary consent UX.
May 2027 — Phase 3 (18 months)
The big one. Standalone consent-notice obligation, security-safeguard obligation, 72-hour breach-notification rule, Significant Data Fiduciary obligations (DPIA + annual audit + DPO), data-principal rights (access, correction, erasure, nominate). Non-compliance = up to ₹250 cr per breach.
## What you should ship in the next 90 days (the 12 engineering tasks)
### 📋 1. Standalone consent notice
Rule 3 of the Rules (read with Section 5 of the Act) requires the consent notice to stand on its own, presented and understandable independently of your T&Cs. Build a dedicated consent-capture screen. Log the version of the notice the user accepted (a content hash of the exact text shown is the safest version identifier), with timestamp and IP.
### 🗑️ 2. Erasure pipeline (DSAR)
Build a single endpoint that, given a user ID, deletes the row in your primary DB, queues purge jobs for the analytics warehouse (BigQuery, Snowflake), revokes access tokens, scrubs CDN-cached PII, and logs the chain of deletions for audit. Make every step idempotent so a failed step can be retried without re-running the rest, and never report the request as complete while any store still holds the data.
### 📥 3. Data-export API
A user requesting data access gets it in a machine-readable format (JSON or CSV) within the response window you publish under Rule 13 (30 days is the common default). Build the export endpoint now, ship a "Download my data" button before May 2027.
### 🚨 4. 72-hour breach playbook
Document who calls whom, who drafts the user notification, who files the Data Protection Board report. Practise it once a quarter. The 72-hour window starts when you became "aware" — not when you finished investigating.
### 📊 5. Data-flow inventory
A spreadsheet (or Confluence page) listing every type of personal data you collect, where it sits, who has access, and how long you keep it. The basis for every other DPDP control.
### 👶 6. Children-data handling
If your product can be used by anyone under 18, you need verifiable parental consent. Build the age-gate, the parental email-confirmation flow, and the audit log. Edtech and gaming SaaS, this is on your critical path.
### 🔐 7. Encryption at rest + in transit
Encryption at rest on every datastore (RDS/EBS volume encryption with KMS-managed keys, or TDE where your engine supports it; community PostgreSQL has no built-in TDE, so on Postgres this means encrypted volumes or an enterprise build), TLS 1.2+ on every API endpoint, S3 SSE-KMS on every bucket. Cheap to ship; expensive to retrofit after a breach.
### 🪪 8. Access logging
Every read of personal data by an internal user (support agent, ops, analytics) is logged. Stripe-style audit log. The Board can demand this in any investigation.
### 🌐 9. Data residency map
Document what is in India, what is on AWS Mumbai vs us-east-1, what flows to Bangalore SaaS vs US-based vendors. The cross-border transfer rules in DPDP Section 16 require you to know.
### 🤖 10. Consent Manager interface
Decide now: integrate with the upcoming Account Aggregator-style Consent Managers (a public API contract) or build proprietary. The right answer depends on whether your users will manage consent across multiple SaaS apps.
### 📑 11. DPIA template
If you are designated a Significant Data Fiduciary (the threshold has not been notified yet; see the SDF trap below, and assume you will cross it if you have a large Indian user base or process sensitive data), you need a Data Protection Impact Assessment annually. Build the template now and run it on your existing product.
### 👤 12. DPO appointment
SDFs need a Data Protection Officer who is based in India and answerable to the company's board of directors (not to be confused with the Data Protection Board). Most SaaS founders are appointing themselves or their CTO as interim DPO. Document the appointment in writing.
## What changes IMMEDIATELY (Phase 1)
Three things went live the moment the Rules were notified:

1. The Data Protection Board exists. It can take complaints. It does not yet have full enforcement teeth, but it can conduct fact-finding and refer matters.
2. The breach-notification expectation is set, even before formal enforcement. A breach in November 2025 that you fail to disclose is a problem in 2027 when investigators look back.
3. Industry norms are shifting. Procurement teams at Indian enterprises are starting to ask "are you DPDP-ready?" as part of vendor selection. Saying "we have until May 2027" is the wrong answer for a sales call in Q1 2026.
## What the rules actually say (the bits that matter)
| Rule / Section | What it means for engineering | When it bites |
|---|---|---|
| Rule 3 + Section 5 of the Act (Notice) | A separate, plain-language consent notice for every purpose of processing. No bundling. | Phase 3 (May 2027) |
| Rule 4 (Consent Manager) | Optional integration with Board-registered Consent Managers; opens up cross-fiduciary consent UX. | Phase 2 (Nov 2026) |
| Rule 6 (Reasonable Security Safeguards) | Encryption, access controls, logs of access, retention limits, deletion procedures. | Phase 3 (May 2027) |
| Rule 7 (Breach intimation) | Notify affected users without delay; notify the Board without delay and file the detailed submission within 72 hours. | Phase 3 (May 2027), de facto Phase 1 |
| Rule 10 (Children data) | Verifiable parental consent for users under 18. Specific carve-outs for healthcare, education. | Phase 3 (May 2027) |
| Rule 12 (SDF obligations) | Annual DPIA, independent audit, DPO based in India, algorithmic-risk review. | Phase 3 (May 2027) |
The full text is on the [MeitY website](https://www.meity.gov.in/documents/act-and-policies/digital-personal-data-protection-rules-2025-gDOxUjMtQWa) and the official PIB summary is [here](https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655). Read the full Rules at least once before delegating.
## Common mistakes we see in the wild
Symptom: "We added a checkbox to the signup form. We are DPDP-compliant." No. The notice has to be a separate, standalone document with version control and audit-logged consent. A checkbox in a 2,000-word T&C does not satisfy Rule 3.
Symptom: "Our T&C says users can email us to delete their data." Rule 13 requires you to publish the means by which a user exercises access, correction and erasure rights and to act within your published timeframe. Ship a programmatic mechanism (a button, an API, something a user can use without you in the loop); an email-based process with no owner, no tracking and no deletion chain will fail audit.
Symptom: "We don't process Indian data, we are a B2B SaaS for US clients." Section 3 of the Act turns on Data Principals within the territory of India, not on citizenship. If your US client's employees or end users are in India and you offer the service to them, DPDP applies to that subset. The cross-border applicability is broader than most founders assume.
Symptom: "We outsourced the DPO to our CA firm." The DPO must be an individual based in India, employee or contractor, who is answerable to your board of directors and has authority to escalate independently. A CA firm is an auditor, not a DPO.
The Significant Data Fiduciary trap. The threshold for SDF designation is not in the Rules — MeitY will notify it later. Most analysts expect 50,000–1,000,000 Indian users as the cut. If your B2C SaaS is on a hockey-stick growth curve, assume you will hit SDF status before May 2027. Plan for the DPIA, the annual audit, and the DPO from the start.
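For task 1 (versioned, audit-logged consent), task 8 (logging every internal read of personal data) and the first symptom above, the Python below is an added illustration, not code from the page or its authors. The notice text, user IDs, IP address and support-agent name are constructed, and the log structure is an assumption: a hash chain in which each entry commits to its predecessor, so an entry edited or deleted after the fact is detectable on verification. The notice version is derived from the exact wording displayed, so the record proves what the user actually saw rather than a label like "v2".

```python
"""Hash-chained audit log for consent events and internal reads of personal data.

Added example for this post; not code from the page or from any client it
describes. Notice text, identifiers and IPs below are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENESIS = "0" * 64

# Constructed notice text. The version id is derived from the exact wording,
# so a one-word change to the notice produces a new version automatically.
NOTICE_V1 = "We collect your email and phone number to issue and deliver invoices."


def notice_version_id(notice_text: str) -> str:
    return "sha256:" + hashlib.sha256(notice_text.strip().encode()).hexdigest()[:16]


def _digest(body: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


@dataclass
class AuditLog:
    entries: list[dict] = field(default_factory=list)
    head: str = GENESIS  # hash of the latest entry; anchor this outside the app

    def append(self, event: dict, at: datetime | None = None) -> dict:
        entry = {
            "seq": len(self.entries),
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "prev": self.head,  # each entry commits to the one before it
            **event,
        }
        entry["hash"] = _digest(entry)
        self.head = entry["hash"]
        self.entries.append(entry)
        return entry

    def record_consent(self, user_id, notice_text, purpose, ip, at=None) -> dict:
        """Task 1: which notice version was accepted, for what, when, from where."""
        return self.append({"type": "consent_granted", "user": user_id, "purpose": purpose,
                            "notice_version": notice_version_id(notice_text), "ip": ip}, at)

    def record_withdrawal(self, user_id, purpose, ip, at=None) -> dict:
        return self.append({"type": "consent_withdrawn", "user": user_id,
                            "purpose": purpose, "ip": ip}, at)

    def record_read(self, actor, user_id, fields, reason, at=None) -> dict:
        """Task 8: every internal read of personal data, with who and why."""
        return self.append({"type": "pii_read", "actor": actor, "user": user_id,
                            "fields": sorted(fields), "reason": reason}, at)

    def current_consent(self, user_id, purpose) -> str | None:
        """Latest consent state for one user and purpose, replayed from the log."""
        state = None
        for e in self.entries:
            if e.get("user") == user_id and e.get("purpose") == purpose:
                if e["type"] == "consent_granted":
                    state = "granted"
                elif e["type"] == "consent_withdrawn":
                    state = "withdrawn"
        return state

    def verify(self) -> tuple[bool, int | None]:
        """Recompute the chain; return (ok, seq of the first bad entry)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None


if __name__ == "__main__":
    log = AuditLog()
    log.record_consent("u-42", NOTICE_V1, "billing", "203.0.113.7")
    log.record_read("support:priya", "u-42", ["phone", "email"], "ticket-8812")
    print(log.verify())  # (True, None)
    log.entries[1]["reason"] = "routine"  # simulate an after-the-fact edit
    print(log.verify())  # (False, 1)
```

A hash chain only proves integrity relative to its head. Publish or escrow the current `head` somewhere the application cannot overwrite (a write-once bucket, a separate account) so a rewrite of the whole chain is caught as well, and treat the log as append-only at the storage layer too.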
## A real example: 110-staff Bengaluru fintech SaaS
We started this work for a Bengaluru fintech SaaS in October 2025, in anticipation of the rules. The company had 380,000 Indian users, a Postgres + Redis stack on AWS Mumbai, and a 4-person engineering team. The 90-day plan we ran:
- Days 1–14: Data-flow inventory. Found 23 places personal data was stored, including 4 forgotten S3 buckets and a Hubspot integration nobody could remember enabling. Tightened access on 11 of them.
- Days 15–35: Built the consent-notice screen (separate page, version-controlled, audit-logged), the data-export API, and the erasure pipeline. Total: 9 engineering days.
- Days 36–60: Encryption audit. Migrated DB to PostgreSQL TDE, enabled S3 SSE-KMS on every bucket, audited every API for TLS 1.2+. Two days of work; the discovery was that an internal admin tool was still on TLS 1.0.
- Days 61–75: 72-hour breach playbook. Tabletop exercise in week 11. Three roles assigned: incident commander (CTO), comms lead (Head of Sales, surprisingly), Board-filing lead (Head of Legal).
- Days 76–90: DPIA template, DPO appointment, data residency map. Total cost: ₹3.4 lakh in our consulting + 22 internal engineering days. The CFO logged the spend as "DPDP runway insurance."
## A subtle thing nobody talks about: the audit-log retention question
Rule 6 requires you to keep logs of access to personal data for at least one year (longer where another law requires it). Above that floor there is no fixed number, and the Board can ask you to demonstrate compliance for events well outside it. In practice, our advice is 7 years, matching the cyber-insurance and tax-audit retention norms. That is a non-trivial storage cost for high-volume SaaS; budget it from the start. The cheapest way to do it: hot for 90 days in your primary DB, warm in a Postgres archive for 1 year, cold in S3 Glacier Deep Archive for years 2–7. We have built this layered retention for two SaaS clients; the storage cost for 50 GB/year of audit logs is roughly ₹14,000/year all-in.
## When NOT to start this work this quarter
Skip the 90-day sprint if (a) you are pre-product-market fit with under 1,000 monthly active users, because your product will look completely different in 12 months and you will rebuild the consent flow anyway; or (b) your SaaS is genuinely B2B-only and the only personal data you hold is a business contact's name and work email. Note that even a contact's name and email is personal data under the Act, so the basic Rule 6 safeguards still apply in case (b); what you can defer is the full programme. Anyone with a B2C product or a B2B product that handles employee/customer data should start now.
## Our take
The DPDP Rules are an opportunity in disguise. The Indian SaaS firms that ship clean consent UX, programmatic erasure, and a defensible breach playbook in 2026 will close enterprise deals faster — because their procurement teams will not need to add a 12-week security review. The firms that wait until April 2027 will find that their best engineers are committed to product launches and that DPDP retrofits are taking 4× the planned time. We have already seen this pattern with EU GDPR — Indian SaaS firms that prepared in 2017 captured EU enterprise contracts that the laggards lost in 2018-2019.
Our founder, [Vivek Singh](https://viveksinra.com), has been writing about the founder side of this — what it means for the consumer-product duty of care — and a sister post on Constitution Day (Nov 26) goes deeper into that angle. The technical playbook above came out of work our team did with [our QA and security lead Manvi](/team/manvi) and CTO [Hrishikesh](/team/rishikesh-baidya) for two SaaS clients between Sept and Nov 2025.
## FAQ
### What is the difference between the DPDP Act and the DPDP Rules?
The Act is the law passed by Parliament in August 2023; the Rules are the operational details: what a valid consent notice looks like, what counts as a "reasonable security safeguard," and what a Significant Data Fiduciary must do once designated (the designation itself is by Central Government notification under Section 10 of the Act, not by the Rules). The Rules give the Act teeth. Without the Rules, the Act was unenforceable, which is why nothing happened from August 2023 to November 2025.
### When can the Data Protection Board start fining us?
The Board can take complaints now (Phase 1). The penalty regime is fully active in Phase 3 (May 2027). Between now and May 2027, expect investigations and informal compliance notices but not the headline ₹250-crore penalties.
### Do we need a Data Protection Officer (DPO)?
If you are designated a Significant Data Fiduciary, yes, and the DPO must be based in India, reporting to the company's board of directors. If you are an ordinary Data Fiduciary, you need a designated person to receive grievances and answer questions about processing, but the role can be combined with another (CTO, COO). Most SaaS founders we work with appoint themselves until they cross the SDF threshold.
### What if our customer is in the EU and we are subject to GDPR?
DPDP and GDPR overlap roughly 75%. The big differences: DPDP has no equivalent of GDPR's open-ended "legitimate interest" basis (the closest analogue, "certain legitimate uses" under Section 7, is a closed list rather than a balancing test, so consent is much more central in India), DPDP has stronger children-data rules, and DPDP penalties are calculated differently (capped per breach in INR, not as a % of global turnover). If you are GDPR-compliant, you are roughly 70% of the way to DPDP-compliant; the rest is notices available in Indian languages and the DPO-residency rule.
### How does DPDP affect AI training data?
Training a model on personal data is "processing" under DPDP. You need a lawful basis, usually consent, for every personal-data row in the training set. Models trained on scraped Indian data without consent have no lawful basis for that data, unless the Data Principal themselves made it publicly available, which Section 3 of the Act carves out. Synthetic data and data that has been anonymised in a manner that cannot reasonably be reversed are out of scope, because they are no longer personal data.
### What is the role of the Consent Managers?
Consent Managers are intermediaries registered with the Data Protection Board (think DigiLocker meets Plaid) that let an end-user manage consent across multiple Data Fiduciaries from one dashboard. The registration framework opens November 2026. SaaS founders should decide whether to integrate the API once it is published; for B2C apps that share data with partners, integrating early is a strong UX win.
### Where can we read what the community is saying?
The [r/india](https://www.reddit.com/r/india/) and [r/IndianSaaS](https://www.reddit.com/r/IndianSaaS/) subreddits have active threads. The [Software Freedom Law Centre](https://sflc.in/) has a public reading guide. The [Internet Freedom Foundation](https://internetfreedom.in/) has been the most useful civil-society lens. We cross-checked our 90-day plan against the [Scrut Automation public guide](https://www.scrut.io/post/dpdp-rules) and the [KPMG implementation deck](https://assets.kpmg.com/content/dam/kpmgsites/in/pdf/2025/11/dpdp-rules-2025-guidance-to-dpdp-act-implementation.pdf), both freely downloadable.
Need a DPDP readiness audit and engineering plan?
Our team runs a 90-day DPDP readiness programme for Indian SaaS founders — data-flow inventory in week 1, the 12 engineering changes scoped in week 2, and a fixed-price build-out for the rest. Typical engagement: ₹2.8–₹5.4 lakh depending on existing footprint. The first call is with our QA + security lead Manvi and our engineering team, who have already shipped this for two SaaS clients in Bengaluru.
Book a 30-min DPDP Call