The number that should worry you
Rs 250 crore
That is the ceiling the DPDP Act sets for a single failure to take reasonable security safeguards, the largest penalty in its schedule. IBM's Cost of a Data Breach study puts the average Indian breach at Rs 19.5 crore. Neither number waits for you to be ready.
Why DPDP compliance is now a board-level deadline
The Digital Personal Data Protection Act, 2023 is law, and the rules MeitY has issued under it spell out what a data fiduciary must do, with obligations phasing in through 2026. If you hold names, phone numbers, Aadhaar details, or health records of individuals in India in digital form, you are on the hook. The Act turns on where the data principal is, not on citizenship.
Here is what changed. The penalty is no longer a slap on the wrist. A single failure to guard personal data can cost up to Rs 250 crore. Your board now treats this the way it treats a GST notice or an income tax raid.
We have seen the pattern repeat across Mumbai and Pune. A firm assumes its IT team has it covered. Then a customer files a grievance, a regulator asks for the consent record, and nobody can produce it. That is the gap. Our DPDP guide for MSMEs walks through the same trap in plain language.
Most teams know they should act. What stops them is not budget. It is not knowing where their data even lives. That is exactly where we start.
What the DPDP Act actually requires of you
Strip away the legalese and the Act asks for five things. You must know what personal data you hold. You must collect it with clear, specific consent. You must protect it with real controls. You must let people see, correct, and erase their data on request. And when a breach happens you must notify the Data Protection Board and every affected person promptly.
Each one sounds simple on a slide. In practice they trip up good teams. Consent records get scattered across forms nobody owns. Data sits in old spreadsheets on a finance laptop. A vendor keeps a copy you forgot about. When a regulator asks for the trail, the silence is the problem.
The cost of getting it wrong is not theoretical. The penalty ceiling under the Act reaches Rs 250 crore per MeitY, and the reputational hit travels faster than any fine. A customer who learns their data leaked rarely comes back. That is the quiet tax on doing nothing.
We turn those five duties into a checklist with an owner and a date against each line. No theory. You either have the consent record or you do not. By the end you can answer a regulator in a single email instead of a panicked week.
How the package gets you audit-ready
The work runs in three clear stages. No jargon. Each stage ends with something you can show a regulator.
Stage one, we find your data. We map where personal data sits across laptops, file servers, email, and cloud apps. You get a data inventory and a risk score. This is the part most firms skip and later regret.
Stage two, we stop the leaks. We deploy the Secure Data Guard DLP controls that block data from walking out the door. USB copy, unapproved cloud uploads, and risky email attachments get watched and stopped. Where endpoints need a security layer, we pair this with Bitdefender GravityZone.
Stage three, we write the paperwork. Consent notices, a data processing record, a breach response plan, and a privacy policy your legal team can sign. We hand you the policy generator so you can keep these current as you grow. I have watched teams pass their first internal review on the strength of this document alone.
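Stage one above is a data-discovery pass. The Python below is an illustration added to this page, not code from the Secure Data Guard package; it shows the shape of that pass on constructed sample files. It matches Aadhaar, PAN, Indian mobile and e-mail patterns, drops 12-digit strings that fail the Aadhaar Verhoeff check digit (order and invoice numbers otherwise surface as false positives), keeps only PANs issued to individuals (fourth letter P; company and firm PANs are not personal data), and records counts and masked samples rather than raw values, so the inventory is not itself one more copy of the data. The file paths, sample contents and risk weights are assumptions made for the example.

```python
"""Stage-one data discovery for a DPDP inventory (illustrative example).

Scans text from several locations for Indian personal-data patterns and
builds an inventory of counts, masked samples and a risk score per location.
The sample files and the risk weights below are constructed for this example.
"""
import re
from collections import defaultdict

# Verhoeff check-digit tables (multiplication, permutation). Aadhaar numbers
# carry a Verhoeff check digit, so a random 12-digit string fails this test
# about nine times in ten.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]


def verhoeff_valid(digits: str) -> bool:
    """True when the trailing check digit is consistent with the rest."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


PATTERNS = {
    # Aadhaar: 12 digits, first digit 2-9, often written in groups of four.
    "aadhaar": re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)"),
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "mobile": re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{9}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}
# Illustrative weights (assumption): a leaked Aadhaar hurts more than an e-mail.
WEIGHTS = {"aadhaar": 10, "pan": 5, "mobile": 2, "email": 1}


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str):
    """Yield (data_class, masked_value) for each confirmed hit in text."""
    for cls, rx in PATTERNS.items():
        for m in rx.finditer(text):
            raw = m.group(0)
            if cls == "aadhaar":
                raw = re.sub(r"[ -]", "", raw)
                if not verhoeff_valid(raw):
                    continue  # bad check digit: an order or invoice number, not an Aadhaar
            elif cls == "pan" and raw[3] != "P":
                continue  # fourth letter P = individual; C, F, H etc. are entities
            yield cls, mask(raw)


def build_inventory(files):
    """files: {location: text}. Returns per-location counts, masked samples, risk score."""
    inventory = {}
    for location, text in files.items():
        counts = defaultdict(int)
        samples = {}
        for cls, masked in classify(text):
            counts[cls] += 1
            samples.setdefault(cls, masked)  # one masked example per class, never the raw value
        score = sum(WEIGHTS[c] * n for c, n in counts.items())
        inventory[location] = {"counts": dict(counts), "samples": samples, "risk_score": score}
    return inventory


# Constructed sample "files": a payroll export, an orders file with look-alike
# numbers, and a mail export. None of these values belong to a real person.
SAMPLE_FILES = {
    "finance-laptop/payroll.csv": (
        "name,aadhaar,pan,mobile,email\n"
        "Ravi Kumar,2345 6789 0124,ABCPK1234F,9876543210,ravi.k@example.com\n"
    ),
    "fileserver/orders/march.csv": (
        "order_ref,vendor_pan,status\n"
        "234567890123,AAACT1234F,delivered\n"  # 12 digits with a bad check digit; company PAN
    ),
    "mail/export.txt": "Please call +91 9123456789 or write to ops@example.com",
}

if __name__ == "__main__":
    for location, entry in build_inventory(SAMPLE_FILES).items():
        print(f"{location}: risk {entry['risk_score']:>3}  {entry['counts']}  {entry['samples']}")
```

Run on a real estate, the same scan walks file shares, mailbox exports and cloud-drive listings instead of the dict above; the point to keep is that the output holds counts and masked samples only, and that every 12-digit hit is checked before it is counted as an Aadhaar number.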
What does it cost?
| Tier | Best for | From |
|---|---|---|
| Essentials | 25 to 100 users getting started | Rs 40,000 / month |
| Growth | 100 to 500 users, multi-site | Rs 85,000 / month |
| Enterprise | BFSI, pharma, 500+ users | Custom quote |
Applicable GST extra. Pricing covers tooling, deployment, and a named consultant. One-time data mapping billed separately for sites above 500 users.
No card. No contract. A real consultant reviews your case.
How we compare to building it in-house
You could hire a privacy officer, buy a tool, and write the policies yourself. Some firms do. The honest answer is that it takes a year and a person who has done it before.
A pure software route is the other option. Tools like GTB, Safetica, Bitdefender, Sophos, Forcepoint, Trellix, Fortra, and Microsoft Purview each solve a slice of the problem. We are tool-neutral and deploy several of these. But a licence alone does not map your data or write your consent notices. Someone still has to do the work.
Our package bundles the people and the platform. We have done this for firms that tried the do-it-yourself path first and lost six months to it. The tool was fine. What they lacked was a person who had run the project before and knew which corners not to cut. That is what you rent when you bring us in. For privileged access you can also bolt on ARCON PAM; our ARCON PAM India 2026 buyer guide covers that choice.
Which industries this fits best
BFSI. Banks, insurers, and NBFCs face the DPDP Act on top of IRDAI and RBI rules. Our BFSI compliance playbook maps the overlap so you do one project, not three.
Pharma and healthcare. Patient records are sensitive personal data. The bar is higher and so is the scrutiny. We classify health data first and lock it down before anything else.
Manufacturing. Designs, vendor terms, and worker records all leak through the same channels. A factory with a small IT team gets the most relief from a managed package, because nobody on the floor has time to chase consent forms. We carry that load so your plant keeps running.
Logistics. Driver and customer data moves across phones and apps every hour. We watch those endpoints and pair the controls with Microsoft Purview where a firm already runs Microsoft 365. Buying 50 or more managed devices alongside this? Ask about our Device Lifecycle Management (DaaS) offer, from Rs 499 per device.
Questions Indian compliance teams ask
How long does it take to get compliant?
A mid-size firm reaches a defensible position in about 30 days. Larger BFSI or pharma estates take longer because the data is messier and the scrutiny is higher. You can gauge your starting point with our 10-question readiness check.
Who counts as a data fiduciary?
If your business decides why and how personal data gets used, you are a data fiduciary under the Act. That covers almost every company with customers or staff. Our note on what a data fiduciary must do breaks it down.
Do we need new tools or just policies?
Both. Policies tell people what to do. Tools stop the data from leaving when people forget. Buy only software and you get gaps the audit will find. Write only policy and you get a binder nobody follows. We deploy the controls and write the policies in one project so they actually match.
What proof will we have for an audit?
A data inventory, a processing record, consent notices, a breach plan, and logs from the Secure Data Guard controls. Our DPDP audit guide shows what a reviewer looks for.
Is this only for large companies?
No. The Essentials tier is built for firms with 25 to 100 users. The law applies the moment you hold the digital personal data of one individual in India, whatever your size.
Get your free DPDP gap review
Tell us what you hold and where it sits. We come back within 4 working hours with a plan and a fixed quote. Every week you wait, the exposure compounds.
Explore the full Secure Data Guard practice. 200+ Indian businesses already trust us.
P.S. Last month a Navi Mumbai insurer called us the week after a customer asked for their consent record and the team could not find it. We mapped their data, fixed the controls, and handed them a findings document in under four weeks. The next grievance was a non-event. That is the whole point.
Written by Priya Sharma, DLP and DPDP lead, Sirius Star.
