India DPDPA: Practical Compliance Roadmap for the May 2027 Enforcement Deadline
India's Digital Personal Data Protection Act (DPDPA), enacted on August 11, 2023, has moved from statute to active enforcement preparation. The DPDP Rules 2025, notified in early 2025, set the operational framework and confirmed the full effective date of May 13, 2027 for consent, privacy notice, and security requirements. The practical compliance window is approximately twelve months, and the penalties are severe: up to INR 250 crore (~USD 30 million) per significant breach.
Cross-Border Data Transfer: Blacklist Approach
The DPDPA takes a blacklist approach to cross-border transfers — the opposite of GDPR's whitelist/adequacy model:
"Personal data can be transferred from India to any country except those notified by the central government as restricted. As of late 2025, no countries have been notified as restricted under the DPDPA framework, although sectoral regulators (RBI for banking, IRDAI for insurance, SEBI for securities) retain authority to impose data localisation requirements that may override the DPDPA's permissive default."
Significant Data Fiduciary (SDF) Designation
The government may designate an organization as an SDF based on volume, sensitivity, systemic importance, risk to electoral democracy, sovereignty, security, and public order. SDFs face additional obligations: appointment of an India-based DPO, periodic DPIAs, audits, and other measures. The criteria have yet to be fully detailed, but large consumer tech platforms, financial services, healthcare processors, and significant cross-border data exporters should plan for SDF compliance as a base case.
90-Day Priority Checklist for APAC GCs
- Confirm scope: Map data flows involving Indian residents. Any product or service touching Indian consumers — including through a website or app — is in scope, regardless of entity presence.
- Inventory consent practices: DPDPA's requirements are specific and exceed what most existing privacy notices satisfy.
- Assess SDF likelihood: Plan for SDF designation as the base case if India processing volumes are material or the industry is regulated.
- Build the breach notification playbook: Timing is "as soon as possible" without a fixed deadline, but enforcement guidance suggests treatment closer to 72-hour standards.
- Review vendor contracts: Data processors need contractually allocated DPDPA responsibility, breach notification timelines, and audit rights.
- Confirm sectoral data localisation: RBI, IRDAI, and SEBI rules may impose stricter requirements than the DPDPA itself.
"The May 2027 effective date sounds distant; in practice the operational lead time on consent flow redesign, vendor contract papering, and Significant Data Fiduciary readiness is twelve to eighteen months."