Complying with
India’s Digital Personal
Data Protection Act (DPDPA)

Protect customer privacy, streamline
data management, and reduce the risk
of data breaches.

Digital Personal Data Protection Act compliance guide
What is DPDPA?

The Digital Personal Data Protection Act, 2023 (DPDPA), is India's data privacy law. It aims to protect individuals' privacy rights and establishes a framework for the lawful processing of personal data, defining how digital personal data must be collected, used, protected, and governed across the country.

The Act applies to personal data processed within India that is collected in digital form, or collected offline and subsequently digitized. It also applies to processing outside India when that processing is connected with offering goods or services to Data Principals within India.

Be DPDPA ready: ManageEngine’s quick-start guide to support your compliance journey.

Why should my organization comply with DPDPA?

The notification of the DPDP Rules, 2025 on 13 Nov. 2025 marks India's transition to a fully enforceable data-protection framework. Together with the DPDP Act, 2023, the Rules define how digital personal data must be collected, used, protected, and governed across the country.

Here are some other compelling reasons why you should start preparing for compliance.

  • Avoid penalties

    A failure to implement reasonable security safeguards that prevent a personal data breach can attract a penalty of up to ₹250 crore under the Act's schedule of penalties, and a failure to notify the Data Protection Board or affected Data Principals of a breach up to ₹200 crore.

  • Stay ahead of competition

    Attract privacy-conscious customers and build a trustworthy reputation.

  • Reduce risk

    Implement safeguards that minimize the operational disruption caused by security incidents or a data breach, and so improve business continuity.

DPDPA implementation timeline

The Rules introduce an eighteen-month period for phased compliance.
The full set of obligations becomes enforceable 18 months after the Rules were published on 13 Nov. 2025,
that is, on 13 May 2027.

Phase 1
13 Nov. 2025

Activates the regulator and overall enforcement setup.

Phase 2
13 Nov. 2026

Brings a limited set of rules into force early, mainly those governing Consent Managers and the Data Protection Board's power to register and regulate them.

Phase 3
13 May 2027

The substantive compliance obligations take effect: everything from consent and Data Principal rights to security safeguards, children's data, breach reporting, international transfers, and penalties becomes enforceable.

Leverage ManageEngine solutions
to support DPDPA compliance

ManageEngine's suite of IT management solutions can help your organization prepare for DPDPA compliance. Manage and secure data throughout its life cycle, across collection, processing, transfer, and storage, with the help of our solutions.

In the following section, we outline how our IT solutions can assist your organization in addressing certain technical and organizational control requirements under DPDPA.

  • Rule 6: Security safeguards
  • Rule 7: Breach notification
  • Rule 8: Data discovery, retention and deletion
Rule 6: Security Safeguards

As per Rule 6, a Data Fiduciary must protect the personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. At a minimum these safeguards include: securing data through encryption, obfuscation, masking, or virtual tokens; controlling access to the computer resources used for processing; maintaining visibility over that access through logs, monitoring, and review so that unauthorized access can be detected, investigated, and remediated; measures such as backups that allow processing to continue if confidentiality, integrity, or availability is compromised; retaining those logs and the personal data for at least one year unless another law requires longer; appropriate provisions in contracts with Data Processors; and supporting technical and organizational measures. The capabilities below are grouped by those safeguards.

Meet this requirement with ManageEngine:

Protect personal data by enforcing strong encryption, controlled access, and selective data masking across identities, endpoints, infrastructure, and IT operations.

  • Encryption at rest and in transit: Personal data is encrypted while stored and while moving between systems.
  • Full-disk encryption on end-user devices: All end-user devices use full-disk encryption to protect data in case of loss, theft, or compromise.
  • Centralized key and certificate management: Cryptographic keys and certificates are centrally generated, stored, rotated, and monitored to ensure strong, current encryption across all systems.
  • Data masking and redaction: Personal data is masked or redacted in interfaces, reports, dashboards, and data transfers so that only what is necessary is exposed.
  • Controls against unauthorized data extraction: Technical controls prevent copying personal data to unauthorized or unencrypted removable media.
  • Application-level encryption and obfuscation: Sensitive attributes (emails, phone numbers, IPs, URLs, hostnames, access tokens) are encrypted or obfuscated at the application layer to limit internal exposure.
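The masking and obfuscation described in the last two bullets can be made concrete. The block below is an added example written for this page, not ManageEngine product code: it applies field-specific masking to constructed log records (emails, phone numbers, IPv4 addresses, bearer tokens) before they reach a report or dashboard, and derives a keyed pseudonym so analysts can still correlate one user's events without seeing the identifier. The sample records, the key, and the field names are assumptions for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed sample records, as they might look in an access log or a report
# export before masking. Not real data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"user": "priya.sharma@example.in", "phone": "+91 98765 43210",
     "src_ip": "203.0.113.42", "action": "export_customer_list",
     "token": "eyJhbGciOiJIUzI1NiJ9.payload.signature"},
    {"user": "admin@example.in", "phone": "9876543210",
     "src_ip": "198.51.100.7", "action": "login",
     "token": "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"},
]

# Hypothetical per-deployment secret; in practice this comes from a key manager
# and is rotated on the same schedule as other application keys.
PSEUDONYM_KEY = b"example-key-load-from-key-manager"

EMAIL_RE = re.compile(r"^([^@]+)@(.+)$")


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way pseudonym: same input gives the same output, so events can
    still be joined per user, but without the key a guessed identifier cannot
    be confirmed by hashing it. Truncated to 12 hex characters for readability."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def mask_email(email: str) -> str:
    """'priya.sharma@example.in' -> 'p***@example.in' (domain kept for statistics)."""
    m = EMAIL_RE.match(email)
    if not m:
        return "***"
    local, domain = m.groups()
    return f"{local[0]}***@{domain}"


def mask_phone(phone: str) -> str:
    """Keep only the last four digits: '+91 98765 43210' -> '***3210'."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) < 4:
        return "***"
    return "***" + digits[-4:]


def mask_ip(ip: str) -> str:
    """Zero the host octet of an IPv4 address: '203.0.113.42' -> '203.0.113.0'."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "***"
    return ".".join(parts[:3] + ["0"])


def redact_record(rec: Dict[str, str]) -> Dict[str, str]:
    """Apply field-specific rules; fields without a rule pass through untouched.
    The input dict is copied, not modified. Tokens are always redacted rather than
    pseudonymized: a secret has no analytic value and should not be stored in any
    derived form."""
    out = dict(rec)
    if "user" in out:
        out["user_id"] = pseudonymize(out["user"])  # stable join key for analytics
        out["user"] = mask_email(out["user"])
    if "phone" in out:
        out["phone"] = mask_phone(out["phone"])
    if "src_ip" in out:
        out["src_ip"] = mask_ip(out["src_ip"])
    if "token" in out:
        out["token"] = "[REDACTED]"
    return out


def redact_all(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [redact_record(r) for r in records]


if __name__ == "__main__":
    for row in redact_all(SAMPLE_RECORDS):
        print(row)
```

The pseudonym is an HMAC rather than a bare SHA-256 so that someone holding the masked report cannot confirm a guessed email address by hashing it themselves; rotating the key invalidates old pseudonyms, which is the intended behaviour when a report's correlation window closes.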

Meet this requirement with ManageEngine:

Strict, end-to-end control over access to computer resources by enforcing identity-based access controls, least-privilege principles, and continuous oversight across users, administrators, endpoints, and privileged systems.

  • Role-based and least-privilege access: Access to systems, applications, and devices is enforced through RBAC, ensuring users and administrators have only the permissions required for their roles.
  • Context-aware access control: Access decisions are dynamically evaluated using contextual signals such as user identity, device posture, location, IP address, and time of access to reduce unauthorized or high-risk access.
  • Automated access life cycle management: User provisioning, role changes, and deprovisioning are automated to ensure access is granted, modified, or revoked immediately as responsibilities change.
  • Privileged access management: Access to sensitive resources is approval-based and time-bound, using just-in-time (JIT) elevation and periodic access reviews to minimize standing privileges.
  • Credential isolation and session monitoring: Privileged access is mediated without exposing credentials, and all privileged sessions are monitored, recorded, and auditable.
  • Endpoint and device access controls: Local administrator rights, device-level access, removable media, and peripheral usage are restricted to authorized users.
  • Continuous logging and monitoring: All access to computing resources is logged and monitored, with alerts for anomalous or unauthorized activity.

Meet this requirement with ManageEngine:

Continuous and auditable visibility into how personal data is accessed by collecting, correlating, and analyzing access-related events across identities, endpoints, applications, networks, and data flows.

  • Centralized access logging: Access events from directories, endpoints, applications, servers, network devices, and data protection systems are centrally collected and normalized to create a single audit trail.
  • Real-time monitoring and analytics: User and system activity is continuously monitored and analyzed to detect anomalous or suspicious access to systems processing personal data.
  • Comprehensive audit trails: Logs capture authentication events, resource access, administrative actions, file operations, data transfers, peripheral usage, and security events to ensure full traceability.
  • Alerting and incident response: Real-time alerts flag unusual access patterns, policy violations, and potential security incidents for prompt investigation and response.
  • Log retention and forensic support: Access logs are securely retained to support forensic investigations, internal audits, and regulatory inquiries.
  • Audit-ready reporting and visibility: Role-based dashboards, automated reports, and searchable logs provide clear evidence of access to personal data for auditors and stakeholders.
  • Cross-source correlation: Access data is correlated across IT and security systems to identify privilege misuse, hidden access paths, and high-risk activity.
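Real-time monitoring and anomaly alerting (the second and fourth bullets above) come down to rules evaluated over an access stream. As an added example that is not part of this page or of any ManageEngine product, the block below parses a constructed access log in a hypothetical key=value format and raises four kinds of alert, but only for resources that serve personal data: access outside business hours, a source IP not in the user's baseline, a bulk export, and a success that follows a burst of failures. The log format, the resource prefixes, the per-user IP baseline, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log lines (not real traffic). Timestamps carry the IST offset.
SAMPLE_LOG = """\
2026-03-02T10:02:11+05:30 user=priya src_ip=10.0.5.21 resource=/crm/customers/1042 result=SUCCESS
2026-03-02T10:05:40+05:30 user=priya src_ip=10.0.5.21 resource=/crm/customers/1043 result=SUCCESS
2026-03-02T23:47:03+05:30 user=priya src_ip=198.51.100.7 resource=/crm/customers/export result=SUCCESS
2026-03-03T09:12:00+05:30 user=arjun src_ip=10.0.5.40 resource=/hr/employees/88 result=FAILURE
2026-03-03T09:12:05+05:30 user=arjun src_ip=10.0.5.40 resource=/hr/employees/88 result=FAILURE
2026-03-03T09:12:09+05:30 user=arjun src_ip=10.0.5.40 resource=/hr/employees/88 result=FAILURE
2026-03-03T09:12:14+05:30 user=arjun src_ip=10.0.5.40 resource=/hr/employees/88 result=SUCCESS
2026-03-03T11:30:00+05:30 user=meena src_ip=10.0.5.77 resource=/public/status result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) "
    r"resource=(?P<res>\S+) result=(?P<result>\S+)$"
)

# Assumptions for the example: which resource paths serve personal data, what
# counts as business hours (local time of the timestamp), and how many
# consecutive failures before a success is suspicious.
PERSONAL_DATA_PREFIXES = ("/crm/customers", "/hr/employees")
BUSINESS_HOURS = range(9, 19)  # 09:00 to 18:59
FAILURE_BURST = 3
# Known-good source IPs per user, as would be learned from a baseline window.
BASELINE_IPS = {"priya": {"10.0.5.21"}, "arjun": {"10.0.5.40"}, "meena": {"10.0.5.77"}}


def parse(line: str) -> Dict[str, str]:
    """Split one key=value log line into its fields; reject anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def touches_personal_data(resource: str) -> bool:
    return resource.startswith(PERSONAL_DATA_PREFIXES)


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule, user, timestamp) alerts for accesses to personal-data resources."""
    alerts: List[Tuple[str, str, str]] = []
    consecutive_failures = defaultdict(int)  # user -> failures since last success
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        ts = datetime.fromisoformat(ev["ts"])  # offset-aware; .hour is the local hour
        user, ip, res = ev["user"], ev["ip"], ev["res"]
        succeeded = ev["result"] == "SUCCESS"
        if not touches_personal_data(res):
            continue  # non-personal-data resources are out of scope for these rules
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", user, ev["ts"]))
        if ip not in BASELINE_IPS.get(user, set()):
            alerts.append(("new_source_ip", user, ev["ts"]))
        if res.endswith("/export"):
            alerts.append(("bulk_export", user, ev["ts"]))
        if succeeded:
            if consecutive_failures[user] >= FAILURE_BURST:
                alerts.append(("success_after_failures", user, ev["ts"]))
            consecutive_failures[user] = 0
        else:
            consecutive_failures[user] += 1
    return alerts


if __name__ == "__main__":
    for rule, user, when in detect(SAMPLE_LOG):
        print(f"{when} {user}: {rule}")
```

On the constructed log this yields three alerts for the off-hours export from an unfamiliar address and one for the account that succeeded after three failures; the routine status check never reaches the rules because it does not touch personal data, which is what keeps alert volume proportional to actual exposure.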

Meet this requirement with ManageEngine:

Maintain the availability of systems processing personal data by combining reliable backup mechanisms, rapid recovery capabilities, and operational resilience controls to minimize downtime and data loss.

  • Automated and scheduled backups: Systems managing personal data are backed up on a scheduled basis with incremental backups and versioning to enable point-in-time recovery.
  • Granular recovery capabilities: Personal data and system components can be restored at granular levels (users, objects, attributes, files) to minimize recovery time and disruption.
  • Full environment rollback: Identity and directory environments can be rolled back to known-good states following corruption, misconfiguration, or security incidents.
  • Resilient backup storage and retention: Backups are stored in resilient repositories with defined retention policies, supporting recovery from ransomware, disasters, or infrastructure failures.
  • Operational system and endpoint recovery: Endpoints and systems can be rapidly restored through centralized remediation, configuration enforcement, and patching.

Meet this requirement with ManageEngine:

Meet log-retention obligations by enforcing configurable, long-term storage of access logs and audit records related to personal data, while preserving their integrity and keeping them retrievable for review and investigation.

  • Configurable long-term log retention: Log and audit data is retained for at least 365 days, with configurable retention periods to meet regulatory and organizational requirements.
  • Automated archiving with tiered storage: Logs are automatically archived into tiered storage, keeping recent data searchable while securely preserving older records for compliance.
  • Uniform retention enforcement: Retention policies are consistently applied across identity systems, endpoints, and monitoring platforms to prevent coverage gaps.
  • Tamper-resistant log storage: Archived logs are stored in integrity-protected, tamper-resistant formats to prevent unauthorized modification or deletion.
  • Scalable storage backends: Long-term retention is supported across scalable on-premises and off-site or cloud storage.
  • Audit-ready access to historical logs: Archived logs can be restored and queried for audits, investigations, and regulatory reviews.

Meet this requirement with ManageEngine:

Support Data Fiduciaries in operationalizing contractual requirements by providing centralized contract governance, traceability of Data Processors, and technical controls that enable verification and enforcement of agreed security safeguards.

  • Centralized management of processor contracts and DPAs: Processor contracts and data processing agreements (DPAs) are centrally stored, versioned, and managed to ensure security safeguard clauses are captured and audit-ready.
  • Traceability between processors, contracts, and systems: Contracts are linked to vendors, services, and assets, providing clear visibility into which processors handle specific systems and personal data.
  • Contract life cycle governance: Renewal tracking, alerts, and historical records support periodic review of processor obligations and prevent lapses in contractual safeguards.
  • Security-by-design in onboarding and procurement: Contract management is integrated with procurement and approval workflows to ensure security requirements are enforced at processor onboarding.
  • Controlled and contract-aligned processor access: Third-party access is enforced through role-based, time-bound, and JIT mechanisms aligned with contractual restrictions.
  • Active monitoring of processor activity: Processor privileged sessions can be monitored, supervised, and terminated in real time to enforce contractual security obligations.
  • Verification of processor security posture: Centralized visibility into processor endpoint security, patching, encryption, and access controls enables validation of contractual compliance.
Rule 7: Breach notification

As per Rule 7, on becoming aware of a personal data breach the Data Fiduciary must, without delay, intimate each affected Data Principal in a concise, clear, and plain manner, describing the nature, extent, timing, and location of the breach, its likely consequences for the Data Principal, the measures implemented or proposed to mitigate risk, the safety measures the Data Principal can take, and how to contact the Data Fiduciary.

The Data Fiduciary must also notify the Data Protection Board of India without delay, and within 72 hours of becoming aware of the breach (or a longer period the Board allows on written request) provide updated and detailed information: the broad facts and circumstances, the measures implemented or proposed to mitigate risk, the remedial steps taken to prevent recurrence, findings on who caused the breach, and a report of the intimations given to affected Data Principals.

Meet this requirement with ManageEngine:

Detect personal data breaches early, manage them through governed incident workflows, and generate clear, auditable information required for timely and compliant breach notifications.

  • Early breach detection: Security events across endpoints, networks, applications, identities, and data flows are continuously monitored using real-time analytics and threat intelligence to identify potential personal data breaches early.
  • Incident triage and notifiability assessment: Detected events are correlated and prioritized based on severity and potential data impact to determine whether they constitute a notifiable personal data breach.
  • Scope and impact determination: Logs and correlated timelines identify affected systems, users, datasets, and access paths to assess potential access, alteration, exfiltration, or disruption of personal data.
  • Structured incident response management: Breaches are handled through formal workflows ensuring logging, assignment, investigation, containment, and resolution within defined timelines and a defensible chain of custody.
  • Breach documentation and communication: Plain-language summaries, timelines, and evidence support accurate notifications describing the nature, impact, and scope of the breach.
  • Mitigation and remediation evidence: Containment actions, remediation steps, and preventive measures are documented to demonstrate risk mitigation and prevention of recurrence.
  • Audit-ready breach reporting: Time-stamped alerts, investigation records, and incident histories provide verifiable evidence of timely breach response and notifications.

Meet this requirement with ManageEngine:

Recover from personal data breaches quickly, remediate root causes, and produce clear, auditable evidence of corrective actions required for breach notifications.

  • Rapid service and data restoration: Systems processing personal data can be quickly restored using incremental backups and multiple recovery options to minimize data loss and downtime.
  • Containment and isolation of compromised systems: Affected endpoints and environments can be isolated, locked, or wiped remotely to stop further exposure before services are restored.
  • Targeted remediation and rollback: Malicious activity, unauthorized data transfers, and misconfigurations are blocked, removed, or rolled back to return systems to a known-secure state and prevent recurrence.
  • Reinforcement of security baselines: Access controls, endpoint policies, and device restrictions are reapplied to ensure recovered systems meet required security baselines prior to resuming operation.
  • Ransomware recovery controls: Encryption activity is halted, affected data is restored via rollback mechanisms, and lateral spread is contained before confirming recovery.
  • Documented remediation evidence: All containment, recovery, and remediation actions are logged with timestamps to provide verifiable evidence of mitigation measures.

Meet this requirement with ManageEngine:

Generate, preserve, and review verifiable evidence logs required to substantiate breach notifications, mitigation disclosures, and regulatory reporting.

  • Comprehensive evidence logging: Access events, system activity, data movements, endpoint actions, and malware or ransomware incidents are logged with full context, including actors, timestamps, and affected systems.
  • Centralized correlation and breach reconstruction: Logs from endpoints, data protection controls, malware defenses, and system events are correlated into a unified investigation view to reconstruct breach timelines and impact accurately.
  • Forensic-grade retention and searchability: Evidence logs are securely retained and searchable over extended periods to support investigations, regulatory inquiries, and validation of breach facts.
  • Documented data exposure attempts: Records of attempted or blocked data transfers, file access, device usage, and malicious activity define the scope of potential personal data exposure and identify affected Data Principals.
  • Preserved mitigation and recovery evidence: Detection, containment, cleanup, and recovery actions are logged with timestamps to provide verifiable proof of mitigation and prevention measures.
  • Evidence-backed notification and reporting: Consolidated evidence supports accurate, plain-language breach notifications and defensible reports to regulators and affected Data Principals.
Rule 8: Data discovery, retention and deletion

As per Rule 8, the Data Fiduciary must retain the personal data it processes, together with the associated traffic data and processing logs, for a minimum period of one year. Once that mandatory retention period ends, the Data Fiduciary must ensure that the personal data and logs are erased, unless their continued retention is required to comply with a law in force.

Meet this requirement with ManageEngine:

Systematically discover, classify, and map where personal data resides across endpoints, file systems, databases, and removable media, forming the foundation for compliant retention and deletion.

  • Automated personal data discovery: Structured and unstructured data sources are scanned to identify personal data and maintain an inventory of where it is stored.
  • Risk-based data classification: Discovered data is classified by sensitivity and context to distinguish high-risk personal data and apply appropriate retention and deletion rules.
  • Endpoint and user-environment visibility: Managed endpoints and user systems are inventoried to identify locations where personal data may exist, including local storage and application data.
  • Monitoring of data movement and temporary storage: File transfers involving removable media and peripherals are monitored and logged to map personal data movement and storage paths.
  • Identification of incident-affected data: Data impacted by malware or ransomware is identified to assess potential exposure and support retention or deletion decisions.
  • Discovery reporting for compliance: Discovery reports and risk indicators support defensible decisions on retention scope, mandatory retention, and lawful deletion timelines.

Meet this requirement with ManageEngine:

Apply classification-driven controls that support mandatory one-year retention of personal data and systematic deletion thereafter, unless continued retention is legally required.

  • Automated retention enforcement: Personal data is automatically retained and expired based on classification-driven retention policies aligned with regulatory requirements.
  • Automated identification of deletion-eligible data: Data exceeding mandatory retention periods is continuously identified and flagged for deletion without manual intervention.
  • Controlled, system-enforced deletion workflows: Deletion is executed through system-controlled, reviewable workflows to prevent premature erasure while ensuring timely compliance.
  • Automated handling of lawful retention exceptions: Legal, regulatory, and investigative holds are system-enforced, automatically excluding applicable data from deletion.
  • Audit-ready retention and deletion evidence: Automated reports and logs provide verifiable evidence of retention enforcement and deletion actions.

Meet this requirement with ManageEngine:

Identify inactive users and stale data, supporting lawful minimization and deletion of personal data after the mandatory one-year retention period.

  • Detection of inactive user accounts: User activity is monitored to identify accounts inactive beyond defined thresholds.
  • Evidence-based inactivity records: Historical logon and inactivity data is retained to support defensible disablement or deletion decisions.
  • Automated handling of stale accounts: Inactive accounts are automatically disabled, moved, or removed through controlled workflows to reduce risk and unnecessary data retention.
  • Review of personal data linked to inactive users: Personal data associated with inactive accounts is flagged to determine deletion or lawful extended retention.
  • Audit-ready inactivity reporting: Reports capture identified inactive accounts, actions taken, and retention outcomes to evidence compliance with minimization and deletion requirements.

Meet this requirement with ManageEngine:

Retain processing and traffic logs for the mandated minimum period and ensure their timely, lawful erasure thereafter.

  • Configurable minimum log retention: Processing and traffic logs are retained for at least one year through configurable retention policies.
  • Automated log archiving: Older logs are automatically archived with defined retention windows to preserve availability without impacting system performance.
  • Integrity-protected storage: Archived logs are encrypted and time-stamped so that tampering can be detected and evidentiary integrity preserved.
  • Automated post-retention deletion: Logs are automatically deleted once retention periods expire to prevent unlawful over-retention.
  • Consistent retention enforcement: Retention policies are applied uniformly across endpoints and systems to avoid compliance gaps.
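The retention controls listed here and in the Rule 6 log-retention section (one-year minimum, tamper-resistant archive, automated post-retention deletion, legal holds) interact in a way that is easy to get wrong: deletion and tamper evidence pull in opposite directions. The following is an added example written for this page rather than taken from any ManageEngine product. It keeps constructed processing-log records in an append-only, hash-chained archive where each entry commits to its predecessor; expired entries are pruned from the head of the chain once the 365-day window has passed, a legal hold blocks pruning, and the digest of the last pruned entry is kept as an anchor so the retained tail still verifies. Record contents, dates, and the hold are assumptions.

```python
import hashlib
import json
from datetime import date
from typing import Dict, List, Set, Tuple

RETENTION_DAYS = 365      # one-year minimum the page describes for logs and records
GENESIS = "0" * 64        # previous-digest value for the very first entry


def _digest(prev: str, record: Dict) -> str:
    """SHA-256 over the previous digest and a canonical JSON form of the record."""
    payload = prev + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class RetainedLogArchive:
    """Append-only, hash-chained log store with retention-driven pruning.
    Each record carries an 'id' and an ISO 'date' of processing (assumed schema)."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []   # each: {"record", "prev", "digest"}
        self.anchor: str = GENESIS      # digest the first retained entry chains from
        self.holds: Set[str] = set()    # record ids under legal or investigative hold

    def append(self, record: Dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else self.anchor
        d = _digest(prev, record)
        self.entries.append({"record": record, "prev": prev, "digest": d})
        return d

    def verify(self) -> bool:
        """Recompute the chain from the anchor; any edit, insertion or deletion
        inside the retained window makes some link fail."""
        prev = self.anchor
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["record"]) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def place_hold(self, record_id: str) -> None:
        self.holds.add(record_id)

    def expired(self, record: Dict, today: date) -> bool:
        age = (today - date.fromisoformat(record["date"])).days
        return age >= RETENTION_DAYS and record["id"] not in self.holds

    def prune(self, today: date) -> List[str]:
        """Delete the longest expired prefix and move the anchor forward.
        Pruning stops at the first entry still within retention or under hold,
        because a chain cannot drop a middle link without losing tamper evidence
        for everything after it."""
        removed: List[str] = []
        while self.entries and self.expired(self.entries[0]["record"], today):
            e = self.entries.pop(0)
            self.anchor = e["digest"]
            removed.append(e["record"]["id"])
        return removed


def demo(with_hold: bool = True) -> Tuple[RetainedLogArchive, List[str]]:
    """Build a small archive from constructed records and prune it as of
    13 May 2027, the date the page gives for full enforceability."""
    arc = RetainedLogArchive()
    arc.append({"id": "r1", "date": "2026-01-10", "event": "read", "subject": "dp-001"})
    arc.append({"id": "r2", "date": "2026-02-01", "event": "export", "subject": "dp-002"})
    arc.append({"id": "r3", "date": "2026-03-05", "event": "read", "subject": "dp-003"})
    arc.append({"id": "r4", "date": "2027-01-15", "event": "delete", "subject": "dp-001"})
    if with_hold:
        arc.place_hold("r2")  # e.g. the subject of an ongoing inquiry
    removed = arc.prune(date(2027, 5, 13))
    return arc, removed


if __name__ == "__main__":
    archive, gone = demo()
    print("pruned:", gone, "| chain verifies:", archive.verify())
```

With the hold in place only r1 is pruned, even though r3 is also past a year old, and the remaining chain still verifies from the new anchor. That over-retention is the trade-off the loop makes explicit; production archives usually chain per-day or per-segment batches so that a hold pins one segment rather than the whole tail, and they record the anchor digest somewhere the archive's own administrators cannot rewrite.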

Strengthen DPDPA readiness with ManageEngine

Download the guide to explore how ManageEngine products can support various technical and organizational measures required for DPDPA compliance.

  • Practical steps IT teams must take to implement DPDPA controls
  • Rule-by-rule control mapping across ManageEngine products
  • A ready-to-use checklist for implementing DPDPA rules 6, 7, and 8
Frequently Asked Questions

  • The Digital Personal Data Protection Act (DPDPA), 2023 is India’s primary law governing the processing of personal data. It defines the rights of individuals (Data Principals) and the responsibilities of organizations that process personal data (Data Fiduciaries). The law requires consent-based processing, security safeguards, breach reporting, and regulatory oversight by the Data Protection Board of India.
  • The Digital Personal Data Protection Rules, 2025 introduce a phased implementation timeline. Some provisions became effective immediately upon publication in the Official Gazette, while other operational requirements will take effect one year or 18 months after publication depending on the rule.
  • Any entity that determines how and why personal data is processed must comply with the DPDPA. These entities are called Data Fiduciaries and include businesses, government bodies, and organizations processing personal data directly or through third-party Data Processors.
  • Personal data refers to information that relates to an identifiable individual, known as the Data Principal. Organizations that collect, store, or process such data digitally must ensure lawful processing, obtain consent where required, and implement safeguards to prevent unauthorized access or misuse.
  • The DPDPA requires organizations to process personal data lawfully and only for specific purposes. Data must be accurate, retained only as long as necessary, and protected with reasonable security safeguards. Organizations must also ensure transparency and accountability when handling personal data.
  • Data Principals have the right to access information about how their personal data is processed, withdraw consent, and raise grievances. Data Fiduciaries must provide clear mechanisms for submitting such requests and publish details of grievance redressal.
  • Yes. The DPDPA may apply to organizations outside India if they process personal data related to individuals within India. Entities providing digital services to users in India must comply with the law if their activities involve personal data processing.
  • The DPDPA allows personal data to be transferred outside India. However, the Indian Government may impose restrictions or conditions on transfers to specific foreign states or entities. Organizations must ensure compliance with these requirements when transferring personal data internationally.
  • Penalties may be imposed for violations, such as failure to implement security safeguards, failure to report data breaches, or non-compliance with obligations under the Act. The Data Protection Board of India investigates violations and determines penalties based on the severity and impact of the breach.
  • Data Processors handle personal data on behalf of Data Fiduciaries and must implement appropriate security safeguards. Data Fiduciaries must also ensure that contracts with Data Processors include provisions requiring protection of personal data and compliance with the Act.
  • Organizations should prioritize systems that collect, store, or process large volumes of personal data. These typically include identity systems, user accounts, databases, cloud platforms, and applications handling customer or employee data. Strong access controls, monitoring, and logging are critical for protecting such systems.
  • Organizations must allow individuals to withdraw consent as easily as it was provided. Data Fiduciaries must offer clear communication channels or platform links that allow users to withdraw consent and exercise their rights without unnecessary barriers.
  • Organizations should maintain documentation related to consent management, data processing activities, security safeguards, breach notifications, and compliance audits. Significant Data Fiduciaries must also conduct periodic Data Protection Impact Assessments and submit audit findings to the Data Protection Board.
  • Organizations must maintain logs that provide visibility into access to personal data. Logging, monitoring, and review mechanisms help detect unauthorized access, support investigations, and enable remediation of security incidents.
  • Organizations must retain logs and associated personal data for at least one year from the date of processing, unless a longer retention period is required under another law. After the required retention period, the logs and personal data must be erased.
  • Organizations must delete personal data once the specified purpose of processing is no longer served, unless retention is required by law. Data Fiduciaries must notify individuals before deletion and ensure that personal data and associated logs are erased after the required retention period.
  • Organizations must implement reasonable security safeguards, such as encryption, access controls, monitoring, and logging. These controls help detect unauthorized access to personal data, investigate incidents, and implement corrective measures to prevent recurrence.
  • Organizations should identify personal data processing activities, obtain informed consent, implement security safeguards, establish breach notification procedures, and maintain access logs. They must also provide mechanisms for individuals to exercise their rights and conduct periodic compliance assessments where required.
  • ManageEngine's suite of IT management solutions can help organizations address some of the technical and organizational control requirements under the DPDPA. Manage and secure data throughout its life cycle—from data collection, processing, transfer, and storage—with the help of our solutions.

Disclaimer:

The complete implementation of the DPDPA requires a combination of governance, policies, people, processes, and technical and organizational measures. The features and capabilities described above represent some of the ways in which our product may support customers in meeting certain requirements under the DPDPA. Organizations must conduct their own independent assessment of ManageEngine’s features and determine the extent to which they can help achieve compliance with this law.
This material is provided for informational purposes only and should not be construed as legal advice or a guarantee of compliance with the DPDPA. We make no warranties, whether express, implied, or statutory, regarding the information in this material. Please consult your legal advisor to understand how the DPDPA applies to your organization and the steps required to comply with its obligations.