DPDP Act 2023

The Digital Personal Data Protection Act 2023 is India's data protection regime, and its obligations fall on Data Fiduciaries toward Data Principals. The Rules were notified in November 2025, and the remaining obligations become enforceable on May 13, 2027. The Act applies to every organisation in India that processes digital personal data, and to organisations outside India that offer goods or services to people in India. Employee data sits inside scope, which means payroll, HR, and attendance systems carry the same obligations as customer systems.

Our practice treats this law the way it actually behaves in an organisation. Consent is a record that software maintains, a notice must reach people in the languages the Rules require, a rights request runs on a workflow with a statutory clock, and a breach report to the Data Protection Board stands on logs and procedures that must exist before the incident. The work is engineering as much as it is documentation, and our teams do both.

DPDP Act overview
Where the work concentrates

Where the work concentrates

The work concentrates in five places: consent architecture and multilingual notices, Data Principal rights handling within statutory timelines, the grievance mechanism and vendor governance, breach reporting readiness toward the Data Protection Board, and the treatment of employee data across HR systems.

What we deliver

What we deliver

A DPDP Act engagement produces the following, each signed off against written acceptance criteria:

  • 1. Gap Assessment Report and Remediation Roadmap, priced item by item.
  • 2. Data Inventory and Record of Processing Activities.
  • 3. The notice suite with required language coverage.
  • 4. Consent capture and withdrawal built into websites and applications, with a purpose wise audit log.
  • 5. Rights request workflow with tracking against statutory timelines.
  • 6. Processor and vendor agreement remediation.
  • 7. Incident Response Plan with a conducted and recorded drill.
  • 8. Training for the client team and the complete evidence repository.
A typical engagement

A typical engagement

An implementation for an organisation with up to three systems runs eight to twelve weeks, and larger estates run longer, with system count and vendor volume as the drivers. The engagement begins with an assessment of two to three weeks that produces the roadmap and the exact fixed fee for every remediation item.

Significant Data Fiduciaries

Significant Data Fiduciaries

For organisations designated as Significant Data Fiduciaries, the practice delivers the Data Protection Impact Assessment, annual audit preparation, and the officer function through our DPO as a Service arrangement, on an annual term with board level reporting.

Begin with a scoping conversation

A scoping conversation and a short Scoping Questionnaire tell us your systems, data, and obligations, and this step carries no charge. The written proposal that follows states scope, approach, deliverables, timeline, team, and exact fixed fees. Write to consulting@codecolonies.com or visit codecolonies.com to begin.

whatsapp_icon