DPDP Annual Compliance Calendar: Your Month-by-Month Guide
Indian founders & CXOs: Get a practical, month-by-month DPDP compliance calendar. Understand yearly tasks, timelines, costs, and avoid common errors.
DPDP Annual Compliance: Your Month-by-Month Action Plan
Many Indian businesses view DPDP compliance as a one-time project. However, the Digital Personal Data Protection Act, 2023, requires ongoing vigilance and periodic actions. A structured annual calendar ensures sustained compliance and minimizes the risk of penalties.
Sushant Pasamurty, founder of Meridian Bridge Strategy (MBS), has structured this guide to provide a clear, actionable calendar for your DPDP compliance efforts throughout the year. It details what to do when, what resources you need, and the typical costs involved.
Phase 1: Foundation & Initial Assessment (Months 1-3)
This phase is about establishing your baseline understanding and mapping your data landscape. It's often where businesses engage for their initial readiness.
Month 1: Data Inventory & Mapping Kick-off
- What to do: Initiate a comprehensive data inventory. Document every personal data point collected, its source, purpose, legal basis, storage location, retention period, and who has access. Identify all third-party vendors (Data Processors) handling this data.
- What you need: Cross-functional team (Legal, IT, HR, Marketing), data inventory templates, internal communication channels.
- MBS Tier & Cost: This aligns directly with our Data Mapping service. Sushant and the MBS team will map every personal data flow, detailing collection, movement, and vendor touchpoints. This foundational service costs ₹1.5L – ₹3L and typically takes 1-2 weeks.
Month 2: Gap Analysis & Policy Review
- What to do: Analyze your existing data handling practices against DPDP requirements. Identify gaps in consent mechanisms, Data Protection Agreements (DPAs) with vendors, grievance redressal processes, breach notification plans, and data deletion protocols. Review and update privacy policies to reflect DPDP principles.
- What you need: DPDP framework checklist, legal counsel review, existing policies, vendor contracts.
- MBS Tier & Cost: Combining Data Mapping with Gap Analysis is part of our DPDP Readiness Audit. This comprehensive audit ranges from ₹2L – ₹6L and spans 2-4 weeks, providing a detailed understanding of your current state versus required state.
Month 3: Risk Assessment & Prioritization
- What to do: Assess the risks associated with identified gaps. Prioritize these risks based on severity and likelihood. Develop a preliminary action plan for remediation.
- What you need: Risk assessment matrix, internal risk management framework.
- MBS Tier & Cost: This is a core component of the DPDP Workshop. Here, MBS provides Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap. This in-depth engagement costs ₹5L – ₹10L and typically takes 4-6 weeks.
Phase 2: Implementation & Operationalization (Months 4-6)
With a clear roadmap, this phase focuses on implementing changes and integrating DPDP into daily operations.
Month 4: Consent Management System & Data Principal Rights
- What to do: Implement or update your consent management platform. Ensure mechanisms for Data Principals to exercise their rights (access, correction, erasure). Train front-line staff on handling these requests.
- What you need: Consent platform, internal request forms, staff training materials.
Month 5: Vendor DPAs & Internal Procedures
- What to do: Review and update all vendor contracts to include DPDP-compliant DPAs. Develop clear internal procedures for data breach response, data deletion requests, and data retention.
- What you need: Legal templates for DPAs, incident response plan, deletion protocols.
Month 6: DPO Appointment & Training
- What to do: Appoint a Data Protection Officer (DPO) if required, or assign DPO responsibilities internally. Provide comprehensive training to the DPO and relevant staff on their DPDP duties and responsibilities.
- What you need: DPO job description, training modules.
- MBS Tier & Cost: For comprehensive support including implementation, DPO training, and a final readiness opinion, our Full DPDP Consulting service covers these steps. This end-to-end solution costs ₹7L – ₹12L and typically lasts 3-6 months.
Phase 3: Ongoing Monitoring & Maintenance (Months 7-12)
Compliance is not static. This phase ensures your organization remains compliant throughout the year and adapts to new requirements.
Quarterly (Months 7, 10): Internal Compliance Reviews & Audits
- What to do: Conduct internal audits of data processing activities. Review consent logs, DPA effectiveness, and adherence to internal policies. Monitor compliance with retention schedules.
- What you need: Internal audit checklist, audit reports.
- MBS Tier & Cost: While these reviews are ongoing, a deeper dive or a full re-evaluation can leverage our DPDP Readiness Audit (₹2L – ₹6L) for specific areas or a comprehensive check, particularly after significant operational changes. Consider how often your business should audit.
Bi-Annually (Months 8, 11): Data Protection Impact Assessments (DPIAs) Review
- What to do: Review existing DPIAs, especially for high-risk processing activities or new projects involving personal data. Conduct new DPIAs as needed for new product launches or significant process changes.
- What you need: DPIA templates, project documentation.
Annually (Month 12): Annual Review & Report
- What to do: Conduct a comprehensive annual DPDP review. Report findings to senior management or the board. Update policies, procedures, and training materials based on findings and any new regulatory guidance. Plan for the next year's compliance activities.
- What you need: Annual compliance report template, updated policy documents, training plan for the upcoming year.
- MBS Tier & Cost: For a comprehensive annual assessment and forward-looking strategy, the DPDP Workshop (₹5L – ₹10L) can be tailored for an annual refresh, providing an updated gap analysis and roadmap.
Common Mistakes to Avoid in Your DPDP Calendar
- One-time Project Mentality: DPDP is continuous. Failure to plan for ongoing monitoring and updates leads to compliance drift.
- Ignoring Third-Party Risk: Many breaches originate from vendors. Regular DPA reviews and due diligence are critical.
- Lack of Internal Training: Employees are the first line of defense. Regular, updated training is essential.
- Underestimating Data Subject Rights: Neglecting mechanisms for individuals to exercise their rights can lead to significant penalties.
- Delayed Action: Procrastination on identified gaps increases risk.
Next Step: Calculate Your Specific DPDP Compliance Costs
Understanding the annual commitment is key to budgeting and resource allocation. While this calendar provides a general framework, your specific needs will influence the exact effort and investment.
Sushant Pasamurty and Meridian Bridge Strategy offer a free DPDP compliance cost calculator at dpdpworkshop.com to help you determine which service tier best fits your organization's current readiness and projected needs. After using the calculator, consider booking a call with Sushant to discuss a tailored plan.
Frequently Asked Questions
How often should internal DPDP training be conducted for all employees?
Annual refresher training is recommended for all employees, with more frequent, targeted training for teams handling personal data directly (e.g., HR, Sales, IT). New hires should receive DPDP training as part of their onboarding.
What is the typical time commitment for internal teams during a Data Mapping engagement?
For Data Mapping (MBS Tier 1), internal teams typically need to allocate 5-10 hours per week for 1-2 weeks. This includes participation in interviews, providing existing documentation, and reviewing initial data flow diagrams.
Can small businesses effectively follow this annual DPDP compliance calendar?
Yes, small businesses can adapt this calendar. While the scale of effort may be smaller, the principles remain the same. Data Mapping, basic consent management, and vendor agreements are critical initial steps. MBS offers services like the Data Mapping tier (starting from ₹1.5L) that are accessible for smaller organizations looking for foundational compliance.