What is the deadline for DPDP Act enforcement in India?

Hard enforcement for the Digital Personal Data Protection (DPDP) Act begins on May 13, 2027. The transition window is currently active.

What are the penalties under the DPDP Act?

Penalties range from ₹50 Crores for general violations to ₹250 Crores for failure to take reasonable security safeguards.

How much does DPDP compliance cost?

Market rates for comprehensive DPDP compliance range from ₹3-7 Lakhs for SMEs to ₹15+ Lakhs for enterprises. This includes awareness training, data audit, DPA deep-dive sessions, consent manager setup, and ongoing DPO support.

Does DPDP apply to small businesses?

Yes. The DPDP Act makes no distinction based on turnover. Even if you have 100 customers, if you collect digital personal data, you are a Data Fiduciary and must comply.

What is included in a DPDP compliance workshop?

A DPDP readiness workshop typically includes: understanding the DPDP Act, mapping your tech stack, reviewing data processor agreements, checking consent flows, and creating a clear action plan.

Checklist•4 min read

Mobile App DPDP Compliance Checklist for Indian Businesses

Ensure your mobile app complies with India's DPDP Act. This checklist covers data mapping, consent, security, and more for Indian businesses.

Sushant Pasumarty18 May 2026

The DPDP Act and Your Mobile App

The Digital Personal Data Protection Act, 2023 (DPDP Act) significantly impacts how Indian businesses develop and operate mobile applications. Non-compliance can lead to substantial penalties. This strategic guide and checklist, prepared by Sushant Pasumarty, founder of Meridian Bridge Strategy (MBS), will help founders, CXOs, CTOs, HR heads, and compliance officers ensure their mobile apps meet DPDP requirements.

Sushant Pasumarty emphasizes that a proactive approach to DPDP compliance for mobile apps is not just about avoiding fines. It's about building trust with your users and strengthening your brand's reputation in the Indian market.

Phase 1: Foundation & Data Mapping (Weeks 1-2)

Understanding your data landscape is the first critical step. MBS’s Data Mapping service can accelerate this phase.

Identify All Data Processing Activities: Document every instance where your app collects, stores, processes, or shares personal data. This includes data collected directly from users and through third-party SDKs or APIs.

Owner: CTO/Product Lead
Time: 1-2 weeks
Cost: Internal/part of MBS Data Mapping

Categorize Personal Data: Classify data into personal data, sensitive personal data, and public data as per DPDP definitions. Understand the purpose and necessity for each data point.

Owner: Compliance/Legal
Time: 0.5-1 week
Cost: Internal

Map Data Flows & Storage Locations: Visualize where data originates, where it travels, and where it is stored. Note both domestic and international transfers.

Owner: CTO/Security Lead
Time: 1-2 weeks
Cost: Internal/part of MBS Data Mapping

Phase 2: Consent & Transparency (Weeks 2-4)

Valid consent is a cornerstone of DPDP compliance. This phase often involves legal and product teams working together.

Implement Granular Consent Mechanisms: Ensure users provide clear, affirmative consent for each specific purpose of data processing. Avoid pre-ticked boxes.

Owner: Product/UX Lead
Time: 1-2 weeks
Cost: Development effort (₹50k-₹2L)

Develop Clear Privacy Policy: Create an easily accessible and understandable privacy policy that outlines data categories, processing purposes, user rights, and data principal contact details.

Owner: Legal/Compliance
Time: 1 week
Cost: Internal/Legal counsel (₹20k-₹1L)

Provide Notice to Data Principal: Inform users about the purpose of data collection at the point of collection or before. This must be concise and clear.

Owner: Product/UX Lead
Time: 0.5-1 week
Cost: Development effort (₹20k-₹50k)

Phase 3: Security & Data Principal Rights (Weeks 4-6)

Robust security measures and honoring data principal rights are non-negotiable. MBS’s DPDP Readiness Audit or DPDP Workshop can help identify and close gaps here.

Implement Robust Security Safeguards: Encrypt data at rest and in transit. Conduct regular security audits and penetration testing. Implement access controls.

Owner: Security Lead/CTO
Time: Ongoing
Cost: Varies significantly (₹1L-₹5L+ for initial setup/audit)

Establish Data Breach Notification Protocols: Define a clear process for detecting, assessing, and notifying the Data Protection Board of India and affected data principals within 72 hours.

Owner: Compliance/Security Lead
Time: 1 week
Cost: Internal/Part of MBS Workshop

Facilitate Data Principal Rights: Develop mechanisms for users to access, correct, erase, or port their data. Implement a grievance redressal mechanism.

Owner: Product/Engineering
Time: 2-4 weeks
Cost: Development effort (₹1L-₹3L)

Implement Data Retention Policies: Define and enforce clear data retention schedules. Erase data once its purpose is served or legal retention periods expire.

Owner: Compliance/Legal
Time: 1 week
Cost: Internal/Legal counsel (₹10k-₹50k)

Phase 4: Ongoing Compliance & Governance (Months 1-6+)

DPDP compliance is a continuous process requiring dedicated resources.

Appoint a Data Protection Officer (DPO): If your organization meets the criteria for a Significant Data Fiduciary, appoint a DPO. Even otherwise, consider assigning a dedicated privacy lead.

Owner: Leadership
Time: Ongoing
Cost: DPO salary or MBS DPO services

Conduct Regular Compliance Audits: Periodically review your mobile app's data processing activities and policies against DPDP requirements.

Owner: Compliance/Internal Audit
Time: Annually/Bi-annually
Cost: Internal or MBS DPDP Readiness Audit

Train Staff on DPDP Compliance: Educate all employees, especially those involved in app development, marketing, and customer support, on their DPDP responsibilities.

Owner: HR/Compliance
Time: Annually
Cost: Internal or external training (₹20k-₹1L)

Tip from Sushant Pasumarty: Don't overlook third-party SDKs and APIs. Each integration can introduce new data processing risks. Conduct thorough due diligence and ensure their DPDP compliance aligns with yours.

Your Strategic Partner for DPDP Compliance: Meridian Bridge Strategy (MBS)

At MBS, we understand the unique challenges Indian businesses face in implementing DPDP. Sushant Pasumarty and his team offer tailored services to ensure your mobile app and overall operations are fully compliant.

Total Estimated Costs for Mobile App DPDP Compliance:

Implementing the above checklist internally can incur significant costs in development, legal, and personnel time. Partnering with MBS can streamline this process and provide expert guidance.

For a comprehensive approach, consider the MBS productized services:

Tier	Includes	Price	Duration
Data Mapping	Map every personal data flow within your app and organization.	₹1.5L – ₹3L	1-2 weeks
DPDP Readiness Audit	Data Mapping + Gap Analysis for your app's compliance posture.	₹2L – ₹6L	2-4 weeks
DPDP Workshop	Audit + Recommendations + 90-day roadmap for app compliance.	₹5L – ₹10L	4-6 weeks
Full DPDP Consulting	Workshop + Implementation + DPO + Readiness Opinion for complete app and organizational compliance.	₹7L – ₹12L	3-6 months

Next Step: Secure Your Mobile App's Future

Proactive DPDP compliance protects your users, strengthens your brand, and safeguards your business from penalties. Sushant Pasumarty and MBS are ready to guide you through every step. Whether you need an initial audit or full implementation support, we have a solution for you.

Frequently Asked Questions

What is the biggest risk for mobile apps under the DPDP Act?

The biggest risk is improper handling of user consent and data security. Collecting data without explicit, granular consent or failing to protect personal data from breaches can lead to significant penalties and loss of user trust. Many mobile apps also unknowingly process data via third-party SDKs without proper due diligence, exposing them to compliance risks.

Do I need a DPO for my mobile app if I'm a small startup?

Not every organization requires a Data Protection Officer (DPO) under the DPDP Act. However, if your mobile app processes a large volume of personal data, sensitive personal data, or engages in profiling, you might qualify as a Significant Data Fiduciary, which mandates a DPO. Even if not mandated, appointing a privacy lead or engaging with a firm like MBS for DPO-as-a-service can significantly enhance compliance and mitigate risks.

How quickly can MBS help my mobile app become DPDP compliant?

MBS offers various tiers of service tailored to your needs and urgency. Our Data Mapping service can be completed in 1-2 weeks, providing immediate clarity on your data flows. A full DPDP Workshop, including recommendations and a 90-day roadmap, typically takes 4-6 weeks. For comprehensive implementation and ongoing support, our Full DPDP Consulting ranges from 3-6 months. We prioritize efficient and effective compliance solutions.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.

Estimate My DPDP Cost →

Or book a call with Sushant →