Cloud Data Storage Under DPDP: India Rules
Understand DPDP Rules for cloud data storage in India. Get expert advice on compliance, data localization, and cost from Sushant Pasumarty of MBS.
DPDP Rules for Cloud Data Storage in India: A Practical Guide
Yes, the Digital Personal Data Protection Act, 2023 (DPDP Act) significantly impacts how Indian businesses store personal data in the cloud. It applies to any personal data processed in India, or processed outside India if it relates to offering goods or services to Data Principals within India.
Cloud service providers (CSPs) and businesses using cloud services are both subject to its provisions. Understanding these implications is critical for compliance and avoiding penalties.
Current Enforcement Reality for Cloud Data
Although the DPDP Act has been enacted, the specific rules and regulations governing its implementation are still being formulated and are expected to be notified by the government. This means a definite start date for penalties is not yet established.
However, the underlying principles of data protection, consent, and accountability are already in effect. Businesses should not wait for full enforcement to begin their compliance journey, as preparedness takes time.
What to Do: A Numbered Checklist for Cloud Data
1. Identify Data Flows: Map every instance of personal data stored in your cloud infrastructure. This includes data residing in IaaS, PaaS, SaaS, and private cloud environments. Document where the data originates, where it is processed, and where it is stored.
2. Review Cloud Service Provider Contracts: Ensure your contracts with CSPs clearly define their responsibilities as Data Processors and your responsibilities as Data Fiduciaries. Look for clauses related to data security, breach notification, data access, and data deletion.
3. Assess Data Localization Requirements: While the DPDP Act moved away from strict data localization, it still mandates certain safeguards for cross-border transfers. Understand if any specific data categories you handle might still have localization requirements under other Indian laws, or if transfer mechanisms need to be robust.
4. Implement Robust Security Measures: Beyond contractual obligations, ensure your cloud environments use strong encryption (at rest and in transit), access controls (least privilege), multi-factor authentication, and regular security audits. This demonstrates 'reasonable security safeguards'.
5. Establish Data Subject Rights Mechanisms: Be prepared to respond to Data Principal requests for access, correction, erasure, and grievances. Your cloud infrastructure must support the ability to locate and manage specific individuals' data efficiently.
6. Develop a Data Breach Response Plan: Outline clear procedures for identifying, containing, assessing, and notifying the Data Protection Board of India and affected Data Principals in the event of a personal data breach in the cloud.
7. Train Your Team: Ensure all employees who access or manage cloud-stored personal data are aware of DPDP requirements and their responsibilities. Human error is a significant cause of data breaches.
Cost of DPDP Compliance for Cloud Data Storage
Meridian Bridge Strategy (MBS) offers structured services to help businesses achieve DPDP compliance, tailored to your needs. Sushant Pasumarty, founder of MBS, has designed these tiers based on practical implementation experience.
These services are designed to address the specific challenges of cloud data compliance under DPDP.
| Tier | Includes | Price | Duration |
|---|---|---|---|
| Data Mapping | Map every personal data flow, including those within your cloud environments. | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Comprehensive Gap Analysis against DPDP, identifying cloud-specific vulnerabilities. | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Audit + Tailored Recommendations + 90-day roadmap for cloud data compliance. | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation support for cloud data practices + DPO as a Service + Readiness Opinion. | ₹7L – ₹12L | 3-6 months |
When to Start Your DPDP Cloud Compliance Journey
The best time to start was yesterday. The next best time is now. Sushant Pasumarty emphasizes that building a robust data protection framework takes time and resources. Early engagement allows for a phased approach, minimizing disruption and ensuring thoroughness before full enforcement commences.
Next Step: Assess Your Cloud DPDP Readiness
Don't let the new regulations become a risk. Take proactive steps to secure your cloud data and ensure compliance. Start with a DPDP Readiness Audit to understand your current posture.
Frequently Asked Questions
Does the DPDP Act prohibit storing personal data in cloud servers outside India?
No, the DPDP Act does not prohibit storing personal data outside India. It outlines conditions for cross-border transfers, requiring adequate safeguards. Businesses must ensure any such transfers comply with these conditions and respect Data Principal rights.
Are SaaS providers responsible for DPDP compliance if I use their service?
Both you (the Data Fiduciary) and the SaaS provider (often a Data Processor) share responsibilities under DPDP. You are responsible for ensuring your data processing instructions to the SaaS provider are compliant, and the provider must adhere to those instructions and implement reasonable security safeguards.
What happens if my cloud data storage leads to a data breach under DPDP?
If a data breach occurs involving personal data stored in the cloud, you, as the Data Fiduciary, would be responsible for prompt notification to the Data Protection Board of India and affected Data Principals. Penalties can be substantial, emphasizing the need for robust security and breach response plans.