Role Guide · 4 min read

DPDP Briefing for Board Members: Governance & Liability

Indian Board Members, CXOs, & HR Heads: Understand your personal liability under DPDP. Learn what your role owns, top gaps, and how MBS can help.

Sushant Pasumarty

What Board Members, CXOs, CTOs, and HR Heads Need to Know About DPDP

The Digital Personal Data Protection Act (DPDP Act) places significant responsibilities on organizations handling personal data. For board members, CXOs, CTOs, and HR heads, this translates into specific governance requirements, potential financial penalties, and even personal liability for non-compliance.

Understanding these obligations is not just about avoiding fines; it's about maintaining trust, protecting brand reputation, and ensuring business continuity in India's evolving digital economy. Non-compliance can lead to penalties up to ₹500 Crores per instance, making proactive governance essential.

What Your Role Owns Under the DPDP Act

Your position carries distinct duties under DPDP. Board members are responsible for overall strategic oversight and ensuring adequate resources are allocated for compliance. This includes approving data protection policies and risk management frameworks.

CXOs, including CEOs and CFOs, are accountable for operationalizing the DPDP strategy and integrating data protection into business processes. CTOs are specifically responsible for the technical implementation of data security measures and data processing architecture compliant with the Act.

HR heads hold crucial responsibilities concerning employee data. This involves managing consent for HR data processing, establishing grievance redressal mechanisms for employees, and ensuring data retention policies align with DPDP principles for all personnel records.

Tip for Board Members: Request quarterly reports on data protection compliance status, risk assessments, and incident response planning from your management team. This demonstrates due diligence.

Top 5 Common DPDP Gaps for Indian Businesses

  1. Inadequate Data Inventories: Many organizations lack a complete, accurate record of what personal data they collect, where it's stored, and how it flows across their systems. This prevents effective risk assessment.
  2. Weak Consent Management: Obtaining explicit, free, specific, informed, and unambiguous consent for data processing is a core DPDP requirement. Many existing consent mechanisms are not granular enough or easily auditable.
  3. Undefined Data Retention Policies: Holding personal data for longer than necessary is a violation. Businesses often struggle to define and enforce clear data retention schedules for various data types.
  4. Insufficient Vendor Due Diligence: Organizations remain accountable for personal data processed by their third-party vendors. Many do not adequately vet vendors for DPDP compliance or include necessary data protection clauses in contracts.
  5. Lack of Data Principal Rights Mechanisms: DPDP grants individuals (Data Principals) rights like access, correction, and erasure of their data. Many companies lack robust, accessible mechanisms for individuals to exercise these rights within specified timelines (e.g., 30 days).

Cost to Achieve DPDP Compliance with MBS

Meridian Bridge Strategy, founded by Sushant Pasumarty, offers productized services designed to address these gaps efficiently. Our approach is practical, focused on actionable outcomes, and tailored to Indian business realities.

| Tier | Includes | Price | Duration |
|---|---|---|---|
| Data Mapping | Map every personal data flow within your organization, identifying data types, locations, and processing purposes. | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + a comprehensive Gap Analysis against all DPDP provisions. Identifies specific areas needing attention. | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Audit + Detailed Recommendations + a pragmatic 90-day roadmap for implementing identified changes. Designed for quick wins. | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Assisted Implementation + Data Protection Officer (DPO) as a Service for 3-6 months + A Readiness Opinion Letter from Sushant Pasumarty. | ₹7L – ₹12L | 3-6 months |

Sushant Pasumarty, founder of Meridian Bridge Strategy, emphasizes: "Compliance is not a one-time event. Our services build foundational capabilities that help your organization adapt to future regulatory changes and minimize risk continuously."

Key Questions to Ask Your DPDP Vendors

When evaluating DPDP consulting partners, ask these critical questions to ensure you select a provider who offers real value and expertise:

  • How many DPDP-specific engagements have you completed for Indian companies?
  • Can you provide anonymized case studies or client references specifically for DPDP projects?
  • What is your methodology for data mapping and gap analysis? Is it tailored to India's regulatory nuances?
  • How do you handle the implementation phase? Do you just provide recommendations, or do you assist with execution?
  • What specific deliverables will we receive at each stage of the engagement?
  • What are the qualifications and experience of the team members who will be working directly on our project?
  • How do you ensure ongoing compliance post-engagement? Do you offer retainer services or follow-up audits?

Next Steps: Secure Your Organization and Mitigate Personal Liability

Ignoring DPDP responsibilities is not an option. Proactive engagement ensures your organization avoids significant financial penalties and protects board members and leadership from personal liability claims. The first step is understanding your current state of compliance.

Sushant Pasumarty and Meridian Bridge Strategy offer a clear, structured path to DPDP readiness. Don't wait for an incident or an audit to begin your compliance journey. Learn more about our DPDP services and how we can support your governance needs.

Frequently Asked Questions

What is the maximum penalty for DPDP non-compliance?

The Digital Personal Data Protection Act (DPDP Act) allows for penalties up to ₹500 Crores per instance of non-compliance, depending on the nature and severity of the violation.

Can board members be held personally liable under DPDP?

While the primary liability for penalties falls on the Data Fiduciary (the company), the Act includes provisions that could extend liability to key managerial personnel, including board members, if non-compliance is attributable to their negligence, connivance, or willful default. Ensuring proper governance and oversight is crucial.

How long does it take to become DPDP compliant?

The timeline varies based on your organization's current data practices and complexity. MBS offers services ranging from 1-2 weeks for Data Mapping to 3-6 months for Full DPDP Consulting, which includes implementation support.
