What is the deadline for DPDP Act enforcement in India?

Hard enforcement for the Digital Personal Data Protection (DPDP) Act begins on May 13, 2027. The transition window is currently active.

What are the penalties under the DPDP Act?

Penalties range from ₹50 Crores for general violations to ₹250 Crores for failure to take reasonable security safeguards.

How much does DPDP compliance cost?

Market rates for comprehensive DPDP compliance range from ₹3-7 Lakhs for SMEs to ₹15+ Lakhs for enterprises. This includes awareness training, data audit, DPA deep-dive sessions, consent manager setup, and ongoing DPO support.

Does DPDP apply to small businesses?

Yes. The DPDP Act makes no distinction based on turnover. Even if you have 100 customers, if you collect digital personal data, you are a Data Fiduciary and must comply.

What is included in a DPDP compliance workshop?

A DPDP readiness workshop typically includes: understanding the DPDP Act, mapping your tech stack, reviewing data processor agreements, checking consent flows, and creating a clear action plan.

Role Guide•4 min read

DPDP Compliance for Government & PSUs: Safeguarding Data

Indian government and PSU leaders: Understand your DPDP Act obligations. Protect citizen data & public trust. MBS offers structured compliance services.

Sushant Pasumarty18 May 2026

DPDP Compliance for Government & PSUs: Safeguarding Citizen Data & Public Trust

The Digital Personal Data Protection Act, 2023 (DPDP Act) applies to all entities processing personal data in India, including government bodies and Public Sector Undertakings (PSUs). Your organization handles vast amounts of citizen data, making DPDP compliance a critical mandate. Non-compliance risks significant penalties and erodes public trust.

Sushant Pasumarty, founder of Meridian Bridge Strategy (MBS), has helped numerous organizations understand their data protection obligations. His structured approach simplifies compliance for complex environments like government and PSUs.

What Does DPDP Compliance Mean for Government & PSU Officials?

Your role involves ensuring citizen data is processed lawfully, transparently, and securely. This includes establishing clear data retention policies and mechanisms for data principals to exercise their rights. Government entities often handle sensitive personal data, increasing the responsibility under DPDP.

You are responsible for implementing appropriate technical and organizational measures to prevent data breaches. This includes training staff and maintaining accurate records of data processing activities. The Act emphasizes accountability for every stage of the data lifecycle.

Key Responsibilities for Founders, CXOs, CTOs, & HR Heads in Government/PSUs

Founders & CXOs: Drive the strategic imperative for DPDP compliance. Allocate necessary budgets and resources, ensuring a culture of data protection across the organization. You are ultimately accountable for overall compliance.
CTOs: Implement robust technical safeguards for data security. This includes encryption, access controls, and incident response plans. Ensure all IT systems and data infrastructure comply with the Act's requirements.
HR Heads: Manage employee personal data in compliance with DPDP. This involves obtaining consent, establishing clear policies for data access, and training staff on data protection best practices. Employee data also falls under the Act's purview.
Compliance Officers: Develop and monitor DPDP policies and procedures. Conduct regular audits and ensure adherence to all legal obligations. You act as the primary point of contact for compliance-related inquiries.

Top 5 DPDP Compliance Gaps in Government & PSUs

Based on experience, MBS identifies common gaps in public sector organizations:

Lack of Comprehensive Data Mapping: Many entities struggle to identify and map all personal data flows across departments and systems. Without a clear inventory, compliance efforts are incomplete.
Inadequate Consent Mechanisms: Obtaining explicit, informed consent for processing citizen data is often overlooked or poorly implemented. Generic consent forms are insufficient under the DPDP Act.
Weak Data Principal Rights Framework: Mechanisms for citizens to access, correct, or erase their data are often absent or inefficient. The Act mandates clear processes for data principals to exercise their rights.
Insufficient Data Security Measures: While security is a priority, specific DPDP requirements like breach notification protocols or data protection impact assessments (DPIAs) may be missing. Technical and organizational measures need regular review.
Absence of a Designated Data Protection Officer (DPO): Many organizations have not appointed a DPO or equivalent, a crucial role for overseeing compliance and acting as a liaison with the Data Protection Board.

Tip for HR Heads: Remember, your internal employee data is also personal data. Ensure your HR policies for recruitment, payroll, and employee records are DPDP compliant.

Cost to Fix: MBS DPDP Services for Government & PSUs

Meridian Bridge Strategy (MBS) offers structured, productized services tailored for your organization's needs. Sushant Pasumarty and his team provide clear deliverables and fixed price ranges.

Tier	Includes	Price	Duration
Data Mapping	Map every personal data flow	₹1.5L – ₹3L	1-2 weeks
DPDP Readiness Audit	Data Mapping + Gap Analysis	₹2L – ₹6L	2-4 weeks
DPDP Workshop	Audit + Recommendations + 90-day roadmap	₹5L – ₹10L	4-6 weeks
Full DPDP Consulting	Workshop + Implementation + DPO + Readiness Opinion	₹7L – ₹12L	3-6 months

Why Choose MBS? Sushant Pasumarty brings a practical, no-nonsense approach to DPDP. His services focus on actionable steps, not just theoretical advice, ensuring your organization achieves compliance efficiently.

Questions to Ask Potential DPDP Vendors

Before engaging a vendor, ask these specific questions:

Can you provide case studies of DPDP projects with government or PSU clients?
What is your methodology for data mapping in large, distributed organizations?
How do you handle coordination across multiple government departments or PSU branches?
Do you offer DPO as a service, or help in training our internal DPO?
What specific deliverables will we receive at each stage of the engagement?

Next Step: Secure Your Public Trust and Citizen Data

Proactive DPDP compliance protects your organization from penalties and upholds the public's trust. Begin by understanding your current data landscape and identifying critical gaps. MBS can guide you through this process.

Learn more about specific compliance steps by visiting What is the DPDP Act?

Frequently Asked Questions

Is the DPDP Act applicable to all government departments and PSUs?

Yes, the Digital Personal Data Protection Act, 2023, applies to all entities processing personal data within India, including all government departments and Public Sector Undertakings (PSUs). There are no general exemptions for government bodies.

What is the role of a Data Protection Officer (DPO) in a government organization?

A DPO in a government organization oversees DPDP compliance, acts as a point of contact for the Data Protection Board and data principals, and advises on data protection impact assessments. They are crucial for maintaining accountability and transparency.

How can MBS help with DPDP compliance for a large PSU?

MBS, led by Sushant Pasumarty, offers structured services ranging from Data Mapping to Full DPDP Consulting. We help large PSUs identify data flows, conduct gap analyses, develop compliance roadmaps, and even assist with DPO services and implementation.

Talk to Sushant About Your DPDP Needs

Book a 30-minute call to discuss your compliance requirements and get a clear next step.

Book a Call with Sushant →

Or estimate your cost first →