Nexortest Technologies | Your Gateway to Global Market Entry

DPDP Act Regulatory and Compliance Services in India

Make your organisation compliant with India's Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 before the 13 May 2027 deadline. NexorTest is your single window data protection partner for manufacturers, importers, software providers and service providers of wireless devices, IoT products, connected healthcare solutions, Software as a Medical Device (SaMD) and medical devices. From gap analysis and consent management to data governance, DPO as a Service, breach response and audit readiness one expert team, one roadmap, one accountable programme.

Free DPDP Compliance Assessment

Find out where your data privacy gaps

The DPDP Act at a Glance

What the DPDP Act Means and Who Must Comply

The DPDP Act 2023 and DPDP Rules 2025 apply to almost every organisation processing the personal data of people in India. Understanding your role and obligations is the first step to a defensible compliance programme.

The Law
DPDP Act 2023 + Rules 2025

India’s first comprehensive data protection law, enacted in August 2023 and operationalised by the DPDP Rules notified by MeitY on 14 November 2025. Together they set enforceable, time-bound duties for how digital personal data is collected, processed, secured and deleted.

When is the deadline?Full compliance is due by 13 May 2027. The Data Protection Board has been constituted and its foundational provisions are already in force appointments to the Board are being finalised. The statutory clock is running now obligations accrue from today, not from the date the Board opens its docket.
Your Role
Fiduciary, Processor or SDF

A Data Fiduciary decides why and how data is processed and carries primary liability. A Data Processor acts on a fiduciary’s behalf under contract. A Significant Data Fiduciary (SDF) is a higher risk fiduciary notified by government with enhanced duties DPO, DPIA and annual audit.

Which one are you?Most device makers, healthtech and SaaS platforms are fiduciaries; many large or health data operators can be classified as SDFs. We map your exact role and obligation set.
Your Products
Devices, Software & Health Data

Wireless devices, IoT products, connected healthcare solutions, SaMD and medical devices continuously stream identifiable personal and health data. That data, plus the apps, cloud platforms and vendors around it, all fall within DPDP scope.

Does device data count?Yes, Data generated by connected medical devices and wearables is personal data under the Act triggering consent, security, retention and breach duties across the product lifecycle.
Why This Decision Matters

The DPDP Clock Is Ticking and Exposure Accrues Before Enforcement Does

The Board is constituted and the statutory clock has started. Enforcement machinery is still being stood up but jurisdiction is not. A breach that happens today, a consent flow that is invalid today, a retention log you are not keeping today: none of these become lawful because the Board's docket is not yet open. They simply become discoverable later. Waiting until 2027 does not reduce exposure; it accumulates it, and removes your ability to remediate quietly

Structured Programme with NexorTest

We build a phased, risk scored roadmap and drive it to completion gap analysis, consent and notices, data governance, security safeguards, breach response, vendor remediation and audit readiness so that well before 13 May 2027 you hold a documented, defensible evidence file one that stands up to your board, to a partner’s due diligence, and to a Board of India inquiry.

The Common Trap

Downloading a generic privacy policy or buying a tool without mapping your data does not make you compliant. Untested consent flows, unremediated vendor contracts and undocumented safeguards are exactly the gaps that surface in a complaint or audit and penalties are assessed per violation, so they stack fast.

Not an Option Anymore

The 18 month window is for preparation, not delay. No grace period beyond the deadline is expected, and enterprise programmes typically take 9 to 12 months to complete which means a programme started late in 2026 is already tight. The Board’s own build out is not your reprieve: obligations attach to conduct, not to the regulator’s readiness, and the first organisations to face inquiry will be those whose gaps are documented in their own systems

Our DPDP Act Services

End-to-End DPDP Act Compliance Support

From readiness assessment and data mapping through DPO as a Service, NexorTest manages every workstream your DPDP compliance programme needs.

Compliance Assessment & Readiness

We benchmark your current data handling maturity against the DPDP Act and Rules, deliver a readiness score and CRQ style risk view, and pinpoint the fastest, highest-impact route to compliance the foundation every other workstream builds on.

Gap Analysis & Data Mapping

We discover, map and classify every store of India-linked personal data across your systems, devices, apps and vendors, then produce a prioritised, risk scored gap register with a clear remediation roadmap and effort estimate.

Privacy Policy, Notice & Consent

We draft standalone, plain language privacy notices and DPDP valid consent flows itemised data, specific purposes, easy withdrawal and Board complaint links and design verifiable parental consent for children's data, with Consent Manager integration where relevant.

Data Governance & Privacy by Design

We establish accountability structures, data lifecycle controls, retention and deletion schedules, and privacy by design patterns embedded into your products, platforms and device data flows so lawful processing is built in, not bolted on.

Documentation & Policy Drafting

We build the complete DPDP evidence set policies, procedures, records of processing, standard operating procedures, forms, registers and data processing agreements formatted for auditors and the Data Protection Board, so your compliance is provable, not just claimed.

Implementation & Remediation

We turn the roadmap into working controls: security safeguards, Data Principal rights workflows, breach response mechanisms, consent management and remediated vendor contracts deployed and tested across your organisation, products and cloud stack.

Employee Awareness & Training

We deliver role based DPDP training and awareness programmes for engineering, product, support, HR and leadership, so your people understand consent, rights, breach reporting and data handling because most privacy failures start with human error, not technology.

Compliance Audits & DPIA

We run independent DPDP compliance audits and, for Significant Data Fiduciaries, the mandatory annual Data Protection Impact Assessment and audit validating that every obligation is operational, evidenced and defensible ahead of any regulator inquiry.

Healthcare & Connected Device Privacy

We specialise in the health data edge cases competitors overlook patient records, diagnostic and genetic data, telemedicine, wearables and SaMD telemetry aligning your DPDP programme with clinical workflows, ABDM, medical device rules and existing quality systems.

Vendor & Third Party Compliance

We audit your processor and partner ecosystem, remediate data processing agreements, and build a cross border transfer register under the Rules' negative list model so the cloud hosts, labs, analytics and support partners touching your data don't become your liability.

Incident Response & Breach Planning

We build and rehearse your dual track breach response immediate notification to every affected Data Principal, and a detailed report to the Board within 72 hours. There is no materiality threshold under the Rules every personal data breach is notifiable, however small so the response has to be a tested process, not a judgement call made under pressure. We define the roles, write the playbooks, build the proof of notification records, and implement the Rules' minimum one year retention of personal data, associated traffic data and processing logs.

DPO as a Service & Ongoing Support

We provide a qualified, India based Data Protection Officer and ongoing compliance operations rights and grievance handling, breach readiness, documentation upkeep, periodic reviews and regulatory advisory keeping you continuously compliant as the regime evolves.

Why NexorTest

DPDP Compliance Built for Device, Health & Software Companies

We combine India data privacy expertise with deep medical device and connected product knowledge so your DPDP programme is designed around the same products, technical files and market entry plans your device compliance depends on.

Device & Health Data Specialists

We understand the health data edge cases and connected device telemetry that generic privacy firms miss aligning DPDP with clinical workflows, ABDM and medical-device rules.

One Integrated Regulatory Partner

Because we already run your CDSCO, BIS, WPC and TEC compliance, your DPDP programme is designed around the same products and market-entry plans no silos, no conflicting advice.

Audit Ready Evidence, Not Just Advice

We build the complete evidence set policies, records, DPIAs and proof of notification formatted for auditors and the Data Protection Board, so your compliance is provable.

DPO as a Service

A qualified, India based Data Protection Officer runs your compliance operations rights, grievances, breach readiness and regulatory liaison at a fraction of a full-time hire.

First Submission Acceptance
0 %
Countries Served
0 +
Faster Than Industry Average
0 %
Our Process

Six Steps to Audit Ready DPDP Compliance

A proven, structured approach that takes you from applicability mapping to an audit ready, continuously maintained DPDP compliance programme.

1
Applicability & Role Mapping

We confirm how the DPDP Act applies to you Data Fiduciary, Processor or SDF and scope every product, device, system and data flow that processes India linked personal data.

2
Gap Analysis & Data Mapping

We discover, map and classify personal data across systems, devices and vendors, then measure current practice against the Act and Rules to produce a prioritised, risk scored gap register.

3
Design Policies, Notices & Consent

We draft compliant policies, standalone notices and consent flows, design governance, retention and deletion schedules, and embed privacy by design into products and platforms.

4
Implement Controls & Remediation

We deploy security safeguards, rights workflows, breach response and remediated vendor contracts, and integrate consent management and DPO functions across the organisation.

5
Train, Audit & Validate

We deliver employee training, run a compliance audit and for SDFs a DPIA and independent audit, then validate that every obligation is evidenced and operational.

6
Ongoing Compliance & DPO Support

We maintain continuous compliance through monitoring, rights and grievance handling, breach readiness and periodic reviews, with DPO as a Service and regulatory advisory.

DPDP Act Explained

The Complete Guide to DPDP Act Compliance

The Digital Personal Data Protection Act, 2023 is India's first comprehensive, standalone data protection law. It received Presidential assent in August 2023, and on 14 November 2025 the Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules, 2025, converting the Act's high-level principles into detailed, measurable, enforceable obligations. Together, the Act and Rules govern how any organisation collects, stores, processes, shares and deletes the digital personal data of individuals called Data Principals in India, and they establish a consent first regime inspired by global frameworks such as the GDPR but tailored to India's digital first economy.

Who the DPDP Act applies to

The Act applies to every entity that processes digital personal data connected to India, whether that data was collected online or digitised from offline records. Crucially, it also applies extraterritorially a company based outside India that offers goods or services to individuals in India, or that profiles them, must comply. For manufacturers, importers, software providers and service providers of wireless devices, IoT products, connected healthcare solutions, Software as a Medical Device and medical devices, this scope is broad. Device telemetry, companion apps, cloud dashboards, customer accounts, support systems, analytics logs and even basic website tracking can all involve personal data that falls within the Act.

Your obligations depend on your role. A Data Fiduciary decides the purpose and means of processing and carries primary legal responsibility. A Data Processor processes data on a fiduciary's behalf under a contract. A Significant Data Fiduciary (SDF) is a fiduciary the Central Government designates as higher risk based on the volume and sensitivity of the data it handles and the potential for harm; SDFs face enhanced duties including appointing a Data Protection Officer based in India, conducting annual Data Protection Impact Assessments, undergoing an independent annual data audit, and meeting algorithmic-transparency and data localisation requirements for notified categories.

The core obligations under the DPDP Rules 2025

The Rules translate the Act's duties into concrete requirements. Every Data Fiduciary must issue a standalone, plain language consent notice that lists the exact personal data collected, states the specific purpose of each processing activity, and provides a direct mechanism to withdraw consent and to complain to the Data Protection Board. Consent must be free, informed, specific and as easy to withdraw as to give blanket or bundled consent is invalid. Organisations must implement reasonable security safeguards, described in the Rules to include measures such as encryption, masking or tokenisation, role based access control, and logging and monitoring, with security and access logs retained for a minimum of one year to support breach investigation.

Data Principals gain enforceable rights to access a summary of their data and processing, to correction and completion, to erasure, to grievance redressal, and to nominate another person to exercise their rights. Fiduciaries must build workflows to fulfil these rights and resolve grievances within the prescribed timeline. Personal data must be erased once its purpose is served, subject to sector specific retention periods set out in the Rules. Cross border transfers follow a negative list model data may flow outside India unless the government restricts a specific country or territory.

Breach notification and children's data

On becoming aware of a personal data breach, a Data Fiduciary must notify each affected individual without undue delay, in plain language describing the breach, the data involved, the likely consequences, the mitigation underway and the steps the individual can take, and must furnish a detailed report to the Data Protection Board within the prescribed window a demanding, dual track obligation that requires a tested incident response plan. For children under 18 and persons with disabilities who have a lawful guardian, verifiable parental or guardian consent is mandatory before processing, and behavioural tracking, monitoring and targeted advertising directed at children are prohibited. The Rules recognise verification methods including integration with government backed digital identity and document services.

Why healthcare and connected devices face the highest bar

Health data medical records, diagnostic and genetic data, prescription history, insurance details and the continuous streams generated by connected medical devices, wearables and SaMD is among the most sensitive personal data an organisation can hold, and the DPDP Act's risk based approach means the potential for harm drives the rigour expected. Hospitals, diagnostic centres, telemedicine and healthtech platforms typically act as fiduciaries, while EHR vendors, cloud hosts, laboratories and billing processors act as processors, though liability stays primarily with the fiduciary. The challenge is compounded by the tension between clinical and legal retention needs and the Act's deletion mandate, by cross-organisational data sharing, and by the need to harmonise DPDP with India's medical device and digital health frameworks. This is precisely the intersection NexorTest is built for.

Penalties and the cost of non-compliance

The Schedule to the Act sets tiered penalties imposed by the Data Protection Board per instance of violation:

  • Up to Rs. 250 crore: Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)).
  • Up to Rs. 200 crore: Failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6)).
  • Up to Rs. 200 crore: Breach of additional obligations relating to children's personal data (Section 9).
  • Up to Rs. 150 crore: Significant Data Fiduciary (SDF) failure to meet additional obligations, including appointing a Data Protection Officer (DPO), conducting a Data Protection Impact Assessment (DPIA), and carrying out audits (Section 10).
  • Up to Rs. 50 crore: Residual penalty for any other contravention under the Act.
These are ceilings, not defaults: the Board determines quantum under s.33(2) having regard to the nature, gravity and duration of the contravention, the data affected, whether it was repetitive, whether the person gained financially, and what mitigation was taken. But because the tiers attach to DISTINCT failures, they stack.

The 18 Month DPDP Clock

Phased Compliance Timeline & Obligations

The DPDP Rules roll out in phases from the 14 November 2025 notification. Knowing what activates when lets you sequence your programme correctly and avoid a last minute scramble.

PhaseWhenWhat ActivatesWhat You Should Be Doing
Phase 1 FoundationalImmediate (from Nov 2025)Data Protection Board of India constituted; foundational and Board establishment provisions in forceForm a DPDP task force, secure budget, begin gap analysis and data mapping
Phase 2 Consent Managers14 November 2026Consent Manager registration takes effect one year from notification. A named date is what the client plans against; a relative one is not.Finalise consent architecture, notices, governance and core security controls
Phase 3 Full Obligations18 months by 13 May 2027Consent, notices, rights, grievance redressal, breach reporting, safeguards, SDF dutiesComplete implementation, training, audit and DPIA; validate audit readiness
OngoingContinuousActive monitoring, audits, breach investigations and complaint redressal by the BoardOperate DPO function, fulfil rights, maintain evidence, run periodic reviews
Who We Serve

DPDP Compliance Across Regulated & Data Intensive Sectors

From connected medical devices and SaMD to industrial IoT and B2B software, our specialists deliver DPDP compliance tailored to how each sector actually processes personal data.

FAQ's

Frequently Asked Questios for DPDP Act Compliance

The Digital Personal Data Protection Act, 2023, operationalised by the DPDP Rules notified on 14 November 2025, is India’s first comprehensive data protection law. It governs how any organisation collects, stores, processes, shares and deletes the digital personal data of individuals in India, and applies to every Data Fiduciary and Data Processor including makers, importers, software and service providers of wireless, IoT, connected healthcare, SaMD and medical devices. It also applies to companies outside India that offer goods or services to, or profile, people in India. NexorTest helps you determine your exact role and obligations and build an audit-ready programme.

The Rules started an 18 month phased clock with a hard deadline of 13 May 2027. The Data Protection Board of India is already established and can accept complaints, Consent Manager registration switches on around 12 months, and the core obligations become fully enforceable at 18 months. Because the Board is live, enforcement is not a future event. Most enterprise programmes take 9 to 12 months to reach audit readiness, so starting early is essential. NexorTest builds a phased roadmap that has you compliant well before the deadline.

The Schedule to the Act sets tiered penalties per violation: up to ₹250 crore for failing to implement reasonable security safeguards; up to ₹200 crore each for breach notification failures and children’s data violations; up to ₹150 crore for SDF obligation failures; and up to ₹50 crore for any other contravention. Because penalties are assessed per instance, a single incident can produce cumulative exposure well above the headline figure, plus reputational damage and operational disruption. NexorTest reduces this exposure by closing the specific gaps regulators focus on first.

Health data is among the most sensitive personal data, and the Act covers patient records, diagnostic and genetic data, prescription and insurance details, and the data generated by connected devices and wearables. Hospitals, diagnostic centres and healthtech platforms are usually fiduciaries; EHR, cloud, lab and billing vendors are processors, though liability stays with the fiduciary. Connected medical devices, IoT health monitors and SaMD continuously stream identifiable health data, triggering consent, purpose limitation, security, retention and breach duties. NexorTest specialises in this intersection, aligning your DPDP programme with clinical workflows, ABDM, medical-device rules and existing quality systems.

A Data Fiduciary decides why and how data is processed and carries primary liability. A Data Processor processes data on a fiduciary’s behalf under contract, such as a cloud host or analytics vendor. A Significant Data Fiduciary (SDF) is a fiduciary the government notifies as higher-risk based on data volume, sensitivity and potential harm; SDFs must appoint a DPO based in India, run annual DPIAs and independent audits, and meet algorithmic transparency and localisation duties for notified data. Many healthtech, fintech and large SaaS operators can fall into the SDF bracket. NexorTest determines your classification and builds the exact obligation set you need.

A gap analysis measures your current data practices against the Act and Rules and produces a prioritised remediation plan. It starts with data discovery and mapping every system, app, device, vendor and workflow that touches India linked personal data and classifies that data. It then evaluates consent, notices, lawful grounds, security safeguards, retention and deletion, Data Principal rights workflows, breach readiness, and vendor and cross border arrangements. The output is a risk scored gap register, a roadmap and an effort estimate. NexorTest delivers this as an audit ready report your leadership, auditors and the Board can rely on.

Every fiduciary must issue a standalone, plain language consent notice, independent of other documents, that itemises the personal data collected, states the specific purpose of each processing activity, and provides a direct way to withdraw consent and complain to the Board. Consent must be free, informed, specific and easy to withdraw blanket or implied consent is invalid. For children under 18 and persons with disabilities with a lawful guardian, verifiable parental or guardian consent is mandatory, and tracking or targeted advertising to children is prohibited. NexorTest designs compliant notices, consent flows and Consent Manager integration.

On becoming aware of a breach, a fiduciary must notify each affected individual without undue delay in plain language describing the breach, the data involved, likely consequences, mitigation and safety steps, with contact details and furnish a detailed report to the Data Protection Board, with follow up within the prescribed timeline. You must keep proof of notification and be able to justify any delay, which requires a tested incident response plan, defined roles and at least one year of log retention. NexorTest builds and rehearses your breach response so you can meet these deadlines under pressure.

Start Your DPDP Compliance Journey Today

The 13 May 2027 deadline is closer than it looks, and the compliance clock started in November 2025. Get a free DPDP assessment and a clear roadmap to compliance from a team that understands your products.

Related Compliance Services

Complete Your India & Global Regulatory Coverage

Scroll to Top