How to Prepare for India’s New DPDP Rules and Safeguard Your Organization

The phased rollout of India’s Digital Personal Data Protection (DPDP) Rules officially began on November 14, 2025, marking the full operationalization of the DPDP Act, 2023. While organizations have an eighteen-month window for phased compliance, the complexity of managing digital identities means you must act now to avoid penalties that go as high as ₹250 crore.

Here is your technical roadmap for operationalizing the new mandates:

1. Implement Notice and Itemized Consent (Rule 3)
   Generic “I agree” buttons to ask for consent are no longer enough. Rule 3 of DPDP states that you must provide a notice in clear and plain language that includes an itemized description of the data being collected and the specified purpose for which it will be used.
2. Obtain Verifiable Consent (Rules 10 & 11)
   If you process data from children (under 18) or persons with disabilities, you must adopt technical measures to obtain verifiable consent from a parent or legal guardian. This involves performing due diligence to ensure the person providing consent is an identifiable adult.

3. Enforce “Reasonable Security Safeguards” (Rule 6)
   Rule 6 defines exactly what “reasonable security safeguards” look like, requiring you to protect personal data – including data handled by third-party processors – through:

   • Data Security: Implementing encryption, obfuscation, masking, or virtual tokens to shield sensitive assets.
   • Access Controls: Managing exactly who can enter computer resources and maintaining visibility through appropriate logs and monitoring to detect unauthorized entry.
4. Mandate One-Year Log Retention (Rules 6(e) & 8(3))
   Accountability is now backed by a strict storage requirement. Even if a user deletes their account, your organization must retain logs and personal data for a minimum period of one year from the date of processing to enable the investigation of potential breaches.
5. Automate the Right to Be Forgotten (Rule 8)
   Under the principle of “storage limitation,” you must erase personal data once its specified purpose is served. You must notify the user at least 48 hours before the erasure, giving them a final chance to exercise their rights. For many large entities, data must be cleared three years after the user’s last contact.

6. Meet Higher Obligations for Significant Data Fiduciaries (Rules 13 and 15)
   If your organization handles massive volumes of data and is classified as an SDF (significant data fiduciaries), you must:

   • Perform a data protection impact assessment (DPIA) and a formal audit every 12 months.
   • Ensure that specified personal data and traffic data are not transferred outside India if restricted by the government.
7. Grievance Redressal and Data Principal Rights (Rule 14)
   Rule 14(3) requires you to prominently publish a grievance redressal system that responds to user concerns within a period not exceeding 90 days. Additionally, users now have the right to nominate individuals to exercise their rights in case of death or incapacity, requiring identity systems to be flexible enough to manage these transitions.

How Akku Can Help

As a full-stack Identity and Access Management (IAM) platform, we:

1. Enforce zero-trust: Implement least privilege and just-in-time (JIT) privileges to minimize your attack surface.
2. Automate lifecycle governance: Use our identity governance (IGA) module to automate “one-click” deprovisioning. This ensures that when a user leaves, all access is comprehensively revoked.
3. Simplify consent management: Manage itemized and verifiable consent for all user groups, including children, through our Customer Identity (CIAM) solution.
4. Maintain audit readiness: Our smart analytics provide the mandatory tamper-evident logs for one-year retention, ensuring you are always ready for an investigation or audit.
5. Centralize device security and endpoint control: Beyond identities, Akku enforces consistent security policies across all endpoints via our GPO and mobile device management (MDM) modules. This allows you to block unauthorized peripherals like USBs, enforce work profile isolation on mobile devices, and prevent unauthorized data exfiltration across Windows, macOS, and Linux.

Talk to us today to find out how Akku can help your organization achieve full DPDP compliance.