DPDP / SME Roadmap

90-Day DPDP Readiness Plan

CA Nikhil Gupta·June 2026·3 min readDPDP / SME Roadmap

Implement DPDP readiness in ninety days through legal commencement mapping, data inventory, notices, consent, vendors, access, retention, incidents and governance.

A small business does not need a hundred-page privacy programme before it can fix its biggest risks.

Quick View

Decision

Use ninety days to create evidence-backed controls and a longer roadmap for phased legal dates.

First action

Appoint executive owner.

Core evidence

Ninety-day plan.

Main warning

Starting with policy copy.

Why It Matters

The final Digital Personal Data Protection Rules, 2025 were notified on 14 November 2025 with phased commencement. As of 25 June 2026, organisations should distinguish provisions already commenced from operational duties scheduled for later dates, while continuing to comply with the IT Act, CERT-In directions and sectoral rules already in force.

The plan should not claim every DPDP obligation is currently enforceable. It should build controls against the final framework while closing existing CERT-In, security and sectoral gaps.

Prioritise data that can cause financial, identity, health, employment or child harm.

Control Framework

AreaWhat to establishOperating rule
Days 1–30Scope, owners, data map and incidents.Find reality.
Days 31–60Notices, consent, vendors and access.Build controls.
Days 61–90Rights, deletion, testing and board pack.Prove operation.
BeyondPhased dates and mature assurance.Fund roadmap.

Action Checklist

  1. Appoint executive owner.
  2. Map critical data and vendors.
  3. Fix open access and logging.
  4. Draft actual notices.
  5. Create incident and request workflows.
  6. Run tabletop and board review.

Practical Example

An SME begins by buying privacy software but has no data map, no system owners and no authority to change vendor contracts.

Evidence to Keep

  • Ninety-day plan.
  • Data inventory.
  • Risk register.
  • Notice and consent versions.
  • Vendor and access records.
  • Exercise and board minutes.

Warning Signs

  • Starting with policy copy.
  • Treating software as compliance.
  • No executive owner.
  • Ignoring shadow spreadsheets.
  • Claiming completion without tests.

Detailed Review

Privacy governance should connect the personal data, individual, purpose, collection point, system, owner, recipient, access role, retention trigger and incident dependency. A policy that cannot be traced to this chain is difficult to operate.

Create a dated legal matrix rather than one status label. Record the DPDP provision, commencement date, present readiness action, current IT or sectoral obligation and the evidence owner.

Design controls in the product and system. A written rule cannot stop an SDK from firing, a shared folder from exposing payroll, or a vendor from retaining deleted users unless technology and operations enforce it.

Evidence should be generated during normal work: versioned notices, event logs, access approvals, request tickets, deletion reports, vendor registers, incident chronologies and management decisions.

Use proportionate identity and security checks. Excess verification creates more personal data, while weak verification can expose another person’s records or permit account takeover.

Every product release should trigger a privacy change review covering new fields, vendors, permissions, purposes, regions and retention.

Management reporting should show overdue evidence and control failures, not only the existence of policies.

Control Test

Test the control using a real user journey from collection to deletion. Capture the notice shown, data stored, vendors called, employees with access, retention period and response if the user withdraws or complains.

Run a negative scenario: the vendor is breached, the user is a child, the employee exits, the phone is stolen, the data was inaccurate or the regulator asks for proof. Record which control fails.

Check that system records and public wording agree. Product forms, privacy notice, CRM fields, SDK behaviour, vendor contracts and support scripts should describe the same processing.

Assign a named owner and internal deadline for every gap. A risk register without funded action and closure evidence becomes an archive of known failures.

Retain the rejected alternatives and decision basis. This is especially important where the law is in phased commencement or a proportionate technical method is selected.

Escalation Route

Start with the system owner, privacy or security owner and the documented data flow. Preserve records before making changes, and separate current statutory reporting from future DPDP readiness.

For a breach, financial fraud, rights dispute, children’s-data issue or regulated-sector event, involve qualified legal, cyber, forensic and sector specialists and use the applicable official reporting or grievance channel.

Frequently Asked Questions

Can an SME finish all privacy work in ninety days? â–¼
It can establish a strong foundation and prioritised roadmap.
What is day-one priority? â–¼
Identify owners, critical data, current incidents and legal timing.
Should vendors be reviewed immediately? â–¼
Start with vendors holding high-risk or large-volume data.
How is progress proven? â–¼
Through maps, logs, tickets, tests, contracts and management decisions.