Compliance Guide

Decoding India's DPDP Act

A Practical Guide to Endpoint-Level Compliance for Data Fiduciaries

The Digital Personal Data Protection Rules, 2025 set a hard compliance deadline of 13 May 2027 for every organisation that processes the personal data of individuals in India. This guide breaks down what the DPDP Act and Rules require at the endpoint level, and how Zecurit Endpoint Manager helps data fiduciaries get there.

Published by: Zecurit
Category: Compliance & Regulation
Audience: IT Teams, DPOs, Compliance Officers

Why the DPDP Act Changes How You Manage Endpoints

At a Glance
  • Who is impacted: Every organisation, Indian or foreign, that processes the personal data of individuals in India in connection with offering goods or services to them.
  • What changed: The DPDP Rules, 2025 were notified on 13 November 2025, operationalising the DPDP Act, 2023 with an 18-month phased compliance window ending 13 May 2027.
  • Why endpoints matter now: Rule 6 mandates "reasonable security safeguards" including encryption, access control, and monitoring, while Rule 7 requires 72-hour breach detection and reporting.
  • How Zecurit helps: BitLocker encryption, device control, access management, audit logging, and monitoring and alerts from a single agent and console.

The Constitution of India guarantees the right to privacy under Articles 14, 19, and 21, a position the Supreme Court reaffirmed in its landmark 2017 Puttaswamy judgment. After a decade of drafts and consultation, Parliament passed the Digital Personal Data Protection Act on 11 August 2023. It remained largely dormant until the Ministry of Electronics and Information Technology notified the DPDP Rules, 2025 on 13 November 2025, finally operationalising the law.

Unlike sector-specific frameworks, the DPDP Act applies horizontally to almost every business that touches personal data in India: HR systems, CRM platforms, e-commerce checkouts, employee laptops, and the endpoints that store, process, and transmit that data every day.

Why This Matters for IT Teams: Personal data breaches are not abstract legal risks. They originate on real devices: an unencrypted laptop, an unpatched server, a USB drive that walked out the door. Rule 6's "reasonable security safeguards" requirement places the endpoint squarely inside the compliance perimeter, not just the data centre.

This guide translates the DPDP Act and Rules into the specific endpoint controls IT and compliance teams need, and maps each one to Zecurit Endpoint Manager capabilities.

Key Terminology Under the DPDP Act

Before mapping obligations, it helps to understand the three core roles the Act defines:

  • Data Principal: The individual to whom the personal data relates. For example, an employee whose name, email, and phone number sit in your HR system.
  • Data Fiduciary: The entity that determines the purpose and means of processing personal data. Most businesses collecting customer or employee data fall into this category.
  • Data Processor: An entity that processes personal data on behalf of a Data Fiduciary, such as a payroll vendor or a cloud service provider.

A subset of Data Fiduciaries may be classified as Significant Data Fiduciaries (SDFs) by the Central Government, based on the volume and sensitivity of data processed, risk of harm to data principals, and potential impact on India's sovereignty. SDFs face enhanced obligations including mandatory Data Protection Impact Assessments (DPIAs), annual independent audits, and appointing a Data Protection Officer based in India.

Who Must Comply With the DPDP Act?

The Act's scope is broader than many businesses assume. It applies to:

  • Indian companies processing personal data of Indian residents
  • Foreign entities offering goods or services to individuals in India
  • Organisations digitising previously offline personal data
  • E-commerce platforms, fintechs, and SaaS providers handling Indian user data
  • Healthcare providers, insurers, and educational institutions
  • HR and payroll systems processing employee personal data
  • Any Data Processor engaged by a Data Fiduciary
  • Significant Data Fiduciaries notified by the Central Government

Penalty Exposure: Non-compliance can result in penalties of up to ₹250 crore per violation category, determined by the Data Protection Board of India based on the nature of the breach, number of individuals affected, and the organisation's compliance history. Failure to notify a breach carries penalties of up to ₹200 crore on its own.

The DPDP Compliance Timeline

The DPDP Rules, 2025 introduced a staggered 18-month implementation window. Organisations that treat this as a single deadline rather than a phased build will find themselves short on time.

13 November 2025 (immediate): Rules Notified, Board Operational

The DPDP Rules, 2025 were notified via Gazette G.S.R. 846(E). The Data Protection Board of India became operational, with headquarters in the National Capital Region, and the penalty framework activated.

November 2026 (12 months): Consent Manager Registration Opens

Indian-incorporated entities meeting net worth thresholds can register as Consent Managers, interoperable platforms through which data principals manage, review, and withdraw consent. This also marks the end of the informal "soft enforcement" phase.

13 May 2027 (18 months, hard deadline): Full Compliance Mandatory

By 13 May 2027, every obligation under the Act and Rules must be operational: standalone consent notices, data principal rights infrastructure, 72-hour breach protocols, retention and erasure automation, verifiable parental consent, and Rule 6 security safeguards across every endpoint that touches personal data.

DPDP Obligations Mapped to Zecurit Endpoint Manager

The Act's principles translate into concrete technical controls at the endpoint level. The following sections map each relevant obligation to specific Zecurit capabilities.

Obligation 01

Reasonable Security Safeguards (Rule 6)

Rule 6 requires Data Fiduciaries to implement security measures that ensure the confidentiality, integrity, and availability of personal data, including encryption, access controls, and continuous monitoring to prevent breaches. These obligations extend to any Data Processor engaged by the fiduciary.

Zecurit Endpoint Manager

BitLocker Management enforces drive encryption across every managed Windows endpoint, ensuring personal data at rest remains unreadable if a device is lost or stolen. Monitoring and Alerts continuously tracks firewall status, antivirus health, and BitLocker protection state, giving you the confidentiality and integrity safeguards Rule 6 requires.

Capabilities: BitLocker Management, Security Alerts, Firewall Configuration, TPM Policy Management

Obligation 02

72-Hour Breach Detection and Notification (Rule 7)

Rule 7 requires Data Fiduciaries to notify affected data principals without delay and submit a detailed breach report to the Data Protection Board within 72 hours, covering the nature, date, time, and impact of the breach. Detecting a breach quickly is the precondition for meeting this clock at all.

Zecurit Endpoint Manager

Real-time Security Alerts flag disabled antivirus, disabled firewalls, and BitLocker protection being turned off the moment they happen, rather than during a periodic scan. Device Control logs every connection attempt and blocked event with a timestamp, giving incident response teams the forensic detail needed to scope a breach within the 72-hour window.

Capabilities: Real-Time Security Alerts, Audit Device Logs, Hardware/Software Change Alerts

Obligation 03

Preventing Unauthorised Data Exfiltration

The Act's purpose limitation and storage limitation principles only hold if personal data cannot leave the organisation through uncontrolled channels. USB drives, unauthorised cloud sync, and unmanaged peripherals are common, and largely preventable, vectors for personal data leakage.

Zecurit Endpoint Manager

Device Control enforces allow, block, or trusted-only policies for removable storage, Bluetooth, wireless adapters, and Windows Portable Devices, including BadUSB keystroke injection prevention. Policies are enforced even when endpoints are offline, closing a gap that purely network-based DLP tools cannot cover.

Capabilities: Device Control, USB/Removable Storage Policies, Offline Policy Enforcement, BadUSB Prevention

Obligation 04

Access Control and Accountability

The Act's accountability principle requires Data Fiduciaries to demonstrate that only authorised personnel can access personal data, and to maintain records of who accessed what, and when. This becomes especially important for systems holding HR records, customer databases, or healthcare information.

Zecurit Endpoint Manager

Configuration Management's User and Group Management lets IT teams create, modify, and disable local user accounts remotely and enforce password policies from a central console. Remote Access sessions require explicit session confirmation from the end user and are governed by role-based access controls, with every session fully logged for audit purposes.

Capabilities: User and Group Management, Role-Based Access, Session Confirmation and Audit, User Logon Reports

Obligation 05

Data Minimisation and Retention Limits

Rule 8 and the Third Schedule require Data Fiduciaries to define purpose-specific retention periods and erase personal data once its purpose is fulfilled. Individuals must be notified at least 48 hours before scheduled erasure. Knowing exactly what software, and therefore what data-handling applications, exist on each endpoint is foundational to enforcing this.

Zecurit Endpoint Manager

Software Inventory tracks every installed application with real-time version data, helping compliance teams identify which endpoints run systems that store or process personal data. Remote Script Execution can automate scheduled data cleanup tasks across thousands of endpoints simultaneously, supporting retention and erasure workflows at scale.

Capabilities: Software Inventory, Remote Script Execution, Software Alerts

Obligation 06

Continuous Monitoring for Significant Data Fiduciaries

Rule 13 requires Significant Data Fiduciaries to conduct annual Data Protection Impact Assessments and independent compliance audits. These exercises depend on accurate, continuously updated visibility into the organisation's device and data landscape, not a one-time snapshot.

Zecurit Endpoint Manager

The Monitoring and Alerts module provides real-time notifications across security, hardware, software, and certificate events, feeding a continuous compliance posture rather than a periodic audit scramble. Hardware Inventory and geo-location tracking maintain the asset visibility that DPIAs and independent audits require as supporting evidence.

Capabilities: Real-Time Monitoring and Alerts, Hardware Inventory, Geo Location Tracking, Certificate Alerts

Obligation 07

Audit Trail Retention and Evidence

Rule 6 requires detailed activity logs to be retained for at least one year to support breach investigation and the Data Protection Board's review process. Scrambling to assemble this evidence manually under audit pressure is precisely the failure mode that regulatory audits are designed to surface.

Zecurit Endpoint Manager

Compliance and Reporting provides 100+ built-in report templates, including security reports that surface BitLocker gaps, firewall status, and antivirus health across the fleet. Scheduled Report Delivery emails these reports to stakeholders automatically on a recurring basis in PDF, CSV, or XLS format, building the continuous audit trail Rule 6 expects without manual extraction.

Capabilities: 100+ Compliance Reports, Scheduled Report Delivery, Security Reports

DPDP Obligations and Zecurit Endpoint Manager Capabilities

A consolidated reference mapping each DPDP endpoint-relevant obligation to the relevant Zecurit features, useful for DPIA preparation and internal compliance reviews.

DPDP Obligation | Zecurit Endpoint Manager Capability
Reasonable Security Safeguards (Rule 6) | BitLocker Management, Security Alerts, Firewall Configuration, TPM Policy Management
72-Hour Breach Detection (Rule 7) | Real-Time Security Alerts, Audit Device Logs, Hardware/Software Change Alerts
Preventing Unauthorised Exfiltration | Device Control, USB/Removable Storage Policies, Offline Policy Enforcement
Access Control and Accountability | User and Group Management, Role-Based Access, Session Confirmation and Audit
Data Minimisation and Retention (Rule 8) | Software Inventory, Remote Script Execution, Software Alerts
Continuous Monitoring (SDF, Rule 13) | Real-Time Monitoring and Alerts, Hardware Inventory, Geo Location Tracking
Audit Trail Retention (Rule 6) | 100+ Compliance Reports, Scheduled Report Delivery, Security Reports

DPDP Compliance Starts at the Endpoint

The DPDP Act and its 2025 Rules give Indian data protection law real teeth: a 72-hour breach clock, penalties up to ₹250 crore, and an 18-month runway that is already running. Most personal data breaches do not begin with a sophisticated attack on a data centre. They begin with an unencrypted laptop, an unmonitored USB port, or a local account nobody remembered to disable.

Building the endpoint controls Rule 6 demands now, rather than in the final months before 13 May 2027, gives your organisation a defensible compliance posture and the audit evidence to prove it.

Zecurit Endpoint Manager addresses the core endpoint-level obligations of the DPDP Act from a single lightweight agent and a unified management console, without separate tools to reconcile when the Data Protection Board comes asking for evidence.

About Zecurit

Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.

To learn more about Zecurit Endpoint Manager and how it supports your DPDP compliance programme, start a free 14-day trial or contact the Zecurit team.