The DPDP Act 2023 was passed two years ago. As of September 11, 2025, the Rules under it are still in draft — MeitY released the consultation version on January 3, 2025, and 6,915 public comments later, the final notification is still pending (MeitY draft rules page). Conversations with three legal advisors we work with peg the notification window as Q4 2025. When MeitY drops the gazette, eight specific things change for your SaaS stack overnight — and the Data Protection Board starts work immediately. This is the 3-hour audit that gets you ahead of that day.
- 8 items in this pre-notification audit
- 3 hrs to complete for a 20-50 person SaaS
- ₹250 cr maximum penalty under the DPDP Act
- 6,915 public comments MeitY received on the draft
## The 60-second answer
If your SaaS handles personal data of Indian users (it does), you need eight artefacts before the Rules notify: a data inventory, a consent record, a DPO designation, a breach-response runbook, child-data flags, a vendor list with DPAs, a deletion mechanism, and a grievance-redressal endpoint. Three hours, one Notion doc, two engineers and the founder. We have walked five Indian SaaS teams through this between July and September 2025 — the 3-hour figure is an actual measured average, not a brochure number.
## Why this matters in September 2025
The Rules have not notified yet. That window is your last cheap one. Once the gazette drops, the Data Protection Board can begin investigations and impose penalties under section 33 of the Act. Maximum penalty: ₹250 crore for failure to safeguard data, ₹150 crore for failure to notify breaches, ₹50 crore for failure to fulfil duties of consent managers (DPDP Act, full text). These are not theoretical. The CERT-In 6-hour breach reporting rule from 2022 has already produced enforcement action — DPDP gives the Board a much wider remit and a much sharper stick.
A founder's calculation: doing this audit now costs you 3 hours of one person's time. Doing it after a notice from the Board costs you a lawyer, an external auditor, and an unpredictable amount of executive time. The arithmetic is not subtle.
What "imminent" means in regulator-speak. The draft consultation closed February 18, 2025. Standard MeitY practice is 90-180 days from consultation close to gazette notification. We are now 7 months past close. Three legal advisors we asked all said "before December". One said "I would not bet against November". Plan for an October surprise; do not be the firm caught flat-footed.
## The 8 items, in priority order
1. **Personal-data inventory.** A spreadsheet listing every column in every table that contains personal data, the purpose, the legal basis, and the retention period. If you cannot produce this in 30 minutes, this is item one.
2. **Consent record per data principal.** A row in your consents table showing who consented, when, to what specific purpose, and how they can withdraw. Section 6 of the Act says consent must be free, specific, informed, unconditional and unambiguous. A T&C checkbox does not pass.
3. **DPO or contact person named publicly.** A real human, named on your website, with a real email. For Significant Data Fiduciaries, this must be a DPO. For everyone else, a Data Protection Contact Person works — but the name and email must be discoverable in 2 clicks from the home page.
4. **72-hour breach-response runbook.** A one-page playbook with named owners, escalation paths, and the literal email/PDF templates for the Data Protection Board notification and the affected-user notification. Tested, not aspirational.
5. **Child-data flag on signup.** If your product can be used by anyone under 18, you need verifiable parental consent. Most SaaS B2B products avoid this by contractually excluding minors — but you must say so explicitly in your terms.
6. **Vendor list with DPAs.** Every third-party processor (AWS, Postmark, Stripe, an analytics tool, a chat widget) needs a Data Processing Agreement. List them. Prioritise the three that touch the most personal data. Get DPAs signed in writing.
7. **User-initiated deletion mechanism.** A "delete my account" button in your product that actually deletes — not anonymises, not soft-deletes, not "we'll process this in 30 days". The Act gives data principals an erasure right; if your delete button does not erase, you have a gap.
8. **Grievance-redressal endpoint.** An email or form that goes to a real person who responds within a fixed window. The Rules will likely fix this at 30 days. We recommend setting a 7-day internal SLA and publishing the 30-day external one.
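An added example of the consent record from item 2, tied to the purposes declared in the inventory from item 1. This is constructed Python/SQLite code, not from the original post; the table, column and purpose names are assumptions. It stores one row per specific purpose with the notice version and language the principal saw, makes withdrawal a single update, and refuses a blanket terms-and-conditions purpose outright.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed: purposes declared in the personal-data inventory (item 1). Only these may
# appear in a consent row; a blanket "terms_and_conditions" purpose is deliberately absent.
DECLARED_PURPOSES = {"account_emails", "product_analytics", "marketing_emails"}

SCHEMA = """
CREATE TABLE consents (
    principal_id   TEXT NOT NULL,
    purpose        TEXT NOT NULL,   -- one row per specific purpose, never a bundle
    notice_version TEXT NOT NULL,   -- which notice wording the principal actually saw
    notice_lang    TEXT NOT NULL,   -- language the notice was shown in
    given_at       TEXT NOT NULL,   -- ISO-8601 UTC
    withdrawn_at   TEXT,            -- NULL while the consent stands
    PRIMARY KEY (principal_id, purpose, given_at)
);
"""

def now():
    return datetime.now(timezone.utc).isoformat()

def record_consent(conn, principal_id, purpose, notice_version, notice_lang):
    """Record consent for exactly one declared purpose; undeclared purposes are refused."""
    if purpose not in DECLARED_PURPOSES:
        raise ValueError(f"undeclared purpose: {purpose}")
    conn.execute("INSERT INTO consents VALUES (?, ?, ?, ?, ?, NULL)",
                 (principal_id, purpose, notice_version, notice_lang, now()))

def withdraw_consent(conn, principal_id, purpose):
    """Withdrawal is a single update: it must be as easy as giving consent was."""
    conn.execute("UPDATE consents SET withdrawn_at = ? WHERE principal_id = ? AND purpose = ? "
                 "AND withdrawn_at IS NULL", (now(), principal_id, purpose))

def may_process(conn, principal_id, purpose):
    """True only if a live (unwithdrawn) consent exists for exactly this purpose."""
    row = conn.execute("SELECT 1 FROM consents WHERE principal_id = ? AND purpose = ? "
                       "AND withdrawn_at IS NULL LIMIT 1", (principal_id, purpose)).fetchone()
    return row is not None

def demo():
    """Constructed walk-through: give, check, withdraw, and reject a blanket purpose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    record_consent(conn, "p-1001", "account_emails", "v3", "en")
    record_consent(conn, "p-1001", "product_analytics", "v3", "hi")
    before = may_process(conn, "p-1001", "product_analytics")    # True
    withdraw_consent(conn, "p-1001", "product_analytics")
    after = may_process(conn, "p-1001", "product_analytics")     # False after withdrawal
    marketing = may_process(conn, "p-1001", "marketing_emails")  # False: never given
    try:
        record_consent(conn, "p-1001", "terms_and_conditions", "v3", "en")
        blanket_rejected = False
    except ValueError:
        blanket_rejected = True
    return before, after, marketing, blanket_rejected
```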
## The 3-hour walkthrough
This is the audit we run with a founder and two engineers in a single sitting. Notion doc on screen, terminal open in another tab, calendar blocked. Each step has a verification you can demonstrate before moving on.
1. **Minute 0-30: Build the personal-data inventory.** Open your production database schema. List every column that holds: name, email, phone, address, IP, device ID, payment info, geolocation, biometric data, government ID, financial info, browsing history. For each, record: which table, what purpose, what legal basis (consent / contract / legitimate use), what retention period. Verify: a spreadsheet with at least 15 rows for a typical 3-year-old SaaS. If you have under 8 rows, you missed columns.
2. **Minute 30-60: Audit the consent flow.** Sign up for your own product as a new user. Take screenshots of every consent prompt. The Rules will require a clear notice with: the data being collected, the purpose, the right to withdraw, and the contact for the DPO/grievance officer — in English plus 1+ Indian languages of the user's choice. Verify: your signup screenshots show all four elements. Most do not on first audit. Plan a 1-week ticket to fix.
3. **Minute 60-90: Designate and publish the DPO/contact.** Pick a person — usually the founder for sub-10-person companies, head of engineering or compliance for larger. Add a /privacy-contact route or a row to /privacy. Email format: dpo@yourdomain.in or grievance@yourdomain.in. Verify: a stranger Googling "[your company] data protection contact" finds the email in the first result.
4. **Minute 90-120: Draft the breach runbook.** A one-page Notion doc. Sections: detection (who notices, monitoring tools), triage (severity classification 1-3), notification (template emails to the Board and affected users), legal review (which lawyer's number), comms (whose Twitter, what wording). Verify: a tabletop walkthrough — read the runbook out loud, simulate "we lost 4,000 user records," confirm every named person knows their step. The rulebook says 72 hours; we recommend treating 24 as the internal target.
5. **Minute 120-140: Vendor DPA inventory.** List every SaaS your stack uses that processes personal data. For each: do you have a signed DPA? Most US vendors offer one in their dashboard (Stripe, AWS, Vercel, Postmark all do). For Indian vendors, you may need to request it. Verify: a spreadsheet with vendor name, contact, DPA-signed Y/N, last reviewed date.
6. **Minute 140-160: Test the delete-account button.** Sign up as a test user. Add some data. Hit the delete button. Wait 24 hours. Query your DB for the user's email/ID. Verify: zero rows returned across all tables — including audit logs that might still have the email. If audit-log retention is required for legal reasons (it usually is for billing), document the exception in your privacy policy.
7. **Minute 160-180: Wire the grievance-redressal endpoint.** Create grievance@yourdomain.in. Route to a real human in support. Add a 7-day internal SLA, 30-day external published SLA. Add a row to your support tooling that flags grievance tickets for the DPO's review. Verify: send a test email; confirm it lands in the right inbox and the SLA timer starts.
## The cost ladder (what you need at each stage)
| Stage | Annual revenue | What you actually need | Estimated annual cost |
|---|---|---|---|
| Pre-seed / seed | < ₹2 cr | This 8-item audit + a privacy policy template + founder as DPO | ₹0 to ₹40k (one-off legal review) |
| Series A | ₹2-20 cr | Above + named privacy lead (0.2 FTE) + annual external audit + DPA tracker tool | ₹2-4 lakh (incl. external counsel) |
| Series B+ | > ₹20 cr | Above + dedicated DPO + ISO 27701 certification + automated DSAR tooling | ₹15-30 lakh (DPO salary + tooling + audits) |
| Significant Data Fiduciary | (designated by Govt) | Mandatory DPO based in India, annual DPIA, annual audit, mandatory data-protection impact assessments | ₹50 lakh+ (regulatory overhead) |
## When NOT to do the full version
If your product is purely B2B, sells only to enterprises with their own DPAs, and you never collect personal data of an end-user (only of buyer-employees through enterprise contracts), the bar is lower. Steps 1, 4, 6, 7, 8 still apply. Step 2 (consent) is mostly handled by the enterprise DPA. Step 5 (child data) is moot. Step 3 (DPO) is recommended but not strictly required at small scale.
If your product handles only data of users outside India (no Indian users at all), you are out of scope of the DPDP Act — but your enterprise customers will still ask, so it pays to be ready.
If you genuinely have under 100 users and revenue under ₹50k/year, the regulator will not be your first problem. Spend the time on revenue. Come back when the funnel turns.
The trap. "We are pre-revenue, the Rules do not apply yet" is wrong twice. The Act applies whether or not you have revenue — it depends on whether you process personal data. And starting a privacy practice at year 3 is harder than starting at year 0. The audit cost grows roughly with the square of company size. Now is cheap.
## The pre-notification checklist (print this)
- Personal-data inventory spreadsheet — minimum 12 rows for a 2-year-old SaaS
- Consent prompt screenshots showing notice in English + 1 Indian language option
- DPO/grievance email published on website, discoverable in 2 clicks
- 72-hour breach response runbook tabletop-tested with named owners
- Child-data exclusion clause in T&C, OR verifiable-parental-consent flow if minors are users
- Vendor list with DPA-signed Y/N column, top 3 priority vendors confirmed signed
- Account-deletion button tested end-to-end; zero rows after 24 hours
- Grievance-redressal SLA published (30 days external, 7 days internal)
- Privacy policy reviewed by counsel within last 12 months
- One named board member or co-founder briefed on DPDP exposure
## A real example — a 22-person Bangalore B2B SaaS
A productivity SaaS (analytics for sales teams, ~2,500 paying users mostly in India) ran this audit with us in July 2025. Going in: founder believed they were "mostly compliant." Outcome: they had 4 of the 8 items in working shape, 3 partial, 1 missing.
The four they had: privacy policy, basic consent on signup, founder as named contact, AWS DPA on file. The three partial: data inventory was outdated by 14 months, vendor list was 8 vendors but only 2 had DPAs, breach runbook existed but had never been tested. The one missing: account deletion was a soft-delete that left the user's email in their billing table for 7 years for tax-compliance reasons — which is fine, but the privacy policy did not disclose it.
Total fix time: 8 working days, 1 engineer + the founder at 0.4 FTE, plus 2 hours of legal review at ₹6,000/hour. Total cost: ₹2.4 lakh including the engineering time. They are now in a position where the day the Rules notify, they will not be scrambling.
For background on the prior version of this argument, see our 2025 piece on DPDP Rules 2025 — A 7-Day Action Plan for SaaS Founders in India, written for the day the Rules actually notified. This September post is the "before" companion to that "after" one.
## A founder note from our team
Our founder Vivek Singh has written about DPDP exposure repeatedly through 2025 — the founder beat is partly cybersec and partly regulatory, and the two have collapsed into one in the last 24 months. The shortest version of his argument: privacy practice is the cheapest reputational moat an Indian SaaS can build, because most of your competitors will skip it until they get a notice. Build it now and you have a 12-month head start.
We have run this same 8-item audit for clients in Pune, Hyderabad, and a remote team headquartered in Goa. The pattern is consistent — founders who ran the audit pre-notification spent 3-8 hours of internal time. Founders who waited until they got an enquiry from a customer's legal team spent 40-80 hours and had to engage external counsel at ₹8-15k/hour.
For a deeper technical view of what changed when the Rules did notify (in November), the team also covered the 7-day post-notification scramble and a founder essay on data rights on Constitution Day.
## Reddit pulse — what Indian founders are saying
r/india threads in February-March 2025 (right after the draft Rules dropped) show Indian founders mostly worried about three things: the cost of a DPO, the consent-manager registration model, and the practical mechanics of cross-border data transfer. The cross-border transfer concern has been narrowed in the final draft — the Government can now restrict transfers only to specifically notified countries (allowed-list approach). The consent manager model is voluntary at the moment and unlikely to become a hard requirement until the Board has been operational for 12+ months.
What you do not see in those threads: anyone who has actually been fined yet. The Board does not exist. Once it does, expect the first 5-10 enforcement actions to be very public and very specific — the regulator will want to set tone.
## A common question we get about timing
"When exactly do the Rules notify?" Nobody outside MeitY knows for certain. But the pattern is: 90-180 days from end of consultation. Consultation closed Feb 18, 2025. We are at +205 days as of this post. Plan for the gazette to drop in October or November. Build to a "ready by Oct 1" deadline and you have a buffer regardless of what happens.
"What if the Rules look very different from the draft?" The draft is detailed enough that the eight items above are stable predictions. Consent, breach notification, DPO/contact, deletion right, child data, grievance redressal, vendor processing — these are core obligations under the Act itself, not the Rules. The Rules add specifics (timelines, formats, language requirements) but cannot remove these obligations. Building to the draft prepares you for 90% of what the final Rules will require.
## FAQ
### Does the DPDP Act apply to my pre-revenue SaaS?
Yes. The Act applies to any "data fiduciary" processing personal data of Indian residents. Revenue is irrelevant. The size of penalties scales with severity, not your revenue — but the Board will consider proportionality. Building privacy practice from day one is dramatically cheaper than retrofitting it.
### Do I need to appoint a Data Protection Officer if I am 5 employees?
Not as a DPO in the formal sense. You need a "contact person" for grievances who is named publicly. For Significant Data Fiduciaries (a designation MeitY makes), a DPO is mandatory. For everyone else, the founder or a named co-founder is fine — for now.
### What is the penalty structure under the Act?
Section 33 specifies penalties: up to ₹250 cr for failure to safeguard personal data, ₹200 cr for failure to fulfil child-data obligations, ₹150 cr for breach notification failures, ₹50 cr for consent-manager obligations, ₹10 cr for other Act/Rules contraventions. The Board considers nature, gravity, duration of contravention.
### When were the Rules originally expected to notify?
Various commentators expected H1 2025. The draft published on January 3, 2025 with a Feb 18 consultation close suggested an April-May notification. We are now in September with no gazette. The pattern of MeitY's recent notifications suggests October-November. Build to October 1 and you are safe with buffer.
### Does the Act require local data storage in India?
The current draft does NOT require general data localisation. It permits the Government to restrict transfers to specifically notified countries (an allowed-list, not a blocked-list). For most SaaS using AWS or GCP regions in Singapore/Mumbai, this is not a restriction unless your data subjects' data ends up in a country the Government later restricts.
### What is a "consent manager" and do I need one?
A Consent Manager is a registered intermediary who manages consents on behalf of data principals across multiple data fiduciaries. The model is voluntary at present. You do not need to register as one and you do not need to use one. Watch for evolution after the Board is constituted.
### Is grievance redressal required even for free users?
Yes. The Act does not distinguish between paid and free users in its application. If a free user is a data principal whose personal data you process, you owe them the same grievance redressal, deletion right, and access right as a paying customer.
### What about cookies and analytics?
Cookies that set a tracking identifier and analytics that capture user behaviour are processing personal data. You need consent before setting non-essential cookies. The "essential cookies only on first visit, request consent for tracking" pattern is the standard approach. Most cookie-banner libraries (CookieYes, Cookiebot, Osano) handle the mechanics — but you still need to map your cookies to purposes.
## Need a DPDP-readiness pre-notification audit?
We run this 3-hour audit with founders for ₹35,000 fixed price. You leave with a filled-in 8-item checklist, a written gap analysis, the data-inventory spreadsheet, the breach runbook, and a 30-day remediation plan. First call is with the engineer who would lead the audit. Suitable for SaaS teams under 100 employees.