All articles
Roadmap 14 min read 5 March 2026 Primitra

DPDP Act Readiness Roadmap 2026–2027

An 18-month implementation roadmap for mid-size Indian businesses — quarter-by-quarter, with realistic budgets, headcount asks, and milestone-level deliverables.

Most DPDP Act readiness plans we see are either a two-page consultancy poster or a 200-line project plan that nobody reads. Neither survives contact with a real Indian SME. This is the 18-month roadmap we actually run — quarter by quarter — for a business between 100 and 500 employees.

Assumptions

  • 100–500 person Indian SME
  • Modern SaaS-centric tech stack
  • No prior formal privacy program
  • Not yet an SDF but with real growth ambition
  • Executive sponsor at COO / General Counsel level
  • Budget: ₹12–20 lakh for external support across 18 months

Quarter 1 (Months 1–3): Foundations

Outcome: A named accountable owner, a live data inventory, a defensible consent notice on the primary product, and a working rights request intake.

Key milestones:

  • Week 2: Executive sponsor formally appointed; program charter approved by the board.
  • Week 4: Kickoff of data inventory — start from invoices, not schemas.
  • Week 6: First cut of the personal data inventory (all Tier 1 systems).
  • Week 8: New Section 5 notices live on primary product and website.
  • Week 10: Rights request intake channel published (privacy@ mailbox + form).
  • Week 12: Grievance officer named and published; first internal training rollout.

Effort: 0.4 FTE internal, ~₹4–6 lakh external (workshop + inventory support).

Common failure mode: trying to design the perfect governance structure instead of shipping visible product changes. Ship the notice by Week 8 even if it's imperfect.

Quarter 2 (Months 4–6): Consent, product, and vendors

Outcome: A working preference centre in the product, the vendor register at v1 with Tier 1 DPAs in negotiation, and a documented breach response plan.

Key milestones:

  • Week 14: Product design of the preference centre approved.
  • Week 18: Preference centre shipped; withdrawal path as easy as consent.
  • Week 20: Vendor register v1 complete; Tier 1 DPAs sent for signature.
  • Week 22: Breach response plan approved, on-call roster in place.
  • Week 24: First tabletop exercise executed; retro completed.

Effort: 0.5 FTE internal (heavy engineering week 14–18), ~₹3–5 lakh external.

Common failure mode: Legal signs off on the preference centre before engineering has wired cascade deletion. You will regret this at Quarter 3.

Quarter 3 (Months 7–9): Retention, HR, and cross-border

Outcome: Retention schedule implemented technically, HR fully in-scope, cross-border transfer register live, and Tier 2 vendor DPAs progressing.

Key milestones:

  • Week 26: Retention schedule approved and translated into deletion jobs.
  • Week 28: Deletion jobs live in production for the top three data stores.
  • Week 30: HR data map complete; new offer letter and employee notice deployed.
  • Week 32: Cross-border transfer register live; sectoral compliance mapped (RBI/IRDAI/SEBI if applicable).
  • Week 36: Tier 2 DPAs — 70% signed.

Effort: 0.4 FTE internal, ~₹2–3 lakh external.

Quarter 4 (Months 10–12): DPIA, first-year audit, and SDF readiness

Outcome: DPIA methodology deployed against the top three high-risk activities, first-year internal audit complete, board-level review of the program, and SDF readiness assessment.

Key milestones:

  • Week 40: DPIA methodology approved; first three DPIAs completed.
  • Week 44: First-year internal audit — every control tested against evidence.
  • Week 48: Board review of the program; forward budget approved.
  • Week 52: SDF readiness assessment: if triggers are close, engage a fractional DPO now.

Effort: 0.3 FTE internal, ~₹3–4 lakh external.

Quarters 5–6 (Months 13–18): Optimisation and independent audit

Outcome: The program is boring, tested, and audit-ready. External auditor engaged for a lightweight independent review, even if you are not yet an SDF.

Key milestones:

  • Month 14: Second tabletop exercise with a different scenario.
  • Month 15: Retention and deletion job coverage extended to all Tier 2 data stores.
  • Month 16: External independent audit — 3–4 weeks, ₹4–8 lakh.
  • Month 17: Findings closed.
  • Month 18: 18-month program review with the board; roadmap for Year 2.

Headcount considerations

Most SMEs run this program with a fractional external DPO plus an internal Privacy Champion at 0.3–0.5 FTE. You do not need a dedicated privacy lead in the first 18 months unless: (a) you're approaching SDF designation, (b) you've had a public incident, or (c) your product is child-facing.

If SDF designation is on the horizon, our fractional DPO service is designed to run alongside your Privacy Champion until you're ready to hire in.

Budget summary

| Quarter | External spend | Internal FTE | |---|---|---| | Q1 | ₹4–6 lakh | 0.4 | | Q2 | ₹3–5 lakh | 0.5 | | Q3 | ₹2–3 lakh | 0.4 | | Q4 | ₹3–4 lakh | 0.3 | | Q5–Q6 | ₹4–8 lakh (audit) | 0.3 | | Total | ₹16–26 lakh | ~0.4 avg |

What kills the plan

Three things, in this order:

  1. Losing the executive sponsor. If the COO leaves in Q2, the program stalls unless the CEO backfills sponsorship in the same month.
  2. Trying to boil the ocean in Q1. Shipping the notice, the inventory v1, and the rights intake is enough for Q1. Everything else waits.
  3. Skipping the tabletop. The plan is theoretical until you rehearse it.

For an engagement that runs this exact roadmap with your team, our DPDP Act compliance program is scoped to this shape.

Get help implementing this

Turn this reading into a compliance plan.

Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.

Book a free 30-minute consultation