DPDP in 2027: what Indian manufacturers need to know before it bites


by Amit Jindal

03 Apr, 2026


The Digital Personal Data Protection Act was passed in August 2023. The rules were notified in 2025. Full enforcement arrives in 2027. Maximum penalty per breach: ₹250 crore. Most Indian SME manufacturers we sit with have not yet internalised what DPDP actually requires of them.

This is not a finance-sector problem. The DPDP Act applies to any “data fiduciary” processing personal data of Indian residents. If you run a factory, you are a data fiduciary. The moment you store an employee’s Aadhaar copy, a vendor’s KYC folder, or a customer’s WhatsApp number, you are in scope.

Where the gaps hide in a typical factory

None of these will surprise you. All of them are DPDP gaps:

  • The WhatsApp group where quality rejections get shared with a supplier. Personal data of operators, customers and vendors flowing through a consumer app with no processing agreement.
  • The HR drive full of Aadhaar photocopies, PAN cards, and bank passbooks going back fifteen years. Retention limit? None. Access control? Whoever has the drive link.
  • Biometric attendance. Fingerprints are personal data. Most factories have never asked whether the attendance vendor is DPDP-aligned. Most vendors are not.
  • Vendor onboarding folders with proprietor photos, PAN, bank statements. Often forwarded over email to the accounts team. Retained forever.
  • CCTV footage of the shop floor and office. Personal data of every worker who walked past. Retention policy? Until the hard drive fills up.
  • Customer phone numbers in your CRM, your dispatch app, and the owner’s personal Gmail contacts. Three copies, no consent trail.

Each one of those is a DPDP finding waiting to happen.

What the Act actually requires

The short version, translated out of legalese:

  1. Consent. For every piece of personal data you hold, you must be able to show how and when the person consented. Implied consent is not consent.
  2. Purpose limitation. Data collected for one purpose cannot be used for another without fresh consent. That CRM export for a marketing campaign? Fresh consent.
  3. Storage limitation. You cannot keep data longer than necessary. Fifteen-year-old Aadhaar copies are probably not necessary.
  4. Security safeguards. Reasonable security measures. Access control, encryption in transit, audit logs. Not optional.
  5. Breach notification. If you have a breach, you notify the Data Protection Board within a defined window. If your security is untested, you will not discover breaches in time to notify.
  6. Data Protection Officer. For significant data fiduciaries, a DPO is mandatory. “Significant” is defined by volume and sensitivity. Most manufacturers with 500+ employees will qualify.
  7. Processing agreements. Every vendor who touches your data (payroll, attendance, CRM, WhatsApp aggregator) must have a data processing agreement on file. Verbal assurance is not an agreement.

Why waiting is the expensive strategy

Three reasons.

First, ₹250 crore is the ceiling. The Data Protection Board can fine up to that amount per contravention. A breach that affects a thousand employees is a thousand data principals. Do the math.

Second, large customers will start asking. If you supply a Tier-1 OEM, a global brand, or any listed company, they will demand DPDP attestations before you pass their vendor audit. Some already do. In 2027 they all will.

Third, the fix is cheapest when the factory is small. Retrofitting DPDP compliance onto a 2000-employee business is painful. Doing it while you are 200 employees is a weekend of work.

How we fold DPDP into FORGE

DPDP is not a separate workstream in the FORGE framework. It is baked into Phase 2 (STRUCTURE) and finalised in Phase 6 (STRENGTHEN).

In Phase 2 we inventory where personal data lives, what consent trail exists (usually none), and which vendors need data processing agreements. We put a basic consent management system in place, establish retention rules, and lock down access. The cost is modest because we are already deploying or upgrading the ERP.

In Phase 6 we formalise. Appoint a DPO if the factory crosses the significant data fiduciary threshold. Finalise all processing agreements. Run a breach response drill. Produce the audit-ready compliance report.

By Phase 6 exit, the factory is DPDP-ready with documentation a global brand’s audit team will accept in one pass. The ZED certification Phase 6 also supports slots in naturally.

If you do nothing else this quarter

Three concrete actions, in order:

  1. Map your data. Not a formal audit. An honest thirty-minute conversation across HR, accounts, sales and IT: where does personal data live, how did it get there, who touches it, and how long do we keep it? The gaps will become obvious.
  2. List your vendors. Every tool and service that touches employee, customer or vendor data. Mark the ones that have not signed a data processing agreement with you. That is your first outreach list.
  3. Delete what you do not need. The fifteen-year-old Aadhaar photocopies. The former-employee folders from 2014. The CRM exports on someone’s personal laptop. You cannot breach data you do not hold.

If any of this sounds daunting, the FORGE Readiness Score gives you a snapshot of your DPDP exposure alongside the rest of your AI readiness. It is free and takes five minutes.

