Big Helpers builds and audits software for compliance with India's Digital Personal Data Protection Act 2023 and the Draft DPDP Rules 2025 — consent management, data principal rights, retention rules, breach response, DPO support — built in, not bolted on.
If your software collects personal data of Indian citizens — name, phone, email, Aadhaar, location, photographs, anything that identifies a person — it now falls under the Digital Personal Data Protection Act 2023. Big Helpers builds new software that's DPDP-compliant from line one, and audits existing software for the gaps. Typical engagement: ₹40,000 (gap audit) to ₹4,00,000 (full retrofit), 2-10 weeks.
Your privacy notice mentions GDPR but not DPDP. It doesn't list a Data Protection Officer. It doesn't explain how a citizen can withdraw consent. That's a notice violation under DPDP.
DPDP requires free, specific, informed, unconditional, unambiguous consent — given by clear affirmative action. A pre-ticked checkbox is not consent.
A data principal can request erasure under section 12. Your codebase has no endpoint for it, your team has no SOP, and a restore from backup would bring the erased data straight back.
Where does the personal data you collect actually live? Maybe in the database. Maybe in S3. Maybe in old email exports. Maybe on a contractor's laptop. DPDP requires you to know — and to be able to produce a record on request.
DPDP requires notification to the Data Protection Board and to affected data principals. You have no defined trigger, no template, no internal escalation path.
Your stack uses US-hosted SaaS, US-hosted CDN, US-hosted email service. DPDP allows cross-border transfer except to countries the Government will notify as restricted — and the list is coming.
You collect customer name, phone, address, payment data, and behavioural data. You're a Data Fiduciary under DPDP. Compliance is non-negotiable from day one of operation.
You handle sensitive personal data — health records, exam results, legal case data. You attract higher scrutiny and the proposed Significant Data Fiduciary classification.
You're a Data Processor under DPDP. Your enterprise customers will demand a DPDP-aligned data processing agreement. Without one, you lose the deal.
DPDP applies to government too (with specific exemptions). Citizen-facing portals, scheme databases, grievance systems all need consent, retention, and DPO support.
At scale, the cost of a DPDP non-compliance penalty (up to ₹250 crore for serious breaches) dwarfs the cost of building it right.
Tell us what your application does and how many users you have. We'll give you an honest rough rating against the top-10 DPDP touchpoints — and tell you whether you need a 1-week gap audit or a full retrofit. Zero sales pressure.
Granular consent capture per processing purpose, version-controlled consent text in plain Hindi + English + regional language, full consent receipt to the data principal, withdrawal endpoint that propagates across systems.
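One way to structure the consent layer described above, as an added illustration rather than Big Helpers' own code: consent is recorded per processing purpose against a specific, hashed version of the consent text, a receipt can be generated for the data principal, and a withdrawal is fanned out to every downstream system. The purpose names, version strings, consent wording and downstream system names are constructed for the example; a real build would keep Hindi and regional-language variants of each text alongside the English.

```python
"""Per-purpose consent ledger with versioned consent text, receipts and a
withdrawal that propagates downstream. Added example; all names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

# Constructed consent texts, keyed by (purpose, version). Versioning the text
# lets the ledger prove exactly which wording the principal agreed to.
CONSENT_TEXTS = {
    ("kyc", "v2"): "We use your PAN and photo to verify your identity as the law requires.",
    ("marketing", "v1"): "We may send you offers by SMS and email. You can switch this off any time.",
    ("analytics", "v3"): "We study how you use the app so we can improve it.",
}


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    text_version: str
    text_hash: str                      # SHA-256 of the exact wording shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self, downstream):
        self._records = {}              # (principal_id, purpose) -> ConsentRecord
        self.downstream = list(downstream)  # systems that must honour a withdrawal
        self.propagation_log = []       # (system, principal_id, purpose) tuples

    def record_consent(self, principal_id, purpose, version, affirmative):
        # The caller passes the principal's explicit action; a pre-ticked box
        # never produces affirmative=True, so it can never create a record.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action")
        text = CONSENT_TEXTS[(purpose, version)]
        rec = ConsentRecord(principal_id, purpose, version,
                            hashlib.sha256(text.encode()).hexdigest(),
                            datetime.now(timezone.utc))
        self._records[(principal_id, purpose)] = rec
        return rec

    def withdraw(self, principal_id, purpose):
        rec = self._records[(principal_id, purpose)]
        rec.withdrawn_at = datetime.now(timezone.utc)
        # Fan the withdrawal out so no processor keeps acting on stale consent.
        for system in self.downstream:
            self.propagation_log.append((system, principal_id, purpose))
        return rec

    def has_consent(self, principal_id, purpose) -> bool:
        rec = self._records.get((principal_id, purpose))
        return rec is not None and rec.active

    def receipt(self, principal_id) -> dict:
        """Plain record for the data principal: what they agreed to, which wording, when."""
        return {
            "principal_id": principal_id,
            "consents": [
                {"purpose": r.purpose,
                 "text_version": r.text_version,
                 "text": CONSENT_TEXTS[(r.purpose, r.text_version)],
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for (pid, _), r in self._records.items() if pid == principal_id
            ],
        }


def demo() -> ConsentLedger:
    """Constructed walk-through: two consents given, one later withdrawn."""
    ledger = ConsentLedger(downstream=["crm", "sms-gateway", "analytics-warehouse"])
    ledger.record_consent("u-1001", "kyc", "v2", affirmative=True)
    ledger.record_consent("u-1001", "marketing", "v1", affirmative=True)
    ledger.withdraw("u-1001", "marketing")
    return ledger


if __name__ == "__main__":
    print(json.dumps(demo().receipt("u-1001"), indent=2))
```

The propagation log stands in for whatever mechanism (message queue, webhook, nightly sync) actually carries the withdrawal to the CRM, SMS gateway and warehouse; the point is that withdrawal is a first-class event with an audit trail, not a flag flipped in one table.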
Sections 11-13 rights — access, correction, erasure, grievance — exposed as user-facing APIs and admin tools. Identity verification, response within the prescribed timeframe, audit log of every request.
Catalogue every personal-data field the application collects, where it lives (DB, files, logs, backups), where it goes (third-party processors, analytics, email, SMS), and the lawful basis for each.
Per-purpose retention rules enforced by an automated job — anonymise or delete personal data when the purpose ends or the user goes inactive per your policy. Backup retention separately governed.
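An added example of the retention job just described, not Big Helpers' own implementation: each purpose carries its own rule (grace period after the purpose ends, optional inactivity limit, and whether the outcome is deletion or anonymisation), and a scheduled run evaluates every record and returns an audit list of what it did. The purposes, retention periods, field names and sample records are all constructed; the five-year hold on KYC data is a placeholder, not a statement of the legal requirement.

```python
"""Per-purpose retention engine: delete or anonymise personal data once the
purpose ends or the principal has been inactive past policy. Added example;
rules, field names and records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class RetentionRule:
    purpose: str
    keep_after_purpose_end: timedelta       # grace period once the purpose is over
    inactivity_limit: Optional[timedelta]   # None: inactivity alone never triggers
    action: str                             # "delete" or "anonymise"


# Constructed policy. Periods are placeholders, not legal advice.
RULES = {
    "kyc": RetentionRule("kyc", timedelta(days=5 * 365), None, "delete"),
    "marketing": RetentionRule("marketing", timedelta(days=0), timedelta(days=365), "delete"),
    "analytics": RetentionRule("analytics", timedelta(days=30), timedelta(days=180), "anonymise"),
}

# Fields stripped on anonymisation; non-identifying metrics are kept.
PII_FIELDS = {"name", "phone", "email", "address"}


@dataclass
class DataRecord:
    principal_id: str
    purpose: str
    fields: dict
    purpose_ended_at: Optional[datetime]
    last_active_at: datetime
    status: str = "live"                    # live | anonymised | deleted


def decide(rec, rule, now):
    """Return the action due for one record, or None if it may still be kept."""
    if rec.status != "live":
        return None
    if rec.purpose_ended_at and now - rec.purpose_ended_at >= rule.keep_after_purpose_end:
        return rule.action
    if rule.inactivity_limit and now - rec.last_active_at >= rule.inactivity_limit:
        return rule.action
    return None


def apply(rec, action):
    if action == "delete":
        rec.fields = {}
        rec.status = "deleted"
    elif action == "anonymise":
        rec.fields = {k: v for k, v in rec.fields.items() if k not in PII_FIELDS}
        rec.principal_id = "anon"
        rec.status = "anonymised"


def run_retention(records, now, rules=RULES):
    """The scheduled job: evaluate every record, act, and return an audit list."""
    audit = []
    for rec in records:
        action = decide(rec, rules[rec.purpose], now)
        if action:
            before = rec.principal_id
            apply(rec, action)
            audit.append((before, rec.purpose, action))
    return audit


def sample_records(now):
    """Constructed records: one overdue marketing row, one fresh, one ended
    analytics purpose past its grace period, one KYC row inside its hold."""
    return [
        DataRecord("u-1", "marketing", {"name": "A", "phone": "9xxxxxxxxx"}, None,
                   now - timedelta(days=400)),
        DataRecord("u-2", "marketing", {"name": "B", "phone": "9xxxxxxxxx"}, None,
                   now - timedelta(days=10)),
        DataRecord("u-3", "analytics", {"name": "C", "email": "c@example", "screens": 42},
                   now - timedelta(days=45), now - timedelta(days=45)),
        DataRecord("u-4", "kyc", {"name": "D", "pan": "XXXXXXXXXX"},
                   now - timedelta(days=30), now),
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    recs = sample_records(now)
    for entry in run_retention(recs, now):
        print(entry)
```

The audit list is what makes backup retention governable separately: it doubles as a deletion log that can be replayed against a restored backup, so a restore does not quietly resurrect records the job already removed.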
Trigger definitions (unauthorised access, data exfiltration, accidental disclosure), 72-hour internal escalation playbook, draft notification templates for Data Protection Board and affected data principals, log of every triggered breach for audit.
Admin dashboard for the DPO — pending data principal requests, retention engine status, breach log, consent metrics, third-party processor list — exportable for Data Protection Board enquiry.
Tag every data flow with destination country and processor name. Block flows to restricted countries when the Government notifies the list. SCC / DPA templates for processors that need them.
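An added example of the flow register described above (not Big Helpers' code): every outbound flow is tagged with its processor and destination country, the register can be re-evaluated the moment a restricted-country list is notified, and a gate at the point of egress refuses a transfer to a restricted destination. The processors, countries and the restricted list passed in are constructed; no country is actually on any notified list here.

```python
"""Cross-border data-flow register with a restricted-destination gate.
Added example; processors, countries and the restricted list are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataFlow:
    name: str
    processor: str
    destination_country: str        # ISO 3166-1 alpha-2
    data_categories: frozenset
    has_dpa: bool                   # signed data processing agreement on file


# Constructed register for a typical stack.
FLOWS = [
    DataFlow("transactional-email", "example-mailer", "US", frozenset({"email", "name"}), True),
    DataFlow("cdn", "example-cdn", "US", frozenset({"ip"}), False),
    DataFlow("analytics", "example-analytics", "SG", frozenset({"device_id", "behaviour"}), True),
    DataFlow("core-db", "self-hosted", "IN", frozenset({"all"}), True),
]


def evaluate_flows(flows, restricted_countries):
    """Re-run whenever the restricted list changes.
    Returns (allowed flow names, blocked flow names, offshore flows lacking a DPA)."""
    allowed, blocked, needs_dpa = [], [], []
    for f in flows:
        if f.destination_country in restricted_countries:
            blocked.append(f.name)
            continue
        allowed.append(f.name)
        if f.destination_country != "IN" and not f.has_dpa:
            needs_dpa.append(f.name)
    return allowed, blocked, needs_dpa


def gate_transfer(flow, restricted_countries):
    """Call at the point of egress: refuse instead of sending to a restricted destination."""
    if flow.destination_country in restricted_countries:
        raise PermissionError(f"{flow.name}: transfer to {flow.destination_country} is restricted")
    return True


if __name__ == "__main__":
    # Constructed scenario: the list is empty today, then one country is notified.
    print(evaluate_flows(FLOWS, set()))
    print(evaluate_flows(FLOWS, {"SG"}))
```

Keeping the register as data rather than scattered configuration is what lets the engineering team answer "what breaks if country X is restricted tomorrow" in seconds, and it is the same list the DPO dashboard exports for a Board enquiry.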
Plain-language privacy notice that ticks every section 5 box — purposes, processors, rights, contact, grievance officer, DPO. Versioned, with publication history and a change-log visible to data principals.
We map every personal-data field your application touches. Score against DPDP sections 4-13 and the Draft Rules 2025. Deliver a 12-15 page gap report with severity-ranked findings and a fix-plan with timeline + cost estimate.
Rewrite the privacy notice in plain Hindi + English (and regional language if relevant). Replace pre-ticked / buried consent with explicit, granular consent capture. Generate consent receipt template.
Build access, correction, erasure, and grievance endpoints — both user-facing and DPO admin. Identity verification flow. Audit log of every request.
Per-purpose retention job. Backup retention policy. Breach trigger definitions, internal escalation playbook, notification template, breach log.
DPO dashboard. Updated DPA with each third-party processor (Razorpay, AWS, Twilio, etc.). Cross-border transfer log.
Run a simulated data principal request and a simulated breach end-to-end with your team. Fix gaps. Hand over runbook + training to your DPO and IT cell.
Indicative range: ₹40,000 to ₹4,00,000 (excl. GST). Final estimate after a free 30-min scoping call.
Draft Rules 2025 published, consultation closed, final notification expected. We update our reference checklist every time MeitY or the Data Protection Board moves. Your build doesn't go stale.
Most DPDP advisors deliver a slide deck. We deliver code, endpoints, runbooks, and a tabletop test. The privacy team and the engineering team get the same artefacts.
We're not selling you a US-shaped GDPR retrofit. DPDP is a different statute with different definitions (data fiduciary vs controller, data principal vs data subject) and we build to it, not to GDPR with a sticker.
Section 5 requires the data principal to understand. We test consent text against actual users — typically with a kirana-shop owner or rickshaw driver — and rewrite until they get it. Lawyer-speak fails the comprehension test.
For SMEs that don't yet need a full-time DPO but need one on paper, we provide a fractional DPO service — registered identity, monthly review, response support for data principal requests and Board enquiries.
CIN U72200MP2008PTC021190. We sign DPAs in our own legal name. We carry professional indemnity insurance. Your procurement team has someone real to contract with.
Note: illustrative example — not a specific client engagement.
A Mumbai-based fintech serving roughly 180,000 users had grown out of an unstructured consent flow — a single "I agree to terms" checkbox at signup that bundled marketing, KYC processing, sharing with credit bureau, and analytics. Their existing privacy policy was a 2019 GDPR template. They had no endpoint for users to request deletion, no defined breach process, and no DPO. The CISO and the legal team had been arguing about ownership for 9 months while the Draft DPDP Rules 2025 consultation closed.
Six-week DPDP retrofit. Week 1-2: gap audit, found 47 distinct issues including a logging system that stored phone numbers in clear text. Week 2-3: consent rebuild — separate granular consent for each of the 6 processing purposes, with a clear withdrawal toggle in the user dashboard, consent receipt by SMS + email. Week 3-4: data principal rights — access, correction, erasure endpoints, with OTP-based identity verification. Week 4-5: retention engine, breach playbook, DPO dashboard. Week 6: tabletop test of a simulated breach + a simulated erasure request. New privacy notice in English + Hindi + Marathi. Cross-border data flow log identified two SaaS processors needing DPA renewal.
All 47 gap-audit findings closed. Time-to-respond on a sample erasure request was 3 days (well inside the prescribed window). The CISO presented the artefacts to the board and got sign-off in one meeting (previously stalled for 9 months). Total engagement cost: about ₹3.2 lakh including the gap audit. The DPO retainer continued at ₹18,000/month for ongoing oversight.
The Digital Personal Data Protection Act 2023 is India's first comprehensive personal data protection law. It applies to any business that processes personal data of Indian residents, whether the business is in India or abroad. Key obligations: lawful basis (mostly consent, with some legitimate uses), notice, data principal rights, retention limits, security safeguards, breach notification, and a Data Protection Officer for Significant Data Fiduciaries. Penalties go up to ₹250 crore for serious breaches, decided by the Data Protection Board.
The Rules operationalise the Act — they specify timelines, formats, what counts as 'verifiable parental consent', how breach notifications must be filed, what records a data fiduciary must keep, how to handle Significant Data Fiduciary classification, and so on. Drafted by MeitY; the public consultation closed in early 2025. Final notification expected through 2025-2026. Our reference checklist tracks the latest published version, and we redraft your artefacts when the final Rules are notified.
If you decide why and how the personal data is processed, you're a Data Fiduciary (similar to a controller under GDPR). If you only process on behalf of someone else under their instructions, you're a Data Processor. Most product companies are Data Fiduciaries. Most B2B SaaS companies are Data Processors for their customers and Data Fiduciaries for their own users (signups, billing). We help you figure this out in the gap audit — it changes which obligations apply.
Mandatory for Significant Data Fiduciaries (a category the Government will notify based on volume, sensitivity, risk). Recommended for everyone else handling personal data at meaningful scale. We can build the DPO module and provide a fractional DPO under our retainer (₹18,000-35,000/month depending on scope). For sensitive sectors (healthcare, fintech, children's services), a full-time in-house DPO is the right call.
DPDP allows transfer of personal data outside India except to countries the Central Government will notify on a restricted list. The list is not yet published. We tag every cross-border data flow in your stack (CDN, email service, analytics, cloud hosting, etc.) so you can react quickly when the list comes. For sensitive categories, on-shore processing is the safer default.
They are independent statutes — for an Indian user, DPDP applies; for an EU user, GDPR applies; for an Indian user living in the EU, both may apply depending on the processor's location and target market. The good news: a GDPR-compliant baseline gets you about 70% of DPDP, and a DPDP-compliant baseline gets you about 60% of GDPR. We build with both maps in front of us when relevant.
The Draft Rules 2025 require notification to the Data Protection Board and affected data principals 'as soon as possible' once a breach is known, with detailed information within 72 hours. Our build includes the trigger definitions, the internal 72-hour escalation playbook, and the notification templates — and we run a tabletop test before handover so your team has done it once before the real thing.
No. Any business that processes personal data of Indian residents is in scope — your CRM, your HR system, your loyalty program, your CCTV footage with faces, your marketing list, your customer-support recordings. If it identifies a person, it counts. The compliance bar scales with sensitivity and volume, but the baseline (notice, consent, rights, retention, breach process) applies to almost everyone.
Yes. The gap audit is a stand-alone engagement — ₹40,000-80,000 depending on application size, 1-2 weeks, delivers a 12-15 page report with severity-ranked findings, a fix-plan with timelines, and a cost estimate. About 40% of our gap-audit clients then choose to do the retrofit with us; the rest take the report to their in-house team or another vendor. Either way, you walk out knowing where you stand.
Talk to a senior engineer in 24 hours — no juniors, no sales reps, no jargon. Just a clear scope, an honest estimate, and a build plan.