DPDP Act 2023 Compliance in ERPNext
The Digital Personal Data Protection Rules 2025 were notified on 13 November 2025. Indian companies have until 13 May 2027 to operationalise full compliance, with penalties up to Rs. 250 crore for security failures and Rs. 200 crore for failing to notify a breach within 72 hours. ERPNext is not a DPDP product, but it has more native capability than most teams realise. This is a practitioner's guide to building a defensible DPDP posture inside ERPNext.
Key facts at a glance
| DPDP Act 2023 notified | 11 August 2023 |
|---|---|
| DPDP Rules 2025 notified | 13 November 2025 |
| Phase 1 (effective immediately) | DPBI setup, definitions, procedural rules |
| Phase 2 (effective 13 November 2026) | Consent Manager registration framework |
| Phase 3 (effective 13 May 2027) | Full substantive compliance |
| Maximum penalty (security failure) | Rs. 250 crore |
| Penalty (failure to notify breach) | Rs. 200 crore |
| Penalty (children-related violations) | Rs. 200 crore |
| Penalty (SDF additional obligations) | Rs. 150 crore |
| Other violations | Up to Rs. 50 crore |
| Breach notification timeline | Without delay (initial) + 72 hours (detailed) |
| Data principal request response | Within 90 days |
| Access log retention (minimum) | 1 year |
1. What's New: DPDP Act + Rules and the May 2027 Deadline
The Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023, marking the end of a six-year journey to create India's first standalone data protection framework. For more than two years after, the Act sat largely dormant because the operational rules had not been notified. <strong>That changed on 13 November 2025</strong>, when the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules 2025 along with the enforcement timelines and the establishment of the Data Protection Board of India.
1.1 The three-phase enforcement timeline
| Phase | Effective date | What activates |
|---|---|---|
| Phase 1 | 13 November 2025 | Data Protection Board of India established. Procedural rules: definitions, conflicts with other laws, bar of civil court jurisdiction. |
| Phase 2 | 13 November 2026 | Consent Manager registration framework. Eligibility: Rs. 2 crore net worth, India-incorporated company, certified platform interoperability. |
| Phase 3 | 13 May 2027 | Full substantive compliance. Privacy notices, consent, security safeguards, breach notification, data principal rights, SDF obligations, children's data, cross-border transfers. |
1.2 Why companies cannot wait until 2027
The May 2027 date is the deadline for being compliant, not the starting line. Three reasons companies that wait until late 2026 will be in trouble.
<strong>First, the Data Protection Board is already operational.</strong> While most enforcement powers come into force in Phase 3, the Board can already register Consent Managers and handle complaints from Phase 2 onwards. Companies named in early complaints will be the test cases when enforcement begins. The reputational hit comes before the financial penalty.
<strong>Second, DPIA and data audit obligations for SDFs are tied to the notification date.</strong> Rule 13 requires Significant Data Fiduciaries to conduct a DPIA and data audit yearly from 13 November 2025 (or from date of designation, if later). Companies likely to be designated SDFs cannot afford to be unprepared.
<strong>Third, ERPNext consolidation projects take 12 to 18 months.</strong> Starting that work in Q3 2026 leaves no margin to fix mistakes before May 2027.
2. Who Needs to Comply, and What the Penalties Look Like
The Act does not exempt small companies. Any organisation that determines the purpose and means of processing digital personal data is a Data Fiduciary. Companies that process data on behalf of a Data Fiduciary are Data Processors. Significant Data Fiduciaries face additional obligations and are designated by the Central Government.
2.1 The penalty structure
| Maximum penalty | Section | What it covers |
|---|---|---|
| Rs. 250 crore | Section 8(5) | Failure to implement reasonable security safeguards |
| Rs. 200 crore | Section 8(6) | Failure to notify Board or data principals of a breach |
| Rs. 200 crore | Section 9 | Non-compliance with special provisions for children |
| Rs. 150 crore | Section 10 | Failure to fulfil additional SDF obligations |
| Rs. 50 crore | Catch-all | Any other violation by a Data Fiduciary |
| Rs. 10,000 | Section 15 | Failure to observe duties of a Data Principal |
Penalties are flat ceilings (not turnover-linked like the GDPR), imposed per instance of contravention, so multiple breaches stack.
2.2 Significant Data Fiduciaries
The Central Government will designate certain organisations as SDFs based on volume and sensitivity of data, risk to rights of data principals, and effects on State security. Once designated, SDFs must:
- Appoint a Data Protection Officer (DPO) based in India.
- Appoint an independent Data Auditor.
- Conduct yearly DPIA and data audit from 13 November 2025 or date of designation.
- Adopt privacy-enhancing techniques.
2.3 The CERT-In overlap
CERT-In directives of April 2022 already require organisations to report cyber incidents within 6 hours. The DPDP framework requires breach notification to the Board within 72 hours. <strong>For personal data breaches that are also cyber incidents (which is most breaches), both timelines apply.</strong>
3. The Eight DPDP Obligations Mapped to ERPNext
The DPDP Act and Rules together impose eight categories of obligation on Data Fiduciaries. Some are native in ERPNext, some need configuration, and some need a thin custom Frappe app.
| DPDP obligation | Section / Rule | ERPNext capability |
|---|---|---|
| Privacy notice | Section 5, Rule 3 | Custom doctype Privacy Notice with versioning, language, purpose |
| Consent capture and management | Section 6, Rule 4 | Custom doctype Consent Record; integration with Consent Manager (Phase 2) |
| Lawful basis (legitimate use) | Section 7 | Configure Customer Group / Employment Type to flag the legitimate use category |
| Data principal rights | Sections 11-14, Rules 13-14 | Native Personal Data Download Request + Personal Data Deletion Request |
| Reasonable security safeguards | Section 8(5), Rule 6 | Role Permissions, 2FA, encrypted DB, India region hosting |
| Breach notification | Section 8(6), Rule 7 | Custom Incident Response Workflow with 6-hour CERT-In and 72-hour DPBI escalation |
| Children's data | Section 9, Rule 10 | Age verification flag; verifiable parental consent via DigiLocker |
| Cross-border data transfer | Section 16 | System Settings: India region hosting; document data residency |
4. Personal Data Inventory: Where the Data Actually Lives in ERPNext
4.1 Doctypes that hold personal data
| Doctype | Personal data fields | Sensitivity |
|---|---|---|
| Customer | Name, email, phone, address, GSTIN, PAN, billing | Medium |
| Lead | Name, email, phone, company, source | Low |
| Supplier | Vendor contact, GSTIN, PAN, bank account | Medium |
| Employee | Full HR record: name, DOB, family, salary, PAN, Aadhaar, bank, medical | High |
| Salary Slip | Salary, deductions, taxes, bank account | High |
| Patient (Healthcare) | DOB, gender, medical history, allergies, ABHA ID | Very high (sensitive) |
| User | Username, email, full name, login history | Medium |
| Communication | Email content, attachments | Medium to high |
| File | Uploaded files (KYC docs, contracts, ID proofs) | High |
| Activity Log / Access Log | User actions, IP, timestamps | Medium |
4.2 The data inventory exercise
- List every active doctype that contains personal data.
- Identify the data fields that constitute personal data; annotate sensitivity.
- Identify the source (collected directly, derived, third-party).
- Document the lawful basis (consent, legitimate use, statutory mandate).
- Document the purpose, retention period, and erasure trigger.
- List internal recipients (which roles) and external recipients (vendors, statutory bodies).
- Produce a Record of Processing Activities (ROPA). This is your DPDP audit evidence.
4.3 The role of the Role Permissions Manager
DPDP requires that personal data is accessible only to those who need it for the documented purpose. ERPNext's Role Permissions Manager is the system-level enforcement of this principle.
Example: a payroll executive's permissions under DPDP
- Employee doctype: Read + Write on basic fields; no access to Salary or Family Members fields (Field Level Permission).
- Salary Slip: Read + Write + Print, but only for assigned employees (User Permission filter on Department).
- Salary Component: Read only.
- Activity Log, Personal Data Download Request, Personal Data Deletion Request: no access. Only the DPO role.
5. Consent Capture and the Consent Register
Consent is the dominant lawful basis under DPDP. Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. <strong>Generic terms-and-conditions acceptance does not satisfy this.</strong> Withdrawal of consent must be as easy as giving it.
5.1 The privacy notice requirement
Rule 3 requires every Data Fiduciary to issue a privacy notice in clear and plain language at the point of personal data collection. The notice must specify what data is collected, the purpose, the methods to exercise data principal rights, and the process for filing complaints with the DPBI. Available in English and any of the 22 scheduled languages.
5.2 The Consent Record doctype
| Field | Type | Purpose |
|---|---|---|
| data_principal | Dynamic Link | Customer / Lead / Patient / Employee |
| privacy_notice_version | Link | Which version was shown |
| purpose | Select (multiple) | Order fulfilment, marketing, payroll, etc. |
| consent_status | Select | Given / Withdrawn / Expired |
| consent_method | Select | Web form / Portal / Email / Paper |
| consent_evidence | Attach | Screenshot, signed form, log entry |
| ip_address | Data | Where digitally captured |
| language | Select | Which language was used |
| withdrawal_date | Datetime | When consent was withdrawn |
5.3 Consent withdrawal channels
- Customer Portal: Manage My Consent page with Withdraw button.
- Email: one-click unsubscribe link in marketing emails.
- DPO email channel: data principals can email withdrawal requests.
- On withdrawal: Notification to DPO and Workflow triggers data minimisation check.
5.4 Phase 2: Consent Manager integration
From 13 November 2026, registered Consent Managers will operate as intermediaries with Rs. 2 crore minimum net worth and platform interoperability certification. They give data principals a single dashboard to manage consents across all Data Fiduciaries. ERPNext implementations will integrate via a thin Frappe app exposing consent grant, withdraw, and verify endpoints. For mid-market companies, this is a Q1 2027 implementation activity.
6. Data Principal Rights: Access, Correction, Erasure, Portability
Sections 11 to 14 grant four core rights: access, correction and erasure, grievance redressal, nomination. Rule 13 sets the response timeline at <strong>90 days</strong>.
6.1 Right to access (Section 11)
ERPNext's native Personal Data Download Request workflow handles this elegantly. The data principal logs in, requests their data, verifies via email, and receives a JSON download.
- Data principal navigates to {host}/request-data and submits with their email.
- ERPNext sends an email with a verification link.
- On verification, the request is recorded in the Personal Data Download Request doctype.
- ERPNext compiles personal data from User, Customer, Contact, Address, Communication, Lead into JSON.
- Time-limited download link is emailed to the data principal.
<strong>Configuration to make this DPDP-ready:</strong> Extend the JSON export to include data from custom doctypes (Patient, customer-specific records). Set 90-day SLA via Website Settings. Build a notification rule that escalates at day 75.
6.2 Right to correction (Section 12)
Build a Correction Request doctype: <code>data_principal</code> (Dynamic Link), <code>field_to_correct</code>, <code>current_value</code>, <code>requested_value</code>, <code>supporting_evidence</code> (Attach), <code>status</code>. Workflow: Pending Verification → Pending Approval → Approved (apply correction) → Completed.
6.3 Right to erasure (Section 12)
ERPNext's native Personal Data Deletion Request workflow handles this with status states: Pending Verification → Pending Approval → On Hold / Deleted.
6.4 Right to portability and grievance redressal
The JSON export from Personal Data Download is portable: structured, machine-readable, transferable to another Data Fiduciary. For grievance redressal (Section 13), use ERPNext's Issue / Helpdesk doctype as the data privacy channel with auto-assignment to the DPO role and a 90-day SLA.
6.5 Data Principal Request Register
DPDP audits will ask: how many access, correction, and erasure requests did you receive last quarter? How many were closed within SLA? Build a Data Principal Request Register custom doctype that consolidates all requests into one auditable view.
7. Breach Detection and the 72-Hour Notification Runbook
Breach notification is the highest-stakes DPDP capability. Section 8(6) penalises failure to notify at up to <strong>Rs. 200 crore</strong>. Critically, the Rules contain <strong>no de minimis threshold</strong>: every personal data breach is reportable, regardless of severity.
7.1 The dual notification timeline
| Recipient | Timeline | What is reported |
|---|---|---|
| CERT-In (under IT Act) | Within 6 hours of becoming aware | Cyber incident details: nature, vector, systems, IOCs |
| Affected Data Principals | Without delay (initial) | Plain language: nature, data exposed, protective steps, contact |
| Data Protection Board | Without delay (initial) | Nature, extent, timing, location, likely impact |
| Data Protection Board | Within 72 hours (detailed) | Facts and causes, mitigation, parties responsible, prevention, summary of notifications |
7.2 Incident Response Record doctype
- incident_id, discovery_datetime, incident_type, severity
- data_categories_affected, data_principals_count
- is_personal_data_breach, is_cyber_incident (trigger respective workflows)
- cert_in_notification_sent, dpbi_initial_notification_sent
- dpbi_detailed_report_sent (72-hour deadline auto-tracked)
- data_principals_notified, root_cause, remediation_actions
7.3 The drill matters more than the doctype
Building the doctype is the easy part. The hard part is muscle memory. <strong>Run a tabletop exercise quarterly:</strong> simulate a breach scenario, walk the team through the runbook, time the response, identify gaps. Most companies find that their first real breach happens at 11 pm on a Friday, and the runbook only works if people know it cold.
8. Security Baseline: Access, Encryption, Logging, Backup
Section 8(5) requires Data Fiduciaries to implement reasonable security safeguards. Rule 6 makes this concrete: encryption and masking, access control, access logging and monitoring, data backup, detection of unauthorised access. Access logs must be retained for at least 1 year.
8.1 The Rule 6 minimum security baseline
| Rule 6 requirement | ERPNext implementation |
|---|---|
| Encryption and masking | Frappe Cloud encrypts data at rest by default (AES-256). Field Level Permission masks sensitive fields. |
| Access control | Role Permissions Manager: granular per role per doctype, with Field Level and User Permission overlays. |
| Access logging and monitoring | Activity Log records every read and edit. Access Log records every login. Both retained for minimum 1 year. |
| Data backup | Frappe Cloud daily backup with 30-day retention. Self-hosted: configurable cron-based backup to S3 or Dropbox. |
| Detection of unauthorised access | 2FA mandatory for high-privilege roles. Failed login lockout. Notification rules for anomalous access. |
| Recovery from breach | Database restore from backup. Frappe Cloud RTO typically under 4 hours for India region. |
8.2 India region hosting and cross-border transfers
Section 16 allows the Central Government to restrict cross-border transfer of personal data. Document the basis for any cross-border transfer. The simplest compliance posture is to host ERPNext in India region.
8.3 Hosting options for DPDP-compliant data residency
- Frappe Cloud Mumbai region: official managed hosting, India region, daily backup, 2FA available.
- AWS Mumbai (ap-south-1) or Azure India South: self-hosted on Indian cloud regions.
- On-premise: full control but full responsibility for security, backup, DR, and patching.
- Avoid: hosting in non-India regions for Indian operations.
8.4 The vendor and Data Processor obligation
Under Section 8(1), the Data Fiduciary remains liable for compliance even when processing is undertaken by a Data Processor. Rule 6(f) requires that contracts with Data Processors include appropriate security safeguard provisions.
9. 12-Month Implementation Roadmap to 13 May 2027
Phase 1, Months 1-3: Diagnostic and Baseline
- Constitute DPDP Steering Committee with CEO, CFO, IT Head, HR Head, Legal.
- Appoint a DPO or DPDP Lead.
- Conduct personal data inventory across all ERPNext doctypes.
- Document the Record of Processing Activities (ROPA).
- Audit Role Permissions; reduce over-broad assignments.
- Mandate 2FA for high-privilege roles.
Phase 2, Months 4-6: Security and Breach Response
- Implement Rule 6 minimum security baseline.
- Build the Incident Response Record doctype with Workflow.
- Document the breach response runbook with CERT-In 6-hour and DPBI 72-hour timelines.
- Run the first tabletop exercise.
- Update Data Processor contracts with Rule 6(f) clauses.
Phase 3, Months 7-9: Consent and Data Principal Rights
- Build the Privacy Notice doctype; publish on Customer Portal, web forms, Patient Portal, Employee onboarding.
- Build the Consent Record doctype.
- Configure Personal Data Download/Deletion Request with 90-day SLA.
- Build Correction Request doctype and Workflow.
- Build Data Principal Request Register.
Phase 4, Months 10-12: Stabilisation and Audit
- Run a mock DPDP audit; close gaps.
- Run second tabletop breach exercise.
- Begin Consent Manager API integration once Phase 2 stabilises.
- For SDFs: complete first formal DPIA and data audit.
- Brief the board on DPDP posture before 13 May 2027.
10. Frequently Asked Questions
When does the DPDP Act actually take effect?
The DPDP Rules 2025 were notified on 13 November 2025. Phase 1 took effect immediately (Data Protection Board, definitions). Phase 2 takes effect 13 November 2026 (Consent Manager registration). Phase 3 takes effect 13 May 2027 (full substantive obligations). The 13 May 2027 date is the deadline for being compliant, not the start date for caring about it.
Does the DPDP Act apply to small companies?
Yes. The Act applies to every Data Fiduciary processing digital personal data of individuals in India, regardless of company size. There is no small-business exemption. A 50-person startup is subject to the same substantive obligations as a 5,000-person company. Some additional obligations apply only to designated Significant Data Fiduciaries.
What are the penalties under DPDP?
Up to Rs. 250 crore for failure to implement reasonable security safeguards. Rs. 200 crore for failure to notify a breach. Rs. 200 crore for children-related violations. Rs. 150 crore for SDF additional obligations. Rs. 50 crore for any other violation. Penalties apply per instance of contravention.
Is consent the only lawful basis for processing under DPDP?
Consent is the dominant basis, but Section 7 provides legitimate uses where consent is not required: employer processing for HR, performance of contract, compliance with legal obligation, medical emergency, State services. Marketing and most commercial purposes still require explicit consent.
What is a Significant Data Fiduciary?
An SDF is a Data Fiduciary designated by the Central Government based on volume and sensitivity of data, risk to data principals, effects on electoral democracy, and State security. SDFs face additional obligations: DPO based in India, independent Data Auditor, yearly DPIA and data audit.
Does ERPNext have native DPDP capabilities?
Several. Personal Data Download Request and Personal Data Deletion Request are native doctypes for the right to access and right to erasure. Role Permissions Manager handles data minimisation. Two-Factor Authentication, Activity Log, Access Log, encrypted database at rest, and Frappe Cloud India region hosting cover the security baseline. The remaining 30 percent (privacy notice, consent record, correction request, breach incident workflow) requires a small custom Frappe app.
What is the breach notification timeline?
Notification to the DPBI must be without delay (initial intimation) with a detailed report within 72 hours of becoming aware. Affected data principals must be notified without delay. CERT-In separately requires notification within 6 hours of discovery for cyber incidents. Both timelines apply to most personal data breaches.
Is there a threshold below which breaches don't need to be reported?
No. The DPDP Rules contain no de minimis threshold. Every personal data breach is reportable, regardless of severity, scale, or harm. This is stricter than the GDPR.
How quickly must we respond to data principal requests?
Rule 13 sets the response timeline at 90 days. ERPNext's native Personal Data Download Request and Personal Data Deletion Request workflows can be configured with the 90-day SLA via Website Settings.
Do we need a Data Protection Officer?
Only Significant Data Fiduciaries must appoint a DPO based in India. All other Data Fiduciaries must publish a contact point but this contact does not need to be a formal DPO. For mid-market companies the contact is typically the IT Head or CFO with a documented backup.
How does DPDP interact with sector-specific laws like RBI, IRDAI?
DPDP applies in addition to, not in place of, sector-specific laws. RBI's data localisation for payment data, IRDAI's data protection for insurance, and SEBI's requirements for capital markets continue to apply. Where a sector-specific law is stricter, it prevails. Where DPDP is stricter, DPDP prevails.
What about data we collected before DPDP came into force?
Data collected before 13 November 2025 is also subject to DPDP from Phase 3 onwards. The Rules require Data Fiduciaries to issue retrospective privacy notices. Build this into your privacy notice rollout: existing customers get the notice on their next portal login or transaction.
11. Governance Checklist
For CFOs
- DPDP Steering Committee constituted and meeting quarterly.
- Personal data inventory completed; ROPA documented.
- Penalty exposure modelled (records, categories, Section 8(5) and 8(6) exposure).
- Cyber liability insurance reviewed for DPDP penalty coverage.
- Data Processor contracts updated with Rule 6(f) clauses.
For IT Heads
- Role Permissions audited; over-broad System Manager assignments reduced.
- 2FA mandatory for high-privilege roles.
- Activity Log and Access Log retention configured for minimum 1 year.
- Frappe Cloud India region or self-hosted India region; data residency documented.
- Backup tested with quarterly restore drill.
- Incident Response Record doctype built and tested via tabletop.
For DPOs and DPDP Leads
- Privacy Notice published across all collection points.
- Consent Record doctype operational with capture and withdrawal.
- Personal Data Download/Deletion Request configured with 90-day SLA.
- Correction Request doctype and Workflow operational.
- Data Principal Request Register live with quarterly Steering Committee reporting.
- First mock DPDP audit completed; gaps closed.
Need help with DPDP Act compliance in ERPNext?
Finstein Advizory Service LLP is a Chennai-based DPDP advisory and ERPNext implementation partner. We run a 6-week structured DPDP Readiness Assessment for mid-market Indian companies on ERPNext.
About the Author
Praveen Kumar is the Founder and Managing Director of Finstein Advizory Service LLP, a Chennai-based consulting firm specialising in ERPNext implementation, GST compliance advisory, internal audit, cybersecurity, and AI advisory.
About Finstein
Finstein Advizory Service LLP is an Indian consulting firm offering ERPNext implementation, SAP S/4HANA advisory, HRMS deployment, GST compliance, internal audit, VAPT cybersecurity assessments, and AI advisory.
Image and Source Credits
Images used in this guide are sourced from Frappe documentation and are used under fair-use educational citation.
Disclaimer
This guide reflects ERPNext functionality and DPDP Act regulations as of 2026. It does not substitute for professional legal advice. Last updated: 9 May 2026.
