DPDP Act 2023: The Practical AI Agent Compliance Checklist for Indian Businesses
India’s Digital Personal Data Protection Act, 2023, received Presidential assent on 11 August 2023 and finally became operational when MeitY notified the DPDP Rules 2025 on 13–14 November 2025. Full substantive compliance is mandatory by 13 May 2027. If your business deploys AI agents that touch personal data of Indian residents, this guide covers what you actually need to do—not legal theory, but practical steps.
The penalty framework is tiered by violation type and capped at ₹250 crore per breach. There is no cure period: the Data Protection Board does not give you a grace window to fix non-compliance before penalties are imposed.
Why This Matters Specifically for AI Agents
The DPDP Act governs how “digital personal data” is processed. Every AI agent that handles customer queries, processes employee records, scores leads, or automates HR workflows is a data processing system under this law. The distinction between a traditional SaaS tool and an AI agent is irrelevant to the DPDP Act—if it touches personal data of Indian residents, it must comply.
This is especially relevant because AI agents often process data in ways that are harder to audit than traditional software: they may retain context across conversations, store interaction logs for fine-tuning, or share data with third-party LLM providers whose servers sit outside India. All of these create specific compliance obligations under the DPDP framework.
The Three-Phase Timeline You Need to Know
The DPDP Rules 2025 rolled out implementation in three phases. Understanding where you stand in this timeline is the first step to compliance.
| Phase | Effective Date | What Happens |
|---|---|---|
| Phase I | 13 November 2025 (already in effect) | Data Protection Board of India (DPBI) established and operational, with headquarters in the NCR. Penalty framework activated. Administrative provisions in force. |
| Phase II | 13 November 2026 | Consent Manager registration opens. Only India-incorporated entities with minimum ₹2 crore net worth qualify. Foreign platforms like OneTrust and TrustArc cannot operate as registered Consent Managers. |
| Phase III | 13 May 2027 | Full substantive compliance mandatory. All privacy notices, consent systems, security safeguards, breach protocols, data retention policies, children’s protections, and data principal rights infrastructure must be operational. No grace period. |
Key Roles Under the DPDP Act
The Act defines two primary roles that every business deploying AI agents needs to understand. A Data Fiduciary is the organisation that determines the purpose and means of processing personal data—this is typically your company. A Data Principal is the individual whose data is being processed—your customers, employees, or users. If you use a third-party AI agent vendor, they are a Data Processor acting on your behalf, but the accountability remains with you as the Data Fiduciary.
The government will also designate certain large-scale processors as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process. SDFs face enhanced obligations: appointing a Data Protection Officer based in India, appointing an independent data auditor, and conducting Data Protection Impact Assessments. Indicative thresholds suggest companies processing data of more than 50 lakh users or with annual revenue exceeding ₹250 crore are likely candidates.
The AI Agent Compliance Checklist
1. Map Every Data Flow Your AI Agents Touch
Before anything else, you need a complete inventory of what personal data your AI agents collect, process, store, and transmit. This includes conversation logs, user identifiers, email addresses, phone numbers, location data, behavioural data, and any metadata the agent captures. Map where this data flows: does it stay on your Indian servers? Does it get sent to an LLM API hosted in the US or Europe? Does your vendor retain conversation data for model improvement?
For each data flow, document the lawful basis for processing (consent or legitimate use) and verify that it matches your actual processing activities. This is not a one-time exercise. AI agents evolve, and so do their data handling patterns.
2. Implement DPDP-Compliant Consent Mechanisms
Consent under the DPDP Act is more central than under GDPR. The Act does not recognise “legitimate interests” as a standalone legal basis the way GDPR does, which means explicit consent is required for most processing activities. Your AI agent’s consent flow must meet these requirements:
- Consent must be free, specific, informed, unconditional, and unambiguous
- You cannot bundle consent—conditioning core service access on unrelated data collection is prohibited
- Privacy notices must be available in English or any of the 22 constitutional languages based on the Data Principal’s preference
- Users must be able to withdraw consent as easily as they gave it
- You must maintain auditable records of consent
For AI chatbots and voice agents, this means implementing a clear consent step before the agent begins processing personal data. A disclosure buried in a terms-of-service page that nobody reads does not meet the DPDP standard.
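The consent requirements above (one purpose per consent, withdrawal as easy as granting, an auditable record, and a gate in front of the agent) can be made concrete in code. The following is an added example, not code from this page or from AgentVault; the purpose labels, notice version strings and the `handle_turn` placeholder for the actual agent call are assumptions.

```python
# Added example (not code from the page or from AgentVault): an append-only
# consent ledger that gates an AI agent's processing on purpose-specific
# consent, supports withdrawal that is as easy as granting, and keeps an
# auditable history. Purpose labels, field names and the "notice-v3"
# version string are constructed for illustration.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str           # one purpose per event: consent cannot be bundled
    action: str            # "grant" or "withdraw"
    notice_language: str   # language the notice was shown in (e.g. "hi", "ta")
    notice_version: str    # which privacy-notice text the principal actually saw
    at: datetime


class ConsentLedger:
    """Events are appended, never edited or deleted, so the full history
    (what was consented to, in which language, and when it was withdrawn)
    can be produced on request."""

    def __init__(self):
        self._events = []  # ConsentEvent objects, in arrival order

    def grant(self, principal_id, purpose, notice_language, notice_version, at=None):
        # Exactly one purpose per grant; a caller wanting three purposes
        # must obtain three separate grants.
        self._append(principal_id, purpose, "grant", notice_language,
                     notice_version, at)

    def withdraw(self, principal_id, purpose, at=None):
        # Withdrawal asks for nothing the grant did not: no re-reading
        # of the notice, no extra confirmation fields.
        self._append(principal_id, purpose, "withdraw", "", "", at)

    def _append(self, principal_id, purpose, action, language, version, at):
        self._events.append(ConsentEvent(
            principal_id, purpose, action, language, version,
            at or datetime.now(timezone.utc)))

    def has_active_consent(self, principal_id, purpose):
        """The most recent event for this principal and purpose decides;
        consent for one purpose says nothing about any other purpose."""
        latest = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "grant"

    def audit_trail(self, principal_id):
        """Every consent event for a principal, oldest first."""
        return [asdict(ev) for ev in self._events
                if ev.principal_id == principal_id]


class ConsentRequired(Exception):
    """Raised when the agent is asked to process data without active consent."""


def handle_turn(ledger, principal_id, purpose, user_message):
    """Gate in front of the agent: refuse to process a message unless the
    principal currently holds consent for this specific purpose."""
    if not ledger.has_active_consent(principal_id, purpose):
        raise ConsentRequired(
            f"no active consent for principal={principal_id} purpose={purpose}")
    # Placeholder for the real agent call (assumed).
    return f"processed {len(user_message)} chars for purpose={purpose}"


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("p-001", "support_chat", "hi", "notice-v3")
    print(handle_turn(ledger, "p-001", "support_chat", "order status?"))
    ledger.withdraw("p-001", "support_chat")
    try:
        handle_turn(ledger, "p-001", "support_chat", "order status?")
    except ConsentRequired as e:
        print("refused:", e)
    print(ledger.audit_trail("p-001"))
```

The ledger never overwrites a record, so the withdrawal does not erase the evidence that consent once existed; both events, with the notice language and version, remain available for an audit or a Data Protection Board enquiry.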
3. Build Data Principal Rights Infrastructure
The DPDP Act grants Data Principals several rights that directly affect how AI agents operate:
- Right to Access: Users can request a summary of all personal data being processed and the processing activities performed on it
- Right to Correction and Erasure: Users can request correction of inaccurate data or complete deletion of their data
- Right to Nominate: Users can nominate another person to exercise their rights in case of death or incapacity
- Right to Grievance Redressal: You must provide a mechanism for users to raise complaints, and you must respond within the timeframe specified in the Rules
For AI agents, the Right to Erasure is particularly challenging. If your agent’s conversation logs were used to fine-tune a model, can you actually delete that data from the model weights? You need to have a clear answer to this question, because regulators will ask.
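Below is an added example (not code from this page or from AgentVault) of Right to Access and Right to Erasure handlers over an AI agent's stores. It is written so that an erasure request reports, rather than hides, the case the paragraph above warns about: conversation logs that were already included in a training run. The store layout, dataset names and model version names are constructed for illustration.

```python
# Added example (not code from the page or from AgentVault): Right to Access
# and Right to Erasure handlers over an AI agent's stores. Erasure deletes what
# can be deleted, removes logs from datasets not yet trained on, and reports
# the model versions already trained on them as an unresolved gap. Store
# layout, dataset and model names are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class ConversationLog:
    log_id: str
    principal_id: str
    text: str


@dataclass
class FineTuneDataset:
    name: str
    log_ids: set                      # conversation logs included in this dataset
    trained_model_versions: list = field(default_factory=list)


class AgentDataStore:
    def __init__(self):
        self.logs = {}       # log_id -> ConversationLog
        self.profiles = {}   # principal_id -> identifiers (email, phone, ...)
        self.datasets = {}   # dataset name -> FineTuneDataset

    def access_summary(self, principal_id):
        """Right to Access: what is held about the principal and which
        processing activities have touched it ("support_chat" is an assumed
        activity label for the agent's own conversations)."""
        held_logs = {lid for lid, log in self.logs.items()
                     if log.principal_id == principal_id}
        activities = ["support_chat"] if held_logs else []
        for ds in self.datasets.values():
            if ds.log_ids & held_logs:
                activities.append(f"fine_tuning:{ds.name}")
        return {
            "principal_id": principal_id,
            "identifiers": dict(self.profiles.get(principal_id, {})),
            "conversation_logs": len(held_logs),
            "processing_activities": activities,
        }

    def erase_principal(self, principal_id):
        """Right to Erasure: delete everything keyed to the principal, pull
        their logs out of datasets that have not been trained on yet, and list
        the model versions that were already trained on them. Deletion alone
        does not remove data from model weights, so those entries are the gap
        the compliance team still has to resolve."""
        removed = {lid for lid, log in self.logs.items()
                   if log.principal_id == principal_id}
        for lid in removed:
            del self.logs[lid]
        profile_deleted = self.profiles.pop(principal_id, None) is not None

        unresolved = []
        for ds in self.datasets.values():
            hit = ds.log_ids & removed
            if not hit:
                continue
            ds.log_ids -= hit   # gone before any future training run
            for version in ds.trained_model_versions:
                unresolved.append({"dataset": ds.name,
                                   "model_version": version,
                                   "log_ids": sorted(hit)})
        return {
            "principal_id": principal_id,
            "logs_deleted": len(removed),
            "profile_deleted": profile_deleted,
            "unresolved_model_references": unresolved,
        }


def build_sample_store():
    """Constructed sample data: two principals, one dataset already trained."""
    store = AgentDataStore()
    store.profiles["p-001"] = {"email": "a@example.in"}
    store.profiles["p-002"] = {"email": "b@example.in"}
    for lid, pid, text in [("L1", "p-001", "where is my order"),
                           ("L2", "p-001", "change my address"),
                           ("L3", "p-002", "refund please")]:
        store.logs[lid] = ConversationLog(lid, pid, text)
    store.datasets["ft-2026-q1"] = FineTuneDataset(
        "ft-2026-q1", {"L1", "L3"}, ["support-agent-v4"])
    store.datasets["ft-2026-q2"] = FineTuneDataset("ft-2026-q2", {"L2"})
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.access_summary("p-001"))
    print(s.erase_principal("p-001"))
```

The `unresolved_model_references` list is the honest answer to the question in the paragraph above: it tells you exactly which model versions still embody the principal's data, so the decision (retrain without those examples, retire the version, or document the residual risk) is made explicitly instead of being discovered during an enquiry.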
4. Secure Your AI Agent’s Data Pipeline
The Act requires Data Fiduciaries to implement “reasonable security safeguards” to prevent data breaches. For AI agents, this means:
- Encrypting data in transit between users, your agent, and any third-party APIs
- Implementing access controls so only authorised systems can reach personal data
- Conducting regular security audits of your AI agent’s infrastructure
- Having incident response plans specifically for AI-related data breaches
The average cost of a data breach in India reached ₹22 crore (approximately $2.6 million) in 2025, according to IBM’s reporting. With DPDP penalties reaching up to ₹250 crore on top of that, the financial exposure for an unsecured AI agent deployment is substantial.
5. Handle Children’s Data with Extra Care
The DPDP Act has specific provisions for processing children’s data (anyone under 18). If your AI agent could be used by minors—a customer support chatbot on an e-commerce site, for instance—you must implement verifiable parental consent mechanisms before processing their data. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited.
6. Set Up Breach Notification Protocols
If your AI agent suffers a personal data breach, you must notify both the Data Protection Board and affected individuals. The Rules specify the content and timing of these notifications. Do not wait until a breach happens to figure out your notification process. Have templates, escalation paths, and communication plans ready before you go live.
7. Address Cross-Border Data Transfers
Currently, personal data may be transferred outside India to any country except those the Central Government explicitly restricts. No countries have been added to this restricted list yet. However, for Significant Data Fiduciaries, the government retains the power to mandate localisation of specific data categories. If your AI agent sends data to a cloud-hosted LLM provider outside India, document this transfer and monitor any government notifications about restricted countries.
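The data-flow mapping in step 1 and the cross-border checks in step 7 fit naturally into one register that is re-run whenever an agent or vendor changes. The following is an added example, not code from this page or from AgentVault: the agents, vendors and flow entries are constructed, `RESTRICTED_COUNTRIES` is left empty because no country has been notified, and the `is_sdf` / `localised_categories` parameters model the localisation power described above without assuming any specific mandate.

```python
# Added example (not code from the page or from AgentVault): a data-flow
# register for AI agents with the checks from steps 1 and 7, i.e. every flow
# has a documented lawful basis, and cross-border flows are flagged for
# documentation and re-checked against the government's restricted-country
# list. Agent names, vendors and SAMPLE_FLOWS are constructed placeholders.
from dataclasses import dataclass

LAWFUL_BASES = {"consent", "legitimate_use"}

# Countries the Central Government has restricted transfers to. None has been
# notified yet; this set is where a real notification would be recorded.
RESTRICTED_COUNTRIES = set()


@dataclass
class DataFlow:
    agent: str
    destination: str            # system or vendor receiving the data
    destination_country: str    # ISO 3166-1 alpha-2; "IN" means in-country
    data_categories: list       # e.g. ["email", "conversation_log"]
    purpose: str
    lawful_basis: str = ""      # "consent" or "legitimate_use"; empty = undocumented
    vendor_retains_for_training: bool = False
    encrypted_in_transit: bool = True


def check_flow(flow, restricted=RESTRICTED_COUNTRIES, is_sdf=False,
               localised_categories=()):
    """Return (severity, message) findings for one flow.
    'block' = must not run, 'fix' = gap to close, 'document' = record and monitor."""
    findings = []
    if flow.lawful_basis not in LAWFUL_BASES:
        findings.append(("fix", "no documented lawful basis (consent or legitimate use)"))
    if not flow.encrypted_in_transit:
        findings.append(("fix", "personal data sent without transport encryption"))
    if flow.vendor_retains_for_training:
        findings.append(("fix", "vendor retains data for model improvement; "
                                "needs consent for that purpose and an erasure path"))
    if flow.destination_country != "IN":
        if flow.destination_country in restricted:
            findings.append(("block", f"transfer to restricted country "
                                      f"{flow.destination_country}"))
        elif is_sdf and set(flow.data_categories) & set(localised_categories):
            findings.append(("block", "SDF localisation mandate covers these categories"))
        else:
            findings.append(("document", f"cross-border transfer to "
                                         f"{flow.destination_country}; record it and "
                                         "monitor restricted-country notifications"))
    return findings


def audit_register(flows, **kwargs):
    """Run check_flow over the whole register, keyed by agent -> destination."""
    return {f"{f.agent} -> {f.destination}": check_flow(f, **kwargs) for f in flows}


def worst_severity(report):
    """Single status for a dashboard: the most severe finding across all flows."""
    order = {"block": 3, "fix": 2, "document": 1}
    worst = 0
    for findings in report.values():
        for sev, _ in findings:
            worst = max(worst, order[sev])
    return {3: "block", 2: "fix", 1: "document"}.get(worst, "ok")


SAMPLE_FLOWS = [  # constructed register entries
    DataFlow("support-bot", "crm", "IN", ["email", "order_history"],
             "customer_support", lawful_basis="consent"),
    DataFlow("support-bot", "hosted-llm-api", "US", ["conversation_log"],
             "response_generation", lawful_basis="consent",
             vendor_retains_for_training=True),
    DataFlow("hr-screener", "resume-parser", "IN", ["name", "phone"],
             "recruitment"),   # lawful basis never documented
]

if __name__ == "__main__":
    report = audit_register(SAMPLE_FLOWS)
    for key, findings in report.items():
        print(key, findings or "ok")
    print("overall:", worst_severity(report))
```

Keeping the register as data rather than as a one-off spreadsheet is what makes the "not a one-time exercise" point in step 1 workable: when a vendor changes its retention terms or a country is added to the restricted list, the same check runs again and the affected flows surface immediately.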
What Makes DPDP Different from GDPR
If your organisation already complies with GDPR, you’re partway there, but the DPDP Act has several important differences:
| Area | GDPR | DPDP Act 2023 |
|---|---|---|
| Legal Basis | Six legal bases including legitimate interests | Consent is the primary basis; “legitimate interests” not recognised as standalone |
| Enforcement | Decentralised across 27 national authorities | Single national body (Data Protection Board of India) |
| Penalties | Up to 4% of global turnover or €20M | Up to ₹250 crore per breach (fixed cap, not turnover-based) |
| Data Scope | All personal data (digital and non-digital) | Digital personal data only |
| Language | No multilingual requirement | Privacy notices must be available in 22+ constitutional languages on demand |
| Consent Managers | No equivalent concept | Registered intermediaries with ₹2 crore net worth requirement |
| Children’s Age | Varies by member state (13–16) | Uniformly 18 across India |
A Practical Timeline for Compliance
With the full compliance deadline of 13 May 2027 approximately one year away, here is a realistic action plan:
Now through June 2026: Complete your data mapping audit. Identify every AI agent, chatbot, voice bot, and automated system that processes personal data. Conduct a gap analysis against DPDP requirements. Secure executive sponsorship and budget allocation.
July through December 2026: Redesign privacy notices and implement multilingual support. Build consent management infrastructure. Harden security safeguards. Establish breach notification protocols. Build Data Subject Access Request (DSAR) systems. Begin testing.
January through April 2027: Conduct external audits. Train your team. Finalise documentation. Set up continuous monitoring. Prepare for go-live.
May 2027 onwards: Full compliance is mandatory. Monitor enforcement actions. Maintain breach readiness. Conduct annual reviews. Track any SDF notifications from the government.
Common Mistakes to Avoid
Based on what we’ve seen from organisations preparing for DPDP compliance, these are the most common pitfalls:
Assuming GDPR compliance covers you: It doesn’t. The consent model is fundamentally different, the multilingual requirements are unique, and the Consent Manager framework has no GDPR equivalent.
Ignoring your AI vendor’s data practices: If your AI agent vendor sends data to a US-based LLM provider for model improvement, that’s your compliance problem, not theirs. You are the Data Fiduciary.
Treating compliance as a one-time project: AI agents evolve. Models get updated. Data flows change. You need continuous monitoring, not a checkbox exercise.
Underestimating the multilingual requirement: Serving privacy notices in 22 languages is a genuine operational challenge. Start building this infrastructure early.
Not planning for the Right to Erasure: If you can’t delete a user’s data from your AI system on request, you have a compliance gap that needs closing before May 2027.
Bottom Line
The DPDP Act is not aspirational. It is an enforceable operational requirement with real financial penalties. For businesses deploying AI agents in India, the 13 May 2027 deadline leaves approximately one year to build compliant systems. The organisations that treat this as a strategic priority now will have a genuine competitive advantage over those scrambling to comply at the last minute.
A PwC India survey found that only 16% of Indian consumers currently understand the DPDP law, while more than half remain unaware of their data rights. As awareness grows—and it will—businesses that can demonstrate robust data protection practices will earn the trust that drives long-term customer relationships.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your organisation. AgentVault is not a law firm.
Related reading:
AgentVault Compliance Passport — Check any AI agent’s DPDP readiness score
When AI Agents Go Rogue — 9 real incidents and what Indian businesses should learn
Best AI Agents for Indian Businesses 2026 — Honest reviews with compliance ratings