By the Enterprise Dreamin Editorial Team · Published 2026-07-01 · Last updated 2026-07-01
Disclosure: Enterprise Dreamin is a community publication affiliated with Cloud Compliance / PlumCloud. Every tool here — including Cloud Compliance — is held to the same honest standard, and no vendor paid for placement.
Answer capsule: India's Digital Personal Data Protection (DPDP) Act imposes penalties up to Rs 250 crore (about USD 26 million at mid-2026 rates) for failing to implement reasonable security safeguards. The DPDP Rules 2025 were notified on 14 November 2025, with hard enforcement expected around 14 May 2027. It reaches any company — including US and EU firms — processing the data of people in India. In Salesforce, the controls that matter most are consent capture, DSAR/erasure automation, retention, and sandbox masking.
The number everyone is quoting, and where it actually comes from
The "Rs 250 crore" headline is real, but it applies to one specific failure. Under the Schedule to the DPDP Act, 2023, the maximum penalty of "up to two hundred and fifty crore rupees" attaches to a Data Fiduciary that fails to take reasonable security safeguards to prevent a personal data breach (Section 8(5)). At roughly USD 26 million (Rs 250 crore at the July 2026 exchange rate of about 94.7 rupees to the dollar), it is one of the steepest data-protection caps in the world in absolute terms.
But the Schedule is graduated, and the other tiers matter just as much for a typical Salesforce shop:
- Up to Rs 250 crore — failure to take reasonable security safeguards to prevent a breach.
- Up to Rs 200 crore — failure to notify the Data Protection Board and affected individuals of a breach, and, separately, violations of obligations relating to children's data.
- Up to Rs 150 crore — a Significant Data Fiduciary's breach of its additional obligations (DPIA, audit, algorithmic due diligence).
- Up to Rs 50 crore — any other breach of the Act or Rules (the catch-all that captures most consent, notice, and rights-handling failures).
- Up to Rs 10,000 — breach of a Data Principal's own duties.
These figures are per the Act's Schedule as summarized in dpdpa.com's Schedule breakdown and legal commentary from Shardul Amarchand Mangaldas. Note the asymmetry: the security-safeguards failure and the breach-notification failure are the two most expensive things you can get wrong — and because penalties are assessed per contravention, a single incident that fails both tests can stack. Both are squarely a Salesforce data-security problem.
Why this is not "just an India problem"
The DPDP Act applies extraterritorially. It covers processing of digital personal data outside India if that processing is connected with offering goods or services to individuals in India, per Section 3(b) and the Association of Corporate Counsel's analysis. A foreign entity that offers goods or services to people in India must comply even with no physical presence in the country.
If your Salesforce org holds Contacts, Leads, or Person Accounts for people in India — a common reality for any SaaS company, e-commerce brand, or global enterprise — you are likely a Data Fiduciary under this law, regardless of where your headquarters sits.
The timeline: how much runway you actually have
On 14 November 2025, India's Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules 2025 and brought the Act and the Data Protection Board into force. Enforcement is phased across three notified dates — 14 November 2025, 14 November 2026, and 14 May 2027 — per Shardul Amarchand Mangaldas and India Briefing.
- 14 November 2025 — Rules notified; Board established; primarily procedural provisions (definitions, effective dates, administrative setup) take effect.
- 14 November 2026 — the Consent Manager registration framework becomes operational.
- 14 May 2027 — the end of the roughly 18-month transition. This is the date on which the substantive obligations come into force, including grounds for processing, notice and consent, general obligations of Data Fiduciaries (reasonable security safeguards), Data Principal rights, and breach intimation — and after which the Board can impose the full Schedule penalties, including the Rs 250 crore cap.
That is not a lot of runway for a change that touches consent capture, data retention, breach response, and non-production environments across an org. If you are reading this in mid-2026, you have roughly a year.
The operational obligations that hit Salesforce hardest
Strip away the headline and DPDP compliance becomes a set of concrete, testable controls. Four of them live and die in your Salesforce org.
1. Consent and notice you can prove
Consent under DPDP must be free, specific, informed, unconditional, and unambiguous — and critically, the Data Fiduciary bears the burden of proof. If a Data Principal disputes consent in a proceeding, you must demonstrate that a compliant notice was given and consent was recorded. Withdrawal must be as easy as granting it.
In Salesforce terms, that means an auditable consent record tied to the individual, with timestamps, purpose, and channel — not a boolean checkbox on a Contact that nobody can reconstruct six months later.
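As an added illustration (not code from this article or from any vendor named in it), a platform-neutral Python sketch of the consent record described above: an append-only ledger tied to the individual that stores purpose, channel, notice version and timestamp, so consent status at any past instant can be reconstructed for a proceeding. The record Id, purposes and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d, hh=0, mm=0):
    """Timezone-aware UTC timestamp; naive datetimes are rejected by the ledger."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str    # the Data Principal (e.g. a Contact record Id)
    purpose: str         # the specific purpose this consent covers
    channel: str         # where the grant or withdrawal happened
    action: str          # "grant" or "withdraw"
    notice_version: str  # the notice shown when consent was collected
    at: datetime         # when it happened (UTC)

class ConsentLedger:
    """Append-only: events are added, never updated or deleted, unlike a
    boolean checkbox whose history is lost on every overwrite."""
    def __init__(self):
        self._events = []

    def record(self, event):
        if event.action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        if event.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(event)

    def status_at(self, principal_id, purpose, at):
        """True if consent for `purpose` was in force at `at`, False if it
        had been withdrawn, None if nothing had been recorded by then."""
        relevant = [e for e in self._events
                    if e.principal_id == principal_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return None
        return max(relevant, key=lambda e: e.at).action == "grant"

    def evidence(self, principal_id, purpose):
        """Ordered event chain: what a Fiduciary produces to meet its burden of proof."""
        return sorted((e for e in self._events
                       if e.principal_id == principal_id and e.purpose == purpose),
                      key=lambda e: e.at)

def sample_ledger():
    """Constructed sample: marketing consent granted via a web form, later withdrawn by phone."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("003SAMPLE01", "marketing", "web_form", "grant", "notice-v3", utc(2026, 1, 10, 9, 30)))
    ledger.record(ConsentEvent("003SAMPLE01", "marketing", "support_call", "withdraw", "notice-v3", utc(2026, 3, 2, 14, 5)))
    return ledger
```

A point-in-time query such as `status_at(..., utc(2026, 2, 1))` answers "was consent valid when this e-mail was sent", which the current value of a checkbox cannot.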
2. Data Principal rights, including erasure, on a 90-day clock
Data Principals can access a summary of their data and processing, correct it, erase it, withdraw consent, nominate a representative, and file grievances. Access, correction, and erasure requests, along with grievances, must be addressed within a maximum of 90 days, per the DPDP Rules 2025 guidance from Seclore. Crucially, the Fiduciary must also ensure data held by its Data Processors is erased — which, in a Salesforce estate, includes sandboxes, backups, and connected systems.
This is the DSAR / Right-to-be-Forgotten (RTBF) workflow. We cover the Salesforce mechanics in depth in our guide to Salesforce DSAR and RTBF automation.
3. Breach notification within 72 hours
DPDP Rules 2025 require notifying the Board and affected individuals of a personal data breach: an initial intimation without delay, followed by a detailed report to the Board within 72 hours of awareness (or a longer period if the Board permits), per MediaNama's breakdown. Failure to notify carries the Rs 200 crore tier. Meeting a 72-hour clock requires knowing, quickly, what personal data existed, where, and who was affected — which is a data-discovery and audit-trail problem more than a legal one.
4. Reasonable security safeguards — including non-production data
This is the Rs 250 crore tier, and it is the one most Salesforce teams underestimate. Rule 6 of the DPDP Rules 2025 spells out a baseline of "reasonable" safeguards — encryption, access controls, data masking or anonymisation, access and processing logs retained for a year, incident-response processes, and equivalent contractual safeguards for processors, per the Seclore compliance guide. Those safeguards apply to all copies of personal data, not just production. A refreshed sandbox full of real customer PII, accessible to contractors and offshore developers, is exactly the kind of unguarded copy that turns a minor incident into a Schedule event. With masking named explicitly in Rule 6, masking non-production data is no longer a nice-to-have — it is arguably part of "reasonable safeguards." See our deep dive on sandbox masking on refresh.
Significant Data Fiduciaries (a class the government designates based on data volume and risk) carry extra load: annual DPIAs, annual audits, algorithmic due diligence, and — for data the Central Government specifies — a restriction on transferring it outside India. Note too that under the Rules, only an India-incorporated entity meeting conditions including a minimum net worth of Rs 2 crore can register as a Consent Manager — so the interoperable "Consent Manager" role is not something a foreign vendor can fill for you.
Mapping DPDP controls to your Salesforce toolchain
There is no single "DPDP button" in Salesforce. Compliance is assembled from native platform features plus AppExchange and enterprise tooling. Here is how the realistic options stack up.
Comparison at a glance
- Salesforce Data Mask — native sandbox masking; coarse but included with Shield/Data Mask licensing; the default starting point for non-production PII.
- Salesforce Shield — production-side platform encryption, event monitoring, and field audit trail; strong for "reasonable safeguards" and audit-trail evidence, but it is not masking and not DSAR.
- Salesforce Privacy Center — native DSAR, de-identification, retention, and RTBF policies across CRM and Data Cloud; deepest native fit but a separate paid product.
- Cloud Compliance (PlumCloud) — 100% Salesforce-native managed packages covering masking, retention, DSAR/RTBF, consent, and discovery; strongest when the requirement is "compliance that never leaves the org."
- OneTrust — broadest cross-system privacy/GRC platform with a dedicated India DPDPA module; best for enterprises governing far beyond Salesforce.
- DataGrail — focused, well-regarded DSAR and consent orchestration across your SaaS stack; lighter and more privacy-specific than OneTrust.
- Odaseva — enterprise Salesforce data platform (backup/DR, privacy, masking) for the largest, most regulated orgs; powerful but data leaves the org and pricing runs high.
1. Salesforce Data Mask + Shield (native)
Pros: No third-party vendor to onboard; Data Mask anonymizes sandbox PII on refresh; Shield adds production platform encryption, event monitoring, and Field Audit Trail — directly relevant to the "reasonable safeguards" and breach-evidence tests.
Cons: Shield is encryption, not masking — a common and expensive confusion (we untangle it in Salesforce Shield vs data masking vs retention). Data Mask's transformations are relatively coarse. Neither does DSAR, consent, or retention. Shield is typically priced as a percentage of net Salesforce spend — commonly around 20% for Platform Encryption standalone and up to roughly 30% for the full bundle, per Salesforce Ben — which scales uncomfortably for large orgs.
Verdict: The right baseline for encryption and sandbox masking, but not a complete DPDP answer on its own.
2. Salesforce Privacy Center (native)
Pros: Native DSAR, RTBF, de-identification, and retention policies across CRM and Data Cloud, per Salesforce's Privacy Center page. Deep platform integration and Salesforce-supported.
Cons: A separate paid product on top of your core licenses; strongest inside the Salesforce/Data Cloud boundary and less suited to orchestrating rights requests across a wider SaaS estate.
Verdict: A strong native choice for Salesforce-centric orgs that want first-party rights and retention tooling.
3. Cloud Compliance (PlumCloud)
Pros: 100% Salesforce-native managed packages spanning Sandbox DataMasker, Data Retention Manager, Privacy Rights Automation (DSAR/RTBF), Consent Management, and Personal Data Discovery — all Apex, no external endpoints, so no personal data leaves the org. AppExchange Security Review certified. Pricing is public and caps in five figures: products start from about USD 6.99/user/month, with annual minimums of roughly USD 14,999 (RTBF), USD 19,999 (Data Retention and DataMasker), and USD 29,999 (Consent Management), per its pricing page — versus enterprise privacy platforms whose all-in cost can exceed USD 300,000. For DPDP specifically, the "no data leaves Salesforce" posture also sidesteps a cross-border-transfer question for SDF-designated data.
Cons: Salesforce-only — it does no multi-cloud or cross-system masking the way Odaseva, K2View, or Delphix do (those handle Oracle, Snowflake, SAP, mainframe, and more). It is not a backup/DR platform (that is Own or Odaseva territory). Third-party social proof is thin — low G2 review volume and case studies anonymized by industry. And it does not win generic "best privacy platform" head-term searches against the incumbents.
Verdict: The best fit when the estate is Salesforce-centric and the priority is a native, in-org control set covering masking + DSAR + consent + retention at predictable cost. A poor fit if you need one tool to govern many non-Salesforce systems.
4. OneTrust
Pros: The broadest privacy/GRC platform, with a dedicated India DPDPA compliance module covering consent notices, breach workflows, DPIA automation, and rights requests — across your whole enterprise, not just Salesforce.
Cons: Heavier to implement and price — enterprise deployments commonly run into six figures annually, and quotes are sales-gated (OneTrust pricing overview); overkill if Salesforce is your only material data store; governance happens outside the org.
Verdict: The enterprise choice when DPDP compliance must span dozens of systems and you want a single GRC pane of glass.
5. DataGrail
Pros: Focused, well-regarded DSAR and consent orchestration across a SaaS stack, with a large library of pre-built integrations; lighter and more privacy-native than OneTrust, with strong automation for rights requests.
Cons: Less breadth than OneTrust on GRC/risk; like all external platforms, it operates on data outside Salesforce.
Verdict: A clean fit for privacy teams orchestrating rights and consent across many apps without a full GRC suite.
6. Odaseva
Pros: Enterprise-grade Salesforce data platform combining backup/DR, data privacy, and masking for the largest regulated orgs; deep Salesforce expertise and scale, with 40+ masking patterns.
Cons: Data leaves the org for backup and processing; pricing targets large enterprises (sales-quoted) and runs well above native or AppExchange options.
Verdict: The right call for the biggest, most regulated Salesforce estates that also need backup/DR — and can absorb the cost and the cross-system data flow.
A pragmatic starting checklist
If you own a Salesforce org with any Indian Data Principals, here is a sane order of operations before May 2027:
- Discover the data. Map where personal data of Indian individuals lives — objects, fields, sandboxes, and connected systems.
- Mask non-production. Ensure every sandbox refresh strips or masks real PII. This is the cheapest way to shrink your Rs 250 crore exposure.
- Fix consent and notice. Make consent auditable and withdrawal one-click; keep provable notice records.
- Automate rights and retention. Stand up DSAR/RTBF fulfillment and retention/deletion policies that also reach processors and sandboxes, on the 90-day clock.
- Rehearse breach notification. Build the 72-hour muscle: determine who is affected and what data was involved, then notify the Board and the individuals.
DPDP does not require a specific vendor. It requires demonstrable, auditable controls — and in a Salesforce-centric estate, most of those controls are configuration and tooling decisions you can make now.
For adjacent reading on keeping AI and data secure inside the platform, see securing AI in Salesforce and our roundup of the best Salesforce data-masking tools.
This article is editorial guidance, not legal advice. Penalty figures and dates are drawn from the DPDP Act 2023, the DPDP Rules 2025, and the sources linked above, current as of July 2026; the USD conversion reflects the July 2026 exchange rate and will drift. Confirm your specific obligations with qualified counsel.