India's Digital Personal Data Protection Act 2023 is the most significant privacy law the country has ever passed — and most small businesses are not ready for it. DPDP Act compliance is no longer a future concern. The Act received Presidential assent in August 2023, rules are actively being rolled out, and the government has made clear that enforcement will follow. If your startup or SMB collects, stores, or processes personal data of Indian citizens — even just an email address or phone number — you are already within scope.
This guide cuts through the legal jargon. You will understand what the Act requires, who it applies to, what the penalties look like, and what concrete steps you can take today.
Who Does the DPDP Act Apply To?
The short answer: almost every Indian business with a digital presence.
The Act introduces two key roles. A Data Fiduciary is any entity — company, startup, app, website — that determines the purpose and means of processing personal data. A Data Principal is the individual whose data is being processed (your customer, user, or employee).
If you run an e-commerce store and collect shipping addresses, you are a Data Fiduciary. If you operate a SaaS product and store user emails for login, you are a Data Fiduciary. If you run a healthcare app and store patient information, you are a Data Fiduciary. The threshold is low by design.
The Act also applies to processing personal data outside India if it involves offering goods or services to individuals within India — which pulls in Indian-origin startups operating globally.
There is a carve-out for individuals processing data for personal or domestic purposes, but there is no meaningful exemption for small business size. Volume-based tiering will likely come through subsidiary rules, but the baseline obligations apply broadly.
What the DPDP Act Actually Requires
Consent — the Core Obligation
The Act mandates that personal data can only be processed after obtaining free, specific, informed, and unambiguous consent from the Data Principal. Consent must be obtained through a clear, plain-language notice. Pre-ticked checkboxes, bundled consent, and vague "I agree to terms" language no longer cut it.
Every consent notice must tell the user:
- What personal data is being collected
- The purpose of processing
- How to withdraw consent
- How to raise a grievance
There are limited grounds for processing without consent, called legitimate uses: employment-related processing, medical emergencies, public health, court orders, and a few others. But these are narrow and cannot be stretched to cover routine marketing.
Rights of the Data Principal
Under the DPDP Act, every individual whose data you process has enforceable rights:
- Right to access: Know what data you hold about them
- Right to correction: Fix inaccurate or incomplete data
- Right to erasure: Delete their data if the purpose is fulfilled or they withdraw consent
- Right to grievance redressal: Raise complaints with your company and, if unresolved, with the Data Protection Board of India
- Right to nominate: Appoint someone to exercise their rights in case of death or incapacity
Security and Breach Notification
The Act requires Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. What counts as "reasonable" will be detailed in rules, but expect this to include encryption at rest and in transit, access controls, audit logs, and periodic security assessments.
If a breach occurs, you must notify the Data Protection Board of India (DPBI) and affected Data Principals promptly. The notification must include the nature of the breach, the data affected, and the remedial steps taken. The rules will specify exact timelines, but waiting weeks is not an option — the expectation is rapid disclosure.
Significant Data Fiduciaries — Higher Bar
The government can designate certain entities as Significant Data Fiduciaries (SDFs) based on the volume or sensitivity of data processed, the risk to Data Principals, or national security considerations. SDFs face additional obligations: mandatory Data Protection Impact Assessments (DPIAs), appointment of a Data Protection Officer (DPO), periodic audits, and enhanced accountability requirements.
If your startup processes health data, financial data, or serves a very large user base, watch for SDF designation criteria in the rules.
The Penalty Structure: Why This Is Serious
The DPDP Act's penalty framework is designed to sting even large companies. For Indian SMBs, the numbers are particularly striking.
DPDP Act maximum penalties by violation type (₹ crore, as given in the page's chart):

| Violation | Maximum penalty (₹ crore) |
| --- | --- |
| Failure to implement security safeguards (Section 8(5)) | 250 |
| Failure to notify breach to DPB / Data Principals | 200 |
| Non-fulfilment of SDF obligations | 150 |
| Violation of data processing obligations | 100 |
| Frivolous complaints by Data Principal | 0.1 |
The Data Protection Board of India has the power to investigate complaints, conduct inquiries, and impose these penalties. Appeals go to a dedicated Appellate Tribunal. This is not a toothless regulator — the structure mirrors SEBI's enforcement model, which Indian businesses are already familiar with.
Critically, penalties can be imposed per instance. A single breach affecting 10,000 customers is not automatically treated as one violation — the Board has discretion. For startups with thin balance sheets, even a moderate penalty can be existential.
A Practical DPDP Compliance Checklist
Most Indian SMBs can reach a defensible baseline of DPDP Act compliance with structured effort. Here is a step-by-step path.
Compliance path (Mermaid flowchart source):
graph TD
A[Start: Data Mapping] --> B[Identify all personal data collected]
B --> C[Map data flows: collection → storage → processing → deletion]
C --> D[Consent Audit]
D --> E{Consent mechanisms compliant?}
E -- No --> F[Redesign consent notices and flows]
E -- Yes --> G[Rights Management Setup]
F --> G
G --> H[Build access/correction/erasure request workflow]
H --> I[Security Assessment]
I --> J{Safeguards adequate?}
J -- No --> K[Fix gaps: encryption, access controls, logging]
J -- Yes --> L[Breach Response Plan]
K --> L
L --> M[Draft DPBI notification template]
M --> N[Grievance Officer Appointment]
N --> O[Publish name and contact on website]
O --> P[Staff Training]
P --> Q[Compliant Baseline Achieved]
Q --> R{Designated Significant Data Fiduciary?}
R -- Yes --> S[DPIA + DPO + Audit Program]
R -- No --> T[Monitor rules and maintain posture]

Step 1 — Data Mapping
List every category of personal data your business collects. Include names, emails, phone numbers, device IDs, location data, payment details, health information, and behavioral data. For each category, document: where it is collected, where it is stored, who can access it, how long it is retained, and whether it is shared with third parties (Data Processors).
Step 2 — Consent Audit
Review every point where you collect personal data. Check that a proper consent notice exists in plain language. Ensure users can withdraw consent easily, and that withdrawal triggers actual data deletion or processing cessation — not just an unsubscribe from marketing emails.
Step 3 — Build a Rights Fulfillment Workflow
Define how a user can request access to their data, correct it, or ask for deletion. Set internal timelines. Assign ownership. Test the process with a dummy request. Document it.
Step 4 — Security Assessment
Audit your technical stack for personal data exposure risks. At minimum: Is data encrypted at rest and in transit? Are access controls role-based? Do you have audit logs? When did you last do a security test? An automated VAPT scan can surface gaps in hours, not weeks.
Step 5 — Breach Response Plan
Draft a breach notification template for the DPBI. Define who in your team triggers the response, who signs the notification, and what the internal escalation chain looks like. Practice it before you need it.
Step 6 — Appoint a Grievance Officer
The Act requires you to publish the name and contact details of a Grievance Officer on your website. This person handles Data Principal complaints. For small teams, this is often the founder — but it must be a named, reachable individual.
Step 7 — Train Your Team
Every person who touches personal data needs to understand the basics: what they can and cannot do with customer data, how to handle a data request, and who to escalate a potential breach to. A one-hour session once a year is a starting point.
Common Mistakes Indian SMBs Make
Treating it as a legal-only problem. DPDP compliance is 70% an engineering and operations problem. Your privacy policy is not the product — your data handling system is.
Copying foreign privacy policies. GDPR templates do not map cleanly onto the DPDP Act. The terminology is different, the rights differ in detail, and the consent standards have India-specific requirements. Get advice grounded in the actual Act.
Ignoring Data Processors. If you use third-party services (cloud storage, CRM, analytics tools, payment gateways), you are responsible for ensuring they process data only as instructed. Your vendor contracts need data processing clauses.
No breach plan. Most SMBs discover a breach and then figure out what to do. The DPBI will want to see that you had a plan — and that you executed it promptly.
Waiting for rules to finalize. The Act is law. Core obligations — consent, rights, security, grievance — are already in force in principle. Rules add detail but do not change the direction. Acting now reduces your surface area for penalties.
Frequently Asked Questions
Has the DPDP Act been passed or is it still a bill?
Does the DPDP Act apply to my startup if we have fewer than 10 employees?
What is the difference between a Data Fiduciary and a Data Processor?
What should I do if a user asks me to delete their data?
What is the Data Protection Board of India?
Can I use a foreign privacy policy (like a GDPR policy) to comply with the DPDP Act?
The enforcement window is opening. Whether you are a SaaS startup, an e-commerce business, or a professional services firm with a client database, the cost of getting this wrong — financially and reputationally — outweighs the cost of getting it right. Start with your data map, fix your consent flows, and run a security assessment to close technical gaps. If you want a fast read on where your systems stand from a security and data exposure perspective, Bachao.AI's DPDP compliance tools can help you identify gaps before a regulator does.