What Happened
India's Digital Personal Data Protection Act (DPDPA) came into force on August 4, 2024, and the compliance deadline is now upon us. Unlike previous regulations that were vague or slow to enforce, DPDPA is teeth-and-claw legislation. It applies to every startup, every SMB, and every business handling personal data—which is basically all of us.
The law imposes strict requirements: startups must appoint a Data Protection Officer (DPO), implement consent mechanisms, honor data subject rights, and maintain audit trails. Non-compliance carries penalties up to ₹250 crores or 5% of global annual turnover—whichever is higher. For a ₹100 crore startup, that's a potential ₹5 crore fine.
What's worse? Most Indian startups have no idea what data they're actually holding, where it's stored, who can access it, or how to prove compliance. In my years building enterprise systems for Fortune 500 companies, I've reviewed countless data inventories. The pattern is always the same: startups treat data like water—abundant, flowing everywhere, impossible to track. DPDPA forces you to change that overnight.
Why This Matters for Indian Businesses
Let's be direct: DPDPA isn't a future problem. It's a present problem with enforcement teeth.
The DPDP Act fundamentally shifts burden from users to businesses. You must now:
- Obtain explicit consent before collecting any personal data (name, email, phone, IP address, device ID—all of it)
- Honor data subject rights including the right to access, correction, erasure, and portability within 30 days
- Maintain a Data Protection Impact Assessment (DPIA) for high-risk processing
- Report breaches to CERT-In within 6 hours of discovery (this overlaps with RBI cybersecurity requirements)
- Appoint a DPO if you process data at scale
- Implement data minimization—collect only what you need
- Compliance costs money. A basic DPDP implementation costs ₹2-5 lakhs for small businesses. Larger audits can run ₹10+ lakhs.
- It requires technical infrastructure. You need consent management, audit logging, encryption, and data inventory tools—most startups have none.
- It's legally ambiguous. The DPDP rules are still being clarified. Startups are operating in a gray zone.
- Enforcement is accelerating. CERT-In is already tracking breaches. Data Protection Board notices are coming.
Technical Breakdown: What Compliance Actually Means
Let's break down what DPDPA requires, technically:
```mermaid
graph TD
    A[Data Collection] -->|Consent Required| B[Consent Management]
    B -->|Store Securely| C[Encryption at Rest]
    C -->|Track Access| D[Audit Logging]
    D -->|Breach Detected| E[72-Hour Notification]
    E -->|High Risk| F[CERT-In Alert Within 6 Hours]
    A -->|User Request| G[Right to Access]
    G -->|30 Days| H[Provide Data Export]
    A -->|User Request| I[Right to Erasure]
    I -->|30 Days| J[Delete All Records]
    classDef default fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    classDef danger fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    classDef success fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
```
1. Consent Management
You can't collect data without explicit, informed consent. "Informed" means users must know what data you're collecting and why.
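Behind the form, that consent has to be stored per purpose, tied to the version of the notice the user actually saw, checked at the point of use and withdrawable. As an added example that is not from the original post, a minimal consent ledger in Python; the purpose names and notice version are constructed to match the checkbox names in the form shown next:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

PURPOSES = {"marketing", "analytics", "third_party"}   # constructed: must match the form's checkbox names
NOTICE_VERSION = "privacy-notice-2024-08"              # constructed: bump whenever the notice text changes

@dataclass
class ConsentRecord:
    user_id: str
    purpose: str
    granted: bool
    notice_version: str
    recorded_at: datetime

@dataclass
class ConsentLedger:
    # Append-only history: every grant and withdrawal is a new record, nothing is overwritten
    records: list = field(default_factory=list)

    def record_from_form(self, user_id, form, notice_version=NOTICE_VERSION):
        """Turn a submitted consent form into one record per purpose.
        Only an explicit "on" counts as a grant; a missing box is a refusal. Unknown
        consent_* fields are rejected instead of being silently treated as consent.
        (The server cannot tell a pre-ticked box from a ticked one, so the form itself
        must never pre-check anything.)"""
        valid = {f"consent_{p}" for p in PURPOSES}
        unknown = {k for k in form if k.startswith("consent_")} - valid
        if unknown:
            raise ValueError(f"unknown consent purposes: {sorted(unknown)}")
        now = datetime.now(timezone.utc)
        for purpose in sorted(PURPOSES):
            granted = form.get(f"consent_{purpose}") == "on"
            self.records.append(ConsentRecord(user_id, purpose, granted, notice_version, now))

    def withdraw(self, user_id, purpose):
        """Withdrawal is just another record, so it is as easy as granting."""
        self.records.append(
            ConsentRecord(user_id, purpose, False, NOTICE_VERSION, datetime.now(timezone.utc)))

    def is_permitted(self, user_id, purpose, notice_version=NOTICE_VERSION):
        """Call this at the point of use (before the marketing send, before the analytics
        event): the latest record for the purpose must be a grant under the current notice."""
        latest = next((r for r in reversed(self.records)
                       if r.user_id == user_id and r.purpose == purpose), None)
        return latest is not None and latest.granted and latest.notice_version == notice_version
```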
What this looks like in practice:
```html
<!-- WRONG: Vague consent -->
<input type="checkbox" checked>
<label>I agree to terms and conditions</label>

<!-- RIGHT: Specific, granular consent -->
<fieldset>
  <legend>Data Collection Consent</legend>
  <div>
    <input type="checkbox" name="consent_marketing" id="consent_marketing">
    <label for="consent_marketing">
      I consent to receive marketing emails (Purpose: Email campaigns)
    </label>
  </div>
  <div>
    <input type="checkbox" name="consent_analytics" id="consent_analytics">
    <label for="consent_analytics">
      I consent to analytics tracking (Purpose: Product improvement)
    </label>
  </div>
  <div>
    <input type="checkbox" name="consent_third_party" id="consent_third_party">
    <label for="consent_third_party">
      I consent to share data with partners (Partners: [list])
    </label>
  </div>
</fieldset>
```
2. Data Inventory & Classification
You must know what data you hold. This requires a data mapping exercise:
```bash
#!/bin/bash
# Quick data inventory audit for your infrastructure

# Find database connection strings (then check whether each database uses TLS and encrypted storage)
echo "=== Checking for database connection strings ==="
grep -r "mongodb://" . --include="*.env" --include="*.config"
grep -r "postgresql://" . --include="*.env" --include="*.config"

# Find hardcoded credentials
echo "=== Scanning for exposed secrets ==="
grep -r -i "password\|api_key\|secret" . --include="*.js" --include="*.py" | head -20

# Check file permissions on sensitive data exports
# (the parentheses group the -o alternatives; -print0/-0 keep filenames with spaces intact)
echo "=== Checking file permissions ==="
find . \( -name "*.csv" -o -name "*.xlsx" -o -name "*.json" \) -type f -print0 | xargs -0 ls -la

# Identify cloud storage buckets readable by everyone
# (--output text yields plain bucket names; the JSON array the default output gives cannot be looped over)
echo "=== AWS S3 buckets with public access ==="
for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  echo "Bucket: $bucket"
  aws s3api get-bucket-acl --bucket "$bucket" \
    --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/global/AllUsers`]'
done
```
3. Audit Logging
Every access to personal data must be logged. Who accessed it, when, why, and from where.
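A log also has to be believable when an auditor or the Data Protection Board asks for it: if anyone with write access can quietly edit or delete a line, it proves little. As an added example that is not from the original post, each entry below carries the SHA-256 of the previous entry, so a deleted or altered record is caught by the verifier; the sample entries are constructed:

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # the "previous hash" of the very first entry

def _digest(line: str) -> str:
    return hashlib.sha256(line.encode()).hexdigest()

def append_entry(chain: list, user_id, data_type, action, ip_address, reason, ts=None):
    """Append one access record linked to the hash of the previous line. Returns the new line.
    `chain` is the in-memory list of log lines; in production each line is also written out."""
    prev_hash = _digest(chain[-1]) if chain else GENESIS
    entry = {
        "timestamp": (ts or datetime.now(timezone.utc)).isoformat(),
        "user_id": user_id, "data_type": data_type, "action": action,
        "ip_address": ip_address, "reason": reason,
        "prev_hash": prev_hash,
    }
    # Canonical serialisation so the same entry always hashes the same way
    line = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    chain.append(line)
    return line

def verify_chain(chain: list):
    """Walk the log from the start; return (True, None) if every prev_hash matches,
    otherwise (False, index) for the first entry that breaks the chain."""
    expected = GENESIS
    for i, line in enumerate(chain):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            return False, i
        if entry.get("prev_hash") != expected:
            return False, i
        expected = _digest(line)
    return True, None
```

Chaining detects alteration after the fact; it does not stop someone who can rewrite the whole file, so ship the lines to an append-only store or record the head hash somewhere the writers cannot reach.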
```python
# Example: Audit logging for data access
import logging
import json
from datetime import datetime, timezone

class DataAccessAuditLogger:
    def __init__(self, log_file="data_access_audit.log"):
        self.logger = logging.getLogger("DataAccess")
        # Attach the file handler only once; a second instance would otherwise duplicate every line
        if not self.logger.handlers:
            handler = logging.FileHandler(log_file)
            formatter = logging.Formatter(
                '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
            )
            handler.setFormatter(formatter)
            self.logger.addHandler(handler)
        self.logger.setLevel(logging.INFO)

    def log_access(self, user_id, data_type, action, ip_address, reason):
        """Log when personal data is accessed"""
        audit_entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "data_type": data_type,  # e.g., "customer_email", "payment_info"
            "action": action,        # e.g., "read", "delete", "export"
            "ip_address": ip_address,
            "reason": reason         # e.g., "customer_support_request"
        }
        self.logger.info(json.dumps(audit_entry))

    def log_breach(self, affected_records, breach_type, severity):
        """Log suspected data breach"""
        breach_entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "affected_records": affected_records,
            "breach_type": breach_type,  # e.g., "unauthorized_access", "sql_injection"
            "severity": severity,        # e.g., "critical", "high"
            "action_taken": "CERT-In notification initiated"
        }
        self.logger.error(json.dumps(breach_entry))

# Usage
audit = DataAccessAuditLogger()
audit.log_access(
    user_id="emp_12345",
    data_type="customer_email",
    action="read",
    ip_address="192.168.1.100",
    reason="customer_support_ticket_#5678"
)
```
4. Breach Notification (72 Hours + 6 Hours for CERT-In)
If you detect a breach, you have 72 hours to notify affected users and 6 hours to notify CERT-In (per RBI guidelines).
```bash
#!/bin/bash
# DPDP Breach Response Checklist
echo "=== IMMEDIATE (Within 1 Hour) ==="
echo "[ ] Isolate affected systems"
echo "[ ] Preserve evidence/logs"
echo "[ ] Assemble incident response team"
echo "[ ] Document timeline of discovery"
echo ""
echo "=== CRITICAL (Within 6 Hours - CERT-In) ==="
echo "[ ] Submit incident report to CERT-In"
echo "[ ] Include: affected data types, volume, breach vector, impact"
echo "[ ] Contact details for follow-up"
echo "[ ] Provide evidence of containment"
echo ""
echo "=== HIGH (Within 72 Hours - Users) ==="
echo "[ ] Notify all affected data subjects"
echo "[ ] Include: what data was compromised, breach date, your response"
echo "[ ] Provide: credit monitoring (if financial data), support contact"
echo "[ ] Send via: registered email, SMS, or secure portal"
echo ""
echo "=== FOLLOW-UP (Within 30 Days) ==="
echo "[ ] Complete forensic investigation"
echo "[ ] File formal report with Data Protection Board"
echo "[ ] Implement remediation measures"
echo "[ ] Communicate fixes to affected users"
```
How to Protect Your Business
| Protection Layer | Action | Timeline | Difficulty |
|---|---|---|---|
| Data Inventory | Map all personal data sources (databases, APIs, logs, backups) | Week 1-2 | Easy |
| Consent Management | Implement granular consent UI and storage | Week 2-3 | Medium |
| Encryption | Enable encryption at rest (databases, backups) and in transit (TLS) | Week 3-4 | Medium |
| Access Control | Implement role-based access control (RBAC); limit who can access personal data | Week 4-5 | Medium |
| Audit Logging | Set up centralized logging for all data access | Week 5-6 | Hard |
| DPO Appointment | Hire or designate a Data Protection Officer | Week 1 | Easy |
| Breach Response Plan | Document your incident response procedure (including CERT-In notification) | Week 6-7 | Medium |
| User Rights Portal | Build self-service portal for data access/deletion requests | Week 7-8 | Hard |
Quick Fix: Enable Database Encryption
If you're running PostgreSQL or MySQL, enable encryption immediately:
```bash
# PostgreSQL: column-level encryption with pgcrypto
# (PostgreSQL has no built-in transparent data encryption; pair this with
#  encrypted volumes and encrypted backups for true encryption at rest)
# 1. Generate an encryption key and keep it out of the repo and out of the database
openssl rand -hex 32 | sudo tee /etc/postgresql/encryption.key > /dev/null
sudo chown postgres:postgres /etc/postgresql/encryption.key
sudo chmod 600 /etc/postgresql/encryption.key
# 2. Enable pgcrypto extension (set DB_NAME to your database)
sudo -u postgres psql -d "$DB_NAME" -c "CREATE EXTENSION IF NOT EXISTS pgcrypto;"
# 3. Encrypt sensitive columns, passing the key from the file as a psql variable
#    instead of pasting a literal key into the SQL
sudo -u postgres psql -d "$DB_NAME" -v key="$(sudo cat /etc/postgresql/encryption.key)" <<'SQL'
ALTER TABLE customers ADD COLUMN IF NOT EXISTS email_encrypted bytea;
UPDATE customers
   SET email_encrypted = pgp_sym_encrypt(email, :'key')
 WHERE email IS NOT NULL AND email_encrypted IS NULL;
-- once the application reads email_encrypted, drop the plaintext column
SQL

# MySQL: Enable encryption at rest (InnoDB)
# Requires a keyring component/plugin to be configured first; the defaults below
# apply to tables created afterwards, existing tables need ALTER TABLE ... ENCRYPTION='Y'
# Add to my.cnf
[mysqld]
default-table-encryption=ON
table-encryption-privilege-check=ON
# Restart MySQL
sudo systemctl restart mysql
```
Build a Data Subject Rights Portal
Users will request their data. You need a way to fulfill these requests within 30 days:
```python
# Flask example: Data subject rights API
import logging
import secrets
from datetime import datetime, timedelta, timezone
from flask import Flask, request, jsonify

app = Flask(__name__)
log = logging.getLogger("dsr")

# In-memory stand-ins so the example runs; replace with your user table,
# legal-hold register and job queue (Celery, SQS, ...)
KNOWN_USERS = {"priya@example.com"}
LEGAL_HOLDS = set()
FULFILLMENT_QUEUE = []

def validate_user(user_email):
    """Check the address belongs to a known user.
    Existence alone is not proof of identity: before acting on the request, confirm the
    requester controls the address (authenticated session or emailed one-time link),
    otherwise anyone can export or erase another person's data by submitting their email."""
    return bool(user_email) and user_email in KNOWN_USERS

def has_legal_hold(user_email):
    return user_email in LEGAL_HOLDS

def generate_request_id():
    return "dsr_" + secrets.token_hex(8)

def log_data_subject_request(**fields):
    """Record the request in the audit trail (see the audit logger above)"""
    log.info("data_subject_request %s", fields)

def queue_fulfillment(request_id, user_email, request_type):
    FULFILLMENT_QUEUE.append((request_id, user_email, request_type))

@app.route('/api/data-subject/access', methods=['POST'])
def request_data_access():
    """
    User requests their personal data (Right to Access)
    """
    data = request.get_json(silent=True) or {}
    user_email = data.get('email')
    # Validate user identity
    if not validate_user(user_email):
        return jsonify({"error": "User not found"}), 404
    # Create request ticket
    request_id = generate_request_id()
    due_date = datetime.now(timezone.utc) + timedelta(days=30)
    # Log the request
    log_data_subject_request(
        request_type="access",
        user_email=user_email,
        request_id=request_id,
        due_date=due_date
    )
    # Queue for fulfillment
    queue_fulfillment(request_id, user_email, "access")
    return jsonify({
        "request_id": request_id,
        "status": "pending",
        "due_date": due_date.isoformat(),
        "message": "Your data access request has been received. We'll respond within 30 days."
    }), 202

@app.route('/api/data-subject/erasure', methods=['POST'])
def request_data_erasure():
    """
    User requests deletion of their personal data (Right to Erasure)
    """
    data = request.get_json(silent=True) or {}
    user_email = data.get('email')
    reason = data.get('reason', 'Not specified')
    # Validate user identity
    if not validate_user(user_email):
        return jsonify({"error": "User not found"}), 404
    # Check for legal holds
    if has_legal_hold(user_email):
        return jsonify({
            "error": "Erasure request cannot be fulfilled due to legal hold"
        }), 403
    # Create erasure request
    request_id = generate_request_id()
    due_date = datetime.now(timezone.utc) + timedelta(days=30)
    log_data_subject_request(
        request_type="erasure",
        user_email=user_email,
        request_id=request_id,
        reason=reason,
        due_date=due_date
    )
    # Queue for fulfillment
    queue_fulfillment(request_id, user_email, "erasure")
    return jsonify({
        "request_id": request_id,
        "status": "pending",
        "due_date": due_date.isoformat(),
        "message": "Your data erasure request has been received. We'll process it within 30 days."
    }), 202

if __name__ == '__main__':
    # 'adhoc' generates a throwaway self-signed certificate (needs pyOpenSSL);
    # use a real certificate behind your reverse proxy in production
    app.run(ssl_context='adhoc')
```
How Bachao.AI Detects and Prevents This
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.
As someone who's reviewed hundreds of Indian SMB security postures, I can tell you: most startups are 6-12 months behind on DPDPA compliance. The good news? It's fixable. The bad news? The window is closing.
Start with a free DPDP readiness assessment from Bachao.AI. It takes 30 minutes and will show you exactly where you stand.
Key Takeaways
- DPDPA is law, not guidance. Penalties are ₹250 crores or 5% of global turnover. Enforcement is accelerating.
- Compliance has a timeline. You have 30 days to respond to user data access/erasure requests. 72 hours to notify users of breaches. 6 hours to notify CERT-In.
- Start with data inventory. You can't protect data you don't know you have.
- Encryption is non-negotiable. Enable it at rest and in transit immediately.
- Audit logging proves compliance. Without logs, you can't prove you followed the law.
- Breach response must be automated. Manual notification processes will miss the 6-hour CERT-In window.
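The portal above only accepts requests; the 30-day clock in the takeaways is met by the worker that actually erases. As an added example that is not from the original post, a fulfilment step that walks every inventoried store, refuses on legal hold, and returns an erasure record for the audit log without copying the subject's email into it; the stores and the hold register are constructed sample data:

```python
import hashlib
from datetime import datetime, timedelta, timezone

def sample_stores():
    """Constructed stand-in for every inventoried store holding personal data, keyed by subject.
    A store missing from the inventory is a store that never gets erased."""
    return {
        "users": {"priya@example.com": {"name": "Priya", "phone": "+91-9800000000"}},
        "support_tickets": {"priya@example.com": [{"id": 5678, "body": "..."}]},
        "analytics": {"priya@example.com": {"events": 42}},
    }

LEGAL_HOLDS = {"rahul@example.com"}   # constructed: subjects whose records must be retained

def fulfill_erasure(request_id, user_email, received_at, stores, holds=LEGAL_HOLDS, now=None):
    """Erase the subject from every store (or refuse on legal hold) and return an
    erasure record for the audit trail. Timestamps are ISO 8601 strings.
    The record keeps only a hash of the identifier, so the audit log is not itself a copy of the PII."""
    received = datetime.fromisoformat(received_at)
    completed = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    record = {
        "request_id": request_id,
        "subject_ref": hashlib.sha256(user_email.lower().encode()).hexdigest()[:16],
        "completed_at": completed.isoformat(),
        "within_30_days": completed <= received + timedelta(days=30),
        "erased_from": [],
        "status": "erased",
    }
    if user_email in holds:
        record["status"] = "refused_legal_hold"   # document the refusal, keep the data
        return record
    for name, table in stores.items():
        if table.pop(user_email, None) is not None:   # production: DELETE ... WHERE subject = ?
            record["erased_from"].append(name)
    if not record["erased_from"]:
        record["status"] = "nothing_to_erase"      # still recorded: it proves you looked
    return record
```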
Originally reported by Inc42
Written by Shouvik Mukherjee, Founder of Bachao.AI. I help Indian startups and SMBs navigate cybersecurity and compliance without breaking the bank. Follow me on LinkedIn for daily insights on cybersecurity, compliance, and building secure products in India.
Frequently Asked Questions
Q: What is the DPDPA and which businesses must comply? A: The Digital Personal Data Protection Act (DPDPA) applies to any business that collects, processes, or stores personal data of Indian residents — regardless of company size. This includes startups, SMBs, and even solo-founder companies if they handle customer data.
Q: What are the penalties for DPDPA non-compliance? A: Penalties range from ₹50 crores for minor violations to ₹250 crores (or 5% of global annual turnover, whichever is higher) for significant breaches. For a ₹100 crore startup, that's a potential ₹5 crore fine for a single incident.
Q: What is the 72-hour breach notification rule? A: Under DPDPA, businesses must notify the Data Protection Board and affected users within 72 hours of discovering a data breach. CERT-In additionally mandates a 6-hour initial report for critical incidents.
Q: What's the minimum a startup must do to be DPDPA compliant? A: At minimum: implement a consent management system, encrypt personal data at rest and in transit, maintain audit logs of data access, establish a breach response procedure, and conduct an annual data inventory. Most startups are missing at least two of these.
Q: How can Bachao.AI help startups achieve DPDPA compliance? A: Bachao.AI's automated security assessment identifies gaps in your data protection posture — unencrypted data stores, missing audit logging, misconfigured cloud permissions — and provides a remediation roadmap. Visit Bachao.AI to start your compliance assessment.