What Is the DPDP Act?
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive data privacy law. If you run a business in India that collects, stores, or processes digital personal data — this law applies to you.
Who Does It Apply To?
The short answer: almost every business.
| If your business does this... | You are a... | DPDP applies? |
|---|---|---|
| Collects customer names & emails | Data Fiduciary | ✅ Yes |
| Runs an e-commerce store | Data Fiduciary | ✅ Yes |
| Has employee HR records | Data Fiduciary | ✅ Yes |
| Processes payments | Data Fiduciary | ✅ Yes |
| Uses analytics (Google Analytics etc.) | Data Fiduciary | ✅ Yes |
| Only handles anonymized data | — | ❌ No |
The 7 Core Obligations
```mermaid
graph TD
    A[🏢 Your Business<br/>Data Fiduciary] --> B[📋 1. Lawful Purpose]
    A --> C[✅ 2. Explicit Consent]
    A --> D[🔒 3. Security Safeguards]
    A --> E[🗑️ 4. Data Deletion]
    A --> F[📢 5. Breach Notification]
    A --> G[👤 6. Data Principal Rights]
    A --> H[📝 7. Grievance Redressal]
    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style D fill:#1e5f3a,stroke:#10B981,color:#e2e8f0
    style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
```
1. Lawful Purpose
You can only collect data for a clear, specific, legitimate purpose. "We might use it later" is not a valid reason.
2. Explicit Consent
Users must give free, specific, informed, and unambiguous consent. Pre-ticked checkboxes don't count. Consent buried in terms and conditions doesn't count.
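The consent properties above have a server-side counterpart: the form definition must not pre-tick or bundle purposes, and each submission should be stored as one record per purpose, with the wording the user saw and the policy version. The following is an added example (not code from the original post or from Bachao.AI); the purpose ids, field names and policy version are constructed for illustration.

```python
"""Validate a consent form definition and record per-purpose consent.

Added example. The purposes, form field shape and policy version are
assumptions made for this illustration, not values from the original post.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# The purposes the form asks about. "required" means the service cannot be
# delivered without that processing; optional purposes must never default to on.
PURPOSES = {
    "order_processing": {
        "description": "collect my name and email to process my order",
        "required": True,
    },
    "marketing_email": {
        "description": "receive product updates via email",
        "required": False,
    },
}


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    given: bool
    policy_version: str   # which privacy policy text the user was shown
    recorded_at: str      # ISO-8601 UTC timestamp
    form_text: str        # exact wording the user consented to


class ConsentError(ValueError):
    """Raised when a submission cannot be accepted as valid consent."""


def validate_form_definition(fields):
    """Return a list of problems with a form definition.

    `fields` maps purpose id -> {"default_checked": bool, "bundled": bool}.
    A pre-ticked box is not unambiguous consent; a box that covers several
    purposes at once is not specific consent.
    """
    problems = []
    for purpose, spec in fields.items():
        if purpose not in PURPOSES:
            problems.append(f"unknown purpose {purpose!r}")
            continue
        if spec.get("default_checked"):
            problems.append(f"{purpose}: checkbox is pre-ticked")
        if spec.get("bundled"):
            problems.append(f"{purpose}: bundled with other purposes")
    return problems


def record_consent(principal_id, submitted, policy_version, now=None):
    """Turn a posted form into one ConsentRecord per declared purpose.

    `submitted` maps purpose id -> checkbox state as posted. A missing
    required purpose aborts the submission; an unticked optional purpose is
    recorded as given=False so the refusal is auditable too.
    """
    now = now or datetime.now(timezone.utc)
    records = []
    for purpose, spec in PURPOSES.items():
        given = bool(submitted.get(purpose, False))
        if spec["required"] and not given:
            raise ConsentError(f"required consent for {purpose!r} not given")
        records.append(ConsentRecord(
            principal_id=principal_id,
            purpose=purpose,
            given=given,
            policy_version=policy_version,
            recorded_at=now.isoformat(),
            form_text=spec["description"],
        ))
    return records


if __name__ == "__main__":
    bad_form = {"order_processing": {"default_checked": True, "bundled": True}}
    print(validate_form_definition(bad_form))
    for r in record_consent("user-42", {"order_processing": True}, "2024-01"):
        print(r)
```

Storing `given=False` for the optional purpose, together with the policy version and the wording shown, is what lets you answer a later access request or a regulator's question about what exactly the user agreed to.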
3. Reasonable Security Safeguards
This is deliberately broad — the Act doesn't prescribe specific technologies. But regulators will look at whether you've done due diligence: encryption, access controls, vulnerability assessments, employee training.
4. Data Deletion
Once the purpose for collecting data is fulfilled, you must delete it. Keeping customer data "just in case" is now illegal.
5. Breach Notification
If a breach occurs, you must notify the Data Protection Board without delay. CERT-In additionally mandates notification within 6 hours.
6. Data Principal Rights
Users (called "Data Principals") have the right to:
- Access their data
- Correct inaccurate data
- Erase their data
- Nominate someone to act on their behalf
7. Grievance Redressal
You must appoint a Data Protection Officer (or a designated contact for smaller businesses) and provide a working grievance mechanism.
The Penalty Structure
The Board considers the size and nature of the business when determining penalty amounts — but relying on leniency is not a compliance strategy.
Practical Compliance Roadmap
Here's a 4-step plan any SMB can follow:
Step 1: Data Audit
Map every piece of personal data your business collects. Most SMBs are surprised to find data scattered across:
- Spreadsheets (customer lists, sales reports)
- Email inboxes (customer correspondence)
- Third-party tools (CRM, analytics, marketing platforms)
- Databases (application data, user accounts)
- Cloud storage (Google Drive, Dropbox backups)
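A data audit is easier to keep honest when the inventory is produced by a script rather than by memory. The following is an added example (not code from the original post or from Bachao.AI) that scans an exported CSV, infers which columns hold personal data from the values, and tags each column with a sensitivity level. The detectors (email, Indian mobile number, payment card number) and the sensitivity labels are my assumptions; the sample CSV is constructed.

```python
"""Build a simple personal-data inventory from an exported CSV.

Added example. Detector patterns and sensitivity levels are assumptions for
this illustration; extend them to match your own data.
"""
import csv
import io
import re
from collections import Counter

# Value-level detectors. Order matters: the first match wins.
DETECTORS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    # Assumption: 10-digit Indian mobile number, optional +91 prefix.
    "in_mobile": re.compile(r"^(\+91[\s-]?)?[6-9]\d{9}$"),
    "card_number": re.compile(r"^\d{13,19}$"),
}
# Assumed sensitivity per detected kind; anything undetected is "none".
SENSITIVITY = {"card_number": "high", "in_mobile": "medium", "email": "medium"}


def luhn_ok(digits):
    """Luhn checksum, used to avoid flagging arbitrary long numbers as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value):
    """Return the detector name that matches a single cell, or None."""
    v = value.strip()
    for kind, rx in DETECTORS.items():
        if rx.match(v):
            if kind == "card_number" and not luhn_ok(v):
                continue
            return kind
    return None


def inventory(source_name, csv_text, threshold=0.5):
    """Return one entry per column: detected kind, sensitivity, record count.

    A column is tagged with a kind when at least `threshold` of its non-empty
    values match that detector, so a few stray values do not mislabel it.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    entries = []
    for col in reader.fieldnames or []:
        values = [r[col] for r in rows if r.get(col)]
        counts = Counter(classify_value(v) for v in values)
        kind = None
        for candidate, n in counts.most_common():
            if candidate is not None and n / len(values) >= threshold:
                kind = candidate
                break
        entries.append({
            "source": source_name,
            "column": col,
            "kind": kind,
            "sensitivity": SENSITIVITY.get(kind, "none"),
            "records": len(values),
        })
    return entries


# Constructed sample export; 4111111111111111 is a common Luhn-valid test number.
SAMPLE_CSV = """name,email,mobile,card,notes
Asha,asha@example.com,9876543210,4111111111111111,vip
Ravi,ravi@example.org,+91 9123456780,,callback
"""

if __name__ == "__main__":
    for entry in inventory("customers.csv", SAMPLE_CSV):
        print(entry)
```

Run this over each spreadsheet export and database dump you find, and the "Data Inventory" box in the diagram above becomes a concrete list of source, column, data kind and sensitivity that you can map to a purpose and a retention period.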
```mermaid
graph LR
    A[📊 Spreadsheets] --> E[📋 Data Inventory]
    B[📧 Email Inboxes] --> E
    C[🔧 Third-party SaaS] --> E
    D[🗄️ Databases] --> E
    E --> F[🔍 Classify by Sensitivity]
    F --> G[📝 Compliance Map]
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style G fill:#1e5f3a,stroke:#10B981,color:#e2e8f0
```
Step 2: Fix Your Consent Mechanism
Update your privacy policy and consent forms. Here's what good consent looks like in code:
```html
<!-- ❌ BAD: Pre-ticked, bundled consent -->
<label>
  <input type="checkbox" checked />
  I agree to the terms, privacy policy, and marketing emails
</label>

<!-- ✅ GOOD: Separate, unticked, specific consent -->
<label>
  <input type="checkbox" required />
  I consent to Acme Corp collecting my name and email to process my order.
  <a href="/privacy-policy">Read our privacy policy</a>
</label>
<label>
  <input type="checkbox" />
  I'd also like to receive product updates via email (optional).
</label>
```
Step 3: Run a Security Assessment
Identify vulnerabilities that could lead to a data breach — because the fastest path to a DPDP penalty is a breach you could have prevented.
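A quick check of HTTP security headers is a cheap first finding for this step. The following is an added example (not code from the original post or from Bachao.AI) that parses a raw response header block, reports which of the four headers the post looks for are missing, and flags values that are present but weak. The thresholds (HSTS max-age of at least one year, `nosniff`, `DENY`/`SAMEORIGIN`) are my assumptions; the sample response is constructed.

```python
"""Assess HTTP security headers from a raw header block or a live URL.

Added example. The "weak" thresholds are assumptions for this illustration.
"""
import re
import urllib.request

# The same four headers the curl | grep one-liner looks for.
REQUIRED = [
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
]
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age


def parse_headers(raw):
    """Parse `curl -I`-style output into a lower-cased {name: value} dict."""
    headers = {}
    for line in raw.splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def assess(headers):
    """Return {header: "missing" | "ok" | "weak: reason"} for each required header."""
    findings = {name: ("ok" if name in headers else "missing") for name in REQUIRED}

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings["strict-transport-security"] = "weak: max-age below one year"

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings["x-content-type-options"] = "weak: expected nosniff"

    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = "weak: expected DENY or SAMEORIGIN"

    return findings


def check_url(url, timeout=10):
    """Fetch headers from a live site you operate and assess them (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess({k.lower(): v for k, v in resp.headers.items()})


# Constructed sample response: HSTS present but short-lived, CSP and XFO absent.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for header, status in assess(parse_headers(SAMPLE_RESPONSE)).items():
        print(f"{header:30} {status}")
```

Every "missing" or "weak" line is a finding to record in the Step 1 compliance map, alongside who owns the fix and when it was closed.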
```bash
# Quick security headers check
curl -sI https://yourdomain.com | grep -iE "strict-transport|content-security|x-frame|x-content-type"
# If you see nothing, your headers are missing — that's a finding.
```
Step 4: Set Up Breach Response
Have a plan before you need one:
| Timeline | Action |
|---|---|
| 0–1 hours | Detect breach (requires monitoring!) |
| 1–4 hours | Contain & assess scope |
| 4–6 hours | Notify CERT-In (mandatory) |
| 6–24 hours | Notify Data Protection Board |
| 24–72 hours | Notify affected Data Principals |
| 1–2 weeks | Publish incident report & remediation |
How Bachao.AI Helps
Our platform maps directly to DPDP compliance requirements:
| DPDP Requirement | Bachao.AI Product | What It Does |
|---|---|---|
| Reasonable security safeguards | VAPT Scan (Free) | Identifies all vulnerabilities in your web presence |
| Breach notification readiness | Dark Web Monitoring | Alerts you if credentials or data appear on the dark web |
| Data audit & classification | DPDP Compliance Score | Maps your data handling against DPDP requirements |
| Employee awareness | Security Training | Phishing simulation + compliance training |
| Incident response | Incident Response | 24/7 breach response with CERT-In notification |
Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.