Data & technology

The DPDP Act applies to your 10-person company too. Here's the small-business version

If your business collects any personal data digitally — customer phone numbers, emails, addresses, employee records — the Digital Personal Data Protection Act, 2023 applies to you as a Data Fiduciary, regardless of size. The DPDP Rules were notified on 13 November 2025 with a phased schedule: core obligations (consent notices, security safeguards, breach reporting, data-principal rights) become enforceable by 13 May 2027. There is no small-business exemption from the Act itself (only certain notified startups may get relaxations from specific provisions), and penalties scale up to ₹250 crore for serious breaches. The good news: for a typical SME the actual to-do list is short and mostly procedural — and you have a runway to do it properly.

By Dhrumil Barot · Founder, Compliance Radar · Updated 11 June 2026 · Informational, not legal advice — sources cited below.

Does it really apply to a company my size?

Yes. The Act applies to processing of digital personal data within India (and to processing outside India connected to offering goods/services to people in India), with obligations attaching to the Data Fiduciary — the entity deciding why and how data is processed. That's you, the moment you run a CRM, a lead form, a WhatsApp commerce flow or payroll software.

Heavier duties (data protection officers, audits, impact assessments) attach only to Significant Data Fiduciaries, designated by notification based on volume/sensitivity — a small business is unlikely to be designated, but the base obligations apply to everyone. Certain startups may be notified for relaxations from specific provisions; don't plan on being one.

The founder-sized checklist

Most enterprise DPDP content sells tooling you don't need. The statutory core for a small fiduciary:

Timeline and why starting in 2026 is the cheap option

The Rules phase in: institutional provisions first, consent-manager registration and the bulk of operational obligations by May 2027. Eighteen months sounds long, but consent re-papering touches every form, app screen and WhatsApp flow you run — and your SaaS vendors' DPAs need renegotiating once, not in a panic. Businesses that treated GDPR's deadline as a last-quarter sprint paid consultants peak rates for commodity work; the DPDP curve will look the same.

Penalty exposure is graded but real: up to ₹250 crore for failing security safeguards, ₹200 crore for breach-notification failures, with the Data Protection Board empowered to inquire and penalise. For an SME, though, the realistic near-term risk is commercial: enterprise customers are already pushing DPDP clauses into vendor contracts — being able to answer a DPDP questionnaire is becoming a sales requirement.

Frequently asked questions

We only store customer data in Google Sheets / a CRM. Are we still a Data Fiduciary?

Yes. The tooling is irrelevant — deciding the purpose and means of processing makes you the fiduciary, and your CRM/sheet provider is your processor. Your obligations include having appropriate safeguards and processor terms with those vendors.

Is there a registration we must do now?

There's no general fiduciary registration. Consent managers register with the Data Protection Board, and Significant Data Fiduciaries get designated — both unlikely to be you. Your work is operational: notices, consent, security, deletion, grievance channel by the 2027 milestones.

Does DPDP replace the IT Act / SPDI Rules?

DPDP supersedes the SPDI Rules' regime for personal data; the IT Act otherwise continues. Sectoral rules (RBI, IRDAI, health) stack on top for regulated entities — for most SMEs, DPDP becomes the primary privacy obligation.

Check what applies to your business

Describe your business in two or three lines and Compliance Radar matches the rules and government schemes that apply — deadlines and penalties included, every claim cited to the official source. First 3 queries are free. No card.

Run this check free →

Sources

3 free queries · no cardGet my rules →