Data & technology
The DPDP Act applies to your 10-person company too. Here's the small-business version
If your business collects any personal data digitally — customer phone numbers, emails, addresses, employee records — the Digital Personal Data Protection Act, 2023 applies to you as a Data Fiduciary, regardless of size. The DPDP Rules were notified on 13 November 2025 with a phased schedule: core obligations (consent notices, security safeguards, breach reporting, data-principal rights) become enforceable by 13 May 2027. There is no small-business exemption from the Act itself (only certain notified startups may get relaxations from specific provisions), and penalties scale up to ₹250 crore for serious breaches. The good news: for a typical SME the actual to-do list is short and mostly procedural — and you have a runway to do it properly.
Does it really apply to a company my size?
Yes. The Act applies to processing of digital personal data within India (and to processing outside India connected to offering goods/services to people in India), with obligations attaching to the Data Fiduciary — the entity deciding why and how data is processed. That's you, the moment you run a CRM, a lead form, a WhatsApp commerce flow or payroll software.
Heavier duties (data protection officers, audits, impact assessments) attach only to Significant Data Fiduciaries, designated by notification based on volume/sensitivity — a small business is unlikely to be designated, but the base obligations apply to everyone. Certain startups may be notified for relaxations from specific provisions; don't plan on being one.
The founder-sized checklist
Most enterprise DPDP content sells tooling you don't need. The statutory core for a small fiduciary:
- Map what personal data you actually collect, where it lives, and who it's shared with (one honest spreadsheet).
- Consent: collect it with a clear, itemised notice — in English or any Eighth-Schedule language the user chooses — and make withdrawal as easy as giving it.
- Purpose limitation: use data only for the stated purpose; delete when the purpose is served or consent is withdrawn.
- Security safeguards: encryption/access control appropriate to your scale; vendor (data processor) contracts that bind your tools.
- Breach response: a written plan to notify the Data Protection Board and affected users in the prescribed manner.
- Rights handling: a working channel for access, correction and erasure requests, and a named grievance contact.
- Children's data (if relevant): verifiable parental consent; no tracking/behavioural ads targeting children.
Timeline and why starting in 2026 is the cheap option
The Rules phase in: institutional provisions first, consent-manager registration and the bulk of operational obligations by May 2027. Eighteen months sounds long, but consent re-papering touches every form, app screen and WhatsApp flow you run — and your SaaS vendors' DPAs need renegotiating once, not in a panic. Businesses that treated GDPR's deadline as a last-quarter sprint paid consultants peak rates for commodity work; the DPDP curve will look the same.
Penalty exposure is graded but real: up to ₹250 crore for failing security safeguards, ₹200 crore for breach-notification failures, with the Data Protection Board empowered to inquire and penalise. For an SME, though, the realistic near-term risk is commercial: enterprise customers are already pushing DPDP clauses into vendor contracts — being able to answer a DPDP questionnaire is becoming a sales requirement.
Frequently asked questions
We only store customer data in Google Sheets / a CRM. Are we still a Data Fiduciary?
Yes. The tooling is irrelevant — deciding the purpose and means of processing makes you the fiduciary, and your CRM/sheet provider is your processor. Your obligations include having appropriate safeguards and processor terms with those vendors.
Is there a registration we must do now?
There's no general fiduciary registration. Consent managers register with the Data Protection Board, and Significant Data Fiduciaries get designated — both unlikely to be you. Your work is operational: notices, consent, security, deletion, grievance channel by the 2027 milestones.
Does DPDP replace the IT Act / SPDI Rules?
DPDP supersedes the SPDI Rules' regime for personal data; the IT Act otherwise continues. Sectoral rules (RBI, IRDAI, health) stack on top for regulated entities — for most SMEs, DPDP becomes the primary privacy obligation.
Check what applies to your business
Describe your business in two or three lines and Compliance Radar matches the rules and government schemes that apply — deadlines and penalties included, every claim cited to the official source. First 3 queries are free. No card.
Run this check free →