DPDP Act — GRC RADAR
Published: 30 May 2026 · 22 min read · Category: DPDP Act
Your customer success team just received an email from a client asking, in measured but lawyer-like language, what you do with their employees’ email addresses, who has access, where the data sits, and whether you have a Data Processing Agreement on file. The same week, a candidate you did not hire sent a note asking you to delete their CV and “any other personal data you hold about me.”
If you are the person on the other end of those emails — and you did not ask to be — this guide is for you.
The Digital Personal Data Protection Act, 2023 (the DPDP Act) is India’s first comprehensive data-protection law. It changes the baseline for every organisation that processes personal data in digital form — in 2026, effectively every Indian SME with a website, a payroll system, or a customer list. The penalty schedule alone, with statutory maxima of up to ₹250 crore for the most serious contraventions, is enough to make the board pay attention.
The single most important date you need to know: 14 May 2027 — the day all substantive DPDP obligations become enforceable for data fiduciaries. The final DPDP Rules, 2025 (Gazette notification G.S.R. 846(E)) were notified by MeitY on 13 November 2025 and published in the Official Gazette on 14 November 2025, prescribing an 18-month implementation window from publication. Some rules took effect immediately on notification (the framework for the Data Protection Board, definitions, adjudication procedure); the Consent Manager framework activates at the 12-month mark; the substantive fiduciary obligations activate at 18 months. One caveat worth planning around: in January 2026 MeitY floated a proposal to compress that 18-month window to 12 months — not yet law, but it would pull the deadline forward, so build for “sooner” rather than “later”. The clock is running.
This is a practical walk-through for SME CISOs, compliance leads, and founders who need to implement DPDP — not recite it. We will cover what the Act requires, who is a “data fiduciary” and what that means for you, what rights your customers and employees now have, the phased implementation timeline you need to plan against, and a five-phase rollout plan a typical 50-to-200-person SME can start next Monday.
If you have been searching for a DPDP Act 2023 implementation checklist, or trying to figure out what DPDP Act compliance for SMEs actually looks like outside a consulting engagement, this is the starting point.
DPDP Act: the basics
The DPDP Act received Presidential assent on 11 August 2023. The final DPDP Rules, 2025 — which give the Act its operational machinery — were notified by MeitY via Gazette notification G.S.R. 846(E) (dated 13 November 2025, published in the Official Gazette on 14 November 2025), after a public consultation on the Draft Rules issued on 3 January 2025. The Act applies to the processing of digital personal data within India, and to processing outside India that relates to offering goods or services to data principals in India. If you have customers, users or employees in India and you store their data digitally, the Act reaches your operations.
One adjacent change worth noting: the DPDP Act also amended Section 8(1)(j) of the Right to Information Act, 2005 (via Section 44(3) of the DPDP Act, in force since the November 2025 notification), broadening the exemption for “personal information” from RTI disclosure. The amendment is in force but politically contested and under challenge before the Supreme Court — flag it if your organisation handles RTI requests, but treat its final scope as unsettled.
The Act regulates three roles. A data fiduciary decides why and how personal data is processed — that is your SME when you collect customer information, run payroll, or market to subscribers. A data processor processes personal data on behalf of a fiduciary under contract — typically a vendor like your CRM, payroll service, or cloud host. A data principal is the individual the data is about — your customer, your employee, your candidate.
Penalties are serious. The Schedule to the Act sets a statutory maximum for each type of contravention. The four an SME most needs to know:
- ₹250 crore — failure to take reasonable security safeguards resulting in a personal data breach
- ₹200 crore — failure to notify the Data Protection Board or affected data principals of a breach
- ₹200 crore — failure to fulfil obligations relating to children’s data
- ₹150 crore — failure to fulfil the additional obligations applicable to a Significant Data Fiduciary
- ₹50 crore — breach of any other provision of the Act or the Rules (the catch-all that covers notice, consent, retention and data-principal-rights failures)
These are ceilings. The Data Protection Board can impose lesser penalties based on the nature and gravity of the breach, the number of data principals affected, and the steps taken by the fiduciary to mitigate. For an SME, the ₹250 crore tier is the one that should focus the board’s attention — failure to take reasonable security safeguards is the most common failure mode, and it carries the highest exposure.
Two points that often confuse SMEs. First, the Act applies to digital personal data — paper records are outside scope until digitised. Second, the Act and Rules are rolling out in three phases, not all at once. The next section breaks the phases down.
Phased implementation timeline: what’s in force, what’s coming
The DPDP Rules, 2025 spread implementation over 18 months. For an SME planning the next 12 months of compliance work, the dates determine sequencing more than any other input. Three phases:
Phase I — In force since 14 November 2025 (immediate on notification)
- The legal framework for the Data Protection Board of India (DPB) is established — a digital-first body of four members. Important caveat: as of mid-2026 the Board is not yet operational. The member positions have been advertised but not filled; it cannot yet receive complaints or adjudicate. The Board exists in law, not yet in practice.
- Rules 1, 2, and 17 through 21 are in force — covering definitions, DPB composition, conduct of meetings, and procedure for adjudication of complaints.
- Once the Board is constituted and its portal is live, data principals will be able to file complaints against fiduciaries — but substantive obligations against fiduciaries only become enforceable in Phase III.
Phase II — In force from 14 November 2026 (12 months from notification)
- Rule 4 takes effect — Consent Manager registration, eligibility criteria, conduct standards, and the operational framework for consent managers acting as intermediaries between data principals and data fiduciaries. Consent Managers must be companies incorporated in India that meet prescribed net-worth and fit-and-proper conditions.
- SMEs that plan to rely on a Consent Manager rather than building consent infrastructure in-house need to identify their counterparty during this 12-month window.
Phase III — In force from 14 May 2027 (18 months from notification)
- All other substantive obligations of data fiduciaries crystallise: notice and consent, data principal rights, breach notification, retention limits, processor contracts, security safeguards, SDF duties, children’s data obligations, and the rest of the operational machinery.
- This is the date your DPDP programme must be operational against (earlier, if MeitY’s proposed 12-month compression is notified). Working backwards: serious implementation work should be underway by Q3 2026 at the latest for a 50-to-200-person SME, sooner for businesses processing sensitive categories at scale.
A practical read of the phasing. The Board is constituted in law but not yet functioning — so there is no regulator actively taking complaints today, and the substantive enforcement clock against fiduciaries starts in May 2027. But treating that as an excuse to do nothing is a mistake. Enterprise customers and insurers are already asking DPDP-readiness questions in vendor due diligence. The cost of being unprepared in 2026 is lost deals, not Board penalties. Once the Board is operational and the 2027 deadline lands, the cost will be both.
Key definitions under DPDP
Before implementation, some vocabulary. These definitions map cleanly onto things an Indian SME already does — the law is renaming existing activities, not inventing new ones.
Personal data. Any data about an individual who is identifiable by or in relation to such data. That includes names, email addresses, phone numbers, PAN, Aadhaar, bank details, employee IDs, customer IDs, photographs that identify a person, and device identifiers that map to a named person.
Processing. A wide definition. It covers collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, alignment, combination, restriction, erasure or destruction. In plain English: if you touch the data in any way, you are processing it.
Data fiduciary. The person — which includes a company — that, alone or jointly with others, determines the purpose and means of processing. The typical SME is a data fiduciary for its customer base and its own employees.
Data processor. A person that processes personal data on behalf of a data fiduciary. Your CRM, your payroll provider, your cloud email platform, your transactional messaging service — all processors. You remain accountable for how they handle the data.
Data principal. The individual whose data is being processed. For children (under 18, per Section 2(f)) and for persons with disabilities who have a lawful guardian, “data principal” includes the parent or lawful guardian for consent purposes. The Rules carve out narrow exemptions from verifiable parental consent for specified classes of fiduciary (healthcare and educational institutions, for example) and specified purposes (such as confirming a child’s age or real-time child-safety functions), but each exemption is scoped to the named purpose and only to the extent necessary for it; read the exemption before relying on it rather than assuming it covers your organisation as a whole.
Significant Data Fiduciary (SDF). A category the Central Government can notify under Section 10 of the Act, based on volume and sensitivity of data processed, risk to data principals, and broader public considerations. SDF designation triggers extra obligations — a Data Protection Officer resident in India, an independent data auditor, and periodic Data Protection Impact Assessments. Most SMEs are not SDFs, but the threshold is set by notification, not by employee headcount — check it if your business handles sensitive categories at scale.
The Act has no separate “sensitive personal data” category the way GDPR does, but it imposes heightened obligations where children’s data or the data of persons with disabilities is involved.
The core principles, applied to an SME
The DPDP Act is built around a small set of principles. Read them once, then read them again as implementation checkpoints.
Lawful, fair and transparent processing. Personal data must be processed for a lawful purpose for which consent has been obtained or for specified “legitimate uses”. Consent must be free, specific, informed, unconditional, unambiguous and through a clear affirmative action. In practice: no pre-ticked checkboxes, no bundled consents buried in a long terms-of-service document, no “by using this site you consent to anything we do later”. If you cannot describe the purpose in a sentence a non-specialist would understand, the consent is probably not valid.
Purpose limitation. Data collected for one purpose cannot be used for a different, incompatible purpose without fresh notice and, usually, fresh consent. An SME example: consent given at checkout for order fulfilment does not automatically license a year of marketing emails. The fix is either a separate, clear marketing opt-in at the point of collection, or a fresh consent ask before the first marketing send.
Data minimisation. Collect only what you need for the stated purpose. “Just in case” fields are now a liability, not an asset. Every field on your signup form should pass a simple test — if an auditor asked you why you collect it, could you point to a specific downstream use?
Accuracy and retention. Data should be accurate and kept up to date. It should not be retained longer than necessary for the purpose. Once the purpose is fulfilled, the data must be erased — unless retention is required by other law (tax records, employment records, KYC). Every category of data in your systems should have a documented retention period.
Security and integrity. Reasonable security safeguards are mandatory, and failure to implement them is the single highest-penalty contravention under the Schedule (₹250 crore ceiling). The DPDP Rules require fiduciaries to implement appropriate technical and organisational measures — encryption, access control, logging, masking or de-identification where appropriate, and a documented incident response plan. Note one concrete requirement the Rules add: logs and the personal data relevant to detecting and investigating breaches must be retained for at least one year. The cleanest way for an SME to demonstrate “reasonable” under DPDP is to map to CERT-In’s baseline controls, with DPDP-specific add-ons (consent, notice, data-principal rights, retention).
These principles are not abstract. Every operational obligation in the rest of this article flows from one of them.
Rights of data principals
Your customers and employees now have a statutory set of rights that they can exercise against you. A data principal is entitled to:
- The right to access information about their personal data being processed, the processing activities, and the identities of other fiduciaries and processors the data has been shared with.
- The right to correction and erasure of inaccurate, incomplete or misleading personal data, and erasure where data is no longer necessary or consent has been withdrawn.
- The right of grievance redressal. Data principals must first complain to the data fiduciary; only after that process is exhausted — or the fiduciary fails to respond within its published timeline — can they escalate to the Data Protection Board of India. Under Rule 14(3) of the DPDP Rules, 2025, each data fiduciary and Consent Manager must publish the period within which it will respond to grievances — and that period must not exceed 90 days. There is no separate statutory “first response in 7 days” obligation; the discipline the Rules impose is that you set a timeline, publish it, and meet it.
- The right to nominate another individual to exercise the data principal’s rights in the event of death or incapacity.
- The right to withdraw consent at any time, as easily as it was given. Withdrawal does not affect the lawfulness of prior processing but triggers erasure obligations going forward.
The operational implication for an SME: you need a published channel — an email address is fine, a form is better — where data principals can exercise these rights, plus a documented internal process to respond inside the response period you have published (which the Rules cap at 90 days). Most of the panic around DPDP comes from SMEs not having the second part. A “privacy@yourcompany.in” inbox with nobody monitoring it is worse than no inbox at all.
Compliance obligations for SME data fiduciaries
Here is where principles become plumbing. These are the obligations the typical SME data fiduciary needs to be able to demonstrate.
Notice and consent. At or before collection, provide a clear notice of the categories of data collected, the purposes of processing, the way data principals can exercise their rights, and the channel to complain to the Data Protection Board. Consent must be taken through a mechanism that records what was consented to and when.
Privacy notice. Publish a dedicated privacy notice on your website and customer-facing applications, in plain language. Section 5(3) of the Act gives the data principal the option to read the notice in English or in any of the 22 languages listed in the Eighth Schedule of the Constitution, so plan translations for the languages your customer base actually uses rather than publishing in English alone. The notice should describe what you collect, why, how long you retain it, with whom you share it, and how data principals exercise their rights.
Purpose-specific consent for non-obvious uses. Anything beyond fulfilling the transaction — marketing, cross-site analytics, profiling, sharing with advertisers — needs its own clear opt-in.
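The consent mechanism the last three paragraphs describe (one consent per purpose, a record of what was consented to and when, withdrawal that stops future processing without undoing past processing, and a rejection of bundled consent) is easier to reason about as a data structure than as policy text. The following is an added example, not code from the original post or from any GRC RADAR tool: an append-only, per-purpose consent ledger in Python. The purpose register, principal IDs, notice versions and channel names are assumptions made for the example. The same structure serves the marketing-list and bundled-consent points further down the page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical purpose register (an assumption for this example). Each purpose
# carries a one-sentence, plain-language description, which is the "could a
# non-specialist understand it" test from the article. Consent is recorded
# against exactly one key, so a bundled "terms + marketing + analytics" consent
# cannot be expressed in this ledger at all.
PURPOSES = {
    "order_fulfilment": "To process and deliver the order you placed.",
    "marketing_email": "To send you emails about our products and offers.",
    "usage_analytics": "To measure how our website is used so we can improve it.",
}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str            # "granted" or "withdrawn"
    at: datetime           # UTC timestamp of the clear affirmative action
    notice_version: str    # which privacy-notice text the principal was shown
    channel: str           # where it happened: "checkout_form", "preferences_page", ...


class ConsentLedger:
    """Append-only, per-purpose consent record.

    Nothing is overwritten: withdrawal is a new event, so the ledger answers both
    "may we process for this purpose now?" and "was the processing we did on
    <date> covered?" (withdrawal does not affect the lawfulness of prior processing).
    """

    def __init__(self) -> None:
        self._events: list = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              channel: str, at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            # No plain-language description means it cannot be a specific,
            # informed consent, so the ledger refuses to record it.
            raise ValueError(f"unregistered purpose: {purpose!r}")
        return self._append(principal_id, purpose, "granted", notice_version, channel, at)

    def withdraw(self, principal_id: str, purpose: str, channel: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unregistered purpose: {purpose!r}")
        return self._append(principal_id, purpose, "withdrawn", "n/a", channel, at)

    def _append(self, principal_id, purpose, action, notice_version, channel, at):
        event = ConsentEvent(principal_id, purpose, action,
                             at or datetime.now(timezone.utc), notice_version, channel)
        self._events.append(event)
        return event

    def is_permitted(self, principal_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """True if the latest event for this principal and purpose at or before
        `at` is a grant. With at=None it answers "may we process now?"; with a
        past timestamp it answers "was processing on that date consented to?"."""
        cutoff = at or datetime.now(timezone.utc)
        latest = None
        for e in self._events:
            if e.principal_id == principal_id and e.purpose == purpose and e.at <= cutoff:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.action == "granted"

    def history(self, principal_id: str) -> list:
        """Everything recorded for one principal, in time order: the artefact you
        hand over for an access request and the proof of consent in an audit."""
        return sorted((e for e in self._events if e.principal_id == principal_id),
                      key=lambda e: e.at)


def demo() -> dict:
    """Walk through the checkout-then-marketing scenario from the article."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 6, 1, 10, 0, tzinfo=timezone.utc)
    ledger.grant("cust-42", "order_fulfilment", "notice-v3", "checkout_form", at=t0)
    # Checkout consent does not license marketing: nothing recorded for that purpose.
    before_optin = ledger.is_permitted("cust-42", "marketing_email", at=t0)
    ledger.grant("cust-42", "marketing_email", "notice-v3", "preferences_page",
                 at=datetime(2026, 6, 2, 9, 0, tzinfo=timezone.utc))
    send_time = datetime(2026, 6, 10, 8, 0, tzinfo=timezone.utc)
    at_send = ledger.is_permitted("cust-42", "marketing_email", at=send_time)
    ledger.withdraw("cust-42", "marketing_email", "unsubscribe_link",
                    at=datetime(2026, 6, 15, 12, 0, tzinfo=timezone.utc))
    after_withdraw = ledger.is_permitted("cust-42", "marketing_email",
                                         at=datetime(2026, 6, 16, tzinfo=timezone.utc))
    # The send on 10 June stays lawful even though consent was withdrawn later.
    send_still_lawful = ledger.is_permitted("cust-42", "marketing_email", at=send_time)
    try:
        ledger.grant("cust-42", "terms_and_everything", "notice-v3", "signup_form", at=t0)
        bundled_rejected = False
    except ValueError:
        bundled_rejected = True
    return {
        "marketing_before_optin": before_optin,
        "marketing_at_send": at_send,
        "marketing_after_withdrawal": after_withdraw,
        "earlier_send_still_lawful": send_still_lawful,
        "bundled_consent_rejected": bundled_rejected,
        "events_for_access_request": len(ledger.history("cust-42")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the ledger is an append-only table (no UPDATE or DELETE grants for the application role) with the notice version and channel stored on every row; the `history` query is what you run when a data principal asks what they consented to, and the marketing platform calls `is_permitted` before every send rather than trusting a subscriber flag that somebody can flip by hand.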
Data Processing Agreements (DPAs) with processors. Every vendor processing personal data on your behalf must be under a written contract that imposes DPDP-equivalent obligations, restricts use to your specified purposes, requires assistance with data principal requests, and requires prompt breach notification. Your cloud provider’s standard terms may satisfy parts of this, but do not assume — read the DPA.
Breach notification. Rule 7 sets a two-stage obligation. On becoming aware of a personal data breach, you must intimate each affected data principal “without delay” (describing the breach, its likely consequences, your mitigation, and the safety steps they can take), and intimate the Data Protection Board “without delay” with the basic facts — followed by a detailed report to the Board within 72 hours (extendable only if the Board allows it on written request). The practical implication: your detection-to-notification path must be measured in hours, not days.
Reasonable security safeguards. Encryption, access controls, logging, secure deletion, and a documented incident response plan. The Act does not prescribe specific technical measures, which means your “reasonable” must be defensible against what a competent industry peer would do. Aligning with CERT-In’s 15 baseline controls is the cleanest way for an SME to demonstrate reasonable security under DPDP.
Data Protection Officer. Only required for Significant Data Fiduciaries. If you are not an SDF, you still need a named contact person for data principal requests and grievances, but the statutory DPO role does not attach.
Record-keeping. You should be able to show, on reasonable request, the inventory of personal data you process, the purposes, the categories of data principals, retention periods, the list of processors, and the record of consents taken. Most SMEs underestimate this on the first pass.
DPDP for common SME operations
DPDP lands differently depending on what your SME actually does. The big categories:
Customer lists and CRM. Fresh data collected after the Act’s effective date needs a clean consent trail. For historical data predating the effective date, the Act requires a fresh notice and the option to withdraw consent; ongoing retention without that step is a risk. Your CRM is the system where most SMEs have the biggest gap.
Employee and HR data. Payroll, attendance, provident fund, performance records, background checks — all within scope. Consent is typically not the lawful basis here (employment creates an imbalance that makes “free” consent problematic); you rely on “legitimate uses” tied to employment. Document the purposes clearly. Employees remain data principals and retain rights of access, correction, and grievance.
Candidates and recruitment data. Harder than employee data, because the employment relationship does not yet exist. Treat candidate CVs as consent-based processing for a specific role with a short retention period — 6 to 12 months is a defensible default, unless the candidate consents to longer retention for future roles.
Vendor and supplier data. Most B2B vendor data is not personal data, but the individual contacts you hold — names, personal mobile numbers, personal emails — are. Minimise these, store them with the same care as customer data, and put DPAs in place where vendors process your customers’ or employees’ data on your behalf.
Marketing and email lists. Direct marketing requires consent that is specific to marketing. “By signing up you agree to receive marketing” buried in the terms of service is not valid consent. Use a clear, separate tick-box; keep the record; honour withdrawals immediately.
Website visitors, cookies and analytics. Cookies that process personal data need consent. The gap between a proper cookie banner and what most Indian websites currently display is wide; expect this to draw enforcement attention once the substantive obligations apply, because a cookie banner is the first thing a complainant or an auditor sees.
Cloud storage and third-party integrations. Every time data leaves your direct control, the DPA becomes a live artefact. Audit your cloud and SaaS stack. Identify where data sits physically, which processors have access, and whether the standard terms give you the rights you need under DPDP.
Implementation roadmap for SMEs
You cannot do DPDP compliance in a week. Here is a five-phase rollout that a typical 50-to-200-person SME can realistically complete without a dedicated privacy team.
Phase 1 (Month 1). Audit. Map every system holding personal data. For each, record what data, whose data, purpose, retention, access, and whether consent was captured. This produces your data inventory — the foundational document every other phase depends on. Include employee data, customer data, website analytics, and every SaaS vendor in scope.
Phase 2 (Month 2). Notices and consent. Update the privacy notice on your website. Build or upgrade consent capture on every customer-facing form. Decide lawful basis (consent vs. legitimate uses) for each category of processing. Refresh consent language in customer contracts and employee onboarding packs. Where historical consent is weak, plan a “fresh notice” campaign with clear withdrawal options.
Phase 3 (Month 3). Technical measures. Put reasonable security safeguards in place: encryption in transit and at rest, role-based access control, logging, secure deletion, and an incident response plan. This overlaps with CERT-In Controls 12 and 13; run the workstreams together. Aim for documented, defensible, and measurable — not “perfect”.
Phase 4 (Months 4 to 6). Processes and staff. Stand up the data-principal-request workflow (intake inbox, routing, response templates, tracking). Put DPAs in place with every processor. Train staff on handling personal data, recognising a breach, and escalating requests. Build a breach response runbook with Board notification and data principal communication templates.
Phase 5 (Ongoing). Monitor, audit, update. Quarterly access reviews. Annual privacy-notice refresh. Regular retention-schedule runs. Yearly internal audit with findings captured and remediated. Watch for SDF notification criteria if your business handles sensitive categories at scale.
Budget pragmatically. For a 50-to-200-person SME, most of the cost is in process design and internal time, not tooling. Tools you already have — CRM, email platform, HR system, cloud provider — can handle most of what DPDP requires once configured correctly. Add tooling only where the gaps are obvious: a consent-management platform for a consumer-facing website, a ticketing workflow for data-principal requests, a retention-automation job for systems that do not handle it natively.
Common DPDP mistakes (and how to avoid them)
Seven patterns come up repeatedly in Indian SME DPDP assessments. At least two will sound familiar.
Mistake 1 — Vague or bundled consent. “By clicking Sign Up you agree to the terms of service and privacy policy” is not DPDP-grade consent for marketing, analytics, or profiling. Separate the purposes, take separate consents, keep the record.
Mistake 2 — Outdated privacy notice. The policy copy-pasted from another website in 2019 does not meet DPDP’s notice requirements. Rewrite it in plain language with the specific categories and purposes your SME actually uses.
Mistake 3 — Over-retention. Keeping data “just in case” is now a penalty exposure. Build a retention schedule, enforce it with automation where possible, and document the exceptions (tax, employment, KYC) with the specific legal basis.
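The retention principle earlier on the page (every category of data has a documented retention period, erasure once the purpose is fulfilled, documented exceptions where another law requires retention) and the advice here to enforce the schedule with automation come together in a retention job. The following is an added example in Python, not code from the original post: a schedule that maps each data category to a retention period counted from a purpose-end event, a legal-hold override, and an evaluator that classifies records as erase, retain or review. The categories, the periods and the sample records are placeholders constructed for the example; the statutory periods for tax, employment and KYC records are deliberately not stated and must come from counsel.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    keep_for_days: int   # how long after the trigger event the data may be kept
    trigger: str         # the event that starts the clock (the purpose being fulfilled)
    basis: str           # documented justification; for exceptions, the law that requires retention


# Hypothetical schedule (an assumption for this example). The periods are
# placeholders, not statutory figures: confirm the tax, employment and KYC
# periods that apply to your business before adopting anything like this.
SCHEDULE = {
    "candidate_cv":      RetentionRule(365, "role_closed", "consent for one role; article's 6-12 month default"),
    "customer_order":    RetentionRule(8 * 365, "order_completed", "assumed accounting retention period (confirm with counsel)"),
    "marketing_contact": RetentionRule(0, "consent_withdrawn", "purpose ends the moment consent is withdrawn"),
    # DPDP Rules set a one-year floor for logs; this schedule erases at that floor.
    "security_log":      RetentionRule(365, "created", "DPDP Rules: logs retained at least one year"),
}


@dataclass
class Record:
    record_id: str
    category: str
    events: dict                        # event name -> date it happened
    legal_hold: Optional[str] = None    # a documented hold overrides the schedule


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str    # "erase", "retain" or "review"
    reason: str    # the sentence an auditor reads


def evaluate(record: Record, today: date) -> Decision:
    """Apply the schedule to one record. Anything the schedule cannot justify
    ends up in "review" rather than silently kept or silently erased."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        return Decision(record.record_id, "review",
                        f"no documented retention period for category {record.category!r}")
    if record.legal_hold:
        return Decision(record.record_id, "retain", f"legal hold: {record.legal_hold}")
    started = record.events.get(rule.trigger)
    if started is None:
        # Purpose not yet fulfilled: the role is still open, the order still
        # in flight, the consent still active. The clock has not started.
        return Decision(record.record_id, "retain",
                        f"purpose ongoing, no {rule.trigger!r} event yet ({rule.basis})")
    erase_on = started + timedelta(days=rule.keep_for_days)
    if today >= erase_on:
        return Decision(record.record_id, "erase",
                        f"{rule.trigger} on {started}; {rule.keep_for_days}-day period ended {erase_on}")
    return Decision(record.record_id, "retain", f"within period until {erase_on} ({rule.basis})")


def run_retention(records, today: date) -> dict:
    """Group decisions by action. The 'erase' list is the work order for the
    deletion job (and for processors holding copies); 'review' is the list of
    data nobody has written a purpose for."""
    decisions = [evaluate(r, today) for r in records]
    return {action: [d for d in decisions if d.action == action]
            for action in ("erase", "retain", "review")}


# Constructed sample records for the example; every identifier is made up.
SAMPLE_RECORDS = [
    Record("cv-001", "candidate_cv", {"role_closed": date(2025, 4, 1)}),
    Record("cv-002", "candidate_cv", {"role_closed": date(2026, 3, 1)}),
    Record("cv-003", "candidate_cv", {}),                                   # role still open
    Record("ord-100", "customer_order", {"order_completed": date(2020, 1, 15)}),
    Record("ord-101", "customer_order", {"order_completed": date(2015, 1, 1)},
           legal_hold="litigation hold (hypothetical)"),
    Record("mkt-007", "marketing_contact", {"consent_withdrawn": date(2026, 5, 30)}),
    Record("log-2025-04", "security_log", {"created": date(2025, 4, 1)}),
    Record("misc-009", "support_chat_export", {"created": date(2024, 1, 1)}),  # not in schedule
]


if __name__ == "__main__":
    for action, decisions in run_retention(SAMPLE_RECORDS, date(2026, 6, 1)).items():
        for d in decisions:
            print(f"{action:7} {d.record_id:12} {d.reason}")
```

Run it on a cron schedule against an export of each system's metadata, not its contents, and feed the "erase" list into the system's own deletion mechanism; the "review" list is the practical output of the data-inventory phase, because every record in it is data with no documented purpose, which is exactly the "just in case" exposure this mistake describes.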
Mistake 4 — Vendors without DPAs. Every processor needs a written DPA. The quickest wins are your CRM, your payroll provider, your email platform, and any marketing or analytics vendor.
Mistake 5 — No staff training. The team handling customer data day-to-day is where most breaches originate. A 45-minute session at onboarding plus an annual refresh is the minimum defensible baseline.
Mistake 6 — No breach response plan. The breach-notification obligation under Rule 7 is unforgiving and measured in hours (intimation to data principals and the Board “without delay”; detailed report to the Board within 72 hours). Pre-written templates for Board notification and data-principal communication, plus a named decision-maker for the “is this reportable?” call, are non-negotiable. The substantive provisions — including breach notification — become enforceable on 14 May 2027, but the work to be ready takes months, so build the runbook now.
Mistake 7 — Ignoring data principal requests. Every unlogged request becomes a potential complaint to the Data Protection Board. Set up the inbox, monitor it, and respond inside the response period you have published (at most 90 days under the Rules) even when the answer is “we do not hold data about you”.
DPDP alongside CERT-In and ISO 27001
SMEs often ask whether DPDP replaces CERT-In or ISO 27001. It does not. The three frameworks answer different questions.
CERT-In defines the technical and operational security baseline — what “reasonable security” looks like at a controls level, and when to report cyber incidents to the national CERT (within six hours of noticing them, under the April 2022 directions, which is a tighter clock than DPDP’s 72-hour detailed report to the Board, so one incident can carry two reporting deadlines). DPDP answers a different question: what are your obligations to the people whose personal data you hold? ISO 27001 provides the management-system scaffolding that turns ad-hoc controls into a programme you can certify against.
The overlap is real and useful. Encryption, access control, logging, and incident response appear in all three. Run them as one programme, not three. A single Information Security and Privacy Committee can own CERT-In baseline compliance, DPDP obligations, and (if needed) ISO certification scope. The artefacts stack — a single access-review document can be evidence under all three frameworks.
Sequence it like this. Start with CERT-In baseline controls because they are the operational foundation. Layer DPDP-specific obligations — consent, notices, data-principal rights, DPAs — on top. Consider ISO 27001 only once the first two are working, and only if a customer or commercial requirement justifies the cost.
Key takeaways and next steps
Three things to take away from this guide.
First, DPDP is not optional and not GDPR-lite. India’s data-protection regime has its own architecture, its own penalty schedule, and its own operational rhythm. If your SME processes digital personal data — and in 2026 that is essentially every SME — the Act reaches you.
Second, compliance is a programme, not an artefact. The privacy policy is the easy part. The hard parts — the data inventory, the consent trail, the DPA stack, the data-principal-request workflow, the breach response — take a quarter to build and a culture to maintain. Nobody gets there in a weekend. Every SME that succeeds does it in phases.
Third, the mistakes that cost SMEs the most are not legal subtleties. They are process mistakes — a vendor processing customer data without a DPA, an employee who kept a copy of the customer list on a personal Google Drive, a request from a data principal that sat unanswered in a shared inbox, a breach that the team recognised on Tuesday and reported on Friday. Fix the process and the law follows.
Start this week. Pull three items from Phase 1: appoint a named contact for data-principal requests, start the data inventory, and audit your top five vendor DPAs. Put them on the next leadership meeting agenda. That is the beginning of a DPDP implementation plan that carries you through the 14 May 2027 deadline — and through the hard questions your enterprise customers and insurers are already asking, well before the Data Protection Board is operational and enforcing.
GRC RADAR will be publishing a privacy notice template, a Data Processing Agreement checklist, a data-principal-request workflow, and a breach-notification playbook over the next sprint — bookmark the GRC RADAR hub to find them when they are live. If you have a specific question about how DPDP applies to your SME, reply on the Contact page; we use real questions to shape the next set of cluster posts.
GRC RADAR is India’s GRC and cybersecurity knowledge hub for SMEs — practical compliance content, no fluff, no jargon. This pillar post will be accompanied by three cluster posts (Consent Management, Data Deletion & Retention, Breach Notification) and five mini-blog posts later in Sprint 2.