DPDPA Compliance for SMEs: A Practical Guide to Key Obligations
India's Digital Personal Data Protection Act (DPDPA), 2023, applies to all businesses, including Small and Medium Enterprises (SMEs). Without clear exemptions, SMEs face a significant compliance challenge due to limited resources. This guide breaks down the core DPDPA obligations—from consent to breach notification—and provides actionable steps for smaller businesses to navigate the new privacy landscape.
What Changed
The Digital Personal Data Protection Act, 2023, has introduced a uniform data protection framework for India. For most commercial Small and Medium Enterprises (SMEs), the Act does not provide a dedicated scaled-down compliance framework, creating a significant compliance burden for smaller businesses that may lack dedicated legal teams or resources.
It is worth noting that Section 17 of the Act does provide certain exemptions — for example, personal or domestic use, state processing for subsidies, journalistic or research purposes, and national security — though these are unlikely to apply to most commercial SMEs. Importantly, Section 17(3) also empowers the central government to exempt specific classes of Data Fiduciaries from select provisions by notification. As of the date of this post, no such notification has been issued to provide SME-specific relief, meaning that the full compliance obligations of the Act apply to the vast majority of smaller businesses. This raises practical concerns about whether the cost and complexity of compliance could hinder the digital adoption of smaller enterprises.
What the Law Actually Says
The DPDPA imposes several core obligations on all Data Fiduciaries, irrespective of their size. Key requirements include:
- Applicability (Section 2(t)): The Act applies to the processing of digital personal data. This includes non-digital data that is subsequently digitised.
- Notice and Consent (Section 6): Data Fiduciaries must provide a clear, itemised notice to Data Principals before or at the time of collecting personal data. Consent must be free, specific, informed, unconditional, and unambiguous.
- Lawful Bases for Processing (Sections 4, 6, and 7): Personal data may be processed only on a lawful basis. The two primary bases under the Act are: (a) Consent (Section 6) — where the Data Principal gives free, specific, informed, unconditional, and unambiguous consent; and (b) Specified Legitimate Uses (Section 7) — which permits processing in defined circumstances without consent, such as for the performance of a function of the State, compliance with a legal obligation, or other purposes enumerated under Section 7.
- Purpose Limitation (Section 4(1)(b) read with Section 6): Personal data must be processed only for the specific purpose for which the Data Principal provided consent, or for a Specified Legitimate Use under Section 7.
- Collection Limited to What Is Necessary for the Specified Purpose (Section 6(2) read with Section 4): Data Fiduciaries must collect only as much personal data as is necessary to fulfil the specified purpose.
What Businesses Should Do Now
SMEs should take immediate, practical steps to build a foundation for DPDPA compliance:
- Review Data Collection: Audit all points of data collection (e.g., customer forms, WhatsApp chats, loyalty programs). Ask: 'Is every piece of information we collect strictly necessary for the service we provide?'
- Create Simple Consent Notices: Draft clear, easy-to-understand consent notices in local languages. Explain what data you are collecting and exactly why you need it. Avoid legal jargon.
- Establish a Grievance Channel: Designate a simple, accessible channel, such as a dedicated email address (e.g., privacy@yourbusiness.com), to handle user requests for data correction, deletion, or consent withdrawal. Maintain a log of these requests and their resolution.
- Implement Basic Security: Enforce fundamental security measures such as strong passwords, two-factor authentication, timely software updates, and basic data handling training for employees.
- Vet Technology Vendors: If you use third-party software (such as a US-based CRM or marketing tool), ask where the vendor stores data and whether it can help you fulfil data deletion and correction requests from your customers.
What Is Still Uncertain
While the DPDPA is in force and the DPDP Rules 2025 have been notified, several critical operational aspects for SMEs remain unclear pending further guidance from the Data Protection Board and the Central Government:
- Tiered Compliance: It is uncertain whether the Central Government or the Data Protection Board will issue guidance introducing a risk-based or tiered compliance framework that differentiates obligations by an entity's size and by the volume and sensitivity of the data it processes. No such framework has been established under the DPDPA 2023 or the DPDP Rules 2025 to date.
- SME-Specific Exemptions: The possibility of a 'Micro Fiduciary' or similar category with simplified compliance requirements for small businesses has been informally discussed but forms no part of the DPDPA 2023 or the DPDP Rules 2025. Any such category would require a formal amendment or notification.
- Definition of 'Reasonable Security Safeguards': The Act does not define what constitutes 'reasonable' safeguards for an SME with limited financial and technical resources. While the DPDP Rules 2025 address certain safeguard requirements, sector- or scale-specific clarification from the Data Protection Board has not yet been issued.
- Compliance Toolkits: Nothing in the DPDPA 2023 or the DPDP Rules 2025 confirms that the Central Government will provide standardised templates, DIY guides, or sector-specific compliance toolkits to assist SMEs.
- Phased Implementation: It remains unclear whether SMEs will be granted a longer grace period for compliance, as the Data Protection Board has not yet been fully operationalised and no enforcement timeline specific to SMEs has been notified under the DPDPA 2023 or the DPDP Rules 2025.
Top Mistakes to Avoid
SMEs must avoid these common misconceptions and errors when approaching DPDPA compliance:
- Assuming Exemption: Believing that being a small business grants an automatic exemption. The DPDPA applies to any entity processing digital personal data in India, regardless of size. Note that the Central Government may, by notification, exempt certain classes of Data Fiduciaries from specific provisions (Section 17(3), DPDPA 2023); however, no such blanket exemption for small businesses has been notified to date.
- Over-Collecting Data: Continuing to collect data 'just in case' (e.g., asking for a customer's family details for a simple retail transaction). This directly violates the principle of data minimisation under the Act.
- Ignoring User Rights: Failing to establish a process for users to withdraw their consent or request data deletion. An inability to fulfil these rights is a direct violation of the obligations set out under the DPDPA 2023.
- Using Foreign Software Blindly: Adopting international SaaS platforms without verifying whether the platform provides tools to comply with Data Principal rights requests under Indian law. SMEs should note that the DPDPA 2023, as enacted, does not impose a blanket data localisation mandate — storing data on foreign servers is not per se non-compliant — but Data Fiduciaries remain responsible for ensuring that any Data Processor they engage, including overseas SaaS providers, meets the obligations of the Act (Section 8(2), DPDPA 2023).
- No Plan for Data Breaches: Lacking a basic response plan for a personal data breach, however small. The Act mandates notifying the Data Protection Board and affected Data Principals in the event of a breach (Section 8(6), DPDPA 2023), and ignorance is not a valid defence. Penalties under the Schedule to the Act are imposed by the Data Protection Board following adjudication — they are not automatic upon the occurrence of a breach — and are capped by category of violation. For reference, the Schedule specifies a cap of ₹250 crore for failure to implement reasonable security safeguards (Schedule Item 1, DPDPA 2023) and ₹200 crore for breach of obligations relating to children's personal data (Schedule Item 2, DPDPA 2023), among other tiers. SMEs should assess their specific obligations to understand which penalty cap applies to their circumstances and should not assume that any single breach will automatically result in maximum penalties.
Sources
1. Digital Personal Data Protection Act, 2023, Section 17 (Exemptions) and Section 17(3) (power of the Central Government to exempt classes of Data Fiduciaries by notification), egazette.gov.in [Act text]
2. Digital Personal Data Protection Act, 2023, Section 6(1), Ministry of Electronics and IT, egazette.gov.in, August 2023 [Act text]
3. Digital Personal Data Protection Act, 2023, Section 8(1) and Section 8(6), egazette.gov.in [Act text]
4. Digital Personal Data Protection Rules, 2025, notified in the Official Gazette by the Ministry of Electronics and IT, 2025 [Notified Rules]
5. Digital Personal Data Protection Act, 2023, Schedule (Penalties), Items 1 to 7; penalty tiers range from ₹10,000 to ₹250 crore depending on the type of violation [Act text]
6. Digital Personal Data Protection Act, 2023, Section 4(1) and Section 6(2) [Act text]
7. Digital Personal Data Protection Act, 2023, Section 6(4) (withdrawal of consent must be as easy as giving it) and Section 13 (grievance redressal mechanism) [Act text]
8. Digital Personal Data Protection Act, 2023, Section 17(3), Gazette of India Extraordinary, Part II, Section 1, 11 August 2023 [Act text]