DPDPA compliance requirements for Indian small businesses
A plain-English guide to DPDPA compliance requirements for Indian SMBs: what data to map, the consent to fix, the vendors to review, and the gaps to close first — without the legal jargon.
What Changed
Before the DPDPA, most Indian small businesses treated personal data casually. Customer lists sat in Excel. Old CVs lived in folders for years. Client PAN and Aadhaar copies moved over WhatsApp. Privacy was one generic policy copied from another website.
The Digital Personal Data Protection Act, 2023 changes that. It makes personal data handling an accountable business function. It does not only ask whether you have a privacy policy — it asks whether your actual practices are defensible: what you collect, why, whether you informed the person, whether you got valid consent, where it is stored, who can access it, which vendor receives it, how long you keep it, and what happens if it leaks.
For most SMBs the problem is rarely deliberate misuse. It is that data is scattered across laptops, shared drives, WhatsApp groups, CRMs and agency dashboards. So readiness starts with visibility: you cannot protect what you cannot find, and you cannot delete what you never mapped. And "we are small" is no defence — the first pressure usually comes not from the regulator but from an enterprise buyer's vendor audit or a customer complaint.
What the Law Actually Says
Under the DPDPA your business is a Data Fiduciary for the data it decides how and why to process, and must meet 11 core requirements:
- Lawful, fair and transparent processing.
- Purpose limitation — use data only for the purpose you stated. A delivery number is not a marketing list.
- Data minimisation — collect only what you need.
- Notice — tell people what you collect, why, who you share it with, and how to withdraw consent or complain.
- Consent — free, specific, informed, unambiguous, and easy to withdraw. No pre-ticked boxes, no bundling marketing into service.
- Storage limitation — keep data only as long as the purpose lasts, then delete securely.
- Data principal rights — be ready to handle access, correction, erasure, withdrawal and grievances.
- Accountability — the responsibility is yours; you cannot pass it to a vendor.
- Security safeguards — access control, MFA, encryption where appropriate, audit logs.
What Businesses Should Do Now
- Map your personal data in a 10-column inventory: category, source, purpose, system, owner, access group, vendor, retention period, risk, action.
- Fix consent: unbundle marketing from service, untick pre-ticked opt-ins, surface buried checkboxes, drop forever-consent.
- Rewrite your privacy notice in plain English, specific to your business — not a copied template.
- Control access: remove ex-employees, interns and agencies; lock high-risk folders; stop forwarding PAN, Aadhaar and reports over WhatsApp.
- Set retention rules per category, starting with PAN, Aadhaar, bank, health, children's data and CVs.
- Review vendors: list everyone who touches personal data and update contracts for purpose, security, breach support and deletion.
- Set up rights handling: one email or form, one owner, a tracker and a defined timeline.
- Prepare a breach runbook and run one internal drill.
- Train the teams that actually touch data: sales, HR, finance, ops, support and marketing.
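The inventory is only useful if someone reviews it. The script below is an added example (not part of the guide) that loads a 10-column inventory in CSV form, rejects it if a column is missing, and flags the gaps the guide calls out first: rows with no owner, high-risk categories sitting in a WhatsApp system, and rows whose retention period has run out. The sample rows are constructed, and `collected_on` is an assumed extra column so expiry can be computed; `retention_period` is assumed to be in days.

```python
import csv
import io
from datetime import date, datetime, timedelta

# The ten inventory columns named in the guide.
COLUMNS = ["category", "source", "purpose", "system", "owner", "access_group",
           "vendor", "retention_period", "risk", "action"]
# Categories the guide says to give retention rules first.
HIGH_RISK = {"pan", "aadhaar", "bank", "health", "children", "cv"}

# Constructed sample inventory (not real data). retention_period is in days;
# collected_on is an assumed extra column so expiry can be checked.
SAMPLE_INVENTORY = """\
category,source,purpose,system,owner,access_group,vendor,retention_period,risk,action,collected_on
pan,kyc form,tax filing,shared drive,finance lead,finance,,2555,high,lock folder,2015-01-10
cv,job portal,hiring,hr laptop,,hr,,180,medium,,2023-02-01
delivery address,checkout,delivery,crm,ops lead,ops,courier co,90,low,,2025-04-01
aadhaar,kyc form,onboarding,whatsapp group,,sales,,365,high,,2024-12-01
"""


def load_inventory(text):
    """Parse the CSV and refuse it if any of the ten required columns is missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"inventory is missing columns: {missing}")
    return list(reader)


def review_inventory(rows, today):
    """Return one finding per gap: no owner, high-risk data on WhatsApp, expired retention."""
    findings = []
    for n, row in enumerate(rows, start=1):
        cat = row["category"].strip().lower()
        if not row["owner"].strip():
            findings.append({"row": n, "category": cat, "issue": "no owner"})
        if cat in HIGH_RISK and "whatsapp" in row["system"].lower():
            findings.append({"row": n, "category": cat, "issue": "high-risk data on WhatsApp"})
        collected = datetime.strptime(row["collected_on"], "%Y-%m-%d").date()
        expiry = collected + timedelta(days=int(row["retention_period"]))
        if expiry < today:  # purpose window has closed; data should have been deleted
            findings.append({"row": n, "category": cat, "issue": "retention expired",
                             "detail": expiry.isoformat()})
    return findings


if __name__ == "__main__":
    for f in review_inventory(load_inventory(SAMPLE_INVENTORY), date(2025, 6, 1)):
        print(f"row {f['row']} ({f['category']}): {f['issue']} {f.get('detail', '')}")
```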
What Is Still Uncertain
DPDPA implementation is still settling. The Data Protection Board's enforcement posture will become clear only as complaints and orders build precedent. Significant Data Fiduciary classification, verifiable parental-consent expectations for children's data, the consent-manager ecosystem, and cross-border transfer notifications are all still evolving. None of this is a reason to wait — consent, notice, access control, retention and breach readiness are common-sense controls that hold up regardless of how the fine print lands.
Top Mistakes to Avoid
- Copying a privacy policy and calling it readiness — the policy then becomes evidence of the gap.
- Treating consent as a decorative checkbox instead of a purpose-specific, withdrawable choice.
- Ignoring WhatsApp data flows, where most PAN, Aadhaar, CVs and reports actually move.
- Keeping data forever — default retention is the most expensive retention policy in India.
- Forgetting vendors — your processor's failure becomes your customer-trust problem.
- No owner for privacy — if everyone owns it, nobody does.
- Leaving access open after people exit.
- Assuming small businesses are safe — exposure comes through audits, disputes and leaks, not just regulators.
- Buying tools before mapping data.
- Waiting for a notice or complaint to act.