Compliance Guide

How to Comply with India's DPDP Act 2023 — Practical SME Guide

India's Digital Personal Data Protection Act 2023 (DPDP) is enforceable as of 2026. Indian businesses (any size) handling personal data must comply with consent, retention, breach notification, and Data Principal rights. Below is the seven-step practical compliance roadmap for Indian SMEs — what to do, in what order, with realistic timelines.

Frequently Asked Questions

Does DPDP Act apply to small Indian businesses?

Yes — DPDP applies to any Indian business processing personal data, regardless of size. Some compliance obligations (mandatory DPO, breach impact assessments) apply only to Significant Data Fiduciaries (likely defined as larger entities by Government notification). But baseline obligations — consent, retention, Data Principal rights — apply to all.

What are the penalties for DPDP non-compliance in India?

Up to ₹250 crore per instance for serious violations. For SMEs, more relevant tiers: ₹50 crore for failure to handle Data Principal rights, ₹200 crore for breach notification failures. Actual enforcement against SMEs is likely to start with warnings and small fines, but the legal exposure is significant.

How long does DPDP compliance take for an Indian SMB?

Initial setup: 4-8 weeks. Phase 1 (week 1-2): data inventory + privacy policy update. Phase 2 (week 3-4): consent mechanism + Data Principal rights process. Phase 3 (week 5-6): retention policies + vendor DPAs. Phase 4 (week 7-8): breach response setup + training. Ongoing: monthly review + new data flow assessment.

Do I need a Data Protection Officer (DPO) for my Indian SMB?

Per DPDP Act, only Significant Data Fiduciaries must appoint a formal DPO. For most SMEs, designating a senior person (CTO, CFO, COO, or founder) as the privacy lead is sufficient. The role: monitor compliance, respond to Data Principal requests, liaise with Data Protection Board, lead breach response.

How does DPDP interact with international data transfer (e.g., to AWS US)?

DPDP allows cross-border data transfer to countries notified by Government. Until notifications, transfer to most major jurisdictions (US, EU, Singapore, Japan) is permitted with proper safeguards: Standard Contractual Clauses, vendor DPAs, and adequate security. For sensitive data, consider Indian data residency: AWS Mumbai, Microsoft 365 India regions, Zoho Indian DC, or Yotta sovereign cloud.

Free DPDP Act 2023 compliance consultation for Indian businesses — practical roadmap.