How-To Guide

How to Comply with India's DPDP Act as an SME — Step-by-Step Guide (2026)

The Digital Personal Data Protection (DPDP) Act 2023 is India's first comprehensive data privacy law. With rules expected to be finalised in 2025–26, Indian businesses of all sizes need to prepare now. Non-compliance can result in fines up to ₹250 crore. This guide gives Indian SMEs a practical, step-by-step compliance roadmap without the legal jargon.

Frequently Asked Questions

Do SMEs with fewer than 50 employees need to comply with DPDP Act?

The DPDP Act applies to all organisations that process personal data of Indian citizens — regardless of size. However, the government may issue different rules for Small Data Fiduciaries (smaller organisations). The core obligations (consent, security, breach notification) apply to all. Start with the basics: privacy policy, consent on forms, and basic access controls.

What is the maximum penalty for DPDP Act violations in India?

The DPDP Act sets penalties up to ₹250 crore for the most serious violations (failure to take reasonable security safeguards leading to a breach). Lower violations are penalised at ₹50–200 crore. For SMEs, the immediate risk is from: not having a privacy policy (₹50 crore), insufficient security leading to a breach (₹250 crore), and not honouring data erasure requests.

Do we need to hire a Data Protection Officer (DPO) for DPDP compliance?

The DPDP Act requires Significant Data Fiduciaries (designated by the government based on data volume and sensitivity) to appoint a DPO. Most SMEs will not fall into this category. However, assigning a Privacy Point of Contact (your IT manager or legal consultant) to handle DPDP obligations is strongly recommended for all businesses.

Need help with DPDP Act compliance? Our compliance team helps Indian SMEs implement the technical and process controls needed to comply. Get a free DPDP readiness assessment.