How to Comply with India's DPDP Act as an SME — Step-by-Step Guide (2026)
The Digital Personal Data Protection (DPDP) Act 2023 is India's first comprehensive data privacy law. With rules expected to be finalised in 2025–26, Indian businesses of all sizes need to prepare now. Non-compliance can result in fines up to ₹250 crore. This guide gives Indian SMEs a practical, step-by-step compliance roadmap without the legal jargon.
Understand What Data You Collect and Process: Start with a Data Inventory (also called a Data Map). Document: what personal data you collect (name, mobile, email, Aadhaar, PAN, biometrics, location), where you store it (CRM, HR system, accounting software, WhatsApp, Google Sheets), who has access to it, how long you keep it, and whether you share it with third parties (cloud vendors, payment gateways, marketing agencies). This inventory is the foundation of all DPDP compliance.
Include Google Sheets and WhatsApp groups — informal data storage counts
Document data of employees as well as customers and vendors
Don't forget call recordings, CCTV footage, and attendance data
Include third-party processors like Razorpay, Zoho, AWS in your inventory
Get Valid Consent from Data Subjects: DPDP Act requires "free, specific, informed, unconditional, and unambiguous" consent for processing personal data. Review all your consent points: website contact forms (add explicit consent checkbox), app signup (updated Terms of Service and Privacy Policy), lead generation (IndiaMart, JustDial — add consent clause), employee onboarding (update employment contracts), and customer KYC (update your onboarding forms). Consent must be in plain language, available in scheduled Indian languages, and easily withdrawable.
Update your website privacy policy — do it now, not after rules are notified
Add explicit opt-in checkboxes to contact and lead forms
Keep a record of when and how consent was obtained
Make consent withdrawal as easy as consent — provide a simple unsubscribe or "request deletion" mechanism
Implement Data Minimisation and Purpose Limitation: Collect only the data you actually need for a specific purpose. If you're collecting someone's mobile number for sending invoices, you don't need their date of birth. Audit each data collection point and remove unnecessary fields. Don't use data collected for one purpose for a different purpose without new consent. Example: don't use customer emails collected during checkout for marketing without explicit marketing consent.
Remove unnecessary fields from web forms
Don't make Aadhaar or PAN mandatory unless required by law
Separate marketing consent from service-related communications
Document the business purpose for each type of data collected
Set Up Data Breach Response Procedures: DPDP Act requires notifying the Data Protection Board (DPB) of significant breaches. Implement: an incident response plan (who to call, what to do in the first 72 hours), a breach detection system (endpoint security + SIEM), and a breach notification template. Keep contact details of your cloud vendors' data breach hotlines. Run a tabletop exercise annually simulating a ransomware attack and the DPDP notification process.
Create a one-page breach response flowchart for your team
Enable breach detection alerts in your cloud platforms (AWS GuardDuty, Azure Defender)
Pre-draft your notification template — when a breach happens, you're under time pressure
Know your cloud vendors' incident timelines — their breach alerts trigger your obligations
Implement Technical Controls: Technical controls that directly support DPDP compliance: access control (only authorised people access personal data), encryption at rest and in transit, audit logs of who accessed what data and when, data retention policies (delete data after the purpose is served), and vendor data processing agreements (DPAs) with your cloud providers and SaaS vendors. Most major cloud providers (AWS, Google, Microsoft, Zoho) already provide DPAs — request them through your account manager.
Enable encryption at rest on all databases and cloud storage
Keep access logs for at least 180 days (CERT-In also requires this)
Get signed DPAs from all SaaS vendors who process your customer data
Implement a data deletion schedule — unused data is a liability
Frequently Asked Questions
Do SMEs with fewer than 50 employees need to comply with DPDP Act?
The DPDP Act applies to all organisations that process personal data of Indian citizens — regardless of size. However, the government may issue different rules for Small Data Fiduciaries (smaller organisations). The core obligations (consent, security, breach notification) apply to all. Start with the basics: privacy policy, consent on forms, and basic access controls.
What is the maximum penalty for DPDP Act violations in India?
The DPDP Act sets penalties up to ₹250 crore for the most serious violations (failure to take reasonable security safeguards leading to a breach). Lower violations are penalised at ₹50–200 crore. For SMEs, the immediate risk is from: not having a privacy policy (₹50 crore), insufficient security leading to a breach (₹250 crore), and not honouring data erasure requests.
Do we need to hire a Data Protection Officer (DPO) for DPDP compliance?
The DPDP Act requires Significant Data Fiduciaries (designated by the government based on data volume and sensitivity) to appoint a DPO. Most SMEs will not fall into this category. However, assigning a Privacy Point of Contact (your IT manager or legal consultant) to handle DPDP obligations is strongly recommended for all businesses.
Need help with DPDP Act compliance? Our compliance team helps Indian SMEs implement the technical and process controls needed to comply. Get a free DPDP readiness assessment.