EverydayPDF Logo
DPDP Act 2023 · India

The DPDP Act for Small Businesses and Startups

Updated July 5, 2026·8 min read·EverydayPDF Research

The DPDP Act applies to a ten-person D2C brand as much as to a bank — but the workload is not the same. Most small businesses are ordinary Data Fiduciaries, which means the heavyweight obligations (Data Protection Officer, impact assessments, audits) do not apply. What remains is a manageable core.

What you must do

  • Have a lawful basis (consent or a Section 7 legitimate use) for each purpose you process personal data for.
  • Show an itemised notice when collecting data — what you collect, why, how to withdraw and complain.
  • Protect the data with reasonable safeguards: encryption, access limits, and basic logging.
  • Report every personal data breach to affected individuals and the Data Protection Board.
  • Delete personal data when its purpose is served (subject to legal retention duties).
  • Publish a grievance contact and answer access/correction/erasure requests.
  • Get verifiable parental consent before processing data of users under 18 — and never target ads at children.

What you can (probably) skip

  • A Data Protection Officer — required only for notified Significant Data Fiduciaries.
  • Data Protection Impact Assessments and annual audits — likewise SDF-only.
  • GDPR-style records of processing — not mandated for ordinary fiduciaries (though a simple data map is how you answer every other obligation, so keep one anyway).

Employee data: the quiet exemption

Section 7 lists employment purposes as a legitimate use — payroll, attendance, benefits, protecting the employer from loss — so routine HR processing does not need consent. Processing employee data beyond employment purposes (selling it, unrelated profiling) does.

The one-week starter plan

  1. Day 1–2: List your personal-data flows — signup forms, orders, support tickets, HR files, and the SaaS tools each one touches.
  2. Day 3: Rewrite your privacy notice to the itemised standard and link it at every collection point.
  3. Day 4: Kill silent data collection — pre-ticked boxes, bundled consents, marketing lists without consent.
  4. Day 5: Basic safeguards — turn on 2FA everywhere, restrict folder access, enable disk encryption on laptops that hold customer data.
  5. Day 6: Vendor pass — for each tool holding personal data, check for a processing contract (DPA) and a deletion story; replace the ones that have neither.
  6. Day 7: Write the half-page breach plan: who decides, who drafts the notice, where the Board filing happens.

Startup relaxations

The Act lets the government notify relaxed application of certain provisions for startups. Watch for notifications that name your class of entity — but do not build your plan on an exemption that has not been published.

One vendor you can strike off the list

If your team uses online tools to compress or convert documents containing customer data, switch to browser-native tools — files never leave the device, so there is no vendor to audit.

Browse zero-upload tools

Frequently asked questions

Does the DPDP Act really apply to my 5-person company?+

Yes — the Act has no size threshold. If you process digital personal data of people in India and decide the purpose, you are a Data Fiduciary. The obligations scale down in practice because the SDF-only duties (DPO, DPIAs, audits) will not apply to you.

What does DPDP compliance cost a small business?+

For most small companies the cost is mainly time: a data map, a rewritten notice, consent fixes, access controls and a breach plan. Tooling costs can be near zero — encryption, 2FA and access controls are built into the platforms you already use.

Do I need consent for my existing email marketing list?+

If subscribers gave clear consent to receive marketing, you can continue (send them the new-format notice). Lists built from purchases, scraping or bundled checkboxes need fresh, specific consent — marketing is not a Section 7 legitimate use.

What if I use foreign SaaS tools that store data abroad?+

Cross-border transfer is permitted by default unless the destination is on a government-notified restricted list. Your real obligation is the processor relationship: a contract, and confidence the tool maintains equivalent security safeguards.

Continue reading

This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.