Skip to main content
RoseleapBlog · Compliance

DPDP Act 2023: what Indian small businesses need

A clear DPDP Act 2023 guide for Indian small businesses, clinics, e-commerce and B2B firms, who it covers, what your site needs, what it costs, and the penalties.

·15 min read

India's Digital Personal Data Protection Act, 2023: the DPDP Act, is now law. The Act was passed in August 2023, parts of it have been notified, and the Data Protection Rules, 2025 have given it operational shape. The Data Protection Board of India is being constituted. Enforcement is starting to ramp.

Most Indian small business owners have heard the name and moved on. Big mistake. The DPDP Act applies to every business in India that collects any personal data from individuals: yes, including yours. A clinic taking patient phone numbers. A restaurant collecting emails for a newsletter. A web design agency keeping a CRM. A consultant emailing prospects. There is no minimum-size threshold and no startup exemption.

The good news: getting compliant is not expensive, not complicated, and mostly involves cleaning up things you should already have been doing. This guide is the practical version, what the Act actually says, what your website actually needs, what compliance costs, and what happens if you ignore it.

What the DPDP Act 2023 actually does

The DPDP Act gives Indian residents legal rights over their own personal data and imposes legal obligations on businesses that collect or use that data. Conceptually, it is the Indian cousin of the EU's GDPR, narrower in scope, simpler to comply with, but carrying real teeth.

Five concepts you need to know in plain English:

  • Personal data: any information that identifies an individual, on its own or in combination with other data. Names, emails, phone numbers, addresses, IP addresses tied to a person, photos, KYC documents, payment information. If your system can connect a piece of data to a real person, it's personal data.
  • Data Principal: the individual whose data is being collected (your customer, patient, lead, employee).
  • Data Fiduciary: the business that decides why and how personal data is processed. If you collect customer info for any business purpose, you are a Data Fiduciary. This is the role you almost certainly occupy.
  • Data Processor: a third party that processes data on a Data Fiduciary's behalf (your hosting provider, email tool, CRM, payment gateway).
  • Significant Data Fiduciary (SDF): large players the central government designates based on volume, sensitivity and risk (banks, telcos, social platforms). Most SMBs are not SDFs and don't need to worry about the heavier obligations.

Who the DPDP Act applies to

Almost certainly, you. The Act applies to:

  • Any business in India that processes personal data of individuals in India.
  • Any foreign business that processes personal data of individuals located in India in connection with offering goods or services to those individuals.

It does not apply to:

  • Personal or household activity (a private contact list on your phone).
  • Personal data made publicly available by the individual themselves, or by some legal mandate.
  • Data processed by certain government and law-enforcement functions, with carved-out exemptions.

If you run a business, take customer information of any kind, and operate in or sell into India, the Act applies. There is no size exemption. A one-doctor clinic is in the same legal category as a 10,000-employee enterprise (with proportionate obligations).

What you have to do, the seven obligations

1. Notice, tell people what you collect and why

Before or at the point of collecting personal data, you must give the Data Principal a clear, plain-English notice of:

  • What personal data you are collecting.
  • The purpose for which it's being collected.
  • How they can exercise their rights (access, correction, deletion).
  • How to contact your business or your DPO with grievances.

In practice, this is your privacy policy, but only if it's a real one. A generic template that doesn't match what your business actually collects does not satisfy this requirement.

2. Consent, get permission, properly

Personal data can only be processed for a specific purpose with free, specific, informed, unambiguous, affirmative consent. In English: you cannot pre-tick the “I agree” box. You cannot bury consent in a 30-page T&C. You cannot ask for consent to one thing and silently use the data for another.

There are limited legitimate use exceptions where consent is not required (e.g., emergency medical treatment, statutory compliance, court orders, employment context). For most marketing, customer-relationship, analytics and product use cases, you need consent.

3. Purpose limitation, use it only for what you collected it for

If you collected an email address to send a quote, you cannot silently add it to a newsletter list. If you collected a phone number for delivery, you cannot share it with a marketing partner without fresh consent. Re-purposing data requires fresh consent.

4. Data minimisation, only what you actually need

Collect the minimum personal data necessary for the stated purpose. The seventeen-field contact form is not just bad UX, it is potentially non-compliant. If you don't need the company size, GST number or industry vertical to answer a basic enquiry, don't ask for them.

5. Reasonable security safeguards

You must take “reasonable security safeguards” to prevent personal data breaches. The Act doesn't define exactly what is reasonable, but the implied baseline is:

  • HTTPS everywhere on the website.
  • Hardened response headers (CSP, HSTS, X-Frame-Options).
  • No admin login on the public web (or strong auth if there is).
  • Encrypted storage and transmission of sensitive data.
  • Access controls, least-privilege access to internal tools and databases.
  • Logging and monitoring for unauthorised access.
  • A documented breach-response process.

If you suffer a breach, you must notify the Data Protection Board and the affected Data Principals, promptly. The window is not formally defined but timeframes will tighten in the Rules.

6. Honour Data Subject Rights (DSARs)

Data Principals have the right to:

  • Access, know what personal data of theirs you hold and how you use it.
  • Correction, request correction or update of inaccurate data.
  • Erasure, request deletion (subject to your legal record-keeping obligations).
  • Grievance redressal, a published mechanism to raise complaints.
  • Nominate, designate a person to exercise rights on their behalf in case of death or incapacity.
  • Withdraw consent, at any time, with as little friction as giving it.

You need a documented workflow to receive and respond to these requests within a reasonable timeframe (most jurisdictions converge on 30 days; the DPDP Rules will likely confirm).

7. Special obligations toward children and persons with disability

For users under 18, you must obtain verifiable parental consent. You cannot do targeted advertising to children. You cannot “track” them or monitor their behaviour. Same protections apply when collecting data of persons with disabilities through their lawful guardians.

Penalties, what happens if you ignore the Act

The DPDP Act has serious teeth. Maximum penalties:

  • ₹250 crore: failure to take reasonable security safeguards leading to a data breach.
  • ₹200 crore: failure to notify the Data Protection Board or Data Principals of a breach.
  • ₹150 crore: failure to fulfil obligations toward children.
  • ₹50 crore: failure to fulfil duties as a Significant Data Fiduciary.
  • ₹10,000: for the individual Data Principal who breaches their own duties.
  • ₹50 crore (residual), breach of any other DPDP Act provisions.

These are maximum penalties. In practice, fines are proportionate to the severity of the breach, the size of the business, and intent. But even at 5% of the maximum, say ₹12.5 crore for a serious breach, the number dwarfs the cost of being compliant in the first place.

The Data Protection Board is still ramping enforcement, and the first wave of penalties will likely target large, deliberate offenders. But once the Board is fully operational (expected to scale through 2026–2027), routine compliance becomes table-stakes, especially as international clients, govt-tender buyers and partners begin to require proof of DPDP compliance during due diligence.

What your website actually needs to be DPDP-compliant

For 90% of Indian small businesses, the website is the primary place personal data is collected. Getting the website right is most of the battle. The minimum technical and content list:

1. A real privacy policy

Not a template from a 2018 blog. A privacy policy actually drafted to your data flows, what you collect, why, where it goes, how long you keep it, who else touches it. Linked from the footer of every page. Updated when your data flows change. Ours is at /privacy if you want to see a real-world example.

2. Named sub-processor disclosure

Every third-party service that touches personal data on your behalf, named publicly in your privacy policy. Hosting (Vercel? Hostinger? AWS?). Analytics (GA4? Vercel? Plausible? Mixpanel?). Email tool. CRM. Payment processor. The DPDP Rules specifically require disclosure of who processes data on your behalf, and vague phrasing like “our trusted technology partners” does not satisfy the requirement.

3. Lawful consent capture on forms

Every form that collects personal data needs a consent mechanism that is:

  • Explicit (not pre-checked).
  • Specific (says what data is being collected and why).
  • Granular if applicable (separate opt-ins for newsletter vs marketing vs partner sharing).
  • Easy to withdraw, link to a contact email or self-service unsubscribe.

4. Cookie / tracking consent, if applicable

If your website uses cookies for non-essential purposes (analytics, marketing pixels, third-party widgets), you need a cookie consent mechanism. A passive banner saying “we use cookies” isn't enough, visitors must be able to accept, reject, or selectively manage cookie categories. Many simple business websites that use only first-party cookieless analytics (Vercel Web Analytics, Plausible) avoid this entirely.

5. DSAR contact mechanism

A visible email address (or contact form) that Data Principals can use to exercise their rights, access, correction, erasure, consent withdrawal. Most businesses put this in the privacy policy with a simple “Write to [email protected], and crucially, an internal workflow to actually respond within 30 days.

6. Reasonable security baseline

HTTPS, modern hosting, hardened response headers, no public admin panels with weak passwords, encrypted backups, access controls on internal tools, monitoring for unauthorised access. Most modern Next.js-on-Vercel sites tick most of these by default. Most old WordPress sites on cheap shared hosting tick almost none.

7. Breach response playbook

A written, internal document that says: If we suspect a breach, here is what we do within 24 hours, here is who we notify and how, here is what we say to affected users.Doesn't need to be long. Needs to exist before you need it.

What it costs to become compliant

For most Indian SMBs, DPDP compliance is dramatically cheaper than people fear:

  • Tier 1, small businesses (single website, basic CRM, 1–2 email tools): ₹40,000 to ₹1.5 lakh, one-time.Audit + real privacy policy + consent flows + DSAR workflow + documentation. RoseLeap's fixed-fee starter package sits here.
  • Tier 2, growing businesses with multiple systems: ₹1.5 lakh to ₹4 lakh. Same plus deeper data-flow mapping across systems, vendor risk reviews, and template breach-response materials.
  • Tier 3, businesses heading toward SDF status (or pharma, healthcare, fintech that hold sensitive data): ₹4 lakh+ plus a DPO-as-a-Service retainer (₹15,000 to ₹40,000/month).

Compare to the penalty ceiling (₹250 crore) and the cost is rounding error. Compare to the cost of a reputational disaster after a breach, emails leaked, customer details stolen, news coverage, and it's a no-brainer.

The five worst things you can do right now

  • Use a Generated/Template Privacy Policy from a free site.Almost certainly doesn't match your data flows, doesn't name your real sub-processors, doesn't specify your real retention. Not compliant.
  • Ignore consent and just collect data anyway. Maximum penalty exposure. The Data Protection Board will inevitably make an example of someone in this category.
  • Run an old WordPress site with weak admin passwords on shared hosting. Will be breached. Will then fail the “reasonable security safeguards” test. Penalty cap: ₹250 crore.
  • Pretend the DPDP Act “doesn't apply to small businesses”. It applies to every business, no size exemption.
  • Hire a generic “compliance consultant” for ₹2,000/month. You get what you pay for. Real DPDP compliance requires legal-grade documentation coupled with technical implementation. Cheap bundles deliver neither.

What RoseLeap does on DPDP

We design, build and run websites for a living, which means we already implement most of the DPDP technical requirements as a matter of course, HTTPS, hardened headers, no public admin, secure deploys, privacy-preserving analytics. Our DPDP Compliance service wraps that with the missing 30%: a real audit of your data flows, a real privacy policy drafted to your data, consent flows that actually work, a DSAR workflow your team can run, and an internal compliance binder.

We offer the full stack:

  • One-time package (₹40K – ₹3L): Audit, fix, document. Six to eight weeks.
  • Retainer (₹15K – ₹40K/month): Ongoing DPO-as-a-Service, quarterly reviews, query desk, breach response.

Where to start

Three things you can do this week without spending a rupee:

  • Map your data flows. List every place personal data lives in your business, website forms, CRM, email tools, analytics, hosting, third-party integrations. For each, write: what data, why, how long, who else touches it. That single document is the foundation of your compliance.
  • Look at your current privacy policy.If it doesn't name your real sub-processors, doesn't specify retention periods, doesn't describe DSAR rights, or is suspiciously similar to a template you found online, it's not DPDP-compliant. Treat it as a placeholder until you have a real one.
  • Audit every form on your website. Are they collecting more data than you actually need? Are they capturing explicit consent? Is consent withdrawal easy?

Those three exercises alone will surface 80% of what needs fixing. The remaining 20% is what a real audit and implementation closes.

DPDP compliance is not optional, not someone else's problem, and not as expensive as people fear. It is, however, the kind of thing that quietly becomes a competitive advantage, clients, partners and procurement teams now ask “are you DPDP-compliant?” before signing. Being able to answer yes, and prove it, opens doors that stay closed for vendors who can't.

Want help?

We package DPDP compliance for Indian small businesses, clinics, e-commerce stores, pharma exporters and B2B firms. Fixed-fee scope, six to eight weeks, with a defensible compliance binder at the end. Read the service overview at /services/dpdp-compliance or tell us about your business directly at the contact page, one-business-day reply, fixed plan back.

RoseLeap.

Rooted in Data · Built to Bloom

Need help with your own?

Tell us about your project. We come back with a clear, honest plan.

Start a Project