The Digital Personal Data Protection (DPDP) Act, 2023 was just a paper law for two years. That changed on 13 November 2025, when the Ministry of Electronics and Information Technology (MeitY) gazetted the long-awaited DPDP Rules 2025 along with a phased enforcement calendar. India now has a real, calendared data protection regime — and small and mid-sized Indian businesses are squarely inside it.
If you collect a customer phone number, store an employee Aadhaar copy, run a CRM, send WhatsApp marketing, or capture a website lead form — you are a Data Fiduciary under the law. The full compliance deadline is 13 May 2027, but the Data Protection Board of India (DPBI) is already operational and accepting complaints. Treat 2026 as your build year.
The Phased Enforcement Timeline
MeitY notified three enforcement dates instead of one. Each date triggers a different layer of obligation:
- 14 November 2025 — Phase 1: The Data Protection Board of India is constituted and starts functioning. Data principals (any individual whose personal data you hold) can already file complaints; the Board can already inquire into breaches.
- 14 November 2026 — Phase 2: Consent Manager provisions become enforceable. Registration of Consent Managers with the DPBI begins. Their obligations under Rule 4 take effect.
- 14 May 2027 — Phase 3: All substantive obligations are live. Notice and consent requirements, security safeguards, breach notification, data principal rights, retention limits, and the full Rs 250 crore penalty regime become enforceable.
The phasing gives you 18 months. It does not give you a free pass. Customers who complain to the DPBI today about consent abuse, spam WhatsApp messaging, or unauthorised data sharing are already getting their cases registered. The fines simply start landing from May 2027.
Are You a Data Fiduciary? (Yes — Almost Certainly)
The DPDP Act defines a Data Fiduciary as any person who alone or with others determines the purpose and means of processing personal data. There is no turnover threshold. There is no employee count carve-out. If you collect any of the following, you are in scope:
- Customer name, phone, email, address, PAN, Aadhaar, GSTIN
- Employee KYC, salary, attendance, biometric data
- Website visitor data through cookies, forms, chatbots, or analytics
- WhatsApp opt-ins, SMS subscriber lists, email marketing databases
- Vendor or contractor personal data
The Act applies even to digitised paper records. Your old admission forms, lease agreements, and HR files are in scope the moment you scan them.
The Five Compliance Pillars Every SMB Must Build
1. Notice and consent — the new rule of collection
Before collecting any personal data, you must serve a standalone privacy notice in plain language and any of the 22 official languages requested. Consent must be free, specific, informed, unconditional, and unambiguous, and demonstrated by a clear affirmative action — pre-ticked boxes and bundled consents do not qualify. Each purpose needs its own consent toggle.
2. Reasonable security safeguards
Rule 6 of the DPDP Rules 2025 requires encryption, access controls, monitoring, and periodic security review. For SMBs, the practical floor is: TLS 1.2+ on all sites and APIs, role-based access in your CRM and ERP, multi-factor authentication on admin accounts, encrypted backups, and a documented patching policy. A breach caused by skipping these basics is what attracts the Rs 250 crore upper limit.
3. Breach notification — 72 hours, no exceptions
If you discover a personal data breach, you must notify the DPBI and every affected data principal within 72 hours, with the nature, scope, and likely consequences. Unlike GDPR, the DPDP Act has no risk-based threshold — every breach is reportable, even if the impact looks minor.
4. Data principal rights
Every individual whose data you hold can demand: a copy of their data, correction or erasure, withdrawal of consent, a summary of processing activities, and grievance redressal. Build a request-handling workflow with response SLAs before May 2027 — not after the first request lands.
5. Purpose limitation and retention
You can only process data for the purposes consented to. The moment the purpose is fulfilled or consent is withdrawn, you must delete it (subject to legal retention obligations like Income Tax Act seven-year rules). Indefinite "we keep everything just in case" databases are no longer legal.
Significant Data Fiduciary — Probably Not You, But Check
The government can designate any entity as a Significant Data Fiduciary (SDF) based on volume of data, sensitivity, risk to data principals, and impact on national interest. SDFs face heavier obligations: a mandatory Data Protection Officer (DPO) reporting to the board, an annual independent data audit, an annual Data Protection Impact Assessment (DPIA), and possible data localisation directions.
Most SMBs will not be designated. But health-tech startups, consumer fintech apps, and edtech platforms holding lakhs of user records should expect designation in 2026-27. If you process minor data (under 18) or sensitive financial data at scale, treat the SDF stack as your blueprint regardless.
The Real Cost of Non-Compliance
Schedule 1 of the DPDP Act lists the financial penalties the DPBI can impose:
- Up to Rs 250 crore — for failure to implement reasonable security safeguards that leads to a personal data breach
- Up to Rs 200 crore — for failure to notify a breach to the Board and affected individuals
- Up to Rs 200 crore — for breach of obligations relating to children's data
- Up to Rs 150 crore — for breach of additional obligations of Significant Data Fiduciaries
- Up to Rs 50 crore — for breach of any other provision of the Act
The Board considers the nature, gravity, duration, and intentionality of the violation when fixing quantum. First-time good-faith errors with quick remediation will not draw Rs 250 crore. Wilful inaction post 14 May 2027 absolutely can.
The expensive penalty is not the fine. It is rebuilding customer trust after a breach notice goes out to every person on your database.
Your 30-Day DPDP Quick-Start Checklist
- Day 1-3 — Data inventory. List every system that holds personal data: CRM, ERP, accounting, payroll, helpdesk, WhatsApp BSP, mailing list, website forms, paper files. Map fields, sources, purposes, and retention.
- Day 4-7 — Lawful basis review. For each purpose, confirm you have valid consent or qualify under a legitimate use exception (employment, court order, public interest). Drop or re-consent everything else.
- Day 8-12 — Notice rewrite. Replace your existing privacy policy with a standalone DPDP-compliant notice that lists every purpose, retention period, transfers, and grievance contact. Translate into your top customer languages.
- Day 13-16 — Consent flow upgrade. Rebuild website forms, app onboarding, and CRM lead capture with per-purpose toggles. No bundled consent. Maintain a tamper-evident consent log with timestamp and IP.
- Day 17-20 — Security baseline. Enforce HTTPS, MFA on admin logins, encrypted backups, role-based access in your software, and a vendor data processing addendum.
- Day 21-24 — Breach response plan. Document a 72-hour breach drill: who detects, who decides, who notifies the DPBI, who notifies customers, who handles media. Run one tabletop exercise.
- Day 25-28 — Rights workflow. Publish a data principal request page. Define internal SLAs (acknowledge in 24 hours, fulfil in 30 days). Train support and HR teams.
- Day 29-30 — Appoint and publish. Name a DPDP contact person on your website and in your privacy notice. They do not need to be a DPO unless you are a Significant Data Fiduciary.
Common Implementation Pitfalls
- Treating the 18-month phase-in as a vacation. Customer complaints are already enforceable. The Board can investigate today; it just cannot fine you until May 2027.
- Bundling consent into a single tick-box. "I agree to the terms, privacy, marketing, and data sharing" is invalid. Each purpose needs a separate, opt-in toggle.
- Forgetting employee data. Payroll, attendance, biometrics, and bank details all fall under DPDP. See our HR and Payroll Compliance India guide for the labour-law overlay.
- Storing scanned KYC indefinitely. Old Aadhaar PDFs and PAN copies sitting in shared drives are the most common breach vector. Audit them. Read more in our Document Management hidden cost piece.
- Skipping the vendor angle. If your CRM, payroll provider, or marketing automation tool is the breach source, you are still liable. Update vendor contracts with DPDP processor clauses.
- Assuming WhatsApp marketing is exempt. Bulk WhatsApp on opted-out databases is now a DPDP violation, not just a Meta policy issue.
Build Compliance Once, Bake It In Forever
The businesses that handle DPDP well are not the ones with the biggest legal teams. They are the ones who build consent capture, retention rules, and breach response into the software itself — once — and stop relying on humans to remember the rules. Hard-coded toggles, automated retention purges, encrypted-by-default databases, and audit-ready consent logs cost a fraction of one Rs 50 crore penalty.
2026 is the build year. Use it. The May 2027 deadline will arrive faster than the 18-month phase-in suggests, and the first wave of fines will go to whichever Data Fiduciary is unlucky enough to suffer a publicised breach in summer 2027.
Frequently Asked Questions
Quick answers to the most common questions about this topic.
When does DPDP Act enforcement actually begin in India?
Do small businesses need to appoint a Data Protection Officer (DPO)?
What is the breach notification timeline under the DPDP Act?
What is the maximum penalty under the DPDP Act?
Do I need fresh consent for existing customer data already in my CRM?
Make Your Software DPDP-Ready
We build CRM, ERP, HR, and customer-facing apps with consent flows, audit logs, encryption, and breach-response hooks built in — not bolted on. Get a fixed-scope assessment of your existing software stack.
Book a DPDP Readiness Review Talk to Us