India's Digital Personal Data Protection Act is real law, and the Draft DPDP Rules published in January 2025 spelled out what compliance actually looks like. For a 30-person Indian SMB, the scary part is not the ₹250 crore maximum penalty — it is not knowing where your customer data even lives. We've run this starter with eight SMBs this year: a one-afternoon data map, a consent-capture pattern you can ship this week, and the breach-notification basics in plain English. No lawyer-speak. This post is the checklist we hand clients.
₹250 cr
Max DPDP Penalty (per instance)
1 afternoon
To Build a First Data Map
72 hrs
Breach-Notice Guidance Window
5
Data-Principal Rights to Honour
## The Answer in 60 Words
DPDP readiness for an SMB comes down to three things you can start this week. First, build a data map: list every place you store personal data, why, and for how long. Second, capture consent that is specific, informed, and withdrawable — no pre-ticked boxes. Third, write a one-page breach plan so you can notify the Data Protection Board and affected people quickly. Start with the map.
## Why This Matters Now (2025)
The DPDP Act passed in August 2023, and the Draft DPDP Rules — published for consultation in January 2025 — filled in the operational detail SMBs were waiting on: consent-manager registration, the shape of breach notifications, and verifiable parental consent for children's data. The direction of travel is clear even before final notification: regulators expect you to know your data and prove your consent. The cheapest time to get ready is now, while you can do it calmly instead of during a breach.
In DPDP language, a "Data Fiduciary" is you — the business deciding why and how personal data is processed. A "Data Principal" is the individual the data is about. A "Data Processor" is a vendor processing data on your behalf, like your email tool or CRM host.
## What DPDP Actually Requires (Plain English)
📋
Lawful, Consented Processing
You may process personal data only for a lawful purpose with consent, or under specific "legitimate uses". Consent must be free, specific, informed, unconditional, and unambiguous.
🎯
Purpose Limitation
Collect data for a stated purpose and use it only for that. Email collected for order updates cannot be quietly reused for a marketing blast without fresh consent.
🗑️
Data Minimisation & Erasure
Keep only what you need, for only as long as you need it. When the purpose ends or consent is withdrawn, delete it — and make sure your processors do too.
⚖️
Data-Principal Rights
People can access, correct, erase, and nominate someone for their data, plus raise grievances. You need a working channel to receive and act on these.
🔔
Breach Notification
On a personal-data breach, you must notify the Data Protection Board and affected Data Principals. Build the muscle before you need it.
🧒
Children's Data
Processing data of under-18s needs verifiable parental consent, and behavioural tracking or targeted ads at children are barred. Relevant to any edtech or family product.
## The DIY Walkthrough: Build Your Data Map in an Afternoon
The data map is the foundation. You cannot protect, delete, or report on data you cannot find. Here is the exact process we run with clients — it takes one focused afternoon for a typical 30-person firm.
1
List every system that touches personal data
Walk every department. Sales has a CRM. Support has a helpdesk. HR has resumes and payroll. Marketing has an email list. Finance has GST invoices with PAN and addresses. Write them all down — including the WhatsApp groups and the one Google Sheet someone keeps on their desktop.
2
For each system, record six columns
What data, whose data, why you hold it (the purpose), where it physically lives, who can access it, and how long you keep it. Six columns. A spreadsheet is genuinely fine for a first pass — the goal is honesty, not a fancy tool.
3
Flag the third parties (your Data Processors)
Every cloud tool that holds your customers' data is a processor: your CRM host, email provider, analytics, payment gateway, cloud storage. List them. You need a data-processing agreement with each, and you are accountable for what they do with the data.
4
Mark the risky rows
Highlight anything that is: data you no longer need, data with no stated purpose, data on a personal device, or data held longer than the law or your retention rule allows. These are your first cleanup targets.
Here is the data-map template we hand out. Copy these headers into a sheet and fill one row per system:
System | Data held | Whose | Purpose | Location | Access | Retention
---------------|------------------------|------------|--------------------|---------------|-------------|----------
Zoho CRM | name, phone, email | leads | sales follow-up | Zoho (EU DC) | sales team | 24 months
Freshdesk | name, email, tickets | customers | support | Freshdesk | support | 36 months
Payroll sheet | name, PAN, salary, a/c | employees | salary processing | Google Drive | HR + owner | 8 years*
Email list | email, name | subscribers| newsletters | Mailchimp | marketing | until opt-out
The asterisk on payroll is deliberate — some data has a statutory retention period (tax records, for instance) that overrides "delete when done." Note those exceptions in the row so you do not accidentally delete records you are legally required to keep.
## How to Capture Consent That Holds Up
Consent under DPDP must be free, specific, informed, unconditional, unambiguous, and as easy to withdraw as it was to give. In practice, for a website or app, that means:
- No pre-ticked boxes — the user must take a clear affirmative action
- Separate consent for separate purposes — one tick for "order updates", a different tick for "marketing"
- A plain-language notice next to the tick saying what you collect and why
- A withdrawal path that is as easy as the sign-up — a one-click unsubscribe and a working "delete my data" request channel
- A consent log: store what they agreed to, when, and the version of the notice they saw
- For under-18s, a verifiable parental-consent step before any processing
The consent log is the part SMBs forget. If a Data Principal later disputes that they opted in, your defence is the timestamped record of their consent and the exact notice text they saw. Store it. Our
web development team wires this into the signup flow as a small consent-events table — user id, purpose, notice version, timestamp, and the withdrawal timestamp if they later opt out.
The "bundled consent" trap. Forcing a user to accept marketing emails in order to complete a purchase is not valid consent under DPDP — consent must be unconditional. Keep the service consent and the marketing consent as separate, independently-revocable ticks.
## Breach Notification: The One-Page Plan
You do not need a 40-page incident-response manual to start. You need a one-page plan that answers four questions before a breach forces you to invent answers under pressure:
| Question | What to decide in advance |
|---|---|
| Who is in charge? | A named breach lead and a backup. Phone numbers on the page. |
| How do we detect it? | The signals — failed-login spikes, a vendor notice, a customer report — and who watches them. |
| Who do we notify, and when? | The Data Protection Board and affected Data Principals, per the Rules' timelines. Draft the templates now. |
| What do we tell people? | A plain-language template: what happened, what data, what they should do, what you are doing. |
Draft the two notification templates today — one for the Board, one for affected people — with blanks for the specifics. During a real breach, filling blanks is far faster and calmer than writing from scratch. For the security side of this, see our companion piece, the
DPDP Rules 2025 seven-day action plan, which goes deeper on technical controls.
## Common Mistakes (When SMBs Get DPDP Wrong)
Symptom: "We have a privacy policy, so we're covered." A policy is not a program. Without a data map and a consent log, the policy is a promise you cannot prove you keep. Build the map first.
Symptom: "Consent is bundled into one Accept-All button." Bundled consent is not valid under DPDP. Separate the purposes and let users say yes to one and no to another.
Symptom: "Old customer data sitting in five tools nobody uses." Every system you forgot is a breach you cannot contain. The data map's job is to surface exactly these. Delete what has no purpose.
Symptom: "We have no way to action a 'delete my data' request." Data-Principal rights are not optional. You need a channel that receives the request and a process that deletes the data across every system in your map — including your processors.
## When the Full Program Can Wait
If you are a two-person firm processing a handful of customer records, do not build a consent-manager integration and a breach-response committee this quarter. Build the data map and a simple consent log, delete what you do not need, and revisit when you scale or take on sensitive data. The law is risk-based in spirit — the controls should be proportionate to the data you hold. Over-engineering compliance for a tiny dataset is its own kind of waste. That said, never skip the data map; it is cheap and it is the thing you most regret not having.
## Real Example: A 30-Person Coaching Institute
A Pune coaching institute held data on roughly 4,000 students and parents across a CRM, a WhatsApp Business account, a payment gateway, and two staff laptops. They had a privacy policy and no idea what was actually stored where. Because they process children's data, the parental-consent requirement applied directly.
We ran the afternoon data-map exercise. It surfaced 11 systems — four more than the founder expected, including an ex-employee's personal Google Sheet with 1,200 student phone numbers. We built a consent-events table into their enrolment form, separated marketing consent from enrolment consent, set a 24-month retention rule on inactive leads, and wrote the one-page breach plan. The biggest single win was deletion: 1,200 records on a personal device that should never have existed.
Because edtech sits squarely in DPDP's children's-data provisions, this is a beat we know well — our in-house edtech product
PenLeap builds verifiable parental consent and strict data-minimisation into its onboarding by design, and we apply the same patterns to client work like
ExamReady, an 11+ exam-prep platform where student and parent data demanded the same care. For the founder's first-person take on data rights in India, see
Vivek Singh's writing on the topic.
## FAQ
### Does DPDP apply to my small Indian business?
Yes. DPDP applies to any business processing the digital personal data of individuals in India, regardless of size. There is no small-business exemption from the core duties — though the controls you build should be proportionate to the volume and sensitivity of the data you hold.
### What is the very first thing I should do for DPDP?
Build a data map. Spend one afternoon listing every system that holds personal data, what it holds, why, where, who can access it, and how long you keep it. You cannot protect, delete, or report on data you cannot find, so the inventory comes before everything else.
### Is a pre-ticked consent checkbox allowed under DPDP?
No. Consent must be a clear affirmative action that is free, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and "accept all to continue" patterns do not meet that bar. Use separate, independently-revocable ticks for separate purposes.
### How quickly must I report a data breach?
The Draft DPDP Rules set out notification to the Data Protection Board and affected individuals on becoming aware of a breach. Treat speed as the goal: have a named breach lead and pre-drafted templates ready so you can notify quickly rather than scrambling to write from scratch.
### What rights do my customers have over their data?
Data Principals can access a summary of their data and how it is processed, correct or complete it, request erasure, nominate another person to exercise their rights, and raise grievances. You need a working channel to receive these requests and a process to action them across every system.
### Do I need a Data Protection Officer?
A dedicated DPO is required for entities classified as Significant Data Fiduciaries, which most SMBs are not. But every business needs a contactable person responsible for answering data-principal queries and grievances. Name that person and publish their contact, even if it is the founder.
### How is DPDP different from GDPR?
DPDP is India's own framework with similar principles — consent, purpose limitation, data-principal rights, breach notification — but its own definitions, penalties, and a children's-data regime. If you already comply with GDPR you have a strong head start, but you still need to map your obligations specifically to DPDP's text.
Want a DPDP Readiness Consult for Your SMB?
We run a 90-minute DPDP readiness session for Indian SMBs: we build your first data map live, audit your consent capture, and hand you a one-page breach plan. Typical follow-on build: ₹40k–₹90k. Suitable if you hold customer or employee data and want to get ahead of the Rules. No legalese — just your systems and a clear next step.
Book a 20-min Call