On January 3, 2025, India's Ministry of Electronics and Information Technology published the long-awaited draft Digital Personal Data Protection Rules and opened them for public consultation. That draft is the operating manual for the Digital Personal Data Protection Act, 2023—the law that finally gives the Act teeth, spelling out how consent notices must read, what a breach report contains, and what "reasonable security safeguards" actually mean in practice. For most small and mid-sized businesses I talk to, the reaction was a mix of relief that the rules finally exist and quiet panic about what they now have to do. As the founder of Softechinfra, I have spent the last few weeks reading the draft alongside our engineering team and translating it into something a non-lawyer can act on. This guide is that translation: no legalese, no fear-mongering, just the durable framework an Indian SMB can use to get compliant and stay compliant.
Why DPDP Matters Even If You're Small
A common misread is that the DPDP Act targets big tech. It does not. The Act governs any business that processes "digital personal data"—any information about an identifiable person, handled electronically. If you store customer phone numbers in a spreadsheet, run a Shopify store, send marketing emails, or keep employee records in an HR tool, you are a Data Fiduciary under the law: the entity that decides why and how personal data is processed. The vendor whose software you use to do it is a Data Processor.
The Act applies to processing within India, and also to processing outside India if it relates to offering goods or services to people in India. So a small SaaS company in Bangalore and a Dubai-based store selling to Indian customers are both in scope. Penalties for serious lapses—particularly failure to take reasonable security safeguards that leads to a breach—are significant, designed to be felt by a company of any size.
The honest framing for an SMB is this: DPDP is not a one-time project you survive, it is a discipline you adopt. The businesses that struggle are the ones treating it as a legal formality bolted on at the end. The ones that breeze through already had a rough idea of what data they hold and why—which, conveniently, is also just good data hygiene.
The Vocabulary, Decoded
Half the intimidation of any privacy law is its vocabulary. Five terms carry most of the weight, and once they click, the rest of the Act reads like common sense.
Data Principal
The individual the data is about—your customer, user, or employee. They hold the rights.
Data Fiduciary
You, if you decide the purpose and means of processing. You hold the obligations.
Data Processor
A vendor processing data on your behalf, bound by your contract and instructions.
Consent Manager
A registered intermediary through which a person can give, manage, and withdraw consent.
The word "fiduciary" is doing deliberate work here. The Act frames you not as a passive data holder but as someone holding data in trust for the person it describes. Every obligation below flows from that idea: collect only what you need, be honest about why, keep it safe, and let go of it when the purpose is done.
Your Core Duties as a Data Fiduciary
Strip away the sections and sub-sections, and a Data Fiduciary's job comes down to a handful of durable obligations. None of these expire when the headlines move on—they are the spine of the law.
- Lawful basis. Process personal data only with valid consent, or for a specific set of "legitimate uses" the Act lists (such as a service the person actively asked for).
- Purpose limitation. Use the data only for the purpose you stated when you collected it. New purpose, new notice and consent.
- Data minimisation. Collect only what the stated purpose genuinely requires. The extra field "just in case" is now a liability, not an asset.
- Notice. Tell people, in clear language, what you collect, why, and how they can exercise their rights and withdraw consent.
- Security safeguards. Protect the data with reasonable technical and organisational measures—encryption, access control, logging, backups.
- Erasure. Delete personal data once the purpose is served or consent is withdrawn, unless a law requires you to retain it.
- Breach notification. Report a personal-data breach to the Data Protection Board and to affected individuals, in the manner the rules prescribe.
Consent Notices That Actually Comply
The draft rules are specific about consent: it must be free, informed, specific, unambiguous, and given through a clear affirmative action. A pre-ticked box is not consent. A buried clause in a 40-page terms document is not consent. And crucially, the notice that accompanies the consent request must be understandable—available in English and, where relevant, in the languages listed in the Eighth Schedule of the Constitution, so a Hindi- or Tamil-speaking customer can genuinely understand what they are agreeing to.
A compliant consent flow has a few non-negotiable properties:
| Property | Non-Compliant Pattern | Compliant Pattern |
|---|---|---|
| Granularity | One checkbox for everything | Separate consent per distinct purpose |
| Default state | Pre-ticked / opt-out | Unticked / explicit opt-in |
| Clarity | Legalese buried in T&Cs | Plain-language notice at point of collection |
| Withdrawal | No way to revoke, or hidden | As easy to withdraw as to give |
| Language | English only | English plus relevant Indian languages |
The withdrawal requirement is the one most teams underestimate. If a customer can tick a box in two seconds to consent to marketing, they must be able to untick it just as easily—and your systems have to honour that withdrawal across every place the data flows. That is an engineering requirement, not a policy one, and it is why consent should be tracked in a system of record, not scattered across forms. We walk through building that record in our data privacy compliance guide.
A Concrete Compliance Starter for SMBs
Frameworks are easy to nod along to and hard to start. Here is the sequence we actually run with clients, ordered so that each step makes the next one cheaper. You do not need a Data Protection Officer or a six-figure budget to begin—you need a weekend and a willingness to be honest about what you hold.
Map your data
List every place personal data lives: your app's database, the CRM, email tools, spreadsheets, support inbox, payment processor. For each, note what fields, why you have them, and who can access them. You cannot protect what you cannot see.
Justify or delete
For each data store, ask: is there a lawful basis and a current purpose? If not, delete it. Most SMBs can shrink their data footprint by a third in this single pass.
Rewrite your notices
Replace the boilerplate privacy policy with a plain-language notice at each point of collection. Add granular, opt-in consent and a genuine withdrawal mechanism.
Lock down security
Encryption in transit and at rest, role-based access, audit logging, tested backups, and a documented incident response. These are the "reasonable safeguards" the law expects.
Vet your processors
Every vendor that touches personal data is a Data Processor. Put data-processing terms in your contracts and confirm they will honour erasure and breach-notification obligations downstream.
Build a rights workflow
People can ask to access, correct, or erase their data, and nominate someone to act on their behalf. Decide today who handles those requests and how fast—before the first one arrives.
Steps 1 and 2 are where the real risk reduction happens, and they cost nothing but time. Note also that the draft rules introduce extra duties for larger players classified as Significant Data Fiduciaries—things like data protection impact assessments and audits. Most SMBs will not fall into that bucket, but knowing the threshold exists helps you plan before growth pushes you across it.
Sector Realities: The Data-Heavy Cases
Two situations make DPDP harder, and most SMBs hit at least one.
The first is regulated data. If you operate in financial services, lending, or anything touching KYC, DPDP layers on top of sector rules rather than replacing them. When we built Radiant Finance, the financial platform in our portfolio, consent capture, retention windows, and access controls had to satisfy both privacy and financial-compliance expectations at once—which is exactly why mapping data early pays off. We go deeper on that overlap in our guide to fintech compliance in India.
The second is data acquisition. Many SMBs enrich their CRM with scraped or third-party data, and DPDP changes the calculus: personal data collected without a lawful basis is a liability the moment it lands in your systems, however it arrived. Our data extraction practice builds pipelines that respect source terms and privacy obligations by design, and the broader principles are covered in our legal and ethical web scraping guide. The short version: just because data is technically reachable does not make it lawfully yours to keep.
What This Means Beyond the Headline
I have watched a lot of regulation arrive over the years, and the pattern repeats: the law lands, everyone scrambles, and a year later the only companies that suffered are the ones who waited for perfect clarity before doing anything. I have written more about that founder's instinct to build ahead of the curve on my personal blog, and DPDP is a textbook case. The draft rules will be refined through consultation, but no plausible final version will tell you to collect more data, secure it less, or ignore consent. So the no-regret moves are clear today.
The deeper truth is that DPDP rewards businesses that already respect their customers. If your instinct is to hoard data, manufacture consent, and hope nobody asks, the law is going to be painful. If your instinct is to take only what you need, be honest about why, and treat people's data as theirs, you are most of the way to compliant—and you will have built something customers trust, which outlasts any specific regulation. For a focused, SMB-sized starting checklist, our DPDP readiness starter for Indian SMBs distils the data-map and consent work into a single weekend plan.
Need to Make Your Product DPDP-Ready?
We help Indian SMBs map their data, redesign consent flows, harden security, and bake privacy into the build—so compliance becomes a feature, not a fire drill.
Talk to Our Team →
