The critical DPDP Act 2023 compliance guide every Indian MSME needs before May 2027

Indian MSME founder reviewing DPDP Act 2023 compliance checklist at a Friday evening desk in Bhopal office
Friday evening, Bhopal. This is when the DPDP question lands in most Indian MSME founders’ inboxes.

Key takeaways

  • DPDP Act 2023 enforcement begins 13 May 2027. Indian MSMEs have roughly 18 months of runway.
  • No small-business exemption. If you hold one customer’s name and phone number, the Act applies.
  • Maximum penalty is ₹250 crore for failing to take reasonable security safeguards.
  • 79% of Indian businesses are not ready per EY India’s DPDP readiness survey.
  • A 100-person MSME needs ₹8 to 18 lakh in year one, not the ₹40 lakh consultants quote.
  • Seven steps, ten focused days. Inventory, classify, rewrite consent, appoint DPO, close exit doors, breach plan, document.

The DPDP Act 2023 (Digital Personal Data Protection Act) becomes enforceable on 13 May 2027. Indian MSMEs that process personal data (names, phone numbers, PAN, photos, Aadhaar) must appoint a Data Protection Officer, map all data flows, get fresh consent, and prepare for penalties up to ₹250 crore per breach.

The Friday evening moment nobody talks about

Friday evening, Bhopal, about 7:15 PM. A client of mine, Rakesh, who runs a 60-person pharma distributor, forwards a screenshot from his son’s LinkedIn. A competitor had just posted that they were now “DPDP-ready” and offered a free audit to anyone still winging it.

Rakesh’s one-line message: “Sudeep, yeh DPDP kya bala hai? Kuch toh gadbad hai, everyone’s posting about it.”

I get this question twice a week now. And I don’t blame him. The Act passed Parliament in August 2023. The draft rules dropped in January 2025. Enforcement kicks in May 2027. Most Indian SMEs I meet still treat it like a large-enterprise problem. It isn’t. If you collect a customer’s phone number on a WhatsApp form, you are covered.

So here is the no-jargon version. What the law says. What you actually have to do. And what happens when you don’t.

What is the DPDP Act 2023?

In one line: the Digital Personal Data Protection Act, 2023 is India’s first proper privacy law. It governs how any business, big or MSME, collects, stores and shares the personal data of Indian citizens.

It replaces the patchy Section 43A of the IT Act and aligns India (loosely) with GDPR. The Act was passed in August 2023. MeitY put out draft rules in January 2025. Enforcement has been signalled from 13 May 2027, which gives most businesses roughly 18 months from rule notification to get their house in order.

The law applies to any “Data Fiduciary,” which is almost every business in India. If you hold one customer’s name and phone number on a spreadsheet, the Act applies to you. There is no small-business exemption.

DPDP Act 2023 enforcement timeline: August 2023 passage, January 2025 draft rules, 13 May 2027 enforcement deadline for Indian MSMEs
DPDP Act 2023 enforcement timeline. The clock is already running.

What does the DPDP Act 2023 actually require?

| What the DPDP Act 2023 requires | What most MSMEs are doing today | Gap |
|---|---|---|
| Explicit, purpose-limited consent before collecting data | Pre-ticked checkboxes, buried T&Cs, “by submitting you agree” | Consent is not valid under DPDP |
| Clear data retention policy with a deletion date | Customer data kept forever in Tally, Excel, and old email boxes | Indefinite retention is a violation |
| Data Protection Officer (DPO), mandatory for Significant Data Fiduciaries | IT manager also handling printer issues and Wi-Fi | No named accountable person |
| Breach reporting to the Data Protection Board within 72 hours | Most SMEs don’t know a breach has happened for months | No detection, no reporting process |
| Right to erasure (delete on customer request) | Customer data scattered across CRM, email, laptops, field reps’ phones | Physically can’t delete what you can’t find |
| Security safeguards on personal data (encryption, access control) | Excel files on WhatsApp, shared laptop passwords, ex-employee access | Default-open, not default-secure |

DPDP Act data classification — personal vs sensitive vs non-personal data examples for Indian MSMEs
Personal, sensitive, non-personal. Know the difference before you promise anything.

The 7-step DPDP compliance roadmap for MSMEs

You do not need a ₹40 lakh consultant. You need a week of focused effort and a decent DLP solution for small businesses. This is the sequence I actually run with Sirius Star clients.

Step 1. Data inventory (day 1 to 3).

List every system that holds customer data. Tally, CRM, Excel trackers, Google Drive, field sales apps, WhatsApp Business, old laptops of ex-employees. (Those old devices need DPDP-compliant asset disposal too.) If you cannot draw a one-page map, you do not have a compliance programme. You have hope.

Step 2. Classify (day 3 to 4).

Mark each data element as personal (name, phone), sensitive (Aadhaar, health, financial), or non-personal. The Act cares about the first two.

Step 3. Rewrite consent (day 5).

Replace every pre-ticked checkbox with an explicit, purpose-specific one. “I agree to receive marketing SMS from ABC Pharma” is valid. “By submitting you agree to our terms” is not.

Step 4. Appoint a DPO (day 6).

Even if you are not a Significant Data Fiduciary yet, name someone. Founder, CFO, Head of IT, it really does not matter. What matters is that one person has the title and the board minutes to prove it.

Step 5. Close the exit doors (day 7 to 10).

This is where most of my clients lose sleep. USB copying, personal Gmail forwarding, WhatsApp exports, unmanaged laptops of field reps. Without a DLP tool in place, you cannot prove you took reasonable safeguards. (If you want the blunt version of how employees actually leak data in Indian offices, I wrote about how data walks out of the building on a USB drive. Worth a read.)

Step 6. Write the 72-hour breach plan.

A one-page document. Who gets called. Who informs the Data Protection Board. Who handles customer communication. Test it once a quarter. Most SMEs don’t, and then discover at 11 PM on a Sunday that nobody has the CEO’s personal mobile.

Step 7. Document everything.

The Data Protection Board will not take your word for it. Keep dated screenshots, policy PDFs, training records, breach drill logs. If it isn’t in writing, in Indian compliance it didn’t happen.

The penalties, and why ₹250 crore is the number that wakes you up

| Violation | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards (Section 8(5)) | ₹250 crore |
| Failure to notify a breach to the Board and affected users | ₹200 crore |
| Non-fulfilment of obligations for children’s data | ₹200 crore |
| Non-compliance by Significant Data Fiduciaries (DPIA, DPO, audits) | ₹150 crore |
| Breach of duties by data principals themselves (frivolous complaints) | ₹10,000 |

DPDP Act 2023 penalty ceilings for Indian MSMEs — ₹250 crore for security failures, ₹200 crore for breach notification failures
Penalty ceilings by violation type. Notice where the bar lengths are, not just the headline.

According to an EY India analysis of the draft DPDP Rules, 79% of Indian businesses surveyed said they are “not fully prepared” for enforcement. Almost half haven’t even completed a data inventory. Fortune Business Insights projects the Indian data protection market at $4.8 billion by 2032. The spend is coming whether you plan for it or not. (Sources: MeitY draft rules; EY India DPDP readiness report; Fortune Business Insights, India data protection market.)

Sudeep’s take, what I actually tell clients over chai

Look, I have been selling laptops, licences and data protection in this country since before Y2K. Every time a big regulation lands (Y2K, GST, COVID-era HR compliance, now DPDP) the same script runs. A panic industry appears overnight selling “certifications” for ₹5 lakh. And the actual problem (messy data, unmanaged devices, no written policies) sits exactly where it was.

Here is the honest trade-off. A full DPDP programme will cost a 100-person MSME somewhere between ₹8 lakh and ₹18 lakh in year one, depending on tool choice and consultant fees. That is real money. But one USB exfiltration, or one angry ex-employee walking out with the CRM, or one accidental WhatsApp leak of customer PAN details can cost you ₹2 to 10 crore in penalty plus the brand damage. The maths (kuch toh gadbad hai waali maths) only works one way.

You do not need the most expensive tool. You need a named owner, a written policy, a device lifecycle management view of every laptop and phone that touches customer data, and the discipline to actually run the drill every quarter.

5 common DPDP Act 2023 mistakes I see in MSME audits

After two dozen audits in the last nine months, the same five DPDP Act 2023 mistakes keep surfacing. Each one is fixable in a week, but all five together are what turn a ₹20 lakh remediation cost into a ₹2 crore penalty.

  1. Treating ISO 27001 as DPDP Act 2023 compliance. Security is not privacy. You can hold the ISO certificate and still fail every consent test under the DPDP Act 2023.
  2. Using pre-ticked consent checkboxes on sign-up forms. Under the DPDP Act 2023, consent must be free, specific, informed, unconditional, and unambiguous. Pre-ticked boxes fail on unambiguous.
  3. Pointing the DPO role at a junior IT manager. The DPO under the DPDP Act 2023 needs authority to halt a campaign or delete a dataset. Seniority matters more than technical depth.
  4. No 72-hour breach drill. The 72-hour clock starts when the fact of the breach is known, not when remediation is complete. A dry-run once a quarter is cheap insurance.
  5. Trusting vendors to handle DPDP Act 2023 compliance on your behalf. If your CRM, HR software, or cloud provider mishandles data, you are still the Data Fiduciary. Vendor contracts need DPDP-specific clauses.

DPDP Act 2023 vs GDPR vs CCPA, what is different for Indian MSMEs

If your customers are only in India, you do not need GDPR or CCPA. You need the DPDP Act 2023. But many founders, especially those who sell SaaS or export services, ask me how the three compare. The short answer: the DPDP Act 2023 borrows the spirit of GDPR, keeps the penalty teeth of CCPA, and adds India-specific rules around Consent Managers and Significant Data Fiduciaries.

| Dimension | DPDP Act 2023 (India) | GDPR (EU) | CCPA / CPRA (California) |
|---|---|---|---|
| Applies to | Any business processing personal data of Indians, including offline | EU residents’ data, regardless of where the business operates | California residents, above revenue or data thresholds |
| Max penalty | ₹250 crore (~$30M) per violation | €20M or 4% of global turnover | $7,500 per intentional violation |
| Breach notification | 72 hours to the Board, without delay to affected users | 72 hours to supervisory authority | No specific timeline in statute |
| Data localisation | Default allowed; Central Government can restrict to specific countries | Allowed only to adequacy countries | Not mandated |
| Unique feature | Consent Manager as a registered entity | Lawful basis beyond consent (legitimate interest) | Sale of data opt-out |

DPDP Act 2023 compared to GDPR and CCPA on the five dimensions that matter for Indian MSMEs.

If you are an Indian MSME selling only to Indian buyers, ignore GDPR and focus on the DPDP Act 2023. If you export SaaS to EU or California, you need a superset approach, but the DPDP Act 2023 becomes your baseline, not your ceiling. Most 50 to 500 person MSMEs I work with treat the DPDP Act 2023 as their one and only privacy regime.

Frequently asked questions

Does DPDP apply to a 15-person company with no website?

Yes. If you collect a single customer’s name and phone number on a paper form, on WhatsApp, or on a Tally invoice, the Act applies. There is no small-business exemption in the law. Your obligations are lighter if you are not classified as a Significant Data Fiduciary, but lighter is not zero.

Is ISO 27001 enough to be DPDP compliant?

No. ISO 27001 is an information security standard. DPDP is a privacy law. They overlap in parts (security safeguards, access control) but ISO does not cover consent, data principal rights, or 72-hour breach reporting to the Data Protection Board.

Who should be the DPO in a 50 to 200 person MSME?

Start with your CFO or Head of Operations, not IT. The DPO needs the organisational authority to halt a marketing campaign or delete a dataset. IT usually has the skills but not the political weight, which sounds unfair but is the truth in most Indian firms I have worked with.

What is the actual enforcement date of the DPDP Act 2023?

The Act was notified in August 2023. Draft rules were published in January 2025 and final rules notified in late 2025. MeitY has signalled enforcement from 13 May 2027, though phased deadlines for Significant Data Fiduciaries may come earlier.

Do I have to store data only in India?

The original Act required data localisation for certain categories. The 2025 rules relaxed this. Cross-border transfer is now allowed to countries not on the Central Government’s negative list. For most MSMEs, AWS Mumbai, Azure India and Google Cloud Mumbai are safe defaults.

How does the DPDP Act 2023 differ from GDPR in everyday operations?

Three practical differences. First, the DPDP Act 2023 has no equivalent of “legitimate interest” as a lawful basis: consent is central, with narrow exceptions for employment, medical emergency and statutory compliance. Second, data subjects in India are called Data Principals and have fewer rights than GDPR subjects; there is no explicit right to data portability at present. Third, the DPDP Act 2023 creates a new role called Consent Manager, a registered intermediary, for which GDPR has no parallel. For a 50 to 200 person MSME, this means your consent forms will be simpler than GDPR demands, but your 72-hour breach clock is identical.

What is a Consent Manager under the DPDP Act 2023?

A Consent Manager is a registered entity under the DPDP Act 2023 that lets Data Principals give, manage, review and withdraw consent across multiple data fiduciaries from one dashboard. Think of it as a single login that controls what data your bank, insurance, hospital and e-commerce platforms can hold. For an MSME, you do not become a Consent Manager, you integrate with one, usually through an API. The first registered Consent Managers are expected in FY 2026 to 2027. Most 50 to 500 person MSMEs can safely delay integration until their sectoral regulator mandates it.

Who qualifies as a Significant Data Fiduciary under the DPDP Act 2023?

Significant Data Fiduciaries, or SDFs, are companies the Central Government notifies specifically, based on volume and sensitivity of personal data, risk to Data Principal rights, risk to sovereignty, or risk to electoral democracy. Most 50 to 500 person MSMEs will not be notified as SDFs. However, if you process biometric data, financial data at scale, or run a platform with over 25 crore users, you are on the radar. SDFs have extra obligations: they must appoint a resident DPO, conduct periodic Data Protection Impact Assessments, and undergo independent data audits. For standard MSMEs, baseline compliance with the DPDP Act 2023 is sufficient.

What are the best DPDP Act 2023 compliance tools for mid-size MSMEs?

For a 50 to 500 person MSME, the stack that covers DPDP Act 2023 obligations without overspending looks like this. One DLP platform for USB, email, and cloud exfiltration controls. One consent management tool, either standalone or inside your CRM. One SIEM for 72-hour breach detection, even a lightweight one. One policy repository with dated PDFs. One training platform for the annual awareness refresher. You do not need the enterprise-grade stack the SDF banks buy. Total tooling for standard DPDP Act 2023 baseline compliance lands between ₹8 lakh and ₹25 lakh a year for a 200 person firm.

Does the DPDP Act 2023 apply to Indian companies with only foreign customers?

Yes, partially. The DPDP Act 2023 has extraterritorial reach when you process personal data of individuals in India, even if you are outside India. Conversely, if you are a company in India processing only the data of non-Indian residents, the DPDP Act 2023 does not directly apply to that processing. But the moment one customer in India uses your service, the full DPDP Act 2023 regime kicks in. Most Indian SaaS exporters end up complying anyway, because the cost of splitting pipelines is higher than the cost of adopting the DPDP Act 2023 baseline across the board.

What to do this week

If you have read this far, you probably already know you are behind. That is fine. 79% of Indian businesses are. The question is whether you close the gap in the next 60 days, or the next 60 weeks.

Sirius Star runs a free 45-minute DPDP readiness check. We map your data, score your current state against the seven steps above, and tell you on a call (not in a 40-page deck) what to fix in the next 30 days. No licence sales pitch in the first meeting. That is a promise.

Once your data is mapped, the next piece of the puzzle is stopping data from leaving. Our Secure Data Guard platform is the DLP layer most Indian MSMEs end up deploying after a readiness call.

A note from the author

Honestly, the MSMEs I work with are rarely tripped up by the DPDP Act’s legal complexity. They’re tripped up by the evidence gap. You can cover everything in an article like this one, and six months later the auditor arrives and there’s no log. No DPO appointment letter on file, no DSR intake process, no consent record past the checkbox. The law isn’t the bottleneck. The paper trail is.

What I tell clients in the first week of an engagement is this: treat DPDP as an audit-proof exercise, not a privacy policy exercise. Build the evidence first. Write the policy second. Train the staff third. Most of my BFSI clients got there the hard way after their first regulatory audit. You don’t have to.

About the author

Priya Sharma leads Sirius Star’s compliance practice, advising Indian MSMEs and mid-market firms on DPDP readiness, breach-response playbooks, vendor DPIAs, and audit evidence packs. Before Sirius Star she spent seven years inside the privacy programs of two BFSI groups, where she built the DSR intake pipeline and represented the organization in two regulatory cyber-security audits.

She holds a DCPLA certification and is a regular speaker on DPDP rules for industry forums.