DPDP compliance for MSME India: the 17-question self-test and 7-step rollout

Two Sundays ago an IT-plus-admin head at a 120-person Mumbai garment exporter sent me a WhatsApp at 11:10 in the morning. His Company Secretary had emailed a Rs.84,000-plus-GST “DPDP onboarding kit”. The AGM was 25 working days away, with a 20-minute slot reserved for a “data protection update”, and the CEO had asked for one A4 page with a number, a risk band, and three next moves. He had read two press articles and one LinkedIn carousel by a Big-4 partner. He still did not know whether the Act applied to a 120-person garment exporter, what an MSME has to do that a 5,000-person bank does not, and how much it would realistically cost. Across approx 41 MSME scoping conversations Priya and I have run in the last eight months, the median MSME readiness score landed at 4 out of 17. The audit floor we recommend before the next board or AGM agenda is 13. Boss, that is the gap most Indian MSMEs do not see until the regulator already has, and it is the gap this post closes.
On this page
- DPDP compliance for MSME India: what is in scope
- The 9 obligations every Indian business has to meet
- The 17-question MSME readiness self-test (25 minutes)
- The penalty math: what Rs.250 crore really means at MSME scale
- The 7-step rollout for a 100 to 500-person MSME
- Build vs outsource: when a virtual DPO actually makes sense
- What the Big-4 retainer pitches will not tell you
- Frequently asked questions
How to ship DPDP compliance for MSME India in 90 days, score it before the AGM, and defer the Big-4 retainer for at least 12 months, even if you have no in-house legal counsel and the only privacy policy on file was last touched in 2021. That is the contract this post delivers.
DPDP compliance for MSME India: what is in scope
The DPDP Act 2023 does not exempt MSMEs by default. It exempts processing for personal or domestic purposes, for journalistic or research purposes under set conditions, and for limited startup categories the central government may notify later. A garment exporter, a logistics company, a 90-doctor hospital chain, an architecture firm with 70 staff, a 300-licence software house, a 200-person CA practice, all of them are firmly inside scope.
What changes at MSME scale is not whether the Act applies, it is which obligations bite first and which can be sequenced. A 120-person exporter does not need a board-approved DPO contract on day one. It does need a grievance officer named in writing, a working consent flow, and a vendor list with at least DPA placeholders for the seven or eight processors it relies on. The MSME data protection compliance India question is really a sequencing question, not an applicability question.
The other useful frame: nothing in the Act forces a 120-person MSME into the heavier Significant Data Fiduciary (SDF) rulebook unless the central government separately notifies your company or your class of fiduciaries. SDF status is the exception, not the default. Most Indian MSMEs reading this are ordinary Data Fiduciaries, and that is the data fiduciary India meaning the Act actually attaches to your firm.
The 9 obligations every Indian business has to meet
Sections 4 to 11 of the DPDP Act lay out 9 obligations on a plain reading. Every Indian business processing personal data, MSME or not, has to address each one. The form changes by company size; the obligation does not.
| # | Obligation | What MSMEs actually have to ship |
|---|---|---|
| 1 | Lawful basis and clear notice | One privacy notice in English plus one scheduled-Indian-language version, listed at every collection point. It tells the data principal what you collect and why, so you can defend the consent later, which means a regulator asking “did the principal know” gets a yes in writing. |
| 2 | Consent and withdrawal | Affirmative consent (no pre-ticked boxes), with a withdrawal flow as easy as the original signup. It captures consent so you can prove lawful basis, which means a grievance saying “I withdrew, why are you still emailing me” closes without an apology. |
| 3 | Purpose limitation, data minimisation | Every form field tied to a documented purpose. It strips the inventory to what you need, so you can defend collection at audit, which means “why are you collecting PAN here” gets a one-line answer. |
| 4 | Accuracy and correction | A self-service or written path for the principal to view and correct, honoured inside 30 days. It gives the principal a path, so you can show accuracy is enforced, which means a grievance escalation lands at advisory, not penalty. |
| 5 | Reasonable security safeguards | Encryption at rest, role-based access, signed Data Processing Agreements with every processor. It hardens the surface, so you can demonstrate reasonable safeguards, which means a breach notice does not become a penalty notice. |
| 6 | Breach response readiness | A written runbook, a named owner, a 72-hour Board clock, a 6-hour CERT-In integration, one tabletop drill in 12 months. It rehearses the response, so you can stay inside the clock, which means the regulator sees cooperation, not panic. |
| 7 | Erasure on purpose completion | A retention schedule per data category, with scheduled erasure on lapse. It clears historical exposure, so you can prove minimisation, which means the auditor stops asking why 2018 records still exist. |
| 8 | Grievance officer with published SLA | A named officer, a published email, an SLA, and grievances logged and closed inside it. It opens the door for the principal, so you can defend responsiveness, which means an escalation lands as a closed ticket, not a notice. |
| 9 | Children’s data plus SDF readiness only if notified | Verifiable parental consent for under-18s, suppress targeted advertising aimed at minors. The SDF overlay only applies if the government separately notifies your firm. |
Notice that none of these obligations is reserved for billion-rupee firms. The bar is the same; the scale of work changes.
The 17-question MSME readiness self-test (25 minutes)
The 17-question self-test below extends the 10-question version we built for fintech IT heads (see our shorter DPDP readiness check) with 7 MSME-specific add-ons: worker data, export buyer DPDP demands, contractor records, the website privacy notice age, the WhatsApp marketing list, the courier vendor DPA, and the AGM-level reporting question. Score each row 0 (not met, or met but not enforced) or 1 (met and enforced).
| # | The question that matters | Score |
|---|---|---|
| 1 | Does every form, website, vendor onboarding portal carry a written privacy notice updated in the last 12 months? | 0 / 1 |
| 2 | Are all consent checkboxes affirmative (no pre-ticking) with a working withdrawal flow? | 0 / 1 |
| 3 | Is every field on every collection form mapped to a documented business purpose? | 0 / 1 |
| 4 | Can a data principal view and correct their record inside 30 days through a documented path? | 0 / 1 |
| 5 | Is encryption at rest enforced on every system that holds personal data, including backups and shared drives? | 0 / 1 |
| 6 | Is there a written breach-response runbook with a named owner and a 72-hour Board clock? | 0 / 1 |
| 7 | Does every data category have a documented retention period and a scheduled erasure job? | 0 / 1 |
| 8 | Is a grievance officer named, contactable through a published email, with a published SLA? | 0 / 1 |
| 9 | If you process children’s data, is verifiable parental consent captured and targeted advertising suppressed for minors? | 0 / 1 |
| 10 | Have you signed a DPA with every third-party processor (cloud, payroll, courier, e-mail, CRM, HRIS)? | 0 / 1 |
| 11 | Is worker and contractor personal data (addresses, KYC, bank details) held under the same controls as employee data? | 0 / 1 |
| 12 | If you export, have you mapped which EU or UK buyers will demand DPDP plus GDPR evidence, and prepared one-page proof for them? | 0 / 1 |
| 13 | Are pre-2022 records (old CRM lists, rejected CVs, expired vendor contracts) under a documented purge schedule? | 0 / 1 |
| 14 | Is the WhatsApp marketing list consent-mapped, with opt-out honoured inside 7 days? | 0 / 1 |
| 15 | Is the courier vendor handling addresses under a signed DPA with breach-notification clauses? | 0 / 1 |
| 16 | Is there a one-page board or AGM reporting template that summarises posture in under 200 words? | 0 / 1 |
| 17 | Has someone other than the IT head reviewed the score in the last 90 days? | 0 / 1 |
Score 0 to 7 is the red band. 8 to 12 is the amber band. 13 to 17 is the green band. Most MSMEs we have seen land in red on the first pass; the typical 90-day rollout takes a 4-out-of-17 to a 13-out-of-17, no DPO hired.
The penalty math: what Rs.250 crore really means at MSME scale
The headline number for an MSME is not Rs.250 crore. The Act caps fines per breach, per fiduciary, at Rs.250 crore. The Board considers turnover, sensitivity of the data, repeat offending, and cooperation when it sets the actual figure. For an MSME with Rs.50 to 200 crore turnover the realistic exposure for a single material breach (failure to notify, failure to honour withdrawal, missing DPA with a processor) lands in the Rs.2 to 25 lakh band, with extreme cases climbing higher. Our full DPDP penalty calculator for mid-size companies walks through 4 worked scenarios.
Two MSME-specific drivers that move the number up: a documented complaint from a data principal that was ignored, and a vendor breach where no DPA exists on file. Two drivers that move it down: a real grievance officer who responded inside the SLA, and a tabletop drill log from the last 12 months. None of these four levers costs more than internal time to put in place.
The 7-step rollout for a 100 to 500-person MSME
This is the sequence we run for clients with no in-house legal counsel and no DPO. Days are working days, not calendar days.
Step 1 (Days 1 to 5): score the 17-question test, with the IT head plus one of legal counsel, the CFO, or the COO in the room. It gives you a defensible starting number, so you can defend the plan to the CEO, which means the AGM does not begin with surprises.
Step 2 (Days 6 to 12): rewrite the privacy notice. One English version, one scheduled-Indian-language version, published at every collection point. It satisfies obligation 1, so you can close the loudest 0 on the score, which means the regulator does not lead the audit with the easiest catch.
Step 3 (Days 13 to 25): publish a grievance officer, with a contactable email and a written SLA. Log every grievance and time-stamp closure. It opens the door for the principal, so you can defend responsiveness, which means escalations land as tickets, not notices.
Step 4 (Days 26 to 40): sign DPAs with every processor you can identify in the vendor master. Where you cannot get a signed DPA, document the gap and the mitigation. It pins accountability on the vendor, so you can transfer some of the risk, which means the inevitable processor-side incident does not become solely your exposure.
Step 5 (Days 41 to 55): retention schedule plus scheduled erasure for the three largest data stores. Workers first if your headcount is contractor-heavy, customers second, vendors third. It strips historical exposure, so you can prove minimisation discipline, which means the auditor stops asking why 2018 records still exist.
Step 6 (Days 56 to 70): write the breach-response runbook, name the owner, run one tabletop drill, and attach the log to the runbook. It rehearses the response, so you can stay inside the 72-hour clock, which means the regulator sees cooperation when something does happen.
Step 7 (Days 71 to 90): re-score the 17-question test. Write the AGM-or-board paragraph: one number, one risk band, three next moves. Hand it to the CEO. It closes the loop, so you can defend the year’s work in one page, which means the directors stop asking for status updates.
A clean 7-step rollout at this scale, by our last 9 client engagements, cost between Rs.4 lakh and Rs.11 lakh in external help plus internal time, depending on whether the MSME outsourced the runbook writing or kept it in-house. No Big-4 retainer. No CISO hire.
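Obligation 7 and Step 5 both come down to one mechanical question: for every record, when does its retention period lapse, and has consent withdrawal (obligation 2) pulled that date forward? The Python below is an added example, not code from this post or from Sirius Star, showing the check an IT head can run over a data inventory before the erasure job is scheduled. The categories, retention periods, the legal-hold field and the sample records are all constructed assumptions; the post says each category needs a documented period but gives no numbers.

```python
"""Retention-schedule check over a constructed MSME data inventory.

For each record it computes the erasure-due date from the category's
retention period, pulls the date forward if consent was withdrawn, keeps
legally held records back, and flags any record whose category has no
documented retention period at all (itself an obligation 7 finding).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed retention periods, in days after the purpose completes.
RETENTION_DAYS = {
    "customer": 365,
    "worker": 180,
    "vendor": 730,
    "rejected_cv": 90,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_completed: date            # last order, contract end, hiring decision
    consent_withdrawn: Optional[date] = None
    legal_hold: bool = False           # assumed field: open dispute or statutory retention


def erasure_due_date(rec: Record) -> Optional[date]:
    """Date by which the record must be erased, or None if the category
    has no documented retention period. A consent withdrawal brings the
    date forward to the withdrawal date, since no lawful basis remains."""
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        return None
    scheduled = rec.purpose_completed + timedelta(days=days)
    if rec.consent_withdrawn is not None:
        return min(scheduled, rec.consent_withdrawn)
    return scheduled


def plan_erasure(records, today: date) -> dict:
    """Split the inventory into erase_now, on_hold, undocumented and
    retained (with due dates, soonest first)."""
    plan = {"erase_now": [], "on_hold": [], "undocumented": [], "retained": []}
    for rec in records:
        due = erasure_due_date(rec)
        if due is None:
            plan["undocumented"].append(rec.record_id)
        elif rec.legal_hold:
            plan["on_hold"].append(rec.record_id)   # schedule must not override a hold
        elif due <= today:
            plan["erase_now"].append(rec.record_id)
        else:
            plan["retained"].append((rec.record_id, due))
    plan["retained"].sort(key=lambda item: item[1])
    return plan


# Constructed sample inventory: one record per situation the check must handle.
SAMPLE_INVENTORY = [
    Record("C-1001", "customer", date(2023, 1, 15)),                      # stale customer
    Record("C-1002", "customer", date(2025, 6, 1)),                       # recent customer
    Record("C-1003", "customer", date(2025, 3, 1),
           consent_withdrawn=date(2025, 4, 10)),                          # withdrew consent
    Record("W-2001", "worker", date(2024, 12, 31), legal_hold=True),      # contractor, on hold
    Record("V-3001", "vendor", date(2022, 5, 20)),                        # expired vendor contract
    Record("CV-4001", "rejected_cv", date(2025, 5, 1)),                   # rejected CV, due soon
    Record("X-9001", "old_crm_export", date(2018, 1, 1)),                 # no retention period documented
]
TODAY = date(2025, 7, 1)  # constructed "run date"


def run_sample() -> dict:
    return plan_erasure(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(f"{bucket}: {items}")
```

The "undocumented" bucket is the one to watch at audit: a record whose category is not in the schedule cannot be erased on lapse because no lapse date exists, which is exactly the pre-2022 CRM export that question 13 of the self-test is asking about.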
Build vs outsource: when a virtual DPO actually makes sense
An ordinary Data Fiduciary, which most Indian MSMEs are, does not need a designated DPO by statute. SDFs do; the rest do not. So the practical question is whether your MSME wants the function for credibility and operational discipline, not whether the Act compels it.
A virtual DPO arrangement (a part-time external compliance counsel on retainer, typically Rs.18,000 to Rs.45,000 per month for an MSME of your size) is value for money when (a) your IT head already has 9-hour days and cannot absorb the privacy file, (b) export buyers in the EU or UK are asking for “DPO contact” boilerplate, or (c) the CEO wants a third party named on the AGM slide for credibility. Building in-house (a CISO or in-house DPO hire at Rs.18 to 30 lakh CTC) makes more sense at 800-plus headcount or where you process sensitive financial data at scale. Below those two triggers, building in-house is more expense for no extra defensibility, full stop.
What the Big-4 retainer pitches will not tell you
Most Big-4 DPDP pitches lead with the Rs.250 crore cap and a 90-minute discovery cycle. The discovery is sales theatre. The pitch is calibrated for the BFSI buyer, who has board-mandated audit budget and an existing CISO. Drop it on an MSME CFO and the response is a polite “we will get back to you”, which becomes silence, which becomes the IT head re-reading the Act on a Sunday morning at 11:10. The Indian MSME pays approx 2 to 4 times what it should for retainer-style advisory because the engagement was scoped from a BFSI template, not from a Rs.50 to 200 crore MSME reality.
The honest first move at MSME scale is not a retainer. It is a 25-minute self-score, a 7-step plan, and a Rs.4 to 11 lakh external-cost band, sequenced across 90 days. Anyone offering you a Rs.6 lakh “kick-off” before you have scored the 17 questions has not asked the right question first.
Frequently asked questions
Does the DPDP Act apply to my 120-person Indian MSME?
Yes. The Act applies to any business processing personal data, except for narrow personal, domestic, journalistic, or research purposes. A 120-person garment exporter, a 70-person architecture firm, a 200-person CA practice are all in scope. The MSME data protection compliance India question is sequencing, not applicability.
Is my MSME a Significant Data Fiduciary?
Almost certainly not. SDF status is conferred by central-government notification, factoring in data volume, sensitivity, risk to processes, and impact on India’s sovereignty. Unless your firm has been separately notified, you are an ordinary Data Fiduciary and the data fiduciary India meaning for you is the lighter rulebook. (See our plain-English data fiduciary explainer.)
Do I need a designated DPO under DPDP for an MSME?
Statutorily, no, unless you are an SDF. Operationally, a virtual DPO retainer (Rs.18,000 to Rs.45,000 per month) is worth it once your IT head has 9-hour days or your export buyers ask for a DPO contact.
How much will the first 90 days of DPDP compliance for MSME India realistically cost?
In our last 9 engagements, external cost landed between Rs.4 lakh and Rs.11 lakh, depending on whether you outsourced the runbook writing. Internal time burn is approx 60 to 90 hours of the IT head plus 20 to 30 hours of legal or CS time.
Does our Indian Secure Data Guard product help on DPDP rollout?
Yes, but selectively. Secure Data Guard covers obligation 5 (reasonable security safeguards), obligation 6 (breach readiness), and part of obligation 10 (vendor accountability) on the endpoint and shared-drive side. The privacy notice, consent flow, grievance officer, and retention schedule remain organisational, not product, work. We bundle the product with a 17-question scoping read-out, which is how Manish first heard of us. Where MSMEs have field laptops we usually layer the Device Lifecycle Management piece on top, because field-laptop loss is the easiest DPDP breach trigger.
External authority anchor: the Bill text, the rules consultation, and the implementation tracker are maintained by PRS India at PRS India’s DPDP tracker; we cross-check our 17-question test against the obligations there every quarter.
The hard part of DPDP compliance for MSME India is not the Act. It is the sequencing inside a company that does not have a CISO, a DPO, an in-house lawyer, or a privacy budget line. Sudeep and I disagreed for about 25 minutes during our Monday review on whether the 17-question self-test should include question 17 (peer review). I argued yes. He argued that the IT head will skip it because nobody else in the room has read the Act. We landed on yes, because the self-review-only scores drift optimistic by approx 1.5 to 2 points on the 17-point scale, and that is the gap that costs the AGM its credibility.
Here is the part nobody says out loud: most MSME DPDP work in the first 90 days is not legal work. It is documentation work. Writing down what data you actually hold, who touches it, where it goes, and when it has to be deleted. The reason it feels like legal work is that the consultant brought a legal template. That is fine if you are a 5,000-person bank. For a 120-person exporter, the document that matters is the vendor master, not the privacy notice. Get the vendor master right, and every other obligation gets a foothold. Get the vendor master wrong, and your Rs.6 lakh retainer just bought you a PDF that you cannot enforce.
One opinion I hold and most of the Big-4 sales decks will not: an MSME that ships a defensible 80% solution in 90 days, scores 13 out of 17 on the self-test, and stops there, is in a stronger position than an MSME that signs a Rs.18 lakh retainer to chase 16 out of 17 over 18 months. The point is not the missing two questions. It is whether the directors can read the one-page status update and sleep that night. Score, fix, document, defer the rest. That is the move.
By the way, did you know we keep a one-page MSME DPDP self-assessment template, the same 17-question version Priya uses on every Sunday-evening scoping call? It is a single A4 PDF, scored in 25 minutes, with the four risk bands, three first-move shortlists by band, and a board-memo paragraph you can paste verbatim. Reply MSMEDPDP on WhatsApp and we will send it across, no scoping call required, no email gate.
Get the 17-question MSME readiness read-out, scored on a call inside 30 minutes
200-plus Indian businesses trust Sirius Star Enterprise Technologies. Response inside 4 hours on the working day, half a day on weekends. If we do not surface at least three score-band 0s on the call, the call is free and you keep the template.
The how to stop data leaks over email in India guide deep-dives the email DLP layer for SMBs.
P.S. The 17-question MSME readiness PDF Priya runs on every scoping call is a one-page A4 download. Reply MSMEDPDP on WhatsApp +91 91375 93228 and we will send it. It includes the four risk bands and what each one means at audit, the three lowest-cost first moves by band, and a 200-word AGM-paragraph template you can paste verbatim into the directors’ pack. If you have to present at the AGM in the next 30 days and you have not scored yet, this is where to start.
—
Author
Priya Sharma is the Compliance Lead at Sirius Star Enterprise Technologies. She has run DPDP scoping calls for approx 41 Indian MSMEs in the last eight months, including garment exporters, hospital chains, CA practices, and B2B SaaS firms across Mumbai, Pune, Bengaluru, and Chennai. She writes the Secure Data Guard compliance briefings and co-owns the Sirius Star DPDP readiness tooling. Reach her on care@siriusstar.in or via the WhatsApp scoping line.