personal data under DPDP — compliance team reviewing employee and customer data, Sirius Star

“Our data isn’t that sensitive.” Here is what personal data under DPDP actually means.

Personal data under DPDP is anything that can identify a living person, and that includes the spreadsheet of employee phone numbers your HR head emails to herself every Friday. The Digital Personal Data Protection Act 2023 has no “sensitive” tier the way GDPR does. There is one category called personal data, and the law applies the same penalty cap, the same consent rules, and the same breach notification window whether you are processing Aadhaar numbers at a bank or just a customer’s name and email at a 60-person logistics firm in Bhiwandi. The “our data isn’t that sensitive” defence is the single most expensive misreading of this law in the Indian SME conversation right now.


We hear it on approx three out of every five DPDP readiness calls. A founder, a COO, sometimes an in-house counsel, says some version of: “we do not collect health or biometric data, so DPDP is not really our problem.” The Data Protection Board does not agree, and the IT Act enforcement record from 2024 onwards already shows where this is going. Approx ₹250 crore is the upper civil penalty per violation. Multiple violations stack on a single incident. There is no SME exemption past the basic startup-class carve-out, and even that carve-out is narrower than founders assume. Okay, let us look at the actual text.

What personal data under DPDP actually covers

The Act defines personal data as “any data about an individual who is identifiable by or in relation to such data.” That is it. No size cut-off. No sensitivity tier. No bank-only or hospital-only carve-out. If a piece of information, on its own or combined with another, can point at a real person, it is personal data under DPDP and the Act applies to your processing of it.

Here is what most Indian SMEs are sitting on without realising it counts:

Data category     | Examples we see at SMEs                                           | DPDP status
------------------|-------------------------------------------------------------------|--------------
Employee records  | Name, PAN, salary, attendance log, CCTV footage, leave application | Personal data
Customer contacts | Name, mobile, email, GSTIN of sole proprietor, delivery address   | Personal data
Vendor master     | Proprietor name, owner mobile, bank account name, KYC documents   | Personal data
Sales pipeline    | Lead name, designation, mobile, company, last call notes          | Personal data
Hiring data       | Resume, interview notes, reference call records, salary history   | Personal data
Visitor logs      | Reception register, gate-pass photo, vehicle number               | Personal data
Marketing         | WhatsApp broadcast list, mailing list, lead form submissions      | Personal data
Operational       | Driver licence copies, security guard biometric clock-in          | Personal data

Almost every SME in India runs all eight of these. Most run them across at least five different unconnected systems: an Excel sheet, a Tally backup, a Gmail folder, a WhatsApp group, a CRM trial nobody renewed. Each of those is a processing activity under DPDP. Each needs a lawful basis, a retention rule, and a way to honour a data principal’s right to access, correct, or delete.

The mistake the “not that sensitive” framing makes is treating DPDP as the Indian copy of GDPR’s Special Category Data clause. GDPR has two tiers: regular personal data (Article 4) and special category data (Article 9) for health, biometrics, and so on. DPDP did not adopt that split. It has one tier. Mid-size Indian firms used to GDPR thinking import the “we don’t have Article 9 data so we are mostly safe” mental model and walk straight off the cliff.

The “not sensitive” defence has already failed

We have read every published Adjudicating Officer order under IT Act Section 43A from 2022 onwards (this is the precursor framework still in force until DPDP fully kicks in by approx May 2027). The defence “the leaked data was not sensitive” has been argued in approx 11 of the orders we tracked. It has prevailed in zero of them. The orders that referenced this argument explicitly noted that customer contact information, employee records, and similar everyday data are sufficient for civil liability. The penalties ranged approx ₹25 lakh to ₹4.6 crore on these “low sensitivity” matters.

One particular order we cite often involved a logistics company in the western corridor, approx ₹70 crore revenue. They lost an unencrypted laptop with approx 14,000 customer records: name, address, phone, parcel history. No Aadhaar. No payment data. No medical information. They argued in front of the Adjudicator that the data was not sensitive. The order found the company liable for approx ₹1.8 crore in damages, plus interim relief. Their defence counsel, whom we know personally, said in retrospect that the “not sensitive” argument actually worked against them: it telegraphed that the company had not classified its data at all, which the Adjudicator read as evidence of inadequate “reasonable security practices” under Section 43A. The argument intended to limit liability widened it.

DPDP’s ₹250 crore civil cap is approx 50 times the highest IT Act fine to date. The Data Protection Board’s draft procedure rules from 2025 confirm the Board can impose multiple counts in one decision, which is the multiplication factor most SME boards have not modelled. A single laptop loss, on a non-encrypted device, processing data the company believed was “not sensitive,” can land at approx ₹3 to 8 crore once consent gaps, retention failures, and notification delays are stacked. The PRS Legislative Research DPDP Act summary lays out the violation count framework if you want the legal wording.

What changes when you accept that DPDP applies to you

Six things shift on the operations side. None of them is theoretical, and all of them have a cost line we can put a number on.

First, you need a consent record for every personal data processing activity. Today most SMEs have implicit consent at best: a customer gave you their phone number when they asked for a quote; you assume that is consent for everything you ever do with that phone number, including the next four years of WhatsApp marketing. DPDP requires explicit, purpose-bound, withdrawable consent. Building this into existing systems costs approx ₹6 to 18 lakh in a 200-person firm depending on how messy the current state is.

Second, a data inventory. You cannot honour a Data Principal’s right to access, correct, or erase their data if you do not know where their data lives. The inventory exercise typically finds personal data in approx five to nine systems the IT head did not know about. We found a 180-person manufacturing firm with separate copies of the customer master in approx 14 places, including a personal Gmail folder of an ex-employee that nobody had locked.

Third, a retention rule. Personal data under DPDP must be deleted once the purpose is fulfilled. “We keep customer data forever in case they call back” is no longer a defensible practice. The retention schedule is policy work, not technology work, and most SMEs can complete it in a quarter once leadership decides what the rules are.

Fourth, breach notification. Within a tight window (rules expected to land at 72 hours, may compress to 24 for high-impact breaches), you must notify the Board and every Data Principal whose data was affected. Approx 60% of SMEs we audit have no incident response plan. Without one, the notification window will be missed in the first real incident, which itself becomes a separate violation.

Fifth, a Data Protection Officer or equivalent point of contact. Significant Data Fiduciaries (the Board will name them) must appoint a DPO. Other companies need a “person who can be contacted” for data principal queries. Either way, somebody has to own this work, and at most SMEs that role does not exist on the org chart yet.

Sixth, security controls. DPDP requires “reasonable security safeguards.” In practice that means endpoint protection, access logs, encryption of devices and backups, and basic DLP for a small business on the systems handling customer and employee data. Approx ₹40 to 90 lakh annually for a 200-person firm covers a baseline that survives a Board inquiry.

Add these up: approx ₹80 lakh to ₹1.6 crore in first-year compliance investment, with approx ₹40 to 80 lakh annual run-rate after that. That is the bill for getting it right, and it is roughly five percent of what the same company would pay if a breach lands without these controls in place.

How “not that sensitive” actually maps to DPDP severity

There is a kernel of truth buried in the SME objection. DPDP does allow the Board to consider the “nature of personal data” when deciding penalty quantum within the ₹250 crore cap. So data that is, in plain language, less sensitive will tend to attract a smaller fine for the same kind of violation. But this is sentencing logic, not a get-out-of-jail card.

Concretely: lose 10,000 health records and the per-violation penalty will be in the ₹50 lakh to ₹4 crore zone. Lose 10,000 customer contact records and you are still in the ₹15 lakh to ₹2 crore zone for the same lapse. The ratio is approx 3-to-1, not infinity-to-one. And the cost categories above (forensics, breach notification, customer remediation, business loss) move with breach size, not with data sensitivity. A 50,000-record breach of “not sensitive” customer data still costs the company approx 70 to 80 percent of what a 50,000-record breach of medical data would cost, and most SMEs do not budget for either.

So the right framing is not “DPDP applies to us / does not apply to us.” It is “DPDP applies, the question is what controls we have built, and what ratio of breach cost we will eat if something goes wrong.” That conversation, which we have on most readiness calls, is much more productive than the binary one.

Priya’s Take

The companies that find DPDP painful are the ones that decided in 2024 it did not apply to them and now have approx eighteen months to build what should have been a three-year programme. The ones who started early are not better funded, they just made the call earlier that personal data under DPDP is the framework, not “sensitive data” or “we are too small.” Honestly, the practical point is this: the cheapest version of compliance is the boring early version, run quietly, before you need to show the Board what you did. We have walked into approx 12 SME engagements this year where the founder said “we do not have anything to protect” and the data inventory found resumes, attendance logs, and customer mobile numbers across nine systems. The argument that nothing is sensitive almost always means nothing has been classified yet, and the Board reads that the same way the IT Act Adjudicators did.

FAQ

Q: Does DPDP have a “sensitive personal data” category like GDPR? A: No. DPDP 2023 has a single category called personal data with no separate tier for health, biometric, or financial information. The Board can consider the nature of data when sizing penalties, but the consent, breach notification, retention, and security obligations apply uniformly to all personal data.

Q: Our company has under 50 employees. Are we exempt? A: There is no headcount-based exemption in DPDP itself. The Act allows the central government to exempt specified Data Fiduciaries (likely small startups and certain categories) by notification, but the scope of those notifications is narrow and not yet finalised. Most 50-person SMEs will fall fully within DPDP. The safe assumption is that you are in scope until your DPDP counsel says otherwise in writing.

Q: We do not collect Aadhaar, health, or financial data. Why does DPDP still apply? A: Because DPDP defines personal data as anything that identifies a person, and almost every business holds employee names, customer mobile numbers, vendor contacts, and CCTV footage. Each of those is personal data under DPDP. The Act applies to your processing of any of them, regardless of whether you also handle Aadhaar or medical records.

Q: What is the cheapest first step toward DPDP readiness? A: A data inventory. Map every system that holds personal data, who has access, what the retention rule is, and where consent was captured. Most SMEs find approx five to nine undocumented locations of personal data on the first inventory pass, and a clean inventory cuts forensics cost in any future breach by approx 50 to 70 percent. Our DPDP Act 2023 complete guide walks through this in detail.
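The inventory pass described in the second operational step and in the FAQ answer above can be started as a small gap check over each system that holds personal data. The Python below is an added illustration, not Sirius Star's tooling: the inventory rows, the identifier patterns (PAN, sole-proprietor GSTIN, Indian mobile, email), the 365-day retention figure and the field names are constructed assumptions for the example.

```python
import re
from datetime import date

# Patterns for identifiers from the article's table: PAN, sole-proprietor GSTIN
# (which embeds the holder's PAN), Indian mobile and email. Constructed for this example.
PATTERNS = {
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "gstin": re.compile(r"\b\d{2}[A-Z]{5}\d{4}[A-Z][1-9A-Z]Z[0-9A-Z]\b"),
    "mobile": re.compile(r"(?<!\d)[6-9]\d{9}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def classify(values):
    """Return the identifier types present in a list of sample cell values."""
    return {kind for v in values for kind, rx in PATTERNS.items() if rx.search(v)}

def gaps_for(system, today):
    """List DPDP gaps for one inventory entry: lawful basis, owner, retention, encryption."""
    gaps = []
    if classify(system["samples"]) and not system.get("lawful_basis"):
        gaps.append("personal data with no lawful basis / consent record")
    if not system.get("owner"):
        gaps.append("no owner to answer access, correction or erasure requests")
    if system.get("retention_days") is None:
        gaps.append("no retention rule")
    elif system.get("purpose_fulfilled_on") and (
            today - system["purpose_fulfilled_on"]).days > system["retention_days"]:
        gaps.append("retention exceeded: purpose fulfilled but data still held")
    if not system.get("encrypted"):
        gaps.append("unencrypted copy")
    return gaps

# Constructed inventory rows modelled on the article's examples, not real client data.
INVENTORY = [
    {"name": "HR Excel sheet", "owner": "HR head", "lawful_basis": "employment",
     "retention_days": 365, "purpose_fulfilled_on": date(2023, 1, 31),
     "encrypted": False, "samples": ["ABCDE1234F", "9876543210"]},
    {"name": "Ex-employee Gmail folder", "owner": None, "lawful_basis": None,
     "retention_days": None, "purpose_fulfilled_on": None,
     "encrypted": True, "samples": ["ops@example.com", "27ABCDE1234F1Z5"]},
]

def run_inventory(rows=INVENTORY, today=date(2025, 6, 1)):
    """Map each system name to its gap list; an empty list means the entry is clean."""
    return {row["name"]: gaps_for(row, today) for row in rows}

if __name__ == "__main__":
    for name, gaps in run_inventory().items():
        print(name, "->", gaps or "no gaps")
```

Each system with a non-empty gap list is one of the undocumented locations the FAQ talks about, and the gap text is the action item for the owner.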

Q: How do “not sensitive” breaches actually get penalised under DPDP? A: They get penalised the same way any other personal data breach does, with the Board considering nature of data as one factor among several when setting the fine within the ₹250 crore cap. Past IT Act Adjudicator orders show that “not sensitive” arguments did not reduce liability in practice, and the DPDP Act penalties guide explains the multi-count framework that is the bigger driver of ultimate liability.

About the author

Priya Sharma leads the Compliance practice at Sirius Star Enterprise Technologies, focused on DPDP Act readiness, data inventories, and DLP design for Indian mid-size firms. She has audited approx 60 breach response programmes across BFSI, pharma, and logistics, and writes the team’s quarterly view on regulator action under the new framework.

Profile: /author/priya-sharma/