Most Indian startups have spent the last two years watching the DPDP Act move through notification, consultation, and draft rules, assuming the enforcement timeline was still distant. That assumption is now a risk. The rules are finalised, the Data Protection Board is being constituted, and enforcement is moving from paper to practice.
This guide covers what the Act actually requires, who qualifies as a Data Fiduciary, what the penalties look like in practice, and the specific steps a startup needs to take before an investigation arrives.
If your product decides why and how personal data of individuals in India is processed (names, emails, phone numbers, location, health data, financial data), you are a Data Fiduciary under the DPDP Act. There is no minimum size threshold. The only carve-outs are processing by an individual for purely personal or domestic purposes, and personal data the individual has themselves made publicly available.
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 received assent and was published in August 2023. It is India's first comprehensive personal data protection law, replacing Section 43A of the IT Act 2000 and the SPDI Rules 2011 made under it, which previously governed data privacy.
The Act governs the processing of digital personal data, any data about an identifiable individual that is collected or stored in digital form. It applies to:
- Any entity that processes personal data of individuals in India, within India
- Any entity outside India that processes personal data of individuals in India in connection with offering goods or services to them
This extraterritorial scope mirrors the GDPR model. An Indian SaaS startup serving users in India, or a foreign company with Indian users, both fall within scope.
Key Definitions
- Data Principal, the individual whose personal data is being processed. Where that individual is a child, the term includes the parent or lawful guardian; where the individual is a person with a disability, it includes the lawful guardian.
- Data Fiduciary, the entity (startup, company, organisation) that determines the purpose and means of processing personal data. This is where most obligations sit.
- Data Processor, an entity that processes data on behalf of a Data Fiduciary. Cloud providers, analytics vendors, payment processors.
- Significant Data Fiduciary (SDF), a Data Fiduciary designated by the Central Government based on the volume and sensitivity of data processed, the risk to Data Principals' rights, national security, public order, and similar criteria. SDFs carry additional obligations: a Data Protection Officer based in India, an independent Data Auditor, and periodic Data Protection Impact Assessments and audits.
- Consent Manager, an entity registered with the Data Protection Board that acts as a single point of contact through which a Data Principal can give, manage, review, or withdraw consent.
Core Obligations for Data Fiduciaries
1. Lawful Basis: Consent First
The DPDP Act operates primarily on a consent-first model. Before processing personal data, a Data Fiduciary must obtain free, specific, informed, unconditional, and unambiguous consent from the Data Principal, given by a clear affirmative action. The request must be accompanied or preceded by a notice that:
- Is written in clear, plain language, not legalese
- States which personal data is collected and the specific purpose of processing
- Explains how the Data Principal can exercise their rights and complain to the Board
- Is presented independently of terms of service or other documents, not bundled into them
- Can be read, at the Data Principal's option, in English or any of the 22 languages in the Eighth Schedule of the Constitution
The Act also recognises "legitimate uses" (Section 7), processing without consent where the Data Principal has voluntarily provided the data for a specified purpose, for employment purposes, for State functions such as subsidies and benefits, to comply with law or a court order, for medical emergencies, and for epidemic or disaster response. Research, archiving, and statistical processing are handled separately, as an exemption rather than a legitimate use. Most startup use cases will still require explicit consent.
2. Purpose Limitation & Data Minimisation
Personal data may only be processed for the specific purpose for which consent was obtained. Once that purpose is fulfilled, or consent is withdrawn, the data must be erased unless a law requires you to retain it. You cannot collect user email addresses for account creation and then use them for marketing without separate consent.
3. Data Principal Rights
- Right to access, summary of personal data processed and processing activities
- Right to correction and erasure, correct inaccurate data or erase data no longer needed for the stated purpose
- Right to grievance redressal, a readily available mechanism to raise complaints, with response within a defined period
- Right to nominate, nominate an individual to exercise rights on their behalf in case of death or incapacity
- Right to withdraw consent, withdrawal must be as easy as giving consent. You cannot make withdrawal harder than opt-in.
4. Breach Notification
On becoming aware of a personal data breach, a Data Fiduciary must notify both the Data Protection Board and each affected Data Principal. Unlike GDPR, there is no risk or harm threshold: every breach is notifiable. Under the Rules, affected Data Principals and the Board are to be informed without delay, and a detailed report (nature, extent, timing, likely impact, mitigation taken) must reach the Board within 72 hours of becoming aware, unless the Board allows longer on request. Failure to notify is penalised separately from the security failure that caused the breach.
5. Children's Data
Processing the personal data of a child (anyone under 18) requires verifiable consent of the parent or lawful guardian before processing. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited outright, as is any processing likely to harm a child's well-being. Breaches of these obligations carry their own penalty tier in the Schedule.
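The consent-first rule, purpose limitation, withdrawal, and the children's-data prohibitions above reduce to one engineering pattern: a per-purpose consent ledger that every processing path consults before it touches data. The Python below is an added illustration written for this page, not code from the original article or from any product it mentions. The data model, the purpose names, the in-memory store, and the scenario in `demo()` are all assumptions constructed for the example; a real system would persist the ledger and the exact notice version shown to each user.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentRecord:
    purpose: str                # exactly one specific purpose, e.g. "account_login"
    notice_version: str         # version of the plain-language notice the user saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    guardian_verified: bool = False  # verifiable parental consent, for a child

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


# Purposes that no consent can authorise for a child (Section 9(3) of the Act).
# Purpose names are assumptions for this example.
CHILD_PROHIBITED_PURPOSES = {"behavioural_tracking", "targeted_advertising"}


class ConsentLedger:
    """Append-only consent store keyed by principal, queried per purpose."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentRecord]] = {}
        self._age: dict[str, int] = {}

    def register_principal(self, principal_id: str, age: int) -> None:
        self._age[principal_id] = age

    def give_consent(self, principal_id: str, purpose: str, notice_version: str,
                     guardian_verified: bool = False) -> ConsentRecord:
        """Record consent for one purpose; bundled consent is refused by design."""
        if self._age[principal_id] < 18:
            if purpose in CHILD_PROHIBITED_PURPOSES:
                raise PermissionError(f"{purpose!r} is prohibited for a child; consent cannot authorise it")
            if not guardian_verified:
                raise PermissionError("verifiable parental consent is required for a child")
        rec = ConsentRecord(purpose, notice_version, _now(), guardian_verified=guardian_verified)
        self._records.setdefault(principal_id, []).append(rec)
        return rec

    def withdraw_consent(self, principal_id: str, purpose: str) -> int:
        """One call, no extra conditions: withdrawal is as easy as opt-in. Returns records withdrawn."""
        withdrawn = 0
        for rec in self._records.get(principal_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = _now()
                withdrawn += 1
        return withdrawn

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """Gate every processing call on an active consent for this exact purpose."""
        return any(r.purpose == purpose and r.active for r in self._records.get(principal_id, []))

    def fields_to_erase(self, principal_id: str, holdings: dict[str, set[str]],
                        fulfilled: frozenset[str] = frozenset(),
                        legal_hold: frozenset[str] = frozenset()) -> set[str]:
        """Data-minimisation check: holdings maps each stored field to the purposes it is
        held for. A field may stay only while some purpose still has active consent and is
        not yet fulfilled, or while a law requires retention (legal_hold)."""
        return {
            field for field, purposes in holdings.items()
            if field not in legal_hold
            and not any(self.may_process(principal_id, p) and p not in fulfilled for p in purposes)
        }


def demo() -> dict:
    """Constructed scenario (not real data); returns the outcomes so they can be checked."""
    ledger = ConsentLedger()
    ledger.register_principal("u1", age=30)
    ledger.register_principal("c1", age=15)

    ledger.give_consent("u1", "account_login", "notice-v3")
    ledger.give_consent("u1", "marketing_email", "notice-v3")
    marketing_before = ledger.may_process("u1", "marketing_email")
    ledger.withdraw_consent("u1", "marketing_email")
    marketing_after = ledger.may_process("u1", "marketing_email")

    holdings = {
        "email": {"account_login", "marketing_email"},   # still justified by account_login
        "ad_segment": {"marketing_email"},               # only purpose was withdrawn
        "invoice_pan": {"billing"},                      # retained under a legal duty
    }
    erase = ledger.fields_to_erase("u1", holdings, legal_hold=frozenset({"invoice_pan"}))

    try:
        ledger.give_consent("c1", "targeted_advertising", "notice-v3", guardian_verified=True)
        child_ads_blocked = False
    except PermissionError:
        child_ads_blocked = True
    try:
        ledger.give_consent("c1", "account_login", "notice-v3")
        child_needs_guardian = False
    except PermissionError:
        child_needs_guardian = True
    ledger.give_consent("c1", "account_login", "notice-v3", guardian_verified=True)

    return {
        "marketing_before": marketing_before,
        "marketing_after": marketing_after,
        "erase": erase,
        "child_ads_blocked": child_ads_blocked,
        "child_needs_guardian": child_needs_guardian,
        "child_login_ok": ledger.may_process("c1", "account_login"),
    }
```

The design choice worth copying is that `may_process` takes a purpose, not a principal alone: a marketing job that calls it with `"marketing_email"` gets `False` the moment the user withdraws, even though the same email address remains lawfully held for login. `fields_to_erase` then answers the purpose-limitation question directly, which field no longer has any purpose justifying it, so an erasure job can act on that set rather than on a blanket retention period.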
Penalties: How Much Does Non-Compliance Actually Cost?
The Schedule to the Act sets maximum penalties per breach, imposed by the Data Protection Board after an inquiry:
| Breach | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | ₹250 crore |
| Failure to notify the Board or affected Data Principals of a personal data breach | ₹200 crore |
| Non-fulfilment of obligations relating to children's data | ₹200 crore |
| Non-fulfilment of additional obligations of a Significant Data Fiduciary | ₹150 crore |
| Breach of any other provision of the Act or the Rules | ₹50 crore |
These are per-instance ceilings, not annual caps, and the Board sets the actual amount by the nature, gravity, and duration of the breach, the type of data affected, and what was done to mitigate it. A single breach affecting 50,000 users could attract separate penalties at once: one for the security failure, one for the notification failure, and one for any erasure failures.
6-Step DPDP Compliance Roadmap for Startups
| Step | What to Do | Timeline |
|---|---|---|
| 1. Data Mapping | Map every category of personal data your product collects, stores, or transmits. Include third-party integrations (analytics, payments, CRM). | Week 1–2 |
| 2. Consent Architecture | Redesign signup and data collection flows to capture granular, purpose-specific consent. Remove pre-ticked boxes. Build consent withdrawal flows. | Week 2–4 |
| 3. Privacy Notice | Draft a plain-language privacy notice covering: what data is collected, why, how long it is retained, who it is shared with, and how users exercise rights. Available in relevant Indian languages for consumer apps. | Week 2–3 |
| 4. Security Safeguards | Implement encryption at rest and in transit, access controls, audit logging, and a data breach detection mechanism. Document all safeguards. | Week 3–6 |
| 5. Breach Response Plan | Create a documented incident response procedure covering: detection, internal escalation, immediate intimation of affected Data Principals and the Board, the detailed Board report within 72 hours, and pre-drafted Data Principal notifications. | Week 4–5 |
| 6. Vendor Contracts | Audit Data Processor agreements. Every vendor handling Indian personal data must have a contract specifying processing restrictions, security obligations, and breach notification requirements. | Week 5–8 |
DPDP Act vs GDPR: Key Differences
Many startups already have GDPR compliance in place. Here is what transfers, and what does not.
| Dimension | DPDP Act 2023 | GDPR |
|---|---|---|
| Lawful bases | Primarily consent + legitimate uses | 6 lawful bases including legitimate interests |
| Right to portability | Not included in current Act | Explicit right to data portability |
| Data localisation | Government may restrict cross-border transfers to certain countries | SCCs and adequacy decisions govern transfers |
| Children's age | Under 18 (higher than GDPR's 16) | 13–16 depending on member state |
| DPO requirement | Only for Significant Data Fiduciaries | Required for certain processing activities |
| Max penalty | ₹250 crore per breach | €20M or 4% of global annual turnover, whichever is higher |
| Enforcement body | Data Protection Board of India | National supervisory authorities in each EU/EEA member state, coordinated by the EDPB |
Map your DPDP Act gaps before the Board does
SecComply runs a dedicated DPDP Act readiness assessment covering data mapping, consent architecture review, breach notification readiness, and vendor contract audit. Output: a prioritised remediation roadmap with timelines.
Book Free DPDP Assessment →