India's DPDP Act — A Complete Compliance Guide for Startups and SMEs
June 8, 2026
TL;DR / QUICK ANSWER
The DPDP Act requires Indian businesses to get consent before collecting data, appoint a Data Protection Officer if processing at scale, honor data principal rights (access, correction, erasure), and report breaches. Penalties go up to INR 250 crore. Enforcement begins 2027.
What is the DPDP Act and why does it matter now
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection legislation. Passed by Parliament in August 2023, it establishes a legal framework for how organisations must handle the personal data of individuals in India. The law applies to any entity that processes digital personal data collected in India — regardless of whether the organisation is headquartered in India or abroad.
The enforcement rules and the Data Protection Board of India are expected to be operational by 2027. That gives businesses a window to prepare — but that window is shorter than most founders realise. Building compliance from scratch takes time, and organisations that start late will face the same penalties as organisations that never started.
Source: Ministry of Electronics and Information Technology, Government of India — Digital Personal Data Protection Act, 2023 (No. 22 of 2023)
Who the DPDP Act applies to
The DPDP Act applies to any "Data Fiduciary" — an entity that determines the purpose and means of processing personal data. In plain terms: if your business collects names, email addresses, phone numbers, payment information, or any other data that can identify a person in India, the law applies to you. This includes Indian startups processing user data, SaaS companies with Indian customers, e-commerce businesses, healthcare apps, edtech platforms, and fintech services.
Significant Data Fiduciaries — organisations processing large volumes of sensitive data — face additional obligations including mandatory Data Protection Impact Assessments and the appointment of an independent Data Auditor. The government will define the threshold for this classification through rules, but large consumer platforms should assume they will qualify.
Core obligations under the DPDP Act
The DPDP Act structures obligations around five core principles. First, consent: you must obtain free, specific, informed, and unambiguous consent before collecting personal data. Pre-ticked boxes and bundled consent do not qualify. Second, purpose limitation: data collected for one purpose cannot be used for a different purpose without fresh consent. Third, data minimisation: you should collect only what is necessary for the stated purpose. Fourth, accuracy: you must take reasonable steps to ensure data is accurate and up to date. Fifth, storage limitation: personal data must be deleted once the purpose for which it was collected is fulfilled.
Beyond these principles, the Act requires Data Fiduciaries to implement appropriate technical and organisational security measures to protect personal data, notify the Data Protection Board and affected individuals in the event of a data breach, and honor data principal rights including the right to access, correct, and erase personal data on request.
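The consent, purpose-limitation and storage-limitation principles above translate directly into access-control logic. The following is an added Python example, not code from this page or from Monarc: a minimal consent ledger that records only purposes the data principal affirmatively ticked, refuses to release data for any purpose the consent does not cover, erases data once its retention period has elapsed, and supports withdrawal and erasure requests. The class and method names, the purpose strings and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ConsentRecord:
    purposes: frozenset   # purposes the data principal affirmatively ticked
    granted_at: datetime
    retention_days: int   # storage limitation for data held under this consent
    withdrawn: bool = False


class ConsentLedger:
    def __init__(self):
        self._consents = {}   # principal_id -> ConsentRecord
        self._data = {}       # principal_id -> personal data (constructed sample)

    def record_consent(self, principal_id, ticked, granted_at, retention_days):
        # Only purposes the principal actively ticked count; a form submitted
        # with nothing ticked (pre-ticked defaults do not qualify) records nothing.
        purposes = frozenset(ticked)
        if not purposes:
            raise ValueError("no purpose affirmatively selected; consent not recorded")
        self._consents[principal_id] = ConsentRecord(purposes, granted_at, retention_days)

    def _check(self, principal_id, purpose, now):
        rec = self._consents.get(principal_id)
        if rec is None or rec.withdrawn:
            raise PermissionError("no valid consent on record")
        if purpose not in rec.purposes:                                 # purpose limitation
            raise PermissionError(f"consent does not cover purpose {purpose!r}")
        if now > rec.granted_at + timedelta(days=rec.retention_days):   # storage limitation
            self.erase(principal_id)
            raise PermissionError("retention period elapsed; data erased")

    def collect(self, principal_id, purpose, data, now):
        self._check(principal_id, purpose, now)
        self._data[principal_id] = dict(data)

    def use(self, principal_id, purpose, now):
        self._check(principal_id, purpose, now)
        return dict(self._data.get(principal_id, {}))

    def withdraw(self, principal_id):
        if principal_id in self._consents:
            self._consents[principal_id].withdrawn = True

    def erase(self, principal_id):
        # Right to erasure / purpose fulfilled: drop the data and the consent record.
        self._consents.pop(principal_id, None)
        return self._data.pop(principal_id, None) is not None
```

Every read and write of personal data goes through the same check, so an audit of data use reduces to an audit of calls into the ledger.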
Penalties — what non-compliance actually costs
The DPDP Act sets penalties on a tiered basis. Failure to implement adequate security safeguards to prevent data breaches can attract a penalty of up to INR 250 crore (approximately USD 30 million). Failure to notify the Data Protection Board of a breach carries penalties up to INR 200 crore. Non-fulfilment of obligations related to children's data can result in penalties up to INR 200 crore. Breaching other provisions can result in penalties up to INR 50 crore per instance. These are not theoretical numbers — the Data Protection Board will have investigative and enforcement powers equivalent to a civil court.
Source: DPDP Act, 2023 — Schedule, Penalty provisions (Clause 33)
A practical compliance roadmap for Indian startups
Start with a data audit. Map every category of personal data your business collects, where it is stored, who has access, and how long you retain it. This single exercise will surface most of your compliance gaps. Next, review your consent mechanisms. Every data collection touchpoint — signup forms, checkout flows, contact forms, cookie banners — needs a lawful basis, and for most consumer-facing businesses that basis is explicit consent. Update your privacy policy to reflect DPDP Act language. Document your data processing activities. Establish a process for responding to data principal requests — access, correction, and erasure requests — within the timeframe the rules will specify. Build a breach notification workflow so you can respond within the required window when something goes wrong.
The organisations that will struggle most with DPDP Act compliance are those that have never thought systematically about their data. The organisations that will find it manageable are those that start the audit now, before the rules are finalised, because the core principles are already clear from the Act itself.
How Monarc helps with DPDP Act compliance
Monarc's compliance automation module is built to support Indian businesses preparing for the DPDP Act alongside UAE PDPL, ISO 27001, and GDPR. Rather than managing compliance in spreadsheets, Monarc gives you a structured workflow: identify your data assets, track your controls against regulatory requirements, and maintain an audit-ready posture continuously — not just before an assessment. Plans for Indian businesses start at ₹2,499 per month.