DPDP Act 2023

What is the DPDP Act?  

The Digital Personal Data Protection (DPDP) Act, 2023 is India’s central law for protecting people’s personal data. It defines how businesses should collect, store, use, and delete personal information.

Who must comply with the DPDP Act?  

The DPDP Act applies to:

  • All businesses operating in India

  • Any company collecting personal data (name, phone, Aadhaar, email, IP address)

  • Indian startups, SMEs, online stores, private limited companies, and professional service firms

  • Foreign companies offering services to Indian users

Key Terms to Know  

Term                          Meaning
Personal Data                 Any information that can identify a person (e.g., name, mobile number)
Data Fiduciary                The business or individual deciding how and why to process data
Consent                       Permission given by the individual to collect and use their data
Significant Data Fiduciary    Large companies handling sensitive data (subject to extra rules)

DPDP Compliance Checklist for Small Businesses  

1. Provide a Privacy Notice  

  • Clearly tell users:

    • What data you are collecting

    • Why you are collecting it

    • How long you will keep it

    • Who they can contact with concerns

Add this to your website footer or app settings.

2. Collect Valid Consent  

  • Ask for clear, affirmative consent

  • Allow users to withdraw consent anytime

  • Use consent checkboxes or pop-ups

Avoid auto-opt-ins or unclear language.

3. Keep Data Safe and Minimal  

  • Don’t collect more data than needed

  • Limit who can access it

  • Use secure cloud or server platforms

  • Delete old or unused data regularly

Review email, CRM, and file storage for cleanup.

4. Add a Grievance Contact  

  • Users should be able to ask:

    • What data you store about them

    • For that data to be corrected or deleted

    • How to file a complaint

Example: Add privacy@yourcompany.in or info@yourcompany.com as the grievance email.

5. Prepare for Data Breaches  

If personal data is leaked or lost:

  • Inform the Data Protection Board of India

  • Inform the affected users promptly

Keep a basic internal plan for data breach handling.

What are Significant Data Fiduciaries?  

These are larger organizations that:

  • Handle data of children or vulnerable persons

  • Use AI to make decisions (like loan approval, job shortlisting)

  • Process large amounts of sensitive personal data

If your company is notified as a Significant Data Fiduciary, you will also need:

  • A Data Protection Officer (DPO)

  • Impact assessments for risky data processing

  • More transparency in automated decisions

Most SMEs will not fall into this category.

Penalties Under DPDP Act  

Violation Type                          Maximum Penalty
Data breach or misuse                   ₹250 crore
Failure to inform or obtain consent     ₹200 crore
Improper use of children’s data         ₹100 crore

FAQs

1. Is the DPDP Act applicable to small businesses?

Yes. All businesses that collect personal data must follow basic compliance steps—no matter their size.


2. Do I need a DPO or legal team to comply?

Not unless your business is large or notified as a Significant Data Fiduciary. Small businesses can manage with internal processes and expert support.


3. Can I store customer data on Google Drive?

Yes, if access is limited, data is encrypted, and you delete unnecessary data regularly.


4. Do I need consent for WhatsApp marketing?

Yes. Any communication using personal data (email, WhatsApp, phone) requires prior consent.


5. Is the DPDP Act 2023 applicable to freelancers or solo entrepreneurs?

Yes, even individual service providers who collect personal data such as names, phone numbers, or emails must comply with the DPDP Act by following basic rules like consent and privacy notices.


6. Do I need to display a privacy policy if my business only operates on WhatsApp or Instagram?

Yes, if you collect or store any personal data, you must make your privacy policy accessible—either through a website link, in your bio, or via a pinned message.


7. What should be included in a valid privacy notice under the DPDP Act?

A valid privacy notice should explain what data you are collecting, why you’re collecting it, how long it will be retained, and who users can contact for queries or complaints.


8. Can I rely on pre-filled checkboxes or implied consent under the DPDP Act?

No, the DPDP Act requires clear, active consent. You must use opt-in methods like checkboxes that the user selects themselves, not pre-ticked boxes or passive approval.


9. What does 'minimal data collection' mean under this law?

It means you should only collect data that is necessary for your business purpose. Collecting extra, unrelated information is discouraged under DPDP compliance.


10. Do I need to notify users every time I update my privacy policy?

Yes, if the changes affect how user data is collected, used, or stored, you must notify users and get fresh consent if required.


11. How should small businesses handle user data deletion requests?

You must verify the request and delete the personal data from your systems, including backups, within a reasonable time unless you have a legal reason to retain it.


12. What qualifies as a data breach under the DPDP Act?

A data breach refers to unauthorized access, exposure, or loss of personal data, whether through hacking, employee error, or system failure.


13. Is storing customer data in Excel files on a personal laptop allowed?

It is discouraged. The Act expects businesses to use secure storage methods with access control and encryption. Personal devices increase the risk of breaches.


14. What support does EbizFiling offer for DPDP compliance?

EbizFiling provides end-to-end support, including drafting privacy policies, setting up consent forms, handling grievance systems, and training your team on compliance best practices.

Ebizfiling’s DPDP Compliance Support  

We assist businesses with:

  • Privacy policy drafting

  • Consent form setup

  • Grievance redressal system

  • Compliance training for your team

  • Record-keeping templates

Book a free consultation at www.ebizfiling.com or write to info@ebizfiling.com

About Ebizfiling -

EbizFiling is a concept that emerged from the progressive and intellectual mindset of like-minded people. It aims to deliver end-to-end corporate legal services, including incorporation, compliance, advisory, and management consultancy, to clients in India and abroad in the best possible way.

To know more about our services and for a free consultation, get in touch with our team at info@ebizfiling.com or call 9643203209.

Author: dhruvi

Dhruvi Darji is a Content Writer at Ebizfiling who turned her passion for writing into a full-time career. She holds a Bachelor's degree in Computer Applications from KSV University and has been writing content professionally since 2023. Over time, she has worked on various topics and enjoys creating simple, clear, and helpful content that helps people gain a better understanding. She also holds a 7-band IELTS score, reflecting her strong grasp of language and communication. Beyond work, Dhruvi enjoys journaling and crafting stories.
