The Digital Personal Data Protection Act, 2023 applies to nearly every Indian business that handles personal data digitally - customers, users, employees. Penalties scale to ₹250 crore. Yet most SMBs haven't taken the first step, largely because the consulting-speak around it makes it sound harder than it is. Here's the honest checklist.
Step 1: Know your data (the RoPA)
You cannot comply with data law without knowing what data you hold. Build a Record of Processing Activities: what personal data you collect, from whom, why, where it's stored, who accesses it, and how long you keep it. For a typical SMB this is a structured afternoon's work, not a consulting engagement.
Step 2: Fix your consent
- Consent must be free, specific, informed and unambiguous - pre-ticked boxes and buried clauses don't qualify.
- Every consent request needs a clear notice: what's collected, why, and how to withdraw.
- Withdrawal must be as easy as giving consent was.
Step 3: Stand up data principal rights handling
Users can demand access to their data, correction, and erasure. You need a working process - an inbox, an owner, a deadline tracker - not a policy PDF. Most requests are simple; unanswered ones are what become complaints to the Data Protection Board.
Step 4: Map your processors
Your cloud provider, analytics tools, payroll software, CRM and marketing platforms all process personal data on your behalf. List them, check their data protection terms, and record the purpose for each. You remain accountable for what they do with your users' data.
Step 5: Prepare the breach protocol before you need it
The Act mandates notifying the Data Protection Board and affected individuals on a personal data breach. The middle of an incident is the wrong time to draft your first notification - template it now, assign an owner, and rehearse the decision tree once.
What NOT to do
- Don't copy-paste a foreign GDPR policy - DPDP's obligations and terminology differ, and a mismatched policy signals non-compliance to anyone who reads it.
- Don't wait for the first enforcement wave to hit your sector - retrofitting under deadline pressure costs multiples.
- Don't treat it as one-time: every new tool, vendor or data flow changes your RoPA.
Regno Compliance walks you through every step - guided data mapping, generated policies and consent notices, rights workflows and breach protocols - at ₹4,999/month. regno.in/product/compliance