
DPDP Act Compliance for Indian Startups: What You Actually Need to Do

India's Digital Personal Data Protection Act is in force and enforcement is coming. Here's a practical breakdown for startups - what applies to you, what the actual obligations look like, and how to prioritize.

NexusVoid AI Team · March 2025

The Digital Personal Data Protection Act was passed by Parliament in August 2023 and received Presidential assent the same month. The rules under the Act are still being finalized, but the core obligations are clear, and any Indian startup that processes personal data needs to understand them now - not when enforcement begins.

The honest assessment is that DPDP is significantly lighter than GDPR in several important respects. It doesn't require a legal basis for every processing activity (consent is the primary mechanism). It doesn't mandate a Data Protection Officer for most companies. It doesn't have the concept of "privacy by design" baked in at the same level of detail. That's not a criticism - it reflects a deliberate choice to create a compliance framework that Indian businesses can actually implement. The question is what implementation looks like.

Who It Applies To

DPDP applies to any entity that processes digital personal data within India, and to any entity outside India that processes personal data of Indian residents in connection with offering goods or services in India. If you're an Indian startup processing user data - which describes basically every consumer or B2B SaaS company - you're covered.

The Act distinguishes between "Data Fiduciaries" (entities that determine the purpose and means of processing) and "Data Processors" (entities that process on behalf of a fiduciary). Most startups are fiduciaries for their own user data. If you use a third-party analytics platform or CRM, that platform is a processor, and you need contractual protections in place that flow down DPDP obligations.

There's also a category called "Significant Data Fiduciaries" that will be designated by the central government based on volume of data, sensitivity, risk to national security, or other factors. These entities face additional obligations including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and submitting to periodic audits. The threshold hasn't been formally published yet, but most startups won't hit it initially.

The Core Obligations

Consent is the primary legal basis under DPDP. Before collecting personal data, you need to provide a clear, specific notice about what data you're collecting and why. The notice must be in plain language - the Act explicitly prohibits the kind of legalese that nobody reads. You then need to obtain free, specific, informed, and unambiguous consent. Pre-ticked boxes don't count. Bundled consent (agreeing to everything as a condition of using the service) is also prohibited for non-essential processing.

Data Principal rights are a significant addition compared to older Indian data protection frameworks. Users have the right to access information about what data you hold about them, the right to correction of inaccurate data, the right to erasure, and the right to nominate someone to exercise rights on their behalf in case of death or incapacity. You need a mechanism to receive and respond to these requests. The Act doesn't specify a response timeframe in the main text (it will be specified in rules), but 30 days is the reasonable benchmark to plan for.

Breach notification is mandatory. If there's a personal data breach, you must notify the Data Protection Board and affected data principals. The specific timeline will be in the rules, but GDPR's 72-hour notification requirement for supervisory authorities is a useful benchmark for planning. This means you need breach detection capabilities and a notification workflow before a breach happens, not after.

DPDP vs. GDPR: What's Different

The biggest structural difference is that DPDP doesn't have the same catalogue of legal bases for processing that GDPR has. Under GDPR, you can process data on the basis of consent, contract, legal obligation, vital interests, public task, or legitimate interests. DPDP primarily uses consent, with limited exceptions for state activities and emergencies. This is actually simpler to implement - but it means consent management becomes more important.

The penalties under DPDP are significant but structured differently from GDPR. GDPR penalties can reach 4% of global annual turnover or €20 million, whichever is higher. DPDP penalties are fixed-amount maximums under a tiered schedule - up to ₹250 crore (approximately $30 million) for the most serious violations involving a Significant Data Fiduciary. For smaller companies, the maximum penalties in the lower tiers are more limited, but still substantial enough to matter.

What a 20-Person Startup Needs to Do

At this stage, for a startup with fewer than 25 employees, the minimum viable DPDP compliance posture looks like this. First, audit your data flows. Know what personal data you collect, where it lives, how long you keep it, and who has access. You can't manage what you haven't mapped. This doesn't require a consultant - a spreadsheet and an afternoon will get you 80% of the way there.

Second, update your privacy notice to be actually readable. Describe in plain language what data you collect, why you collect it, how long you keep it, and how users can exercise their rights. Put a real email address or form for data requests on your website.

Third, implement a process for data principal requests. Someone at your company needs to own incoming requests for access, correction, or deletion. It doesn't need to be a formal ticket system if you're small - a shared email inbox with a commitment to respond within 30 days is enough.

Fourth, add DPDP obligations to your vendor contracts. When you sign up for a new SaaS tool that will process Indian user data, make sure there's contractual language committing them to appropriate data processing standards. Most major vendors have GDPR data processing agreements that can serve as a template.

At 200 people, the priorities shift. You need a data protection coordinator (not necessarily a full DPO, but someone with clear accountability), a more formal data mapping program, a documented breach response procedure that's been tested, and vendor contracts that have been reviewed by counsel. You also need to monitor the central government's designation of Significant Data Fiduciaries closely, because it could apply to you depending on your user numbers.

The rules are coming and they will add detail to all of this. Start now with what you can control - the fundamentals of consent management, data mapping, and breach notification readiness. That foundation will serve you whether the enforcement timeline moves fast or slow.
