
DPDP is now law. Here's what it actually means for your business.

Ayush Joshi, 10 February 2026
DPDP, compliance basics, data fiduciary, SME

India's Digital Personal Data Protection Act applies to almost every business that holds customer data — including yours. Here's the plain-language version of what changed and what you're now responsible for.

If your business holds a single customer's name, email, or phone number, the Digital Personal Data Protection Act now applies to you. Not "will apply." Not "applies to big tech." You.

Most Indian business owners have heard DPDP exists and quietly filed it under "something to deal with later." That instinct is the expensive one, because the law is here: the Rules were notified in November 2025 and the obligations phase in through May 2027. The runway is shorter than it looks once you map what's involved. The businesses that wait until the deadline are the ones who'll be scrambling; the time to get ahead of it calmly is now.

This post is the plain version: what DPDP is, whether it covers you, and what you're suddenly on the hook for. No legalese.

What DPDP actually is

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data-protection law. In one sentence: if you collect and use people's personal data, you now have legal duties about how you collect it, what you do with it, how you protect it, and what rights you give people over it.

It's built around two roles. A Data Principal is the individual whose data it is — your customer, your lead, your user. A Data Fiduciary is whoever decides why and how that data gets used — that's your business. If you run a company that has customers, you are almost certainly a Data Fiduciary, with all the duties that come with it.

"But we're small. Surely this doesn't apply to us?"

This is the single most common — and most dangerous — assumption.

DPDP does not have a blanket small-business exemption that lets you ignore it. Your size affects some obligations (the heaviest requirements fall on the largest, highest-risk data handlers), but it does not change whether you have duties. A ten-person SaaS startup holding 5,000 user emails is a Data Fiduciary in the eyes of the law, the same as a bank.

The businesses most exposed are precisely the ones who assume they're too small to matter — because they've done nothing, have no records, and wouldn't know a compliance obligation if it landed in their inbox. Which, increasingly, it does.

What you're now responsible for

Here's the honest short list of what being a Data Fiduciary means in practice:

You need a lawful reason to hold data. You can't just collect and keep personal data because it's useful. You need a valid basis — usually the person's consent, or a specific permitted purpose — and you have to be able to show it.

You have to tell people what you're doing. Clear notice, in plain language, about what you collect and why. The era of a buried, unreadable privacy policy nobody updates is over.

You have to honour people's rights. Customers can ask what data you hold, ask you to correct it, and ask you to delete it. Each of those requests carries a deadline, and you have to publish how long you will take to respond. Ignoring them isn't an option: a request you fail to act on can be taken to the Data Protection Board as a complaint.

You have to protect the data and report breaches. Reasonable security safeguards are now a legal duty, not a nice-to-have. And if data is breached, there are notification clocks that start the moment you become aware: the Rules require you to inform the affected people and the Data Protection Board without delay, and to give the Board a detailed report within 72 hours. Those are hours, not days, so you need a breach-handling process that already exists before the breach does.

You're responsible for your vendors too. Your CRM, your email tool, your payment gateway are Data Processors: they process data on your behalf, and the Act makes you, the Data Fiduciary, responsible for compliance regardless of what they do with your customers' data. A breach or misuse inside a vendor's system is still your breach.

Why this is genuinely hard to do alone

None of the above is impossible. But notice what it requires: knowing which lawful basis applies to each thing you do, writing notices that actually meet the standard, tracking rights-requests against deadlines, maintaining records you can produce if asked, and keeping all of it current as your business changes.

That's not a one-time task you finish. It's an ongoing operating discipline — and it's the kind of thing most owners didn't start a business to spend their week on.

That's exactly the gap we built Pramaan to close: we map what you hold, surface your real obligations, catch the events you'd miss, and tell you precisely what's required and by when — operated by people who understand the law, so the judgment calls aren't left to you.

This article is general information, not legal advice. Your specific obligations should be confirmed with a qualified advisor. If you'd like a plain-language read on where your business actually stands under DPDP, book a free compliance review.

Start here

Get a free DPDP exposure review.

Find out, with no obligation, where your business stands under DPDP — and what it would take to be continuously compliant. A short call with our team.

  • A plain-language read on your actual exposure
  • The specific obligations that apply to your business
  • No jargon, no pressure — just a clear picture
