TL;DR — 6 things to do this quarter
- Update privacy notice (specific to DPDP wording)
- Implement explicit consent capture (no pre-ticked boxes)
- Add data principal rights flow (access, correction, erasure)
- Audit data processors (cloud, analytics, third-party SaaS) for compliance
- Designate Data Protection Officer if you process significant data
- Set up breach notification procedure (72-hour reporting to DPB)
Who DPDP applies to
Any "Data Fiduciary" processing personal data of "Data Principals" in India. Practically: any Indian website / app that collects email, phone, name, etc. — which is essentially all of them.
The 6 practical compliance items
1. Privacy notice
- What data you collect (specific, not generic)
- Purpose of processing
- Legal basis
- Categories of recipients (third parties)
- Data principal rights
- Contact for grievances
- In English + (best practice) the local language of users
2. Consent
Must be free, specific, informed, unconditional, unambiguous. No pre-ticked checkboxes. No "by using our website you agree" claims. Separate consent for each purpose (marketing, analytics, third-party sharing), and withdrawal must be as easy as giving it.
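As an added example (not code from this page or from the author's client builds), here is a minimal per-purpose consent record that encodes those rules: nothing is consented by default, consent can only exist for a purpose the notice discloses, strictly necessary processing needs none, and withdrawal is dated rather than deleted. The notice shape, purpose ids and function names are assumptions.

```javascript
// Illustrative consent model (added example; names and shape are assumptions).
// Purposes exactly as disclosed in the privacy notice; 'essential' marks
// strictly necessary processing (e.g. login session) that needs no consent.
const NOTICE = {
  version: "2026-03-30",
  purposes: [
    { id: "service", essential: true },
    { id: "marketing", essential: false },
    { id: "analytics", essential: false },
    { id: "third_party_sharing", essential: false },
  ],
};

// Build a consent record from the purposes the user affirmatively ticked.
// Anything not ticked is recorded as NOT given: there are no defaults and
// no "by using the site you agree". Ticking an undisclosed purpose is an
// error, because consent must be specific and informed.
function buildConsentRecord(notice, ticked, userId, now = new Date()) {
  const known = new Set(notice.purposes.map((p) => p.id));
  const unknown = [...ticked].filter((id) => !known.has(id));
  if (unknown.length > 0) {
    throw new Error(`consent for undisclosed purpose(s): ${unknown.join(", ")}`);
  }
  const consents = {};
  for (const p of notice.purposes) {
    if (p.essential) continue; // no consent asked for strictly necessary use
    consents[p.id] = { given: ticked.has(p.id), at: now.toISOString() };
  }
  return { userId, noticeVersion: notice.version, consents };
}

// Gate every non-essential use on an explicit, non-withdrawn consent entry.
function mayProcess(record, notice, purposeId) {
  const p = notice.purposes.find((x) => x.id === purposeId);
  if (!p) return false; // never process for a purpose the notice omits
  if (p.essential) return true;
  const c = record.consents[purposeId];
  return Boolean(c && c.given && !c.withdrawnAt);
}

// Withdrawal keeps the audit trail: the entry is flipped and dated, not removed.
function withdrawConsent(record, purposeId, now = new Date()) {
  const c = record.consents[purposeId];
  if (!c) throw new Error(`no consent entry for ${purposeId}`);
  const updated = { ...c, given: false, withdrawnAt: now.toISOString() };
  return { ...record, consents: { ...record.consents, [purposeId]: updated } };
}
```

Store the returned record with the notice version it was given against, so a later notice change triggers a fresh consent rather than silently carrying the old one forward.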
3. Data principal rights flow
Users can request: access (their data), correction, erasure (right to be forgotten), grievance redressal. Set up a flow — either a form on your site or an email — and respond within timeframes (typically 30 days).
4. Data processor audit
Every third party that touches your user data is a "Data Processor". You need a contract (DPA — Data Processing Agreement) with each. Common ones for SMEs:
- AWS / DO / Vercel (hosting)
- Razorpay / Stripe (payments — they have their own DPA)
- Mailchimp / SendGrid (email)
- Google Analytics / PostHog
- WhatsApp BSP
- Tally / Zoho integrations
5. Data Protection Officer (DPO)
Required if you're a "Significant Data Fiduciary" (criteria: data volume, sensitivity, risk). Most SMEs do not hit this threshold yet, but designate someone (founder / ops head) as the contact for data matters anyway.
6. Breach notification
Under DPDP, you must notify the Data Protection Board (DPB) and affected users within 72 hours of becoming aware of a personal data breach. Have a procedure ready — contact, template notice, escalation path.
Common mistakes
- "Cookie banner" but no actual consent management — banner is theatre.
- Using an EU GDPR notice for an Indian site — DPDP has different requirements.
- Not signing DPAs with major processors.
- Storing user data for "as long as we want" — DPDP requires retention limits.
For all our client builds we now include a DPDP-compliant privacy notice, consent capture, and rights flow as standard, plus DPA templates for the top processors. ~₹15K add-on if retrofitting an existing site.
FAQ
What about cookies?
DPDP doesn't have a cookie-specific rule like GDPR's ePrivacy. Cookies that personalise / track for marketing need consent. Strictly necessary cookies (login session) don't.
What about international users?
If you process data of Indian residents, DPDP applies regardless of where you're based. Foreign sites serving Indian users also need to comply.
Last reviewed: 30 March 2026 · Based on DPDP Act 2023 + Rules notified through Q1 2026.
Want this built for you?
Talk to Kashvi — 30-min call, honest assessment, no pitch deck.