Tags: DPDP Basics · Strategy · Compliance

Why DPDP matters for you (yes, even if you think it doesn't)

By Autops Desk·8 Apr 2026·8 min read

The Digital Personal Data Protection Act, 2023 is not a problem for someone else's department. If your business touches Indian customer data — and almost every business does — the Act has already changed your job description, whether you've noticed or not.

When the Digital Personal Data Protection Act, 2023 was notified, the most common reaction inside Indian boardrooms was a polite shrug. "We'll wait for the Rules." "It only applies to the big tech platforms." "Our lawyers will tell us when it's time to worry." A year later, all three of those reactions have aged badly.

The DPDP Act is not a niche regulation for a handful of consumer internet companies. It is a horizontal data law that applies to anyone — and I mean anyone — who decides why and how the personal data of an individual in India is processed. The Act calls that decision-maker a Data Fiduciary (Section 2). If you run a thirty-person logistics startup that emails its delivery customers a CSAT survey, you are a Data Fiduciary. If you run a 200-person hospital that maintains patient records on a Postgres instance in Mumbai, you are a Data Fiduciary. If you run a school that collects parental WhatsApp numbers for fee reminders, you are a Data Fiduciary. The bar isn't size or sector — it's the act of deciding.

That single shift is the part most people are still missing. We grew up with Indian privacy law that was effectively a vacuum. The IT Act 2000 had a few thin clauses, the SPDI Rules 2011 covered a narrow slice of "sensitive personal information," and most of us just signed an NDA, locked the laptops, and called it a privacy programme. Those days are over. The DPDP Act puts every Data Fiduciary on the hook for a coherent, demonstrable, end-to-end privacy operation — and the penalties (Section 33) reach ₹250 crore per instance for the most serious violations. That's not a fine. That's a balance-sheet event.

So what changed?

Three things changed at the same time, and the combination is what makes this hard.

1. Consent stopped being a checkbox. Under the old regime, "I agree to the terms" was enough. Under DPDP, consent has to be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action (Section 6). It has to be given through a notice that itemises every purpose — not bundled, not buried in a 4,000-word policy. It has to be withdrawable as easily as it was given. And every consent action has to be auditable, because the Data Protection Board can ask you to prove it.

The plain-English version: if your signup flow has a single "I agree" checkbox that covers marketing, analytics, third-party sharing, and fraud prevention all at once, that signup flow is no longer compliant. You need a Consent Manager (or a credible internal equivalent) that stores who agreed, to what, on which date, with what wording shown to them, and provides the same person a one-click way to revoke any of those purposes later.
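What that consent layer looks like as a data structure, as an added example (this is not code from the original post or from any Consent Manager product): every grant is recorded per purpose against the exact notice wording shown, withdrawal is a new event rather than a deletion, and the log is hash-chained so a gap or edit shows up at audit time. The purpose keys, the principal id format and the notice text are constructed for the example.

```python
"""Purpose-granular, append-only consent ledger.

Added illustrative example. Assumptions (constructed): purposes are short string
keys, the Data Principal is an opaque id, and the notice text shown at consent
time is stored by SHA-256 so the wording can be reproduced later on request.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("seq", "principal_id", "purpose", "action", "notice_version",
          "notice_sha256", "at", "prev_hash")


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    principal_id: str
    purpose: str
    action: str            # "grant" or "withdraw"
    notice_version: str
    notice_sha256: str     # hash of the exact wording the person saw
    at: str                # ISO-8601 UTC timestamp
    prev_hash: str         # hash of the previous event (chain link)
    hash: str              # hash of this event's own fields


def _digest(payload: dict) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Events are only ever appended; each one commits to the previous hash."""

    def __init__(self):
        self.events: list[ConsentEvent] = []

    def _append(self, principal_id, purpose, action, notice_version, notice_text, at=None):
        at = at or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1].hash if self.events else GENESIS
        body = {
            "seq": len(self.events),
            "principal_id": principal_id,
            "purpose": purpose,
            "action": action,
            "notice_version": notice_version,
            "notice_sha256": hashlib.sha256(notice_text.encode()).hexdigest(),
            "at": at,
            "prev_hash": prev,
        }
        ev = ConsentEvent(**body, hash=_digest(body))
        self.events.append(ev)
        return ev

    def grant(self, principal_id, purposes, notice_version, notice_text, at=None):
        # One event per purpose: the notice itemises purposes, so consent is
        # stored per purpose, never as one bundled "I agree".
        return [self._append(principal_id, p, "grant", notice_version, notice_text, at)
                for p in purposes]

    def withdraw(self, principal_id, purpose, at=None):
        # Withdrawal is recorded, not erased: the original grant stays visible.
        return self._append(principal_id, purpose, "withdraw", "", "", at)

    def is_permitted(self, principal_id, purpose) -> bool:
        """The latest event for (principal, purpose) decides; no record means no consent."""
        state = False
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                state = ev.action == "grant"
        return state

    def verify_chain(self) -> bool:
        """Recompute every hash and link; any removed or altered event breaks it."""
        prev = GENESIS
        for ev in self.events:
            body = {k: getattr(ev, k) for k in FIELDS}
            if ev.prev_hash != prev or _digest(body) != ev.hash:
                return False
            prev = ev.hash
        return True

    def evidence_for(self, principal_id):
        """Full consent history for one person: what, when, under which notice."""
        return [ev for ev in self.events if ev.principal_id == principal_id]


def demo():
    # Constructed sample: two purposes granted under notice v1, one later withdrawn.
    ledger = ConsentLedger()
    notice_v1 = ("We use your email for order updates and, separately, for marketing. "
                 "Tick each box you agree to.")
    ledger.grant("dp-1001", ["order_updates", "marketing"], "v1", notice_v1,
                 at="2026-04-01T09:00:00+00:00")
    ledger.withdraw("dp-1001", "marketing", at="2026-04-03T18:30:00+00:00")
    return ledger
```

The check a processing job should make before using data is `is_permitted(principal, purpose)`, never a cached flag; the `evidence_for` output is what you hand over when asked to prove what the person agreed to and when.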

2. Data Principal rights are now enforceable. Section 11 gives every Indian individual the right to a summary of their personal data and processing activities. Section 12 gives them the right to correction, completion, updating, and erasure. Section 13 gives them the right to grievance redressal. These rights are not aspirational — they have statutory deadlines (the 2025 Rules pin most of them at days, not weeks), and the failure to honour them is itself a penalty event.

What this means for your IT team: when a customer emails you and says "delete my data," you need a workflow that can find every system that holds that customer's data, perform the deletion, log the action, notify any processor or sub-processor, and respond to the customer within the statutory window. If you can't do that in minutes per request — at scale, repeatedly, with audit evidence — you have a real problem.
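The deletion workflow described above, as an added example (not code from the post): a registry of systems taken from the RoPA, an erase adapter per system, an audit entry for every lookup and deletion, processors flagged for notification, and a request that stays open while any system still holds data. The system names, the in-memory records and the 30-day window are constructed for the example; the Act's actual window is not stated on this page, so it is a parameter here.

```python
"""Erasure-request orchestration across every system holding a person's data.

Added illustrative example. Assumptions (constructed): each system is modelled
as an in-memory dict keyed by principal id; the statutory window is passed in
as window_days because this page does not state it; notifying a processor is
recorded as a queued action rather than an actual API call.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class SystemOfRecord:
    name: str
    owner: str            # accountable owner, as listed in the RoPA
    is_processor: bool    # third party that must be told to erase as well
    records: dict         # principal_id -> payload (stand-in for a real store)
    fail_erase: bool = False   # simulate an adapter outage

    def holds(self, principal_id):
        return principal_id in self.records

    def erase(self, principal_id):
        if self.fail_erase:
            raise RuntimeError(f"{self.name}: erase API unavailable")
        self.records.pop(principal_id, None)


@dataclass
class ErasureRequest:
    principal_id: str
    received_at: datetime
    window_days: int
    audit_log: list = field(default_factory=list)
    pending: list = field(default_factory=list)   # systems that still hold data

    @property
    def due_at(self):
        return self.received_at + timedelta(days=self.window_days)

    def log(self, system, action, outcome, at):
        self.audit_log.append({"system": system, "action": action,
                               "outcome": outcome, "at": at.isoformat()})


def process_erasure(req, systems, now=None):
    """Look up every system, erase where data exists, log each step, and report
    whether the request can be closed. A failed adapter keeps it open."""
    now = now or datetime.now(timezone.utc)
    req.pending = []
    notify = []
    for s in systems:
        if not s.holds(req.principal_id):
            req.log(s.name, "lookup", "no data", now)   # evidence of the search
            continue
        try:
            s.erase(req.principal_id)
            req.log(s.name, "erase", "done", now)
            if s.is_processor:
                notify.append(s.name)
                req.log(s.name, "notify_processor", "queued", now)
        except RuntimeError as e:
            req.log(s.name, "erase", f"failed: {e}", now)
            req.pending.append(s.name)
    remaining = req.due_at - now
    return {"complete": not req.pending, "pending": req.pending,
            "notified": notify, "days_left": remaining.days,
            "overdue": remaining < timedelta(0)}


def demo():
    # Constructed sample estate: one adapter is down, one holder is a processor.
    systems = [
        SystemOfRecord("crm", "sales", False, {"dp-1001": {"email": "a@example.in"}}),
        SystemOfRecord("warehouse", "data", False, {"dp-1001": {"orders": 3}}, fail_erase=True),
        SystemOfRecord("email_vendor", "marketing", True, {"dp-1001": {"list": "newsletter"}}),
        SystemOfRecord("support_desk", "support", False, {}),
    ]
    req = ErasureRequest("dp-1001", datetime(2026, 4, 1, tzinfo=timezone.utc), window_days=30)
    result = process_erasure(req, systems,
                             now=datetime(2026, 4, 2, tzinfo=timezone.utc))
    return req, systems, result
```

The point of the `pending` list is that a request is never marked complete because most systems succeeded; the warehouse failure above is exactly the case that turns into a complaint if the customer is told "done".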

3. The Data Protection Board can act on a complaint. The Act establishes the Data Protection Board of India (Section 18) as an independent regulator with powers to investigate, summon witnesses, impose penalties, and require corrective action. Crucially, it does not need to wait for a class action or a public outcry. A single Data Principal complaint is enough to open an investigation. And the Board's processes are designed to be light, fast, and low-friction for the complainant — which means easy for them, hard for you.

The "we're a B2B company" myth

This is the second-most common reaction I hear. "We don't sell to consumers. We sell to enterprises. DPDP is a B2C problem."

It is not. The Act applies to personal data — which the Act defines (Section 2(t)) as any data about an individual who is identifiable from that data, or in combination with such data. That definition is wide enough to swallow your entire CRM:

  • The names and email addresses of your enterprise customers' employees, sitting in HubSpot — that's personal data.
  • The phone numbers of the procurement managers at your prospect companies, sitting in your sales sequencer — that's personal data.
  • The IP addresses your application logs against every API call from a customer's network — that's personal data.
  • The badge photos your office security uploads to the visitor management system — that's personal data.

You don't have a product that touches personal data. You are an organisation that touches personal data. There is no version of running a modern business in India in 2026 that doesn't touch personal data.

The "we'll wait for enforcement" trap

Some organisations have decided that, since the Data Protection Board hasn't levied a major penalty yet, they have time. This is a mistake for two reasons.

First, the absence of a high-profile penalty is not the absence of a clock. Once enforcement begins in earnest, the Board will look at your state of compliance on the day of the complaint, not the day you started preparing. If a Data Principal complains in October and your retention policy was first drafted in August, that retention policy didn't exist when the alleged violation occurred. You will be defending an environment that didn't exist yet.

Second, building a real privacy programme is not a one-quarter project. The honest timeline is 6–9 months for an organisation with no existing practice — longer if you have legacy systems, longer still if you're a Significant Data Fiduciary (Section 10). If you start when the first ₹100-crore penalty hits the news, you are 6–9 months behind everyone who started when the Act was notified. Your competitors will be quoting their compliance posture in their RFP responses while you're still picking a Consent Manager vendor.

What "doing it" actually looks like

People often ask me: "OK fine, what does compliance actually look like? Like, on Monday morning, what do I do?" Here's the short version, ordered by what produces the most regulatory protection per hour of effort:

  1. Inventory your personal data. Not a heroic data discovery exercise — just a spreadsheet, or a DB query, listing every system that holds personal data, who owns it, what it's for, and how long it lives there. This is your Record of Processing Activities (RoPA). Without it, every other step is guessing.

  2. Write a real notice. Not your existing privacy policy. A new, itemised notice for each major collection point (signup, checkout, support form, job applications, vendor onboarding). Each notice lists the purpose, the legal basis, the retention period, the rights, and how to contact your DPO or Grievance Officer.

  3. Build a consent withdrawal path. The hardest one. Most teams discover that they can capture consent fine, but they have no idea how to un-process the data when consent is withdrawn. That's the work.

  4. Set up a grievance inbox. A dedicated email address (grievance@yourcompany.in), an SLA, a routing rule, and a real human owner. When the complaint comes, you don't want to be inventing the process.

  5. Pick a Consent Manager. Either deploy a registered Consent Manager like AutoCops or build the equivalent functionality in-house. The Board expects to see this layer.

  6. Train your people. Not annual compliance e-learning. Real, role-specific training for the people whose actions create privacy risk: marketers who buy lists, engineers who copy production data, support agents who hand out account information.

That's six steps, none of them rocket science individually, all of them load-bearing in combination. The companies that quietly start now will spend a couple of months in the discomfort of figuring out the unknowns, and then they'll be done. The ones who wait will discover that the Data Protection Board doesn't grade on a curve.

The real point

I started this piece by saying DPDP is not a problem for someone else's department. Here's why I keep saying that: every privacy programme I've worked on starts with the same conversation. The General Counsel says, "we're handling it." The CISO says, "the lawyers are handling it." The CEO says, "between Legal and Security, we're covered."

And then nothing happens. Because privacy doesn't live in any one of those functions. It lives in the gap between them. It's the marketing tool that nobody asked Legal about. It's the SaaS contract that nobody asked Security about. It's the data warehouse that everyone's using and nobody's documenting. It's the new product feature that needs a fresh notice and a fresh consent flow that nobody remembered to commission.

Someone — probably you, if you're reading this — has to be the person who walks into the room and says, "we own this end-to-end, and here is our plan." That's what DPDP is asking for. Not a checkbox. A plan, and the discipline to execute it before the regulator asks.

The Act is your problem. Not because the law is unfair — it isn't, it's pretty mild by global standards — but because you're the one who'd have to live with the consequences. The good news is that the playbook is now well-known. The bad news is that the people who follow it will eat the people who don't.

Start this week.
