If you run a shop with a customer WhatsApp list, a coaching centre with student records, a clinic with patient files on a computer, or an online store of any size — India's Digital Personal Data Protection Act, 2023 (DPDP Act) applies to you. This is not just a law for big tech companies.
Who does the Act apply to?
The Act applies to anyone who processes digital personal data in India — names, phone numbers, addresses, photos, payment details, health records — whether collected online or collected offline and later digitised. If customer numbers are saved in your billing software or phone, you are processing personal data.
The key obligations, in plain language
- Take valid consent. Before collecting personal data you must give a clear notice — in English or any of the scheduled Indian languages, including Hindi — stating what data you collect and why, and obtain consent.
- Use data only for the stated purpose. A number collected for delivery updates cannot be quietly reused for marketing blasts.
- Keep it accurate and secure. Reasonable safeguards are mandatory — password-protected systems, limited staff access, secure backups.
- Delete when done. When the purpose is over or consent is withdrawn, the data must be erased.
- Honour data-principal rights. Customers can ask what data you hold, demand corrections, or ask for erasure — and you must have a way to respond.
- Report breaches. Data breaches must be reported to the Data Protection Board and to affected individuals.
What happens if you ignore it?
Penalties under the Act are severe — up to ₹250 crore for failure to take reasonable security safeguards. While enforcement will be proportionate, "we didn't know" is not a defence, and even a single customer complaint to the Data Protection Board can trigger an inquiry.
Consent notices must be as easy to withdraw as they were to give. If unsubscribing from your messages is harder than subscribing, you are already non-compliant.
A practical starter checklist
- List every place personal data lives in your business (billing software, phone contacts, CCTV, registers you digitise, website forms).
- Add a simple consent notice — bilingual (Hindi/English) works best in our region — at every collection point.
- Write a one-page privacy policy and publish it on your website or display it at your premises.
- Restrict staff access: not everyone needs every customer's data.
- Decide retention periods and actually delete old data.
- Nominate one person to answer data-related requests and complaints.
How we can help
SRC Legal Services offers a DPDP applicability assessment, drafts bilingual consent notices and privacy policies, reviews vendor contracts, and guides you through breach response. For most small businesses, becoming compliant is a matter of days, not months — if it is done systematically.