DPDP Act

India's Digital Personal Data Protection Act, 2023 — the country's first comprehensive personal data protection law.

The DPDP Act regulates how Indian businesses collect, store, process, and share personal data of Indian residents. It introduces consent-first processing, the concept of a Data Principal (the individual) and a Data Fiduciary (the business), and a right to access, correction, and deletion. Penalties run up to ₹250 crore per violation.

Implementation rules were notified through 2025; phased enforcement began in early 2026. SMBs that process personal data — even simple things like a customer's name and phone number for WhatsApp messaging — fall under the Act.

Most Indian SaaS providers built consent capture, audit logs, and data-deletion APIs in 2024-2025 to meet the rules. Businesses that didn't are now scrambling.

India context

Indian SMBs need: explicit consent before sending WhatsApp marketing (utility templates are an exception), a documented privacy policy, the ability to delete a customer's data on request within 7 days, and audit logs of who accessed what. WhatsApp Business API providers (BSPs) help with consent capture, but the responsibility sits with the business.

Examples

  • A salon must collect an explicit "Yes" consent before adding a customer to a marketing broadcast list.
  • An e-commerce store must delete order history and address on customer request within 7 days.
  • A clinic must log every employee who accessed a patient's contact info.

FAQ

Does DPDP apply to small businesses?

Yes. The Act applies to any business processing personal data of Indian residents, regardless of size. Smaller SMBs may have lighter compliance burdens, but the principles — consent, deletion rights, breach notification — still apply.

Is consent always required?

Not always. Lawful purposes like fulfilling a contract (delivering an order you bought) don't require separate consent. Marketing, broadcasts, and unsolicited contact do.

What's the penalty for non-compliance?

Up to ₹250 crore per violation, with the Data Protection Board having enforcement powers. SMBs typically face proportionate penalties, but reputational damage is the real cost.

Related concepts

GDPR, PII, data fiduciary, consent management, data localization

Doggu handles DPDP Act compliance for you.

Whether it's auto-filing GST returns, DPDP-compliant consent, or RERA-friendly templates, Doggu was built specifically for the Indian SMB regulatory environment. One platform, all the requirements.
