Skip to content
Octane
Octane Writing May 10, 2026

DPDPA 2023, in plain English.

India’s data privacy law is now live. If you run a startup or SMB, here’s what’s mandatory, what’s coming, and what to fix before May 2027.

By Delbin George May 10, 2026

Your startup collects user emails. Phone numbers. Maybe IP addresses through a cookie banner you copy-pasted from a competitor in 2022. Congratulations — you’re a Data Fiduciary under India’s new data privacy law. And the clock is already running.

DPDPA 2023 (the Digital Personal Data Protection Act) sat as a paper tiger for two years. On November 13, 2025, that changed. The Rules were notified, the Data Protection Board went live, and the “we’ll wait for clarity” excuse officially expired. Here’s the version of this law that actually fits in your head, plus what to do before the May 2027 deadline lands.

Why DPDPA 2023 suddenly has teeth

The Act got presidential assent back in August 2023, then sat there. No Rules. No enforcement body. No real bite.

Then MeitY notified the DPDP Rules 2025. Through Gazette notifications G.S.R. 843(E) to 846(E), the rollout was split into three phases. Phase 1 is already live (Data Protection Board operational, definitions in force). Phase 2 hits on November 13, 2026 (Consent Manager registration opens). Phase 3 is the big one on May 13, 2027, when notices, security safeguards, breach reporting, children’s data rules, and Data Principal rights all kick in.

That’s 18 months. Sounds like a lot. It isn’t.

“We’re too small for this” is the worst defence you can pick

I hear this every week from founders. “We have 50 customers. This law is for the big guys.”

It isn’t.

The Indian data privacy law doesn’t ask about your revenue, headcount, or Series A status. It asks one question: are you processing digital personal data of people in India? If yes, you’re in.

Section 17(3) of the Act does mention possible startup relaxations. Here’s the honest read though: until the government issues a formal notification, no SMB or startup is automatically exempt. Waiting for that notification isn’t a strategy. It’s a gamble with your bank balance.

Speaking of which, the penalty schedule:

  • Failure to maintain reasonable security safeguards: up to ₹250 crore
  • Failure to report a data breach: up to ₹200 crore
  • Violations involving children’s data: up to ₹200 crore
  • Any other violation of the Act or Rules: up to ₹50 crore

These are per-violation caps, not per-incident totals. One breach can theoretically trigger the ₹250 crore penalty (inadequate security) and the ₹200 crore penalty (failure to notify) at the same time.

The 6 things every Indian startup needs to fix

Forget the 80-page compliance documents your law firm wants to sell you. Here’s the working list:

  1. Standalone privacy notice. Plain language. Tells users what data you collect and why, before you collect it. Burying it inside Terms & Conditions doesn’t count anymore.
  2. Easy consent withdrawal. If signing up takes one click, withdrawing consent should take one click too. Anything harder is non-compliant.
  3. 72-hour breach reporting. Any breach, any size, must be reported to the Data Protection Board and to affected users within 72 hours. No minimum threshold. No grace period.
  4. Verifiable parental consent for users under 18. If your product is accessible to minors, you need a way to verify a parent actually said yes.
  5. A named grievance officer. Publish their contact details on your site. Real person, real email, grievance resolution timeline of 90 days maximum.
  6. Reasonable security safeguards. Encryption, access controls, audit logs. The kind of thing your CTO has been meaning to set up since pre-seed.

Myth vs. reality (the one that catches everyone)

Myth: “We use a third-party tool, so they’re liable, not us.”

Reality: If that vendor processes data strictly on your instructions, they’re a Data Processor and you stay liable. The moment they use the data for their own purposes (analytics, marketing, training their own models), they become an independent Data Fiduciary, and now you’re both on the hook.

Read your vendor contracts. This week.

What to do this month

You don’t need a six-figure compliance budget. You need a Saturday afternoon and a spreadsheet.

  1. Map every place your business touches user data (signup forms, CRM, payment gateway, analytics, support tool).
  2. Rewrite your privacy policy in language a 14-year-old could understand.
  3. Add a working “withdraw consent” button to your account settings.
  4. Pick a grievance officer from your team and publish their email today.
  5. Draft a one-page breach response playbook so you’re not Googling at 2 AM when something goes wrong.

That’s a starting point, not a finish line. Layer the rest in over the next 12 months.

What we’re building for this

The list above is the same one we kept handing founders over coffee. So we started building it into a tool. Vyuham is our DPDPA readiness app for Indian startups and SMBs — you answer a focused set of questions about how your business handles personal data, and Vyuham gives you back a prioritised gap list mapped to the obligations under the Act and the 2025 Rules, plus the boilerplate (privacy notice, grievance officer page, breach playbook) you can adapt the same afternoon.

One thing we want to be loud about: Vyuham is not a compliance-certifying authority. Under DPDPA 2023, only the Data Protection Board can issue binding compliance findings. Nobody else — not us, not any private vendor — can hand you a certificate that means anything in front of a regulator. What Vyuham does is help you get prepared: it points at the gaps a regulator would notice, gives you a sane order to close them, and keeps doing that as the Rules evolve. Coach, not referee.

Vyuham lives at vyuham.co, and the quickest way to see where you stand is the free assessment at vyuham.co/assessment — it takes a few minutes and gives you back the gap list without asking for a credit card. If you’d rather walk through it together, get in touch from the contact page.

The honest takeaway

DPDPA 2023 isn’t designed to crush startups. It’s designed to stop the casual misuse of user data that’s been the default setting in India for over a decade.

Build privacy in now, while you’re small and your stack is simple. Doing it later, when you’re at 50,000 users and three engineering teams, is the expensive route.

So what’s the first data touchpoint in your business you’d flag as risky? Start there.