The DPDP Act, quietly — what a small Indian startup actually has to do
The rules landed. Most of the coverage is for enterprises. Here's the checklist for a twenty-person company that collects user data.
The Digital Personal Data Protection Act, 2023 finally has teeth, and the DPDP Rules followed in late 2025. For Indian founders with between ten and a hundred employees, most of the legal commentary feels aimed at enterprises. This piece is for you.
Do you fall within scope?
If you process personal data of users in India, yes. That's almost every consumer-facing app and a sizeable chunk of B2B SaaS. The question isn't scope. The question is how proportionate your compliance can be.
The minimum you should have by next quarter
- A privacy notice that reads like a human wrote it, not a 2012 template.
- A consent mechanism that actually captures, logs, and timestamps the consent.
- A named Data Protection Officer (this can be a co-founder for smaller teams) and a published grievance mechanism.
- A data-processing register — what you collect, why, where it sits, who touches it.
- A breach-response runbook — who decides, who calls, within what hours.
The consent trap
Section 6 requires consent to be 'free, specific, informed, unconditional, and unambiguous.' Most Indian founders ship a long privacy policy and a click-through. That survived pre-DPDP. It will not survive a Data Protection Board enquiry. You need layered consent: an initial notice at a specific moment, with each granular consent captured at the moment it becomes relevant.
Third-party processors
Every data-processor relationship (analytics, email, CRM, cloud) must now sit under a written processing agreement that meets the Rules' content requirements. Your vendor contracts almost certainly do not. This is where a three-hour clean-up pays for itself.
The penalty exposure
The financial penalties range up to ₹250 crore for the most serious contraventions. For a small company the realistic range is lower — but the Board has already issued public notices, and the reputational hit in diligence is the bigger cost for a company at Series A stage.
Treat DPDP the way you treated GST in 2017. It's boring, it's important, and the founders who handle it early look institutional at diligence.