India's Digital Personal Data Protection Act 2023 is not a future regulation. It is in force. The Data Protection Board has enforcement powers, and the penalty structure (up to ₹250 crore per violation) is real. Most Indian startups I speak to have either never heard of it or assume it doesn't apply to them. Both assumptions are wrong.
Who Does the DPDP Act Apply To?
Any entity that processes the personal data of Indian residents in digital form. If your app collects a name, phone number, email, or location from an Indian user, you are a Data Fiduciary under the Act. This includes startups at the pre-revenue stage, B2B SaaS companies, e-commerce platforms, and offline businesses with a digital presence. There is no small-business exemption.
The Five Things Most Startups Are Missing
Valid consent before data collection. Under the DPDP Act, you need a specific, clear, and standalone consent mechanism before collecting personal data. Burying it in a 40-page terms document does not qualify. You need a consent notice that tells the user exactly what data you're collecting and why, before you collect it.
A Grievance Officer. Every Data Fiduciary must appoint a Grievance Officer and publish their contact details. This person handles data principal requests: access requests, correction requests, and erasure requests. If you don't have one, you're in violation from day one.
Data breach notification. If you have a data breach affecting Indian users, you must notify the Data Protection Board and affected users within a defined period. If you don't have an incident response plan that covers this, you have no way to comply when it happens.
Children's data rules. If any of your users could be under 18, you need verifiable parental consent before processing their data. This is significantly stricter than most companies' current practices.
Vendor contracts (Data Processor agreements). Every vendor you share personal data with (your CRM, your analytics tool, your email platform) needs a contractual arrangement covering DPDP Act obligations. Most Indian startups have no such contracts in place.
The Penalty Structure
The Act specifies penalty tiers. Failure to implement security safeguards: up to ₹250 crore. Failure to notify a data breach: up to ₹200 crore. Non-fulfilment of obligations for children's data: up to ₹200 crore. These are per-violation maximums, not aggregate caps. A single enforcement action could involve multiple violations.
What Compliance Actually Costs
A DPDP Act gap assessment and remediation for a typical 20–50 person Indian startup costs ₹30,000–₹80,000 with iSocialize. That covers data mapping, consent mechanism review, privacy notice drafting, Grievance Officer appointment guidance, a breach response plan, and vendor contract templates. It takes 2–3 weeks, and the output is a documented, audit-ready compliance position.
Compared to a ₹200 crore penalty, this is not a difficult ROI calculation. Download our free DPDP checklist to see exactly where your gaps are before engaging anyone.