
DPDP Act 2023: What Every Tech Startup Must Know Before Compliance Kicks In
India's landmark data protection legislation is reshaping the compliance landscape. We break down the key obligations, timelines, and strategic considerations for digital businesses.
India's Digital Personal Data Protection Act, 2023 (DPDP Act) marks a watershed moment in the country's regulatory landscape. For tech startups that collect, process, or store personal data — which is virtually every digital business — the Act creates a clear framework of obligations that will be enforced once the Rules are notified.
Who Does the DPDP Act Apply To?
The Act applies to the processing of digital personal data within India, as well as processing outside India if it is in connection with an activity of offering goods or services to persons within India. This extraterritorial reach is significant for cross-border startups and SaaS businesses with Indian user bases.
Key term: A 'Data Fiduciary' is any person who determines the purpose and means of processing personal data. Most tech startups qualify as Data Fiduciaries and bear the primary compliance obligations.
Core Obligations for Data Fiduciaries
- Obtain free, specific, informed, and unconditional consent before processing personal data
- Provide clear and plain-language notice to data principals about what data is being collected and why
- Ensure personal data is used only for the stated purpose
- Implement reasonable security safeguards to prevent personal data breaches
- Notify the Data Protection Board and affected individuals in case of a breach
- Erase personal data once the purpose is fulfilled or consent is withdrawn
- Establish grievance redressal mechanisms with a nominated Data Protection Officer (for Significant Data Fiduciaries)
Significant Data Fiduciaries: Higher Standards
The Government may designate certain entities as 'Significant Data Fiduciaries' based on the volume and sensitivity of data processed, risk to rights of data principals, and potential impact on national security. These entities face additional obligations including mandatory Data Protection Impact Assessments (DPIAs) and periodic audits.
Rights of Data Principals
- Right to access information about their data
- Right to correction and erasure
- Right to grievance redressal
- Right to nominate another individual for data rights in case of death or incapacity
Penalties: What's at Stake
Non-compliance with DPDP Act obligations can attract penalties of up to ₹250 crore per instance, with a maximum cap of ₹500 crore for the most serious violations including inadequate security safeguards resulting in data breaches.
Immediate Action Points for Startups
- Conduct a data mapping exercise to understand what personal data you collect, where it flows, and for what purpose
- Audit your existing privacy policy and consent mechanisms against the Act's requirements
- Evaluate whether your current security infrastructure meets 'reasonable safeguards' standards
- Identify your cross-border data transfer arrangements and assess compliance with likely Rules
- Begin drafting a DPDP compliance roadmap now — don't wait for Rules to be notified
The DPDP Act is not merely a compliance checkbox — it represents a fundamental shift in how Indian businesses must think about user data. Startups that build privacy-first from the ground up will find compliance far easier and will earn greater user trust in an increasingly privacy-conscious market.
Need expert guidance?
Book a Consultation
Speak with our advisory team about your specific legal and compliance needs.
Related Articles

