For Startups · 8 min read · 7 March 2026

'We're a Small Startup — Does DPDPA Actually Apply to Us?' (Honest Answer)

By DPDPA Shield Team, Compliance Engineering

This is the question we hear most often from Indian startup founders. Usually it's asked in one of two ways: 'we're only 20 people, this law is for big companies, right?' or 'we don't really collect much data, so it probably doesn't apply to us.'

The honest answer is: the Digital Personal Data Protection Act 2023 almost certainly applies to your startup. But what it requires from you — and when — depends on some factors that are worth understanding properly rather than assuming.

Section 2(i) of the DPDPA defines a Data Fiduciary as 'any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.' That definition has no size threshold. No revenue floor. No headcount minimum.

If your startup has a website with a signup form, a mobile app that collects user information, a CRM with customer records, an email marketing list, or any system that stores information about identifiable individuals — you are a Data Fiduciary. The Act applies to you.

THE SIMPLE TEST

Do you collect any of the following from users or customers? Name, phone number, email address, location data, IP address, device identifier, purchase history, usage data, or any information that could identify a specific person. If yes — you are a Data Fiduciary under DPDPA.

But We're Very Small — Doesn't the Act Have Exemptions?

This is where it gets nuanced, and where many startup founders get misled by incomplete information.

The DPDPA does allow the Central Government to notify exemptions for specific categories of Data Fiduciaries. Section 17 gives the government power to exempt entities or classes of Data Fiduciaries from certain provisions. The DPDP Rules 2025 reference the possibility of startup-specific exemptions.

However — and this is critical — as of March 2026, no startup or MSME exemption has been notified. The Rules state that provisions related to startup and MSME exemptions are expected to come into force on 13 May 2027, but that notification has not been made. Until the Central Government formally notifies a startup exemption, the Act applies to all Data Fiduciaries regardless of size.

⚠ WARNING

Do not rely on the expectation of a startup exemption that has not yet been notified. If the Board receives a complaint about your startup's data practices today, it will evaluate your compliance against the Act as it currently stands — not against an anticipated future exemption. Running 'we expect to be exempt' as a compliance strategy is a legal risk.

What the Enforcement Timeline Actually Means

The enforcement timeline is real and important to understand — but it is often misread as 'we don't have to do anything until May 2027.' That reading is wrong.

Here is what the phased timeline actually means:

  1. November 13, 2025 (NOW): The Data Protection Board is operational and accepting complaints. The penalty framework is active. The Board can investigate and impose penalties.
  2. November 13, 2026 (12 MONTHS): Consent Manager registration opens. If your business plans to use a third-party Consent Manager, due diligence must start before this date.
  3. May 13, 2027 (18 MONTHS): Core operational provisions become mandatory — consent notices, security safeguards, breach reporting, rights handling, retention policies, children's data protections.

The most common misreading: 'core obligations don't kick in until May 2027, so we have 14 months.' While technically the full enforcement of Rules 3 and 5-16 is on an 18-month timeline, the Board is operational right now. Breach notification (S.8(6)) is not in the 18-month group — it is active. Rights obligations under S.11-14 are active. The penalty framework is active.

More importantly: building compliant consent infrastructure, rights handling workflows, and breach response systems takes time. Organisations that start in March 2027 will be scrambling. The 18-month window exists to give you time to build — not permission to ignore the law.

The 'We Don't Collect Much Data' Argument

The second most common pushback: 'we only collect name and email for our newsletter, that's not really personal data.' Let's unpack this.

DPDPA Section 2(t) defines personal data as 'any data about an individual who is identifiable by or in relation to such data.' A name and email address is textbook personal data — it identifies a specific person. There is no minimum volume threshold. One user record is enough to make you a Data Fiduciary.

The Act's definition of personal data is intentionally broad and does not distinguish between sensitive and non-sensitive categories (unlike GDPR). Name, phone number, email address, IP address, device identifier, location data, purchase history — all are personal data under DPDPA.

What Small Startups Actually Need to Do

The good news: for a genuinely small startup that collects limited data for a single, clear purpose, DPDPA compliance is not as burdensome as large-enterprise compliance. Here is the practical minimum:

The Non-Negotiables (Required Now)

  • A valid consent notice that meets S.5 requirements — plain language, itemised purposes, withdrawal mechanism, DPO contact
  • Consent that meets S.6 standards — purpose-specific, affirmative, not bundled, with a method to withdraw
  • A way to respond to rights requests from users (access, correction, erasure) — even if it is currently manual, you need a documented process and a 30-day SLA
  • A breach response plan — who does what if a breach occurs, with the 72-hour Board notification requirement clearly understood
  • A published grievance mechanism — users need to know how to raise a concern about their data
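To make the non-negotiables concrete in code, here is an added example (written for this article, not DPDPA Shield's product code) of the three pieces a founder or engineer would typically build first: a per-purpose consent ledger with withdrawal and an audit trail, a rights-request record that tracks the 30-day SLA, and a helper that computes the 72-hour breach-notification deadline. Purpose names, user ids and timestamps are constructed; the class and function names are this example's own.

```python
"""Added example: minimal consent ledger, rights-request SLA tracking and
breach-notification deadline helper for a small startup.
Not DPDPA Shield code; identifiers and sample values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

RIGHTS_REQUEST_SLA = timedelta(days=30)      # 30-day SLA for access/correction/erasure
BREACH_NOTIFY_WINDOW = timedelta(hours=72)   # 72-hour Board notification window


@dataclass
class ConsentLedger:
    """Per-purpose consent for one user.

    Each purpose is granted or withdrawn separately, so consent can never be
    bundled, and every change is appended to an audit trail that can be shown
    to the Board or an investor."""
    user_id: str
    _granted: set = field(default_factory=set)
    _audit: list = field(default_factory=list)

    def _log(self, action: str, purpose: str, when: datetime) -> None:
        self._audit.append((when.isoformat(), action, purpose))

    def grant(self, purpose: str, when: datetime) -> None:
        """Record an affirmative, purpose-specific opt-in (nothing is pre-ticked)."""
        self._granted.add(purpose)
        self._log("grant", purpose, when)

    def withdraw(self, purpose: str, when: datetime) -> None:
        """Withdrawal is a first-class operation, not a support ticket."""
        self._granted.discard(purpose)
        self._log("withdraw", purpose, when)

    def is_permitted(self, purpose: str) -> bool:
        """Gate every use of the data on the exact purpose consented to."""
        return purpose in self._granted

    def audit_trail(self) -> list:
        return list(self._audit)


@dataclass
class RightsRequest:
    """One access, correction or erasure request with its SLA deadline."""
    kind: str
    received: datetime
    resolved: Optional[datetime] = None

    @property
    def due(self) -> datetime:
        return self.received + RIGHTS_REQUEST_SLA

    def is_overdue(self, now: datetime) -> bool:
        return self.resolved is None and now > self.due


def breach_notification_deadline(detected: datetime) -> datetime:
    """Latest time the Board must be notified once a breach is detected."""
    return detected + BREACH_NOTIFY_WINDOW


def demo() -> dict:
    """Walk through a constructed scenario and return the checkable results."""
    t0 = datetime(2026, 3, 7, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    ledger = ConsentLedger("user-123")                       # constructed user id

    # The user ticked only the newsletter box; analytics stays off (not bundled).
    ledger.grant("newsletter", t0)
    analytics_before = ledger.is_permitted("analytics")
    newsletter_before = ledger.is_permitted("newsletter")

    # Ten days later the user withdraws; the mailer must check the ledger again.
    ledger.withdraw("newsletter", t0 + timedelta(days=10))
    newsletter_after = ledger.is_permitted("newsletter")

    # An erasure request received on day 10 is overdue on day 41 (31 days later).
    req = RightsRequest("erasure", received=t0 + timedelta(days=10))
    overdue_day_40 = req.is_overdue(t0 + timedelta(days=40))
    overdue_day_41 = req.is_overdue(t0 + timedelta(days=41))

    # A breach detected on day 20 must be notified within 72 hours.
    deadline = breach_notification_deadline(t0 + timedelta(days=20))

    return {
        "analytics_before": analytics_before,
        "newsletter_before": newsletter_before,
        "newsletter_after": newsletter_after,
        "audit_entries": len(ledger.audit_trail()),
        "overdue_day_40": overdue_day_40,
        "overdue_day_41": overdue_day_41,
        "breach_deadline": deadline,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the consent check sits in the data path (`is_permitted` is called before each use), withdrawal is a normal method rather than a manual process, and both the SLA and the notification deadline are derived from recorded timestamps, so the documentation the Board would ask for is produced as a side effect of operating the system.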

The Things You Can Phase (But Shouldn't Ignore)

  • Full RoPA (Record of Processing Activities) — required for growth-stage companies; valuable for all
  • Data Processing Agreements with all vendors and processors
  • Formal compliance health tracking and regulator-ready reports
  • Children's data protections (required if your service may be used by under-18s)
  • SDF obligations (only if notified as an SDF — currently not yet operational)

The Real Risk for Small Startups: Complaint-Driven Enforcement

The Board's enforcement mechanism is complaint-driven. Any Data Principal — any user — can file a complaint with the Board about your data practices. The Board investigates and can impose penalties.

This is not abstract. A fintech startup with 10,000 users has 10,000 potential complainants. An EdTech platform with 50,000 users has 50,000. Any one of them can trigger a Board investigation if they believe their data rights were violated — a request for erasure that was ignored, a consent notice that was unclear, data used for a purpose they didn't consent to.

For small startups, the practical risk is not a proactive Board sweep of all SMEs. The risk is a single dissatisfied user who knows their rights and files a complaint. If that happens and you have no compliant consent infrastructure, no rights request process, and no documentation of your data practices — the Board will find you non-compliant.

ENFORCEMENT REALITY

The Board processes complaints digitally and functions as a digital office. Filing a complaint requires no legal representation and no court fees. The barrier to a user filing a complaint against your startup is extremely low. Your barrier to compliance should be too.

The Investor Angle

Beyond regulatory risk, DPDPA compliance is increasingly a due diligence question for investors. Series A and B stage investors — particularly those with LP bases in the EU, US, or Singapore — are beginning to ask about data governance as part of standard due diligence. A startup that can produce a compliance report, show a functioning consent audit trail, and demonstrate a rights request process is a materially less risky investment than one that says 'we'll deal with it.'

As Indian venture capital matures and global funds increase their India exposure, data governance will move from 'nice to have' to 'required before term sheet.' Building it now is building moat, not just avoiding fines.

What DPDPA Shield Is Built For

DPDPA Shield was built for exactly this category of company: Indian startups and SMEs that need to be compliant, don't have a legal team or compliance department, and need something operational — not a consultant who writes a report and leaves.

The Starter plan covers the non-negotiables: consent management, rights request portal, breach incident management, and closure documentation. It is designed to be implemented by a founder or an engineer in under 2 hours — no compliance background required.

The honest answer to 'does DPDPA apply to us?' is: almost certainly yes. The more useful question is: what is the minimum you need to do, and what is the least painful way to do it? That is the question DPDPA Shield is designed to answer.

✓ NEXT STEP

Download our free 22-point DPDPA Compliance Checklist to see exactly where your startup stands today — no signup required.


Ready to get compliant?

DPDPA Shield covers every obligation mentioned in this article. Free trial, no credit card required. Set up in under 2 hours.

Tags: DPDPA startups, small business DPDPA, data fiduciary, DPDPA exemptions, SME compliance