
Data Protection & Privacy in India: What Businesses Need to Do Today
Author: Samrat Rawat
Introduction
India's Digital Personal Data Protection Act (DPDP Act 2023) is now fully operational, with rules notified in 2025. Businesses face fines of up to ₹250 crores for violations.
90% of Indian companies still lack basic compliance. Customer data breaches cost ₹4-15 crores per incident + reputational damage.
This practical guide covers 8 immediate action steps every Delhi business must take to protect customer data and avoid penalties.
1. Understand DPDP Act Scope (Who It Covers)
**Data Fiduciaries** (Your Business):
✅ Collects/stores/processes personal data
✅ Includes websites, apps, SaaS, e-commerce
✅ Startups & SMEs included (no exemptions)
**Personal Data** = Any data identifying individual:
- Name, email, phone
- Customer ID, transaction history
- IP address, device ID, location
Myth Busted: "Only banks need compliance" ❌
2. Mandatory Website Compliance (72 Hours)
**IMMEDIATE ACTION** - Add these to your site TODAY:
1. **Privacy Policy** (separate page)
2. **Cookie Consent Banner**
3. **Contact Form Consent** ("I agree to Privacy Policy")
4. **Terms Checkbox** on checkout/registration
**Legal Text Ready**:
> "By submitting this form, you consent to our Privacy Policy and data processing for [purpose]."
Non-compliance fine: ₹50 lakhs+
3. Consent Management Framework
**DPDP Consent Requirements**:
✅ **Verifiable** (checkbox + email confirmation)
✅ **Specific** (marketing vs service vs analytics)
✅ **Granular** (separate consents)
✅ **Easy Withdrawal** ("Unsubscribe" link)
**Implementation**:
- Email: marketing@yourbusiness.com
- Website: Cookie consent tool (₹5k/year)
- CRM: Consent tracking fields
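The four consent properties above (verifiable, specific, granular, easy withdrawal) map directly onto a small consent ledger. The following Python is an added example written for this article, not code from the author or from Enveridian Legal; the purpose taxonomy (`service`, `marketing`, `analytics`), the field names and the in-memory store are assumptions, and the email-confirmation step is modelled as a token that the application is assumed to send out of band.

```python
"""Granular, verifiable, withdrawable consent records (added example).

Each consent is stored per user *and* per purpose, so agreeing to
"service" never implies "marketing" (specific + granular).  A consent
only becomes usable once the emailed token is confirmed (verifiable),
and a withdrawal always wins over an earlier grant (easy withdrawal).
Purpose names and field names are assumptions, not DPDP-mandated terms.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
import secrets

# Assumed purpose taxonomy; real deployments define their own list.
PURPOSES = ("service", "marketing", "analytics")


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentRecord:
    user_id: str
    purpose: str
    policy_version: str          # which privacy policy text was shown
    granted_at: datetime
    verified_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None
    # Token the application emails to the user; confirming it proves the
    # checkbox click came from someone controlling the address.
    verification_token: str = field(
        default_factory=lambda: secrets.token_urlsafe(16))


class ConsentLedger:
    """In-memory consent store keyed by (user_id, purpose)."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record_consent(self, user_id: str, purpose: str,
                       policy_version: str) -> str:
        """Store a checkbox consent and return the token to email out."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        rec = ConsentRecord(user_id, purpose, policy_version, _now())
        self._records[(user_id, purpose)] = rec
        return rec.verification_token

    def confirm(self, user_id: str, purpose: str, token: str) -> bool:
        """Mark the consent verified if the emailed token matches."""
        rec = self._records.get((user_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        # Constant-time comparison avoids leaking the token byte by byte.
        if not secrets.compare_digest(rec.verification_token, token):
            return False
        rec.verified_at = _now()
        return True

    def withdraw(self, user_id: str, purpose: str) -> bool:
        """Withdraw one purpose only; other purposes are untouched."""
        rec = self._records.get((user_id, purpose))
        if rec is None:
            return False
        rec.withdrawn_at = _now()
        return True

    def may_process(self, user_id: str, purpose: str) -> bool:
        """The check every data-using code path should call first."""
        rec = self._records.get((user_id, purpose))
        return (rec is not None
                and rec.verified_at is not None
                and rec.withdrawn_at is None)

    def audit_trail(self, user_id: str) -> Dict[str, dict]:
        """Per-purpose record for a user, e.g. for an access request."""
        return {
            p: {"policy_version": r.policy_version,
                "granted_at": r.granted_at.isoformat(),
                "verified": r.verified_at is not None,
                "withdrawn": r.withdrawn_at is not None}
            for (u, p), r in self._records.items() if u == user_id
        }


if __name__ == "__main__":
    ledger = ConsentLedger()
    token = ledger.record_consent("cust-42", "marketing", "privacy-v1")
    print("usable before email confirm:", ledger.may_process("cust-42", "marketing"))
    ledger.confirm("cust-42", "marketing", token)
    print("usable after confirm:", ledger.may_process("cust-42", "marketing"))
    print("analytics (never asked):", ledger.may_process("cust-42", "analytics"))
    ledger.withdraw("cust-42", "marketing")
    print("after unsubscribe:", ledger.may_process("cust-42", "marketing"))
```

The point of `may_process` is that it is the single gate in front of any marketing send, analytics event or data share: the CRM "consent tracking fields" mentioned above are only useful if code consults them on every use, not just at sign-up.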
4. Vendor & Third-Party Data Agreements
**90% of breaches = vendor failures**
**Must-Have Vendor DPA Clauses**:
□ Data Processing Agreement signed
□ Security audit rights
□ Data breach notification (24 hours)
□ Sub-processor approval required
□ Data return/deletion on termination
**High-Risk Vendors**:
- Payment gateways
- Cloud storage (AWS, Google)
- Marketing agencies
- Customer support outsourcers
5. Data Breach Response Plan (Mandatory)
**72-Hour Notification Rule**:
**Incident Response Timeline**:
Hour 0-2: Isolate breach
Hour 2-12: Assess scope
Hour 12-24: Notify Data Protection Board
Hour 24-72: Customer notification
Week 1: Forensic audit
Month 1: Root cause report
**Cost of Delay**: 10x penalty increase
6. Employee & Internal Compliance
**Staff Training Checklist**:
□ Data classification (sensitive vs normal)
□ Password policies (12+ chars, 90-day change)
□ No personal devices for customer data
□ Email security (no forwarding customer data)
□ Incident reporting (immediate notification)
**Tools Needed**:
- Password manager (₹2k/user/year)
- Email encryption
- Access logs monitoring
7. Technical Security Requirements
**Minimum Standards** (₹50k-2 lakhs setup):
INFRASTRUCTURE:
✅ SSL certificate (HTTPS)
✅ Cloud backups encrypted
✅ Access logs (6 months retention)
✅ Firewall + antivirus enterprise
DATA FLOWS:
✅ API encryption
✅ Database encryption (at rest)
✅ Secure file transfer (no email attachments)
8. Data Protection Officer (DPO) Decision
**Mandatory if**:
- Large scale processing (>5 lakh users)
- Sensitive data (health, finance)
- Children data processing
**DPO Cost**: ₹15-30 lakhs/year (full-time)
**Alternative**: Compliance consultant (₹5 lakhs/year)
**DIY Option** (<1 lakh users): Internal compliance officer
Compliance Cost Breakdown (2026)
**Startup (<₹10cr revenue)**: ₹2-5 lakhs
- Privacy policy: ₹25k
- Cookie tools: ₹50k/year
- Vendor DPAs: ₹1 lakh
- Basic security: ₹1 lakh
- Training: ₹25k
**Mid-size (₹10-100cr)**: ₹10-20 lakhs
**Enterprise**: ₹50 lakhs+
ROI: Avoid ₹50 lakh+ fines + ₹5 crore breach costs
Quick Compliance Checklist (Week 1)
WEBSITE: ☐ Privacy Policy ☐ Cookie Banner ☐ Form consents
VENDORS: ☐ Top 5 DPAs signed ☐ Security questionnaire
INTERNAL: ☐ Employee training ☐ Password policy
TECHNICAL: ☐ SSL certificate ☐ Access logs enabled
PLAN: ☐ Breach response documented ☐ DPO decision made
Common Myths Busted
❌ "Only customer PII matters" → Employee data too
❌ "GDPR compliance = DPDP compliance" → Different rules
❌ "Small breach = no problem" → All breaches reportable
❌ "IT guy handles it" → Board responsibility
Penalty Examples (Real Cases)
**Case 1**: E-commerce, 50k user breach
Fine: ₹2 crores + remediation
**Case 2**: SaaS platform, poor consent
Fine: ₹75 lakhs
**Case 3**: Marketing agency, vendor breach
Fine: ₹1.2 crores (joint liability)
Conclusion: Compliance = Competitive Advantage
Data protection isn't just compliance—it's trust.
**2026 Priority Actions**:
1. Privacy Policy live (48 hours)
2. Cookie banner + consents (1 week)
3. Vendor DPAs (2 weeks)
4. Employee training (1 month)
5. Full audit (3 months)
**Customer Trust Multiplier**: 3x conversion rates
**Penalty Avoidance**: ₹50 lakhs+
Need DPDP compliance roadmap? Contact Enveridian Legal for Privacy Policy drafting, vendor audits, and Data Protection Officer services.
About the Author
Enveridian Legal Team: Delhi-based law firm specializing in DPDP Act compliance, data protection audits, and privacy policy drafting.
Categories: Data Protection, Compliance, DPDP Act
Tags: DPDP Act 2023, data privacy India, privacy policy, data breach, compliance checklist
This article provides general guidance on data protection compliance and does not constitute legal advice. Consult a qualified lawyer for DPDP Act implementation specific to your business.
