DPDP Act 2023 Data Protection Compliance for Startups: Timeline, Audit & Policy Checklist
By Adv. Manvee (Technology & Data Privacy Lawyer) & Priya Dutt
1. What is the DPDP Act 2023, and Why Does It Matter for Startups & SMEs?
The Digital Personal Data Protection Act, 2023, marks a significant shift in the regulation of personal data in India. The penalty-backed regime enforced by the Data Protection Board of India (“DPB”) allows monetary penalties of up to ₹250 crore under the Schedule read with Section 33 of the DPDP Act, 2023.
For startups and SMEs that rely heavily on user data, this creates significant legal, financial, and reputational risk.
This guide is a structured, implementation-focused data protection compliance roadmap designed to help Indian startups and SMEs achieve defensible and audit-ready data protection compliance before 2027 enforcement milestones.
This FAQ guide explains:
- What compliance is required for data protection under the DPDP Act 2023?
- What policies are mandatory?
- Is cookie consent legally required in India?
- Is the appointment of a Consent Manager mandatory?
- What documentation must be maintained?
- How to prepare for regulatory audits before May 2027?
Data Protection Compliance Fundamentals for Startups & SMEs
2. Who is a Data Fiduciary under the DPDP Act 2023?
Any entity that determines the purpose and means of processing personal data.
Startups, SaaS platforms, e-commerce platforms, FinTech apps, and SMEs collecting user data will typically qualify as a Data Fiduciary.
3. Who is a Data Principal under the DPDP Act 2023?
An individual to whom the personal data relates.
Example: Customers of FinTech apps, employees of startups, users of SaaS platforms or e-commerce platforms.
4. Who qualifies as a Data Processor under the DPDP Act 2023?
A person who processes personal data on behalf of a Data Fiduciary under a valid contract, i.e., a Data Processing Agreement (“DPA”).
Examples:
- Cloud vendors
- Payroll providers
- CRM platforms
- Analytics service providers
What is the DPDP Act 2023 Implementation Timeline for Startups & MSMEs?
DPDP Act Implementation Phases
5. What Happens in Phase 1 of DPDP Act Implementation?
Immediate (November 13, 2025):
- Administrative provisions operational
- Penalty framework activated
- Board is fully functional
November 13, 2025:
- Consent Managers may begin registration applications by submitting the necessary particulars and information to the Board.
May 13, 2027:
Full substantive data protection compliance is expected by this stage, including security safeguards, privacy notices, consent systems, breach protocols, retention controls, and children’s data protections. The government has not indicated any additional grace period.
6. What Changes Can Be Expected in Phase 2 of Data Protection Compliance Implementation?
Later phases will activate:
- SDFs: The government will notify and designate Significant Data Fiduciaries (“SDFs”), which will carry a greater security compliance burden.
- Data Localisation: The government can mandate that Data Fiduciaries store the data of citizens within India.
- Cross-border transfer restrictions: The government is authorised to blacklist countries, prohibiting transfers to them.
7. Is There Any Exemption for Startups or MSMEs under the DPDP Act?
There is currently no formal statutory exemption for startups or MSMEs.
Even if future relaxations are introduced, baseline obligations remain mandatory:
- Notice & consent
- Security safeguards
- Breach notification
- Rights enablement
- Grievance redressal

What Are the Core Data Protection Compliance Requirements under the DPDP Act for Startups?
8. Is Consent Mandatory for Processing Personal Data under the DPDP Act?
Yes. Consent is mandatory for the processing of personal data by entities under the DPDP Act 2023. Sections 4, 6, and 7 of the DPDP Act 2023 govern lawful processing and the consent requirements.
Consent must be:
- Free
- Specific
- Informed
- Unconditional
- Unambiguous
- Given through clear affirmative action
So, as a startup or as an MSME, you must:
- Map each processing activity to a legal basis
- Design compliant consent UI/UX
- Log consent with timestamp records
9. What is the Purpose Limitation and Data Minimisation Requirement?
Data must be collected only for specified purposes. Startups and MSMEs should avoid collecting any data beyond the purposes they have specified[1].
For every new purpose, the entity must obtain fresh consent.
10. What Security Safeguards Must Startups Implement under the Data Protection Compliance?
Section 8(5) of the Act requires fiduciaries to take reasonable security safeguards to prevent personal data breaches, including in respect of any processing undertaken by them or on their behalf by a Data Processor.
The DPDP Rules, 2025[2] list reasonable safeguards such as:
- Encryption
- Obfuscation
- Masking
- Access monitoring
- Incident detection & remediation
Failure to implement safeguards may attract significant financial penalties from the Data Protection Board (“DPB”).
11. What Are the Data Retention and Deletion Obligations under the Data Protection Compliance?
Retention[3] is permitted only if necessary under law or for a specified purpose. The Act does not prescribe fixed retention periods or dormancy-based deletion timelines.
Startups must:
- Define dataset-specific retention periods
- Automate deletion where possible
- Maintain deletion logs
12. What Does Transparency and Accountability Mean for Startups?
For startups and MSMEs, it means that they must:
- Publish a clear privacy notice on their websites/applications
- Enable rights exercise for the data principals, i.e., the customers/consumers
- Provide a grievance escalation mechanism for easy complaint filing
What Mandatory Policies Must Startups & SMEs Implement under the Data Protection Compliance?
While neither the DPDP Act nor the DPDP Rules prescribe any policy template, by reading Sections 5, 8, 10, and 13 combined with DPDP Rules 2025, we can compile six core policies that translate statutory duties into operational frameworks for resource-constrained startups and SMEs.
13. Is a Privacy Policy Mandatory under the DPDP Act?
Yes. Every startup processing personal data must publish a standalone privacy policy, separate from its general Terms & Conditions, to satisfy the notice requirement[4] under the DPDP Act 2023.
The privacy policy shall be in plain language (no heavy legal jargon) and must disclose:
- Data collected
- Purpose of processing
- Retention period
- Rights mechanism
- Grievance contact details (Email or phone number of the grievance officer)
- Itemised description of data
- Specific purposes
- Withdrawal links (direct links to withdraw consent, exercise rights, and file complaints)
14. Are Vendor Contracts or Data Processing Agreements Mandatory?
Yes. Sections 8(1) and 8(2) of the DPDP Act require a valid contract (DPA) with processors.
Mandatory Clauses in the DPA:
- Security safeguard flow-down
- Breach notification obligation
- Audit rights
- Data deletion confirmation
- Liability allocation
Startups are advised to maintain:
- Vendor register
- Annual review record
15. Is a Grievance Redressal Policy Mandatory under DPDP Act?
The DPDP Act[5] and the DPDP Rules[6] both mandate the designation of a Grievance Officer for the redressal of complaints and queries received by the fiduciary.
Startups must publish the details of the Grievance Officer on their websites/apps or in the privacy policy itself.
The grievance resolution timeline should not exceed 90 days (ninety days).
Startups and MSMEs should maintain a grievance register that records each complaint, the timestamp at which it was received, and the response given.
16. Is the Appointment of a Consent Manager Mandatory for Startups?
Startups and SMEs should operationalise consent by hard-coding that data can be processed only with consent that is free, specific, informed, unconditional, and unambiguous, obtained through clear opt-in mechanisms.
Smaller entities may initially manage consent in-house via logs and simple dashboards. Startups are not required to appoint a third-party Consent Manager unless specifically notified. Consent may be managed internally through compliant systems.
17. Is an Information Security Policy Required under the Data Protection Compliance?
Yes. It is advisable to have one, as it operationalises the reasonable security safeguards[7]. Startups and MSMEs should frame their policy to implement:
- Encryption
- Access control
- Monitoring
- Detection mechanisms
- Incident remediation
18. Is a Data Retention & Deletion Policy Mandatory?
Yes. Unless retention is required under the law[8] for a compliance purpose, the data has to be deleted.
Startups and MSMEs should put in place their data retention and deletion policies and schedules for the ease of data protection compliance.
Startups and MSMEs must define:
- Retention timelines
- Deletion triggers
- Log maintenance
- Vendor flow-down deletion obligations
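An added example, not code from the authors, of how a startup could operationalise the retention schedule and deletion log called for in questions 11 and 18: each register row carries a dataset-specific retention period, a legal hold (retention required by law) overrides deletion, and every deletion produces a log entry. The register schema, dataset names, dates and the `deleter` callback are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional


@dataclass
class RegisterRow:
    """One line of the processing register (constructed schema, not from the article)."""
    dataset: str
    record_id: str
    purpose: str
    purpose_served_on: date                  # when the specified purpose was fulfilled
    retention_days: int                      # dataset-specific retention period
    legal_hold_until: Optional[date] = None  # retention required by law, if any


# Constructed sample rows; dates and names are illustrative only.
SAMPLE_REGISTER = [
    RegisterRow("kyc_docs", "k1", "kyc_verification", date(2020, 1, 1), 365,
                legal_hold_until=date(2030, 1, 1)),
    RegisterRow("support_tickets", "t1", "customer_support", date(2025, 1, 1), 180),
    RegisterRow("shipping_address", "s1", "order_fulfilment", date(2026, 4, 1), 90),
]
REVIEW_DATE = date(2026, 6, 1)  # constructed "today" for the sample run


def deletion_due(rows: List[RegisterRow], today: date) -> List[RegisterRow]:
    """Rows whose retention period has lapsed and which carry no active legal hold."""
    due = []
    for r in rows:
        if r.legal_hold_until is not None and r.legal_hold_until >= today:
            continue  # the law requires keeping it; revisit once the hold lapses
        expiry = r.purpose_served_on + timedelta(days=r.retention_days)
        if today >= expiry:
            due.append(r)
    return due


def run_deletion(rows: List[RegisterRow], today: date,
                 deleter: Callable[[RegisterRow], None]) -> List[dict]:
    """Delete every due row via `deleter` and return the deletion-log entries."""
    log = []
    for r in deletion_due(rows, today):
        deleter(r)  # e.g. a database delete or a vendor deletion request (assumed)
        log.append({"deleted_on": today.isoformat(), "dataset": r.dataset,
                    "record_id": r.record_id, "purpose": r.purpose,
                    "basis": f"retention of {r.retention_days} days lapsed"})
    return log
```

On the sample register only the support ticket is deleted: the KYC record is under legal hold and the shipping address has not yet reached its 90-day expiry.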
Cookie Policy & Tracking
19. Is a Cookie Policy Mandatory under the DPDP Act in India?
Neither the DPDP Act 2023 nor the DPDP Rules 2025 explicitly mentions cookies. But the law's silence does not mean that cookies are exempt from regulation.
20. Why Do Cookies Fall Within the Definition of Personal Data under DPDP?
Section 2(t) defines personal data broadly as data relating to an identifiable individual. Personal data under the DPDP Act is not limited to data that directly identifies individuals (like an email address or Aadhaar number); it includes data that relates to an identifiable individual even if that data, on its own, cannot identify them. Cookies may fall within this definition where they enable identification directly or indirectly: they are tied to the user's device, session, and browser behaviour, and when combined with other data points (and in some cases on their own) they can be linked back to an identifiable person. This is why cookies fall under the DPDP Act's definition of personal data.
The National e-Governance Division Business Requirements Document (2025) recognises cookies within consent frameworks. It specifies that cookie consent must include granular consent options, explicit opt-in mechanisms, auditable consent logging, auto-expiry, and user dashboards for managing preferences.[9]
The Advertising Standards Council of India whitepaper (2025) also stresses transparent cookie consent. It highlights that industries, including e-commerce, must implement transparent cookie banners with clear opt-in and opt-out functions, consent withdrawal options, and auditable records. It also flags the need to avoid dark patterns in cookie consent flows.[10]
21. What Does DPDP-Compliant Cookie Consent Look Like?
Section 6 of the DPDP Act and Rule 3 of the DPDP Rules set out the requirement for valid consent, and the same can be translated for the cookies[11].
- Consent must be informed and specific: The consent banner must clearly explain what data is being collected, for what purpose, and by whom it will be processed. Vague language like “we use cookies to improve your experience” is not sufficient.
- Consent must be obtained through affirmative action: Consent taken through pre-ticked boxes violates the principle of free consent. The user must actively opt in. This applies especially to non-essential cookies.
- Consent must be granular: There should not be any dark patterns, and users should be free to accept, reject, or manage different categories of cookies independently. An all-or-nothing approach does not meet the standard.
- Consent must be withdrawable: Users must have the right to withdraw their consent at any time, and doing so must be as easy as giving the consent was. This means that cookie preferences should be accessible at any time, not just on the first visit.
- Consent must be logged and auditable: Startups and SMEs must keep an organised record of what the user consented to, when, and how. This is your proof in case of disputes or regulatory scrutiny.
- Notices must be available in English and scheduled Indian languages: Rule 3 requires consent notices to be provided in English and other Indian languages as notified. Your cookie banner should support this.
Internal Documentation for Data Protection Compliance
22. What Internal Documentation Must Startups Maintain for Data Protection Act Compliance?
Startups and SMEs need lean, practical documentation that proves accountability without enterprise overhead.
While the DPDP Act does not mandate a GDPR-style RoPA (Record of Processing Activities), the DPDP Act 2023 and DPDP Rules 2025 require demonstrable data protection compliance through records, governance, and SOPs, all of which will be essential for Board audits and investor due diligence.
23. What Governance Framework Should Startups Create?
| Document | Purpose | Startup Implementation |
| --- | --- | --- |
| Privacy Lead Charter | Designates accountability (founder/CTO/COO) | 1-page document naming the “Privacy Lead,” reporting line, responsibilities |
| DPDP Roadmap | Timeline to May 2027 data protection compliance | 6-month milestones: data mapping → consent UX → deletion automation |
| Processing Register | RoPA-style data inventory | Google Sheet: data type, purpose, retention, processors, safeguards |
24. What Should a DPDP Breach Response Plan Include?
Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025 set the basic framework for the breach response. They guide startups on how to behave when things go wrong.
- Detection: Monitoring access to personal data and flagging any unusual access.
- Classification: Classifying the scope and sensitivity once any incident is flagged, such as what data is involved, and how many users are affected.
- Containment: Isolate the system, revoke compromised credentials, take the affected server offline, and block malicious IPs.
- Board notification within prescribed timeframe: Section 8(6) requires them to notify the Data Protection Board. The intimation should be immediate, and there should be a detailed report of the breach.
- User communication: At the same time, inform the affected individuals about the breach and their compromised data.
- Investigation/root cause analysis: After emergency actions, there is a requirement of thorough investigation of the breach.
- Remediation: Based on the investigation, you patch the underlying issues, update software, enforce stronger authentication, and improve monitoring.
- Documentation of the incident lifecycle: Finally, keep a detailed record of the incident.
Consent Management
25. Is Third-Party Consent Management Mandatory under the DPDP Act 2023?
No. The DPDP Act 2023 does not require Data Fiduciaries to engage a third-party Consent Manager. Startups and SMEs are fully empowered to request consent directly, manage consent records internally, enable withdrawal and updates on their own platforms, and maintain a DPDP-compliant consent framework.
26. What Is the Consent Management Checklist for Startups?
- Map legal basis: For each processing activity, label it “consent” or “Section 7 legitimate use” (with justification).
- Compliant consent UX: No pre-ticked boxes; plain-language prompts tied to a specific purpose.
- Notice integration: Consent prompts must be preceded or accompanied by a notice. The notice should inform the Data Principal of the personal data collected, the purposes, any sharing, and their rights.
- Easy withdrawal of consent: Withdrawing consent should be as easy as giving it, and on withdrawal you must stop processing and trigger deletion where applicable.
- Consent logs: Systematically store who consented, when, for what, and through which interface.
- Data-to-consent traceability: You can trace any dataset back to the consent that allows it, so you know what to delete when consent is withdrawn.
- Avoid overuse of “legitimate use”: Startups and SMEs cannot treat ordinary commercial processing as a Section 7 legitimate use merely to avoid consent.
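An added example, not code from the original article, showing how the checklist above and the cookie consent requirements in question 21 can be enforced in a small in-house consent ledger: no purpose is pre-selected, every grant and withdrawal is timestamped with the notice version and interface, each processing step is gated on a live consent, and withdrawal returns the datasets that must be deleted. The purposes, dataset names and interface labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: which datasets each consent purpose authorises. A startup
# would load this from its processing register / data inventory (assumption).
PURPOSE_DATASETS: Dict[str, List[str]] = {
    "order_fulfilment": ["orders", "shipping_address", "email"],
    "analytics_cookies": ["clickstream"],
    "marketing_cookies": ["ad_profile", "email"],
}

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool        # True = opt-in, False = withdrawal
    notice_version: str  # the privacy notice version the user was shown
    interface: str       # e.g. "web_banner", "android_app" (constructed labels)
    timestamp: datetime

class ConsentLedger:
    """Append-only consent log: who consented, when, for what, via which interface."""
    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []  # this list is the auditable record

    def record_opt_in(self, principal_id: str, purposes: List[str],
                      notice_version: str, interface: str, now=None) -> None:
        # Only purposes the user explicitly ticked are granted; nothing is
        # pre-selected, so an empty list records no consent at all.
        now = now or datetime.now(timezone.utc)
        for purpose in purposes:
            if purpose not in PURPOSE_DATASETS:
                raise ValueError(f"unknown purpose: {purpose}")
            self.events.append(ConsentEvent(principal_id, purpose, True,
                                            notice_version, interface, now))

    def active_purposes(self, principal_id: str) -> set:
        # Replay events in time order; the latest event per purpose wins.
        state: Dict[str, bool] = {}
        for e in sorted(self.events, key=lambda ev: ev.timestamp):
            if e.principal_id == principal_id:
                state[e.purpose] = e.granted
        return {p for p, granted in state.items() if granted}

    def may_process(self, principal_id: str, dataset: str) -> bool:
        # Gate each processing step on a live consent covering that dataset.
        return any(dataset in PURPOSE_DATASETS[p]
                   for p in self.active_purposes(principal_id))

    def withdraw(self, principal_id: str, purpose: str, interface: str, now=None) -> List[str]:
        """One call withdraws (as easy as granting); returns datasets to delete now."""
        now = now or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(principal_id, purpose, False, "n/a", interface, now))
        still_needed = {d for p in self.active_purposes(principal_id)
                        for d in PURPOSE_DATASETS[p]}
        # Data still covered by another live purpose (e.g. email for orders) stays.
        return sorted(set(PURPOSE_DATASETS[purpose]) - still_needed)
```

Withdrawing the marketing purpose deletes only the ad profile: the email address is still authorised by the live order-fulfilment consent, which is exactly the traceability question the checklist asks you to be able to answer.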
Personal Data Inventory
27. What is a Personal Data Inventory and Why Is It Important for data protection compliance?
A personal data inventory is a structured list of
- What data is collected
- Why it is collected
- Where it is stored
- For how long it is stored
- Who can access it
Even though this is not a formal “GDPR RoPA” requirement by name under the DPDP Act, Indian SME guidance treats it as the building block for data protection compliance, because without it you cannot design notices, retention schedules, consent flows, or breach responses.
A basic spreadsheet is enough to list the personal data collected, where it is stored, the reason for processing it, and the team members who can access it. This clarity helps avoid gaps and supports better decisions as the product grows.
A data inventory answers four basic questions:
- What personal data do we have (e.g., names, emails, passwords, KYC docs, Aadhaar)?
- Why do we have it (business purpose/legal basis)?
- Where is it stored (systems, vendors, regions)?
- Who can see it (teams, roles, processor)?
Data Mapping
28. Is Data Mapping Required under the DPDP Act?
For startups and SMEs, data mapping is not a separate requirement named in any section, unlike consent or breach notification, but it becomes a de facto expectation under the DPDP Act because you cannot comply with retention, vendor, or breach duties if you do not know how data actually moves through your systems.
A personal data inventory is a table of “what we have, why we have it, where it sits, who has access to it.” Data mapping goes one step further: it shows how that data flows end-to-end, from user to app, then to the database, then to third parties, then to backups, and finally to deletion. Think of the inventory as a list and the mapping as a flow diagram (even if it is a rough sketch on Miro or paper).
Inventory = what exists
Mapping = how it flows
Data mapping helps you to:
- Align your privacy notice and consent wording with what actually happens to data, so there are no “invisible” uses that could be challenged later.
- Show where personal data is over-shared or over-retained, helping you cut unnecessary storage, vendor risk, and cloud costs.
- Where a user asks for access or deletion, mapping tells you exactly which systems, vendors, and backups to touch, so you can respond within DPDP Act timelines without manual scrambling.
Record-Keeping & Audit Readiness
29. What Records Must Be Maintained for DPDP Act Audit Readiness?
The DPDP Act, 2023 and the DPDP Rules, 2025 do not give you a fixed template, but the commentary is clear that a Data Fiduciary must be able to prove how it handled consent, processing, grievances, and policy changes over time. For startups and SMEs, record-keeping is where “we comply” becomes something you can actually show to investors, acquirers, or the Data Protection Board.
Audit Readiness Checklist
- Consent logs: Timestamped records showing who consented, for what purposes, under which notice version, whether the basis was ‘legitimate use’, and when consent was withdrawn, if applicable.
- Processing register: A simple sheet listing each processing activity with data types, purpose, legal basis, vendors, and retention period. Keep it updated and archive the old versions.
- Breach register: For each incident, record detection time, impact summary, Board/user notification timestamps, root cause, and remediation steps.
- Grievance register: Complaints, acknowledgement date, decision/closure date, and proof that you met your stated resolution timelines.
- Deletion logs: Evidence of automated or manual deletions per the retention policy.
- Vendor file: All DPAs plus brief notes on the last security and data protection compliance review for key processors.
- Training records: Dates, topics, and attendance for security training of staff who handle personal data.
- Policy version history: Archived versions of core policies and SOPs with effective dates and short change notes.
[1] Section 6, DPDP Act 2023.
[2] Rule 6, DPDP Rules 2025.
[3] Section 8(7), DPDP Act 2023.
[4] Section 5, DPDP Act 2023 read with Rule 3 of the DPDP Rules 2025.
[5] Section 13, DPDP Act 2023.
[6] Rule 14(3), DPDP Rules 2025.
[7] Section 8(5), DPDP Act 2023.
[8] Section 8(7), DPDP Act 2023.
[9] https://d38ibwa0xdgwxx.cloudfront.net/create-edition/7c2e2271-6ddd-4161-a46c-c53b8609c09d.pdf
[10] https://www.ascionline.in/wp-content/uploads/2025/01/Navigating-Cookies-Whitepaper.pdf
[11] https://www.consent.in/blog/cookie-consent