Implementation Hurdles For Start-Ups: Is DPDPA A Barrier To India’s Digital Innovation?

Introduction

India’s Digital Personal Data Protection Act, 2023 and the accompanying Digital Personal Data Protection Rules, 2025 have transformed India’s data-driven economy by introducing a formal privacy-compliance framework for the processing of digital personal data. The primary objective of the Act is to protect individuals while allowing lawful processing of data. The laws state how data is to be handled and kept safe, how permissions are given and taken, how breaches are to be disclosed, and how the rights of individuals are protected.

Importance for Start-ups and Small & Medium-Sized Businesses

India’s Start-ups and SMEs sector comprises 63 million organisations, forming over 30% of India’s GDP[1]. Unlike big companies, most Start-ups and SMEs don’t have their own privacy or legal teams. But the law applies to all kinds of data fiduciaries, no matter how big they are. The Digital Personal Data Protection Act’s stringent obligations could hold these businesses back from further implementation, as they affect technology adoption, start-up growth, talent drain, and economic fragmentation, so it becomes important for SMEs to comply with the laws to keep up with the market:

  1. Lawful processing of data: Personal data shall be processed only for legal and lawful purposes as per the terms of the Act. This sets the point of departure for all private and public companies: every data flow must map to a legal ground[2].
  2. Consent: Personal data can only be processed with consent or for legitimate purposes under the DPDPA. Consent must be free, specific, informed, unconditional and unambiguous, and displayed by a strong positive act. Any entity that determines the purpose and manner of processing is a Data Fiduciary as per the DPDPA, making it completely accountable for compliance even if it uses external providers[3].
  3. Significant Data Fiduciary obligations: The Act allows the Government to notify entities as Significant Data Fiduciaries (SDFs). They face heavy duties such as audits, DPIAs, and appointing DPOs. The Rules specify additional SDF obligations as well[4].
  4. Security and breach reporting: The Act requires “reasonable security safeguards” and prompt breach notification. The penalty framework includes very large fines that go up to hundreds of crores for serious violations. The Rules set timelines for reporting in case of a breach and formats for the Data Fiduciaries[5].
  5. Operational Rules: The Rules give practical requirements and obligations such as notice content, data minimisation expectations, DPIA triggers, the procedure for breach reporting, special rules for children, transfer or processing outside the country, and phased enforcement timelines[6].

Why Provisions Create Implementation Hurdles for Start-Ups

The Digital Personal Data Protection Act, 2023 establishes a clear privacy regime but creates uneven implementation hurdles for Start-ups and SMEs. The framework[7], which focuses on “consent of the individual”, requires clear notices and purpose-specific consent, obliging Start-ups that depend on quick onboarding, A/B testing, behavioural analytics, and third-party SDKs to redesign product flows. This change mostly reduces conversion rates, fragments data, and slows experimentation. Purpose limitation and data minimisation obligations[8] further restrain the common Start-up practice of collecting broad datasets for analytics and future growth, increasing engineering and compliance costs. Security and breach obligations[9] add high-stakes risk, as the undefined standard of “reasonable security safeguards”, coupled with potential penalties, leads to over-compliance or under-investment. Data transfer governance for cross-border companies and infrastructure restrictions, as prescribed by the Ministry of Electronics and Information Technology, raise holding and contractual costs, especially for Start-ups that are reliant on global cloud and SaaS tools.

Practical Recommendations and Conclusion

To succeed in the face of these challenges, Start-ups should structure data flows early on, design consent mechanisms that balance compliance with user experience, and adopt privacy by design and strict minimisation. Start-ups must be able to leverage shared compliant services, develop a clear breach response playbook, and, most importantly, budget realistically for legal compliance early, as this can help them meet DPDPA obligations without stifling innovation or further scaling in different directions.

The DPDP Act, 2023 builds trust in India’s digital economy, but it has created short-term hurdles for Start-ups through strict consent, security, and compliance requirements, increasing friction, costs, and uncertainty for small businesses in India. With early action, the right choices and proper compliance, these challenges are controllable, and in the long term, compliance can become a competitive advantage.


[1] Dr. Prashant M, The DPDPA conundrum for Indian SMEs: A legal and policy perspective on the challenges of compliance and Innovation DPDPA, Available at: Link.

[2] Section 4 of The Digital Personal Data Protection Act, 2023.

[3] Section 6 of The Digital Personal Data Protection Act, 2023.

[4] Rule 13, The Digital Personal Data Protection Rules, 2025.

[5] PwC, analysis on penalties and compliance obligations under DPDP Act, 2023, Available at: Link.

[6] The Digital Personal Data Protection Rules, 2025. PIB, Press release explaining Rules, 17 Nov 2025, Available at: Link.

[7] Section 6 of The Digital Personal Data Protection Act, 2023.

[8] Sections 4 and 5 of The Digital Personal Data Protection Act, 2023.

[9] Section 8 of The Digital Personal Data Protection Act, 2023.


Author Name- Akshansh Negi, BBA LL.B (Hons.)
