"Compliance is not a destination but a continuous journey of organizational evolution."
The Digital Personal Data Protection Act 2023 introduces a structured framework that applies uniformly across organizations regardless of size. For small and medium enterprises, this presents both a challenge and an opportunity. The challenge lies in resource allocation and technical implementation. The opportunity emerges from the competitive advantage that robust data governance provides in an increasingly privacy-conscious market. This guide provides a practical roadmap designed specifically for the operational realities of SMEs, acknowledging that compliance must integrate with existing business processes rather than disrupt them.
01 Understanding Your Obligations as a Data Fiduciary
Under Section 2(i) of DPDPA, any entity that determines the purpose and means of processing personal data qualifies as a Data Fiduciary. For SMEs, this typically includes customer databases, employee records, vendor information, and any data collected through websites or applications. The statutory framework does not distinguish between large corporations and smaller enterprises in terms of core obligations. However, the practical implementation allows for proportionate measures based on the volume and sensitivity of data processed. The first step in any compliance journey involves understanding precisely what data flows through your organization and for what purposes.
Key Points
- Data Fiduciary status applies regardless of organization size
- Obligations extend to all personal data processing activities
- Proportionate implementation allows resource-appropriate measures
- Employee data triggers employer-specific compliance requirements
02 Conducting a Data Discovery Exercise
Before implementing any compliance measures, organizations must develop a comprehensive understanding of their data landscape. This involves identifying all touchpoints where personal data enters the organization, mapping how this data moves between systems and departments, documenting the purposes for which data is processed, and establishing the legal basis for each processing activity. For most SMEs, personal data exists in customer relationship management systems, accounting software, human resources platforms, email communications, and website analytics. A thorough discovery exercise often reveals data repositories that were previously overlooked, including legacy systems and informal spreadsheets maintained by individual employees.
Key Points
- Identify all data entry points across the organization
- Map data flows between systems and departments
- Document processing purposes for each data category
- Establish legal basis under Section 4 for all processing
03 Building a Consent Management Framework
Section 6 of DPDPA establishes specific requirements for valid consent. For SMEs, this translates into practical considerations around how consent is obtained, recorded, and managed throughout the customer lifecycle. Consent must be free, specific, informed, unconditional, and unambiguous. This means organizations cannot bundle consent with other agreements or use pre-ticked checkboxes. The consent mechanism must clearly articulate what data is being collected, for what purpose, and how Data Principals can withdraw consent. Most SMEs will need to implement technical solutions that capture consent records with timestamps, allow for granular consent management, and facilitate easy withdrawal mechanisms.
Key Points
- Consent must meet all five statutory requirements
- Separate consent required for different processing purposes
- Technical systems must capture and store consent records
- Withdrawal must be as easy as providing consent
04 Implementing Data Security Measures
Section 8 requires Data Fiduciaries to implement reasonable security safeguards. For SMEs, this does not necessarily mean enterprise-grade security infrastructure, but rather proportionate measures appropriate to the data being processed. Essential security measures include access controls that limit data access to authorized personnel, encryption for data at rest and in transit, regular backup procedures, incident detection and response capabilities, and employee training on security protocols. The standard of reasonableness will be assessed based on the nature and sensitivity of data processed, the risks associated with processing, and the current state of technology available at a reasonable cost.
Key Points
- Security measures must be proportionate to data sensitivity
- Access controls should follow least-privilege principles
- Encryption protects data in storage and transmission
- Regular security assessments identify vulnerabilities
05 Establishing Data Retention Policies
DPDPA requires that personal data not be retained beyond the period necessary for the specified purpose. For SMEs, this necessitates developing clear retention schedules that align processing purposes with retention periods. Different categories of data will have different retention requirements. Customer transaction records may need retention for tax and accounting purposes. Employee records have retention requirements under labor law. Marketing databases should only retain data while consent remains valid and the marketing relationship continues. Implementing automated deletion processes ensures compliance without creating ongoing administrative burden.
Key Points
- Define retention periods for each data category
- Align retention with legal and business requirements
- Implement automated deletion where feasible
- Document retention rationale for audit purposes
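The consent section above asks for records that carry timestamps, are scoped to a single purpose and can be withdrawn as easily as they were given; the retention section asks for deletion that follows the retention schedule rather than an administrator's memory. The following is an added example, not code from this guide or from any product: a small in-memory ledger that ties both together. Purpose names, the `requires_consent` flag, the notice version string and the eight-year invoicing retention are constructed placeholders, not figures the guide or the Act prescribes; a real deployment would persist the records and derive the periods from its own legal review.

```python
"""Constructed example: purpose-scoped consent records plus a retention-driven
purge. Illustrative only; purposes, periods and names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Purpose:
    name: str
    requires_consent: bool          # constructed label for consent-based processing
    retention: Optional[timedelta]  # None = keep only while the purpose is active


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                    # one purpose per record: no bundling
    notice_version: str             # which privacy notice the principal saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class DataItem:
    item_id: str
    principal_id: str
    purpose: str
    collected_at: datetime


class ConsentLedger:
    def __init__(self, purposes: List[Purpose]):
        self.purposes: Dict[str, Purpose] = {p.name: p for p in purposes}
        self.consents: List[ConsentRecord] = []
        self.items: List[DataItem] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              at: datetime) -> ConsentRecord:
        if purpose not in self.purposes:
            raise ValueError(f"unknown purpose {purpose!r}")
        rec = ConsentRecord(principal_id, purpose, notice_version, at)
        self.consents.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """One call, same granularity as grant(). Returns True if anything changed."""
        changed = False
        for rec in self.consents:
            if (rec.principal_id == principal_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                changed = True
        return changed

    def has_consent(self, principal_id: str, purpose: str, at: datetime) -> bool:
        return any(
            r.principal_id == principal_id and r.purpose == purpose
            and r.granted_at <= at and (r.withdrawn_at is None or at < r.withdrawn_at)
            for r in self.consents
        )

    def store(self, item: DataItem) -> None:
        """Refuse to store consent-based data without an active consent record."""
        purpose = self.purposes[item.purpose]
        if purpose.requires_consent and not self.has_consent(
                item.principal_id, item.purpose, item.collected_at):
            raise PermissionError(f"no active consent for {item.purpose!r}")
        self.items.append(item)

    def purge_candidates(self, now: datetime) -> List[DataItem]:
        """Items past their retention period, or whose consent has lapsed."""
        due = []
        for item in self.items:
            purpose = self.purposes[item.purpose]
            expired = (purpose.retention is not None
                       and item.collected_at + purpose.retention <= now)
            consent_gone = (purpose.requires_consent
                            and not self.has_consent(item.principal_id, item.purpose, now))
            if expired or consent_gone:
                due.append(item)
        return due

    def purge(self, now: datetime) -> List[str]:
        """Delete everything purge_candidates() flags; return the deleted ids."""
        ids = {i.item_id for i in self.purge_candidates(now)}
        self.items = [i for i in self.items if i.item_id not in ids]
        return sorted(ids)


def demo() -> dict:
    """Walk through grant, refused store, withdrawal and scheduled purge."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger([
        Purpose("marketing", requires_consent=True, retention=None),
        # eight years is a constructed placeholder, not a statutory figure
        Purpose("invoicing", requires_consent=False, retention=timedelta(days=8 * 365)),
    ])
    ledger.grant("cust-42", "marketing", "notice-v2", t0)
    ledger.store(DataItem("email-1", "cust-42", "marketing", t0))
    ledger.store(DataItem("inv-1", "cust-42", "invoicing", t0))
    try:
        ledger.store(DataItem("email-2", "cust-99", "marketing", t0))
        store_without_consent_allowed = True
    except PermissionError:
        store_without_consent_allowed = False
    ledger.withdraw("cust-42", "marketing", t0 + timedelta(days=30))
    purged_after_withdrawal = ledger.purge(t0 + timedelta(days=31))
    purged_after_retention = ledger.purge(t0 + timedelta(days=8 * 365 + 1))
    return {
        "store_without_consent_allowed": store_without_consent_allowed,
        "purged_after_withdrawal": purged_after_withdrawal,
        "purged_after_retention": purged_after_retention,
        "remaining": [i.item_id for i in ledger.items],
    }
```

The design point is that the retention rule lives on the purpose, not on the record, so a new data category needs one `Purpose` entry and nothing else; `purge()` can then be run on a schedule and its returned ids logged as the audit trail the guide asks for. Withdrawn consent records are deliberately kept (only the data items are deleted) so the organization can still show when consent was given and revoked.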
06 Managing Third-Party Data Processors
Most SMEs rely on third-party service providers for various functions including cloud storage, payment processing, and customer communications. Under DPDPA, Data Fiduciaries remain responsible for data processed by their vendors. This requires careful vendor assessment, contractual safeguards, and ongoing oversight. Vendor contracts should include data processing agreements that specify the scope of processing, security requirements, breach notification obligations, and audit rights. Regular vendor assessments ensure continued compliance and identify any changes in vendor practices that might affect data protection.
Key Points
- Fiduciary responsibility extends to processor activities
- Contracts must include data processing agreements
- Vendor security assessments should be periodic
- Breach notification clauses ensure timely awareness
07 Practical Implementation Steps
Appoint a Compliance Lead
Designate an individual responsible for overseeing DPDPA compliance. This person will coordinate the implementation effort and serve as the point of contact for data protection matters.
Conduct Data Inventory
Document all personal data processing activities including data categories, sources, purposes, storage locations, and sharing arrangements.
Review Legal Bases
Ensure each processing activity has a valid legal basis under Section 4, with documented consent where required.
Update Privacy Notices
Revise customer-facing privacy notices to meet Section 5 requirements for transparency and specificity.
Implement Consent Mechanisms
Deploy technical solutions that capture, store, and manage consent in compliance with Section 6 requirements.
Establish Security Protocols
Implement access controls, encryption, and monitoring appropriate to your data processing activities.
Create Response Procedures
Develop procedures for handling Data Principal requests and potential data breaches within statutory timeframes.
Train Employees
Ensure all staff who handle personal data understand their obligations and the organization's compliance procedures.