DPDP Act: The Founder's Plain-English Guide
No legal jargon, no fluff - what founders need to know and do.
April 2026 · ComplyDP Free Resource
I am going to explain the DPDP Act the way I wish someone had explained it to me when I was a founder who also happened to be a lawyer - and even I found the regulations operationally dense.
This guide is for Indian startup founders who know they need to deal with DPDP but have not had time to read the Act, the Rules, or the 47 LinkedIn posts explaining it. I am not going to explain what "Data Fiduciary" means in legal terms. I am going to tell you what you need to do, what it costs, what happens if you don't, and when you need to start.
The 60-Second Version
If you run a company that collects any personal data from anyone in India - names, emails, phone numbers, device IDs, location, payment info, anything - the DPDP Act applies to you. There is no revenue threshold. There is no employee count minimum. There is no "startups are exempt" clause.
Full compliance deadline: May 13, 2027.
Penalties: up to ₹250 crore per violation. The DPBI (the regulator) is already operational.
What you need to have in place by May 2027:
- A privacy notice that tells users exactly what data you collect, why, and who you share it with
- A consent system where users actively opt in (no pre-ticked boxes, no "by using this app you agree")
- A way for users to access, correct, and delete their data (the law gives you 7 days for deletion)
- A breach notification process that can report to the regulator within 72 hours
- Contracts with every vendor that processes data on your behalf, with specific DPDP clauses
- If your users include children (under 18), verifiable parental consent and zero behavioural tracking
That is it. Everything else is detail, and the detail matters, but if you do those six things, you are ahead of 80% of Indian startups.
The 3 Things Founders Get Wrong
Wrong assumption 1: "We are GDPR-compliant, so we are covered."
You are not. The single biggest structural difference: DPDP has no "legitimate interests" basis. It has consent plus a short, closed list of "certain legitimate uses" (Section 7: data the user volunteered for a stated purpose, employment, medical emergencies and a few others), with no GDPR-style balancing test you can stretch to cover analytics, product emails or fraud scoring. If your GDPR compliance relies on legitimate interests for those purposes (and most SaaS companies' does), you need to build purpose-specific consent flows for Indian users from scratch. Consent is the only general-purpose lawful basis under DPDP.
Also: GDPR gives you 30 days for data deletion requests. DPDP gives you 7. Your data deletion pipeline needs to be 4x faster.
Wrong assumption 2: "We will deal with it closer to the deadline."
The deadline is May 2027. A serious DPDP implementation takes 6–12 months for a startup with 3–10 systems processing personal data. That means implementation should have started already. If you start in January 2027, you are attempting a 4-month sprint on what is fundamentally a 9-month project.
Wrong assumption 3: "Our users will not care."
Your users may not care. Your enterprise customers will. DPDP compliance is already becoming a procurement checklist item for Indian enterprises and MNCs. If you sell B2B, your next big deal may require a DPDP compliance attestation as a vendor qualification step. Failing that attestation does not just mean regulatory risk - it means lost revenue.
What It Actually Costs
I wrote a separate CFO's Guide with detailed budgeting, but here is the founder-level summary:
Seed to Series B startups: ₹5–15 lakh first year, ₹3–8 lakh recurring. This assumes you use a compliance platform (like ComplyDP), not a Big 4 consulting engagement.
The biggest cost is not the platform - it is engineering time. Your engineers will need to integrate consent APIs, build a data principal rights portal, instrument your data flows for audit logging, and test your deletion pipeline. Budget 2–4 weeks of engineering time, depending on complexity.
The cheapest thing you can do is start with a gap analysis. ComplyDP's free diagnostic scan takes 10 minutes and tells you exactly where your gaps are - so you can scope the work before committing budget.
The Minimum Viable Compliance Stack
You do not need enterprise software. You need:
1. A privacy notice. Write it yourself using our template (see Compliance Template Pack), or use ComplyDP's notice builder. Must be standalone (not buried in your Terms), must be specific (not vague), and must be available in English or any of the Eighth Schedule languages, so users can read it in a language they understand.
2. A consent mechanism. Granular, purpose-specific, opt-in only. If you use multiple third-party analytics or marketing tools, each needs separate consent. Build this into your onboarding flow, not as a retrofit.
3. A data principal rights portal. A simple form where users can request access, correction, or deletion of their data. Behind it, you need a workflow that routes requests to the right person and tracks SLA compliance. ComplyDP provides this out of the box.
4. A breach notification process. A documented plan, a pre-filled notification template, and a team that knows who does what. Run one tabletop exercise. Just one. That puts you ahead of 95% of startups.
5. Vendor DPA clauses. Add the DPDP-specific data processing addendum to every vendor contract where the vendor touches personal data. Our template pack includes the exact clauses.
6. A data inventory. You need to know what personal data you collect, where it lives, who has access, and how long you keep it. A spreadsheet works at the early stage. A compliance platform works better as you scale.
Total time to implement the minimum stack: 4–8 weeks for a 10–30 person startup, assuming one engineer and one person coordinating compliance (often the founder or Head of Product).
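As an added illustration (this is not code from the article or from ComplyDP), here is a minimal Python sketch of items 2 and 3 above: an append-only, per-purpose consent ledger in which nothing counts as consented unless the user explicitly ticked it, and a rights-request queue that computes each request's deadline and flags the ones that have missed it. The purpose names, the form-field convention ("on" means the checkbox was ticked) and the sample timestamps are assumptions made for the example; the 7-day deletion window is the article's own figure, and you should confirm it against the Act and Rules for your situation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

DELETION_SLA = timedelta(days=7)  # the article's figure; confirm against the Act and Rules

# Assumption: each distinct use of personal data is a named purpose, consented separately.
KNOWN_PURPOSES = {"account_service", "analytics", "marketing_email"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool        # True = explicit opt-in, False = withdrawal
    notice_version: str  # the privacy notice the user actually saw
    at: datetime


class ConsentLedger:
    """Append-only, per-purpose consent record. Nothing is consented by default."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, purpose: str, granted: bool,
               notice_version: str, at: datetime) -> None:
        if purpose not in KNOWN_PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self._events.append(ConsentEvent(user_id, purpose, granted, notice_version, at))

    def record_form(self, user_id: str, form: Dict[str, str],
                    notice_version: str, at: datetime) -> List[str]:
        """Assumed form convention: a purpose is granted only when its own checkbox
        arrives as 'on'. Missing keys or other values grant nothing, so a pre-ticked
        or bundled "agree to everything" control cannot produce consent here."""
        granted = sorted(p for p in KNOWN_PURPOSES if form.get(p) == "on")
        for p in granted:
            self.record(user_id, p, True, notice_version, at)
        return granted

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        """Latest event for (user, purpose) wins; no event at all means no consent."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.user_id == user_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Every grant and withdrawal for one user: the evidence you show an auditor."""
        return [ev for ev in self._events if ev.user_id == user_id]


@dataclass
class RightsRequest:
    request_id: str
    user_id: str
    kind: str  # "access", "correct" or "delete"
    received_at: datetime
    resolved_at: Optional[datetime] = None

    def deadline(self) -> datetime:
        # Assumption: the 7-day deletion window is used for every request kind as a
        # conservative internal target.
        return self.received_at + DELETION_SLA

    def is_overdue(self, now: datetime) -> bool:
        return self.resolved_at is None and now > self.deadline()


class RightsQueue:
    """Tracks data principal requests and surfaces the ones that have missed their SLA."""

    def __init__(self) -> None:
        self._requests: Dict[str, RightsRequest] = {}

    def open(self, req: RightsRequest) -> None:
        self._requests[req.request_id] = req

    def resolve(self, request_id: str, at: datetime) -> None:
        self._requests[request_id].resolved_at = at

    def overdue(self, now: datetime) -> List[str]:
        return sorted(r.request_id for r in self._requests.values() if r.is_overdue(now))


def demo() -> Tuple[bool, bool, bool, List[str]]:
    """Grant, withdrawal and SLA tracking on constructed sample data (no real users)."""
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_form("u1", {"analytics": "on"}, "v1.2", t0)  # marketing_email never ticked
    analytics_ok = ledger.is_permitted("u1", "analytics")        # True
    marketing_ok = ledger.is_permitted("u1", "marketing_email")  # False
    ledger.record("u1", "analytics", False, "v1.2", t0 + timedelta(days=3))  # withdrawal
    analytics_after = ledger.is_permitted("u1", "analytics")     # False

    q = RightsQueue()
    q.open(RightsRequest("r1", "u1", "delete", t0))
    q.open(RightsRequest("r2", "u2", "access", t0 + timedelta(days=5)))
    q.resolve("r2", t0 + timedelta(days=6))
    late = q.overdue(t0 + timedelta(days=8))  # ["r1"]: open 8 days, past the 7-day window
    return analytics_ok, marketing_ok, analytics_after, late
```

The two design points worth copying into a real system are that the ledger is append-only (a withdrawal is a new event, never an edit, so the audit trail survives) and that absence of a record is treated as no consent, which is what makes "no pre-ticked boxes" enforceable in code rather than only in the UI.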
When "Minimum Viable" Is Not Enough
If any of these apply to you, you need more than the minimum:
- Your users include children (under 18): you need verifiable parental consent and zero behavioural tracking/advertising
- You process health, financial, or biometric data: higher security standards, consider a DPIA
- You are likely to be designated a Significant Data Fiduciary: you need a DPO, an annual independent audit, and DPIAs for high-risk processing
- You transfer data outside India: confirm the destination country has not been restricted by Central Government notification (DPDP blocks transfers to notified countries rather than keeping an approved-country list), and remember that sector-specific localisation rules, such as the RBI's for payment data, still apply on top
- You use AI/ML for decisions that affect individuals: algorithmic accountability and transparency requirements may apply
The Founder's Decision Tree
Should I hire a DPO?
- Are you an SDF (or likely to be designated one)? → Yes, hire or appoint a DPO, India-based.
- Are you a sub-500 employee company not processing data at massive scale? → Not required, but designate someone as the privacy point of contact.
Should I use a compliance platform or hire a consultant?
- If you need help understanding the law and getting a legal opinion: hire a consultant or law firm.
- If you understand what you need to do and need to actually implement it: use a platform.
- Best approach for most startups: one-time legal opinion (₹3–5 lakh) + ongoing platform (₹2–5 lakh/year).
Should I get "DPDP certified"?
- There is no such thing as DPDP certification. The Act does not have a certification regime. If someone is selling you a certificate, they are selling you a PDF.
What happens if I do nothing?
- Penalties up to ₹250 crore per violation.
- More practically: you will fail enterprise vendor qualification, lose B2B deals, and scramble to comply under time pressure when you could have done it systematically.
Getting Started
The fastest path from "I know I should do this" to "I know exactly what to do":
Step 1: Run ComplyDP's free diagnostic scan at complydp.com/scan. It takes 10 minutes, covers all 43 DPDP controls, and tells you exactly where your gaps are. No email gate, no sales call.
Step 2: Download the Compliance Template Pack (this article series) and customise the templates for your business.
Step 3: Block 2 weeks of engineering time on your next sprint to integrate the consent and rights infrastructure.
Step 4: Get a one-time legal opinion from a qualified privacy lawyer to validate your implementation.
Step 5: Run one tabletop breach exercise. Time it. Fix whatever broke.
You are now more DPDP-ready than the vast majority of Indian startups.