Practical DPDPA Compliance for Indian Businesses
Led by CA Richa Jain, CISA, CSOE, DPCAC (ICAI)
Does your business collect customer data?
Then India’s DPDP Act makes you legally responsible for it.
We help Indian businesses — startups, clinics, CA firms, e-commerce stores, manufacturers — understand what this law means for them and become compliant before the deadline.
What is DPDPA?
The Digital Personal Data Protection (DPDP) Act, 2023 makes businesses legally responsible for how they collect, use, store, share, and protect personal data.
If your business handles names, phone numbers, emails, IDs, employee records, financial information, or customer databases — the law applies to you.
Why you cannot ignore this
Penalty up to ₹250 crore
For failing to take reasonable security safeguards to prevent a personal data breach. Intent does not matter: an accidental leak caused by weak controls still counts. Failing to notify a breach carries a separate penalty of up to ₹200 crore.
72-hour breach reporting
If personal data is leaked, you must notify the Data Protection Board of India and every affected individual. Under the DPDP Rules the Board must be intimated without delay, and given a detailed report within 72 hours of your becoming aware of the breach.
Customers can demand data deletion
Can your business honour that request today, across every system and every vendor that holds a copy? If not, that is a compliance gap.
Your vendors are your responsibility
If your cloud provider or HR software mishandles data — you are still liable.
Who does DPDPA apply to?
If your business does any of the following, the DPDP Act applies to you:
Collects customer names, phone numbers, emails, or addresses
Processes Aadhaar, PAN, KYC, or financial information
Runs a website, app, or digital platform
Has employees whose data you manage
Works with vendors or partners who handle personal data on your behalf
There is no minimum size or turnover threshold. The exemptions are narrow (for example, an individual processing data for purely personal or domestic purposes) and none of them depend on the size of the business. If you collect digital personal data, the law applies.
HOW WE HELP
INDUSTRIES WE SUPPORT

Startups & SaaS
Build DPDPA-ready products, consent flows, and privacy processes from day one.

Healthcare
Protect patient records, diagnostics, and health-tech systems with stronger data governance.

E-Commerce & Retail
Manage customer data, marketing consent, and vendor risk across your sales ecosystem.

CA Firms & Professional Services
Secure client financial data, employee records, and internal practice systems.

Manufacturing & Industrial
Control employee, dealer, distributor, and ERP-linked personal data across operations.

Education & EdTech
Protect student, parent, and staff data with compliant consent and access controls.

BFSI & Fintech
Strengthen customer data governance, breach readiness, and regulatory compliance practices.

IT & Technology
Embed privacy into applications, APIs, cloud systems, and software workflows.
Why businesses choose us
- Led by CA Richa Jain — CA, CISA, CSOE, DPCAC (ICAI)
- Deloitte Risk Advisory background
- Practical implementation-focused approach
- Supported by cybersecurity and legal specialists
- Clear business-friendly guidance — not legal jargon
- Built for Indian businesses, startups, and MSMEs
START WITH A DPDPA READINESS ASSESSMENT
Complete our short DPDPA Readiness Assessment and understand where your business stands today.
You can also book a focused advisory session to discuss your risks, gaps, and next steps directly with Richa Jain.
Practice of J S R T & Co LLP · Sector 62, Noida · Delhi NCR
FAQ
Does the DPDP Act apply to small businesses?
Yes. The DPDP Act applies to businesses of all sizes if they collect or process personal data in digital form, including customer, employee, vendor, or website user data. Data collected on paper and later digitised (for example, a signed form typed into a spreadsheet) is also covered.
What is personal data under the DPDP Act?
Personal data means any data that can identify an individual, directly or indirectly — such as names, phone numbers, emails, IDs, device data, employee records, or customer information.
What is a Data Fiduciary?
A Data Fiduciary is any business or organisation that decides why and how personal data is collected and used.
What is a Data Principal?
A Data Principal is the individual whose personal data is being processed — such as your customers, employees, users, or website visitors.
Does DPDPA apply to employee data?
Yes. HR records, payroll data, attendance, ID proofs, health records, and employee contact details are covered under the DPDP Act. Processing for employment purposes is one of the Act's "legitimate uses", so separate consent is not always needed, but the obligations on security safeguards, retention, and breach notification still apply.
Does DPDPA apply to WhatsApp, emails, and Excel sheets?
Yes. Personal data processed through emails, spreadsheets, WhatsApp, cloud storage, CRMs, HR software, and similar digital systems may fall within DPDPA scope.
I use Google Drive, Microsoft 365, AWS, or Zoho. Am I still responsible?
Yes. Cloud providers and software vendors act as Data Processors, but your business remains the Data Fiduciary and stays responsible for protecting the personal data you collect and process. The Act also requires that a Data Processor is engaged only under a valid contract, so the terms you have with each provider matter.
Do I need a Data Protection Officer (DPO)?
Only Significant Data Fiduciaries are required to appoint a DPO, who must be based in India. Every Data Fiduciary, however, must publish the contact details of a person who can answer questions from individuals about how their personal data is processed. Many businesses also choose ongoing privacy advisory support to manage compliance, vendor risk, and breach readiness.
What is a Significant Data Fiduciary (SDF)?
An SDF is a business notified by the Government based on factors such as the volume and sensitivity of personal data processed, the risk to individuals, and the potential impact on national interests. SDFs carry additional obligations, including appointing a DPO, engaging an independent data auditor, and carrying out periodic Data Protection Impact Assessments.
What is DPDPA consent?
Consent under the DPDP Act must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, limited to the stated purpose, and as easy to withdraw as it was to give. It must be preceded or accompanied by a plain-language notice stating what data is collected, for which purpose, and how the individual can exercise their rights and complain to the Board. Pre-ticked boxes and consent bundled with unrelated purposes do not meet this bar, so many existing website forms, app sign-ups, and marketing practices need review.
What rights do individuals have under the DPDP Act?
Individuals have the right to obtain a summary of the personal data being processed and the identities of the other fiduciaries and processors it has been shared with; to have their data corrected, completed, updated, or erased; to grievance redressal; and to nominate another person to exercise these rights in the event of death or incapacity.
How long can businesses keep personal data?
Personal data should only be retained for as long as necessary for the purpose for which it was collected, or as required under applicable law. Once the purpose is served, the data must be erased, and your Data Processors must be made to erase their copies too.
What happens if there is a data breach?
Businesses must notify the Data Protection Board of India and each affected individual, in the form and within the timelines set by the DPDP Rules. Failing to notify carries its own penalty, separate from the penalty for inadequate safeguards. Having a tested breach response process, with clear ownership of detection, containment, and notification, is therefore essential.
My vendor caused a data leak. Am I still responsible?
Yes. The Act places responsibility on the Data Fiduciary regardless of any agreement with, or failure by, a Data Processor. Proper vendor governance and a written Data Processing Agreement (the Act permits processors only under a valid contract) are important controls, but they shift risk, not liability.
Does DPDPA apply to B2B data?
Yes. Business contact details linked to individuals — such as names, emails, and phone numbers — may still qualify as personal data.
How is DPDPA different from GDPR?
Both laws protect personal data, but DPDPA follows a different structure. It relies on consent plus a closed list of "legitimate uses" rather than GDPR's broader set of lawful bases; it does not carve out special categories of sensitive data; its penalties are fixed rupee caps rather than percentages of global turnover; and it is enforced by the Data Protection Board of India rather than an independent supervisory authority of the GDPR type. A GDPR programme is a useful starting point, but it cannot simply be relabelled.
Does the DPDP Act apply to businesses outside India?
Yes. The DPDP Act may apply to businesses outside India if they offer goods or services to individuals in India and process their personal data digitally.
Can businesses manage DPDPA compliance internally?
Yes. Some businesses manage compliance internally, while others engage external advisors for structured assessments, implementation support, policy frameworks, and ongoing advisory.
How much does DPDPA compliance cost?
The cost depends on your business size, industry, systems, and the volume of personal data processed. Compliance programmes are typically tailored to operational complexity and risk exposure.
Why choose a CA firm for DPDPA compliance?
DPDP compliance involves governance, risk management, documentation, internal controls, and accountability — areas where Chartered Accountants have long supported businesses.
The Institute of Chartered Accountants of India (ICAI) has also actively contributed to the privacy and data protection space through specialised certification programmes, professional guidance, and publications on the DPDP Act and data protection governance.
At J S R T & Co. LLP, our approach combines compliance, governance, and implementation practicality. Our lead consultant holds CA, CISA, CSOE, and DPCAC (ICAI) credentials, bringing experience across internal controls, audit readiness, risk advisory, and privacy compliance.