Most DPDP guides are written for lawyers or large enterprises. This one is for the Indian SMB owner who has a business to run and needs to know exactly what to do — in plain language, in the right order.
You have until May 13, 2027. That sounds like a long time. It isn't, especially if you have customers, data spread across multiple systems, and a team that needs training. Start with Step 1 today.
Step 1: Determine If You're Covered
Take the EasyDP DPDP Checker at easydp.in/checker — it's free, takes 2 minutes, and tells you exactly which section of the Act applies to you and what your penalty exposure is. If you collect any customer information digitally (or on paper that you then enter into any software), you're almost certainly covered.
Step 2: Map Your Data
Before you can protect data, you need to know where it lives. Create a simple inventory:
- What personal data do you collect? (Name, phone, address, payment, medical, biometric)
- Where is it stored? (WhatsApp, CRM, Excel, Shopify, physical files that get scanned)
- Who has access to it? (Owner, staff, delivery partners, accountant)
- Who do you share it with? (Payment gateway, courier, email tool, WhatsApp Business)
A simple spreadsheet is fine. This becomes your Data Register — keep it updated.
Step 3: Identify Your Data Processors
List every third-party tool or service that handles customer data: Razorpay, Shiprocket, Google Analytics, Mailchimp, Tally, your billing software. Under DPDP, you are responsible for their compliance. Check if they have a privacy policy and data processing terms.
Step 4: Write Your Privacy Notice
Draft a privacy notice that covers: what data you collect, why, who you share it with, how long you keep it, and how customers can exercise their rights. Keep it simple — one A4 page in plain language. Publish it on your website footer, Instagram bio link, or WhatsApp pinned message.
Step 5: Build a Consent Collection Process
Define how you'll get consent from customers before collecting their data. For a WhatsApp business, this might be a standard message you send to all new customers. For a Shopify store, it's a checkbox at checkout. For a physical store, it could be a QR code at the counter that opens a digital consent form.
Consent must be explicit, specific, and documented. "They gave me their number so it's fine" is not consent under the DPDP Act.
Step 6: Build a DSR (Data Request) Process
Create a way for customers to ask about their data, request corrections, or ask for deletion. Minimum viable: a dedicated email address (privacy@yourbusiness.in) and a documented process for what to do when a request arrives. Response target: within 30 days.
Step 7: Implement Security Basics
"Reasonable security safeguards" is the legal standard. For an SMB, this means:
- Two-factor authentication on any account or device containing customer data
- Password-protect spreadsheets containing customer lists
- Limit staff access to only the data they need
- Secure Wi-Fi in your office (WPA2 minimum)
- Regular backups of customer data
- A clear policy about not copying customer data to personal devices
Step 8: Train Your Team
Every person who handles customer data needs to know the basics: what data you collect, why, how to handle customer requests, and what to do if there's a potential breach. A one-hour team session with a written summary is sufficient for most SMBs. Document that you did it.
Step 9: Review Your Third-Party Contracts
Your contracts with Data Processors (delivery partners, payment gateways) should include data protection clauses. These are often called Data Processing Agreements (DPAs). Most large providers (Google, Meta, Razorpay) already offer these. Review and sign them.
Step 10: Handle Children's Data
If any of your customers might be under 18 — schools, coaching centres, apps, gaming, children's products — you must implement parental consent verification. This is non-negotiable and carries the highest penalty (₹200 Crore). If you're in this category, contact EasyDP specifically about the parental consent flow.
Step 11: Prepare a Breach Response Plan
Write down: what you'll do if customer data is compromised. Who to call, what to tell customers, how to notify the Data Protection Board. Keep this document somewhere everyone on your team can find it. The 72-hour clock starts the moment you discover a breach — you don't have time to figure out the process then.
Step 12: Update Your Existing Customer Base
For customers you already have — from whom you haven't obtained DPDP-compliant consent — you need to send a re-consent notice before May 2027. This doesn't mean they all need to re-confirm immediately, but you need a plan to get consent from your existing database before enforcement begins.
Step 13: Set Up Retention and Deletion
Decide how long you'll keep different types of data and when you'll delete it. Tax records: 7 years. Marketing contacts: until they opt out. Customer accounts: 2 years after last activity. Then actually implement deletion — if you're using Shopify, use their built-in anonymization feature. If it's a spreadsheet, set a calendar reminder to clean it annually.
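One way to turn the schedule above into the actual deletion step for a spreadsheet-style Data Register, as an added example (not EasyDP's code); it assumes a CSV with columns id, kind, name, phone, email, last_activity and opted_out, and it also returns the log of what was removed so the sweep can be evidenced later.

```python
import csv
import io
from datetime import date

# Retention schedule from the guide (years after last activity); marketing
# contacts have no fixed period and are kept until they opt out.
RETENTION_YEARS = {"tax_record": 7, "customer_account": 2}
PERSONAL_FIELDS = ("name", "phone", "email")

# Constructed sample Data Register (the column layout is an assumption).
SAMPLE_CSV = """id,kind,name,phone,email,last_activity,opted_out
1,customer_account,Asha,9800000001,asha@example.in,2025-11-02,
2,customer_account,Ravi,9800000002,ravi@example.in,2022-03-15,
3,marketing_contact,Meena,9800000003,meena@example.in,2024-06-01,yes
4,marketing_contact,Karan,9800000004,karan@example.in,2024-06-01,no
5,tax_record,,,,2017-03-31,
6,tax_record,,,,2021-03-31,
"""

def years_ago(d, years):
    """Same calendar date `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)

def retention_action(row, today):
    """Return 'keep', 'delete' or 'anonymize' for one register row."""
    if row["kind"] == "marketing_contact":
        return "delete" if row["opted_out"].strip().lower() == "yes" else "keep"
    cutoff = years_ago(today, RETENTION_YEARS[row["kind"]])
    if date.fromisoformat(row["last_activity"]) > cutoff:
        return "keep"  # still inside the retention window
    # Expired accounts are anonymized (history stays, identity goes); expired tax records are deleted.
    return "anonymize" if row["kind"] == "customer_account" else "delete"

def sweep(csv_text, today_iso):
    """Apply the schedule; return (rows to write back, audit log of removals)."""
    today = date.fromisoformat(today_iso)
    kept, log = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = retention_action(row, today)
        if action == "delete":
            log.append((row["id"], "delete"))
            continue
        if action == "anonymize":
            row = {**row, **{f: "" for f in PERSONAL_FIELDS}}
            log.append((row["id"], "anonymize"))
        kept.append(row)
    return kept, log
```

Run `sweep(SAMPLE_CSV, "2026-01-10")` to see the opted-out contact and the 2017 tax record dropped, and the 2022 account scrubbed of name, phone and email while its activity date is kept.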
Step 14: Document Everything
The Data Protection Board (DPB) can ask for evidence of your compliance efforts. Keep records of: when you updated your privacy notice, consent records for customers, DSRs received and resolved, breach incidents (even minor ones), staff training sessions, and third-party DPAs signed. This documentation is your defence if a complaint is ever filed against you.
Want to Automate Most of This?
Steps 5, 6, 8, 11, and 14 can all be handled by EasyDP. Our platform automates consent collection (in 22 Indian languages), provides a customer portal for DSRs, runs a breach notification workflow, and generates your compliance audit log automatically. Most SMBs are fully set up in under 30 minutes.