◆ Xiligent Field Notes · DPDPA & Indian MSMEs
Field Notes · Issue 04 · APR 26, 2026

DPDPA for Indian MSMEs: Do Small Businesses Really Need to Comply?

There is no headcount threshold. There is no revenue threshold. A grounded look at what the law actually expects of small Indian businesses — and what doing nothing for eighteen months actually costs.

◆ FIG. 01 — XILIGENT FIELD NOTES VOL. 04

It is one of the most common questions we hear from founders and operations heads at Indian MSMEs heading into 2026: we are a small company — does the DPDPA actually apply to us?

The instinctive hope — that a 30-person company processing customer data in spreadsheets and CRMs is somehow below the threshold of a serious data protection law — is understandable. Most regulatory regimes globally have some accommodation for size. The GDPR has Article 30 record-keeping relief for under-250-employee organisations. Many sectoral Indian regulations carry MSME-specific relaxations.

The DPDPA does not. And that is the single most underappreciated fact about the law.

This post answers the question directly: what the law actually says about small businesses, what compliance looks like at MSME scale, and what the practical consequences of doing nothing actually are.


What the Law Actually Says

The Digital Personal Data Protection Act, 2023 applies to the processing of digital personal data within India, and to processing outside India that is connected with offering goods or services to Data Principals in India. The obligations fall on the Data Fiduciary, meaning any person who determines the purpose and means of that processing. There is no employee headcount threshold. There is no revenue threshold. There is no carve-out for MSMEs.

Section 17(3) of the Act does give the Central Government power to notify that some or all provisions will not apply to a specified Data Fiduciary or class of Data Fiduciaries, and the text of the section names startups as one such class. Until such a notification is issued, every Indian business processing digital personal data is in scope. As of early 2026, no such MSME exemption has been notified, and there is no public indication one is imminent.

The DPDP Rules, finalised in November 2025, did not introduce a small-business exemption either. The drafting choice was deliberate: Indian regulators have publicly framed the law as protecting the rights of data principals regardless of who is processing their data.

So the legal answer is straightforward: yes, DPDPA applies to your MSME.


What Counts as "Processing Personal Data"

This is where many MSMEs underestimate their exposure. Personal data under the DPDPA is broadly defined: any data about an identified or identifiable individual. That includes:

  • Customer names, phone numbers, and email addresses in your CRM
  • Employee records, including PAN, Aadhaar, bank details, salary information
  • Vendor contact information
  • Visitor logs at your office
  • Marketing email lists
  • WhatsApp chat histories with customers
  • Cookies and analytics data on your website
  • Job applicant CVs sitting in your inbox

If you have any of these in digital form, and almost every business does, you are processing personal data. The DPDPA applies whether the data is held in a sophisticated SaaS platform or in an Excel sheet on someone's laptop. The one qualifier is the word "digital": the Act covers personal data collected in digital form or collected on paper and digitised later, so a paper visitor register that is never typed up is the only item on the list above it does not reach. The moment someone photographs it or copies it into a sheet, it is in scope.


What Compliance Actually Looks Like at MSME Scale

The law is uniform, but its operational expectations are calibrated to risk and scale. The DPDPA repeatedly uses the language of "reasonable" — reasonable security safeguards, reasonable measures — which is the regulatory acknowledgement that a 30-person SaaS company is not expected to operate the same compliance machinery as HDFC Bank.

For most MSMEs, the practical compliance picture is roughly:

The non-negotiables — every fiduciary, regardless of size:

  • A privacy notice that meets DPDPA's content requirements under Section 5: the personal data collected and the purposes of processing, how the data principal can exercise their rights (including withdrawing consent), how to raise a grievance with you, and how to complain to the Data Protection Board of India
  • A lawful basis for every processing activity, which is typically consent, except for the narrow set of "legitimate uses" defined in Section 7 (processing for employment purposes is one of them, so routine HR records do not need a consent form, though they still need safeguards)
  • A consent collection mechanism that meets the Section 6 standard: free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and as easy to withdraw as it was to give
  • A documented grievance redressal process and a designated grievance contact
  • Reasonable security safeguards proportionate to the data and its sensitivity
  • Breach notification capability, to the Data Protection Board of India and to each affected data principal, with no risk-based threshold for individual notification; the DPDP Rules require the Board to be intimated without delay, with a detailed report to follow within 72 hours of becoming aware of the breach unless the Board allows longer
  • Data principal rights handling — access, correction, erasure, nomination
  • Vendor agreements that contractually flow down DPDPA obligations to processors

Obligations that scale with size, where an MSME can reasonably run a lighter version than a large fiduciary would:

  • A lightweight data inventory (a spreadsheet listing what data you have, where it sits, who has access, and how long you keep it is a reasonable starting point)
  • Periodic review of consent and privacy practices (annual is reasonable for an MSME)
  • Staff awareness training (a once-a-year session is far better than nothing)

What you almost certainly do not need to do as an MSME:

  • Appoint a formal Data Protection Officer (Section 10 requires this only of Significant Data Fiduciaries, a class the Central Government notifies on the basis of data volume and sensitivity, risk to data principals and similar factors; an MSME will almost never be notified into it)
  • Conduct formal Data Protection Impact Assessments for every processing activity
  • Build dedicated privacy engineering teams or large-scale tooling
  • Comply with the additional obligations imposed on Significant Data Fiduciaries

The gap between what MSMEs need and what enterprises need is real and significant. It just does not extend to the threshold question of whether the law applies.


What Non-Compliance Actually Looks Like

The DPDPA's penalty structure is fixed-amount, not turnover-linked, with a top end of ₹250 crore for failure to implement reasonable security safeguards. The most common reaction we hear from MSMEs is some version of: we are too small for the regulator to come after us at those numbers.

This misreads how DPDPA enforcement is likely to work. Three points worth absorbing:

Penalties are calibrated, not set at the maximum by default. The ₹250 crore figure is the upper limit, and it attaches specifically to a failure of reasonable security safeguards. When the Data Protection Board of India imposes a penalty, Section 33 requires it to consider the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, the gain made or loss averted, the action taken to mitigate it, and whether the penalty is proportionate and effective. A small-scale breach by a small organisation will attract a fraction of the maximum, not the headline number. That is not the same as zero: a penalty that is trivial against ₹250 crore can still be large against an MSME's balance sheet.

Most MSME exposure will not come from DPBI fines. It will come from contractual exposure. Enterprise customers, banks, and increasingly SaaS resellers will bake DPDPA compliance into vendor agreements. Loss of customer contracts because you cannot pass a vendor security review is the more probable cost of non-compliance for most Indian MSMEs.

Reputation costs are asymmetric for small businesses. A large enterprise can absorb a public privacy incident with a press release and a remediation plan. For a 50-person SaaS company, the same incident — losing a chunk of customer data and being unable to demonstrate adequate safeguards — can be existential.

There is also a less-discussed point about individual exposure. The DPDPA creates no criminal offences and has no director-liability clause of the kind found in some other Indian statutes; its penalties are civil and fall on the person found to have breached the Act, which for a company means the entity. But a Data Fiduciary is defined as "any person" who determines the purpose and means of processing, and the DPBI's powers to issue directions and impose penalties run to persons, not only to companies. A sole proprietor, or an individual who collects customer data in their own name, is therefore directly in the frame, and in a small company the founder who personally runs consent capture and grievance handling is the one who answers for them in practice.


The Realistic MSME Compliance Path

For an MSME starting from zero in 2026, a sensible compliance journey looks like this:

Months 1–2: Get the foundation in place.

  • Build a one-page data inventory (categories of data, where stored, who has access, retention period)
  • Publish a DPDPA-compliant privacy notice on your website and in your customer onboarding flows
  • Set up a consent capture mechanism for new customer interactions
  • Designate a grievance officer (this can be an existing role) and publish their contact

Months 3–4: Cover your processor relationships.

  • Identify every vendor that touches personal data on your behalf — your CRM, email tool, payroll provider, analytics, hosting
  • Update vendor contracts to include DPDPA-compliant data processing terms
  • Document the legal basis for each processing activity

Months 5–6: Operationalise rights and incidents.

  • Create a simple internal process for handling data principal rights requests (a shared inbox and a workflow document is usually enough)
  • Write a breach response playbook — even a one-page version covering containment, notification, and documentation is a meaningful step
  • Run a tabletop exercise once with the team

Ongoing: Light-touch maintenance.

  • Annual review of the privacy notice and data inventory
  • Annual staff awareness session
  • Quarterly check on vendor processor agreements
  • Track DPBI guidance and update practices as enforcement clarifies expectations

The total time investment for a typical MSME is in the order of 80 to 150 hours of internal effort across the first six months, with annual maintenance after that being significantly lower. The direct cost — legal review, lightweight tooling — can be kept under ₹3–5 lakh for most organisations if the work is approached pragmatically.


When MSMEs Should Spend More Than the Minimum

Some MSMEs face risk profiles that warrant more than the baseline path described above. Spend more if any of the following apply:

  • You serve global customers and need to demonstrate compliance through vendor security reviews
  • You handle health, financial, or children's data
  • You are pursuing or already hold ISO 27001 certification (the marginal cost of integrating DPDPA controls into an existing ISMS is small)
  • You are fundraising — institutional investors increasingly include DPDPA readiness in their due diligence
  • You operate in a sector where regulators (RBI, IRDAI, SEBI, DGCA) impose layered data obligations

In these cases, treating DPDPA compliance as a strategic asset rather than a minimum cost is usually worthwhile.


A Closing Note

The honest answer to "do small businesses really need to comply?" is: yes, but the operational lift is far smaller than most MSMEs assume before they look closely. The law is uniform in scope, but it is intelligent about scale in execution.

The MSMEs that will struggle in 2026 are not the ones that read the law and discover it applies to them. They are the ones that decide it does not, do nothing for eighteen months, and then find themselves unable to pass a customer security review or unable to respond credibly to a data subject complaint.

Done well, DPDPA compliance for an MSME is a one-quarter project followed by light-touch maintenance — a small fraction of the operational cost most founders fear, and a credential that increasingly opens doors with enterprise customers, banks, and global partners.


The most useful first step for an Indian MSME is the data inventory. It is unglamorous, but it is the document that determines what every other compliance decision should look like — and it is the one most organisations skip.


© Xiligent 2026 · All rights reserved