Most Bangalore businesses we speak to have heard of the DPDP Act and assume it is a 'big tech' problem. It is not. The Digital Personal Data Protection Act, 2023 applies to anyone who processes the digital personal data of an Indian individual — that includes the dental clinic running a WhatsApp reminder bot, the coaching centre storing scanned Aadhaar copies, and the D2C brand that bought a list of phone numbers.
The Data Protection Board of India (DPBI) is the regulator. Penalties go up to Rs. 250 crore per instance for failing to safeguard data. The compliance burden is real, but it is also tractable. Here is the checklist we use when we onboard a Bangalore business.
1. Map your data flows
You cannot protect what you have not inventoried. List every system that touches personal data — your CRM, billing software, WhatsApp Business, Google Workspace, recruiting tools, marketing automation, third-party analytics. Note what fields, what retention, and which vendor (data processor) is downstream.
2. Rewrite your notice and consent
Section 5 of the DPDP Act requires a clear, plain-language notice at or before the point of collection. The old 'we may share your data with affiliates' boilerplate does not survive. Notices must be available in English plus any of the 22 scheduled languages the user prefers, and consent must be specific, informed, free, unconditional and unambiguous.
3. Build a withdrawal pipe
Consent is now a switch the user can flip back. If your tech stack cannot delete a customer record on request, propagate that deletion to backups and downstream processors, and confirm completion within a reasonable period, you have a Section 6(4) problem. We see this break most often at the Mailchimp/Zoho-CRM boundary.
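To make the "withdrawal pipe" concrete, here is an added example (not code from the article or from any named product) that ties the data-flow map from step 1 to step 3: every downstream processor is registered, a withdrawal is fanned out to all of them, each result is logged as evidence, and anything that could not be erased yet (a backup snapshot that is immutable until it expires) is tracked as outstanding and retried. System names, records and the 30-day window are constructed assumptions.

```python
# Added example: propagate one consent withdrawal to every downstream processor.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Processor:
    """A system holding a copy of the record (hypothetical: CRM, mailer, backup)."""
    name: str
    records: dict = field(default_factory=dict)     # principal_id -> personal data
    immutable_until: Optional[datetime] = None      # e.g. a backup snapshot's expiry

    def erase(self, principal_id: str, now: datetime) -> bool:
        """Delete the record; return True only if it is really gone."""
        if self.immutable_until and now < self.immutable_until:
            return False                            # snapshot cannot be edited yet
        self.records.pop(principal_id, None)
        return principal_id not in self.records

@dataclass
class Withdrawal:
    principal_id: str
    received: datetime
    deadline: datetime
    confirmed: dict = field(default_factory=dict)   # processor name -> timestamp

class WithdrawalPipe:
    def __init__(self, processors, resolution_days=30):   # 30 days is an assumption
        self.processors, self.window, self.audit = processors, timedelta(days=resolution_days), []

    def withdraw(self, principal_id, now):
        req = Withdrawal(principal_id, now, now + self.window)
        self.propagate(req, now)
        return req

    def propagate(self, req, now):
        """Retry every processor that has not yet confirmed erasure; log each attempt."""
        for p in self.processors:
            if p.name in req.confirmed:
                continue
            ok = p.erase(req.principal_id, now)
            self.audit.append((now.isoformat(), p.name, req.principal_id, ok))
            if ok:
                req.confirmed[p.name] = now

    def outstanding(self, req):
        return [p.name for p in self.processors if p.name not in req.confirmed]

    def overdue(self, req, now):
        return bool(self.outstanding(req)) and now > req.deadline

def demo():
    """Constructed scenario: CRM and mailer erase at once, the snapshot only after expiry."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    crm = Processor("zoho-crm", {"P-1": {"phone": "+91-XXXXX-XXXXX"}})
    mailer = Processor("mailchimp", {"P-1": {"email": "p1@example.invalid"}})
    backup = Processor("nightly-snapshot", {"P-1": {"phone": "+91-XXXXX-XXXXX"}},
                       immutable_until=t0 + timedelta(days=7))
    pipe = WithdrawalPipe([crm, mailer, backup])
    req = pipe.withdraw("P-1", t0)
    first = pipe.outstanding(req)                   # snapshot still holds the record
    pipe.propagate(req, t0 + timedelta(days=8))     # snapshot expired, retry succeeds
    return first, pipe.outstanding(req), pipe.overdue(req, t0 + timedelta(days=31)), len(pipe.audit)
```

The `audit` list is the artefact to keep: it shows the DPBI which processor confirmed erasure and when, and `outstanding()` is the queue your team actually has to work.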
4. Appoint a Data Protection Officer (if applicable)
DPOs are mandatory only for Significant Data Fiduciaries — a category that will be notified by the Centre based on volume, sensitivity and risk. Most SMEs will not be in scope, but everyone needs a designated grievance officer whose contact details are published on your website and inside your app.
5. Children's data is treated differently
Section 9 prohibits processing children's data in a way that is detrimental, prohibits behavioural tracking or targeted advertising, and requires verifiable parental consent. EdTech companies, paediatric clinics, gaming apps and tuition platforms — this section is aimed squarely at you.
6. Cross-border transfers
Section 16 allows transfer of personal data outside India except to countries the Centre specifically restricts by notification. The US, Singapore and EU are open at the time of writing. If your servers are on AWS Mumbai but your backup snapshots replicate to Ireland, document the legal basis and update your processor agreements.
7. Breach notification readiness
Any breach must be reported to the DPBI and to affected Data Principals — without an explicit grace period in the Act itself, the practical standard is 'as soon as possible'. CERT-In's parallel six-hour reporting obligation under the IT Act still applies. Have an incident response runbook before you need one.
8. Vendor and processor contracts
Every third party that touches your data — your payroll provider, your call-centre vendor, your WhatsApp BSP — must be bound by a written contract under Section 8(2). Old MSAs from 2019 that say nothing about data are no longer compliant. Refresh them.
9. Security safeguards that match the data
Section 8(5) requires reasonable security safeguards. There is no specific standard prescribed yet, but ISO 27001-aligned controls, encryption at rest and in transit, role-based access, audit logging and meaningful key management are what regulators and courts will look for. Hashing passwords with bcrypt, not MD5. TLS, not plaintext. The basics, done properly.
10. Grievance redressal and the DPBI
The Data Principal must first approach you. You have a reasonable period to resolve. Only then can they escalate to the DPBI, whose orders are appealable to the Telecom Disputes Settlement and Appellate Tribunal. Build the grievance flow now — empty placeholder pages get treated harshly. The grievance officer's name, designation, email and postal address must be visible on the website footer, in the app's settings screen, and in your privacy notice.
Operational discipline beats policy templates
We have seen well-drafted privacy policies live alongside spreadsheets full of customer phone numbers being emailed unencrypted to a marketing intern. Compliance is what your team actually does — the access reviews you actually run, the data deletions you actually propagate, the vendors you actually audit. The DPBI's investigation powers under Section 28 include calling for records, conducting inquiries, and inspecting premises. Polished documents will not survive a mismatch with operational reality.
Where most Bangalore SMEs go wrong
Three patterns recur. One: collecting Aadhaar copies for KYC and storing them in shared Google Drives without access control or retention limits. Two: marketing teams importing scraped contact lists into Mailchimp or WhatsApp Business with no recorded basis of consent. Three: dev teams keeping production database dumps on local laptops for 'debugging'. Each is a Section 8 problem, each is fixable, and each is a soft target for a regulatory action once the DPBI starts taking matters up.
We help Bangalore businesses move from policy templates to actual compliance — data flow maps, vendor contract redlines, notice-and-consent rewrites, and incident runbooks. If you would like a one-hour scoping conversation to see where you stand, send a WhatsApp message to +91 63634 69138. The cost of getting this wrong has gone up materially. The cost of getting it right early has not — and the first 24 hours of a breach are not the time to discover that nobody on the team has read the Act.
Discuss your matter with us.
Articles can only go so far. Every legal matter has its own facts. Reach out for a confidential consultation.