Introduction
India’s Digital Personal Data Protection Act, 2023 (DPDPA) marks a watershed moment in the evolution of India’s data privacy framework. After years of deliberation and drafts, the Act brings much-needed regulation to the handling of digital personal data, aligning India, at least in spirit, with global regimes like the EU’s General Data Protection Regulation (GDPR).
However, as the dust settles and stakeholders begin to unpack its nuances, one section of the Indian economy—Small and Medium Enterprises (SMEs)—finds itself grappling with a serious challenge. Without clearly defined exemptions or scaled-down compliance mechanisms, SMEs fear that the cost and complexity of adhering to the DPDPA could act as a significant deterrent to digital adoption.
The Scope of DPDPA: Digital-Only Data and Its Limitations
The DPDPA applies exclusively to digital personal data. The Act defines "personal data" as any data about an individual who is identifiable by or in relation to such data, and separately defines "digital personal data" as personal data in digital form. Under Section 3, the Act applies to the processing of digital personal data that is either collected in digital form or collected in non-digital form and subsequently digitised; personal data that stays on paper is outside its scope.
This digital focus presents a stark dichotomy for businesses. Many SMEs still operate in semi-digital or offline environments, and the obligations attach the moment those records are digitised: a paper customer ledger becomes regulated personal data as soon as it is typed into a spreadsheet, a billing app or a messaging group. The SME that digitises last is the one that meets the full weight of the Act with the least preparation.
SMEs in India: The Economic and Digital Backbone
India’s SME sector comprises approximately 63 million enterprises, contributing over 30% of India’s GDP. With government initiatives like Digital India, Startup India, and Make in India 2.0, digital transformation in this segment is crucial. Yet digital adoption among SMEs remains uneven, and the DPDPA’s stringent obligations could deter these businesses from going further.
Core DPDPA Obligations and Their Implications for SMEs
As Data Fiduciaries under the Digital Personal Data Protection Act (DPDPA), 2023, Small and Medium Enterprises (SMEs) in India face challenges that larger organisations do not, because of their size, resources, and digital maturity. Below are five key compliance obligations under the DPDPA and their real-world implications for SMEs, along with illustrative examples.
1. Notice and Consent Requirements (Sections 5 and 6)
DPDPA Requirement: Give data principals a notice stating what personal data is collected and for what purpose (Section 5), and obtain consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action (Section 6). Consent covers only the personal data necessary for the specified purpose.
SME Challenge: SMEs often lack legal teams and resources to draft multilingual, understandable consent notices, and the notice must be available in English or any of the languages in the Eighth Schedule to the Constitution.

Visual: A chaiwala with a smartphone, confused by a legal document titled “Consent Form” while a customer waits impatiently.
2. Purpose Limitation & Data Minimization (Sections 4 to 6)
DPDPA Requirement: Process personal data only for a lawful purpose that the data principal has consented to (or that falls under the Act's "certain legitimate uses"), and collect only as much data as is necessary for that specified purpose.
SME Challenge: SMEs may collect excess data without structured policies, leaving them holding data they have no consent to use and cannot justify if a data principal or the Board asks why it was collected.

Visual: Kirana shop owner asking for blood group on a loyalty card form—collecting more than required.
3. Grievance Redressal & Consent Management (Sections 6(4) and 13)
DPDPA Requirement: Data principals may withdraw consent at any time, and withdrawal must be as easy as giving it; processing under that consent must then stop. Every Data Fiduciary must provide a readily available means of grievance redressal and publish the contact details of a person able to answer data principals' questions. A Data Protection Officer is mandatory only for entities notified as Significant Data Fiduciaries.
SME Challenge: Most SMEs have no designated contact person, no record of which consents are active, and no ticketing mechanism, so a withdrawal or complaint received over WhatsApp or at the counter is easily lost.

Visual: Customer asking “Where do I file a complaint?” to a confused small shop owner with no answer.
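The three obligations above (purpose-bound consent, collecting only what a purpose needs, and honouring withdrawal) are mechanical enough that even a small business can enforce them in its own software rather than on paper. The following is an added illustrative example written for this page, not code from any regulator or from the Act; the purposes, the field lists, the customer identifier and the loyalty-programme scenario are constructed assumptions. It keeps one consent record per (customer, purpose), rejects fields the declared purpose does not need, refuses to use data once consent is withdrawn, erases fields no remaining active purpose covers, and can produce the data an access request would return.

```python
"""Purpose-bound consent register: added illustrative example, not the Act's text."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed assumption for a hypothetical kirana loyalty programme:
# each declared purpose lists the only fields that may be collected for it.
PURPOSE_FIELDS: dict[str, set[str]] = {
    "loyalty_points": {"name", "phone"},
    "home_delivery": {"name", "phone", "address"},
}


class ConsentError(Exception):
    """Raised when processing is attempted without an active, matching consent."""


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_version: str          # which notice text (and language) the principal saw
    granted_at: datetime
    withdrawn_at: datetime | None = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentRegister:
    # (principal, purpose) -> consent record; principal -> collected fields
    consents: dict[tuple[str, str], ConsentRecord] = field(default_factory=dict)
    store: dict[str, dict[str, str]] = field(default_factory=dict)

    def grant(self, principal_id: str, purpose: str, notice_version: str) -> ConsentRecord:
        if purpose not in PURPOSE_FIELDS:
            raise ConsentError(f"no notice defined for purpose {purpose!r}")
        rec = ConsentRecord(principal_id, purpose, notice_version, datetime.now(timezone.utc))
        self.consents[(principal_id, purpose)] = rec
        return rec

    def _require_active(self, principal_id: str, purpose: str) -> ConsentRecord:
        rec = self.consents.get((principal_id, purpose))
        if rec is None or not rec.active:
            raise ConsentError(f"no active consent from {principal_id!r} for {purpose!r}")
        return rec

    def collect(self, principal_id: str, purpose: str, data: dict[str, str]) -> None:
        """Store fields for a purpose; reject anything the purpose does not need."""
        self._require_active(principal_id, purpose)
        extra = set(data) - PURPOSE_FIELDS[purpose]
        if extra:
            raise ConsentError(f"fields not needed for {purpose!r}: {sorted(extra)}")
        self.store.setdefault(principal_id, {}).update(data)

    def use(self, principal_id: str, purpose: str) -> dict[str, str]:
        """Return only the fields the (still active) purpose is allowed to see."""
        self._require_active(principal_id, purpose)
        held = self.store.get(principal_id, {})
        return {k: v for k, v in held.items() if k in PURPOSE_FIELDS[purpose]}

    def fields_still_needed(self, principal_id: str) -> set[str]:
        needed: set[str] = set()
        for (pid, purpose), rec in self.consents.items():
            if pid == principal_id and rec.active:
                needed |= PURPOSE_FIELDS[purpose]
        return needed

    def withdraw(self, principal_id: str, purpose: str) -> list[str]:
        """Mark consent withdrawn and erase fields no other active purpose covers."""
        rec = self._require_active(principal_id, purpose)
        rec.withdrawn_at = datetime.now(timezone.utc)
        needed = self.fields_still_needed(principal_id)
        held = self.store.get(principal_id, {})
        erased = sorted(f for f in held if f not in needed)
        for f in erased:
            del held[f]
        return erased

    def access_report(self, principal_id: str) -> dict:
        """What an access request would return: data held plus consent history."""
        return {
            "data": dict(self.store.get(principal_id, {})),
            "consents": [
                {"purpose": r.purpose, "notice": r.notice_version, "active": r.active}
                for (pid, _), r in self.consents.items() if pid == principal_id
            ],
        }


def demo() -> dict:
    """Constructed walk-through: two consents, one over-collection attempt, one withdrawal."""
    reg = ConsentRegister()
    reg.grant("cust-1", "loyalty_points", "notice-v1-hi")
    reg.grant("cust-1", "home_delivery", "notice-v1-hi")
    reg.collect("cust-1", "loyalty_points", {"name": "Asha", "phone": "+91-00000-00000"})
    reg.collect("cust-1", "home_delivery", {"address": "12 Market Road"})
    try:
        reg.collect("cust-1", "loyalty_points", {"blood_group": "O+"})   # the loyalty-card over-collection
        blocked = False
    except ConsentError:
        blocked = True
    erased = reg.withdraw("cust-1", "home_delivery")
    return {"over_collection_blocked": blocked, "erased": erased,
            "remaining": reg.use("cust-1", "loyalty_points")}
```

The design choice worth noting is that withdrawal erases per field, not per purpose: the phone number survives the delivery withdrawal because the loyalty consent still needs it, while the address is deleted immediately. A real deployment would persist the register and also record the time and channel of each withdrawal, since that is what a grievance about continued processing turns on.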
4. Breach Notification & Security Safeguards (Section 8)
DPDPA Requirement: A Data Fiduciary must implement reasonable security safeguards to prevent a personal data breach (Section 8(5)), and in the event of a breach must intimate the Data Protection Board and each affected data principal in the form and manner prescribed by rules (Section 8(6)). The Act itself sets no materiality threshold for what must be reported; the timeline and format are left to the rules.
SME Challenge: SMEs are unaware of what qualifies as "reasonable safeguards" and have no breach response process: no inventory of where customer data sits, no backups tested against ransomware, and nobody who knows that a lost laptop or a misdirected spreadsheet is a reportable breach.
5. Cross-Border Data Transfer & User Rights Fulfillment (Sections 11 to 13 and 16)
DPDPA Requirement: Personal data may be transferred outside India except to countries the Central Government restricts by notification (Section 16). Data principals have rights to access information about their data (Section 11), to correction and erasure (Section 12) and to grievance redressal (Section 13), and the Data Fiduciary must honor these requests.
SME Challenge: Many SMEs run on foreign SaaS platforms for billing, CRM and messaging, but the SME remains the Data Fiduciary and the provider is merely a Data Processor engaged under contract (Section 8(2)). The SME is answerable for deletion and access requests even when it has no administrative control over, or export tooling for, the data the provider holds.
Summary Table
| Obligation | What the Law Requires | SME Challenge | Visual Metaphor |
|---|---|---|---|
| Notice & Consent | Inform & get clear consent | No legal team, language issues | Shopkeeper baffled by consent form |
| Purpose Limitation | Only collect what's needed | Over-collection, no policies | Asking irrelevant data |
| Grievance Handling | Withdraw consent & handle complaints | No formal processes | “Where do I complain?” confusion |
| Breach Reporting | Report breaches, secure data | Ignorance about breach norms | Googling after ransomware hit |
| Cross-Border + Rights | Restrict transfers & allow deletion | No control over SaaS data | “Data stored in Germany” panic |
Large corporations can afford full-fledged privacy teams. But SMEs face a disproportionate burden if not given simplified mechanisms for compliance.
India needs a tiered, risk-based approach to data protection to ensure SMEs are not excluded from the digital economy due to over-regulation.
Impact on Innovation and Digital Economy
- Reduced Tech Adoption: SMEs may avoid digital tools.
- Startup Growth Affected: Compliance may hinder scalability and funding.
- Talent Drain: Professionals may migrate to less restrictive jurisdictions.
- Economic Fragmentation: Large companies may thrive, while SMEs lag.
The Privacy vs. Progress Paradox: Finding Balance
Privacy is a fundamental right, recognised as part of the right to life and personal liberty under Article 21 in Justice K.S. Puttaswamy v. Union of India (2017), but its enforcement must not impede the right to practise any profession, trade or business under Article 19(1)(g). Regulation should balance both rights.
The Way Forward: Recommendations
1. Risk-Based Compliance: Obligations Should Reflect Processing Risk
Compliance obligations should be proportionate to the volume and sensitivity of personal data processed. SMEs handling minimal or low-risk data should not be overburdened with regulations meant for large enterprises. This supports innovation without compromising privacy rights.
2. Micro Fiduciary Category: Simplified Requirements for Small Businesses
Introduce a "Micro or Low-Impact Data Fiduciary" category for businesses with limited data usage and no cross-border transfers. These entities should benefit from simplified compliance such as basic notices and minimal audits.
3. Privacy Sandbox: Lighter Regulations for Startups
Allow startups to test services under a Privacy Sandbox framework with relaxed compliance during early development, while ensuring basic privacy principles like purpose limitation and consent remain intact.
4. Toolkits and Templates: Standardized Compliance Aids
Government bodies like the Data Protection Board or MeitY should offer standardized templates, DIY guides, and sector-specific compliance toolkits to make compliance accessible and cost-effective for SMEs.
5. Incentivize Compliance: Tax Breaks and Subsidies
Provide tax incentives and reimbursement schemes for SMEs investing in DPDPA compliance—such as appointing a Data Protection Officer or designated contact person (a DPO is mandatory only for Significant Data Fiduciaries), undergoing audits, or buying privacy-enhancing technologies—to encourage voluntary adoption.
6. Phased Implementation: Grace Periods for Adoption
Allow longer grace periods (e.g., 12–18 months) for SMEs to achieve compliance, with leniency for first-time violations if good faith efforts are shown. Focus enforcement first on high-risk entities.
Conclusion
The DPDPA is a progressive step, but its implementation must be inclusive. A scalable, proportional approach to compliance can ensure India’s SMEs remain competitive while respecting citizen privacy. If not addressed, the law risks becoming a barrier to digital transformation rather than a pillar of digital trust.