Why I wrote a book about a law most founders still haven’t read
Every week, I speak with startup founders and SME owners, smart people running real businesses. Almost all have heard of the DPDP Act by now. But when I ask what steps they’ve taken to comply, the honest answer is usually:
Nothing yet.
It’s not about laziness.
The real problem is that most information about this law is written for lawyers, not founders. Long government notices, dense legal jargon, and articles full of phrases like “data principal rights vis-à-vis fiduciary obligations” don’t really help you put anything into practice.
That gap between legal theory and business execution is exactly why I wrote this book.
I come at this from a different angle. After 18 years of building and managing IT systems, I now practise cyber law and data protection. That mix made one thing very clear to me:
Most founders understand technology risk.
Very few understand data liability risk.
Before we dive into the details, it’s important to outline what matters most.
What the DPDP Act 2023 actually requires (DPDP compliance basics for Indian businesses)
The Digital Personal Data Protection Act, 2023, is India’s first comprehensive data privacy law. It was passed by Parliament in August 2023 and governs how any Indian business collects, stores, uses, and shares personal data of Indian citizens processed digitally.
The law applies to you if your business collects, processes, or stores personal data digitally, including names, phone numbers, email addresses, purchase history, health information, location data, and more.
That description covers nearly every business operating online in India today.
The Act gives individuals, called Data Principals, control over their personal data. They have the right to know:
• What personal data you hold
• The purpose of processing
• With whom it is shared
They can also request correction of inaccurate data and, in many cases, deletion of their data.
Your business must respond to these requests within a reasonable time. Ignoring them is no longer an option.
Who exactly is a Data Fiduciary under the DPDP Act?
If your business decides why and how personal data is collected, stored, or used, you are a Data Fiduciary under the DPDP Act. This is the main role the law focuses on.
As a Data Fiduciary, you must:
• Collect only the personal data necessary for a lawful purpose
• Inform users clearly what you collect and why
• Disclose sharing practices and retention timelines
• Delete personal data once the purpose is fulfilled (unless legally required to retain it)
• Appoint a Grievance Officer and publish contact details
• Implement reasonable security safeguards
There is also a category called Significant Data Fiduciary for businesses handling large amounts of sensitive data. The government will notify which entities fall into this group based on risk and volume.
For most SMEs and startups today, standard Data Fiduciary obligations will apply.
The November 2025 DPDP Rules: what changed for businesses
The DPDP Rules 2025 were notified in November 2025 after public consultation in 2024. These rules clarify operational aspects that the 2023 Act left open, including:
• Structure of consent notices
• Safeguards for children’s data
• Functioning of the Data Protection Board
• Cross-border data transfer conditions
Enforcement is being rolled out in phases. The Data Protection Board is being established, and Significant Data Fiduciary notifications are expected.
Penalties under the Act can go up to ₹250 crore per instance for serious violations, depending on the nature of non-compliance.
The phased rollout is no reason to delay getting ready.
Businesses that start building compliant systems now will find it easier to meet requirements. Waiting usually means gaps show up only after regulators spot them.
Three DPDP compliance actions every business should start this month
1. Map the personal data you actually collect
Create a simple inventory of personal data across:
• Website forms
• WhatsApp communications
• CRM systems
• Payment platforms
• Employee records
• Marketing databases
You can’t protect what you don’t know you have.
2. Update your consent notices
Under DPDP, consent must be:
• Free
• Specific
• Informed
• Unambiguous
Generic statements like “by using this site, you agree” probably won’t be enough.
Make sure your website, forms, and applications clearly state:
• What data you collect
• Why you collect it
• How users can withdraw consent
This is one of the most common compliance gaps I see right now.
3. Set up a data deletion process
When a customer asks for deletion, your business must be able to:
• Verify identity
• Locate their data
• Delete or anonymise it
• Confirm completion
This needs a prepared process, not a last-minute reaction.
Set up this workflow before you get your first request.
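Steps 1 and 3 above, as an added example that is not from the book or this post: a constructed personal-data inventory across the kinds of systems listed in step 1, and a deletion-request handler that verifies identity, locates the Data Principal's records, erases them or anonymises the ones a legal retention duty requires you to keep, and returns a confirmation record. The one-time token check, the system names, the field names and the dates are assumptions made for the illustration.

```python
import copy
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

IDENTIFYING_FIELDS = ("name", "email", "phone")  # assumed set of directly identifying fields

@dataclass
class Record:
    system: str                               # which system holds the data (step 1 inventory)
    fields: dict                              # the personal data held there
    legal_hold_until: Optional[date] = None   # statutory retention end; None means safe to erase

# Constructed inventory keyed by an internal Data Principal id (illustrative values only).
INVENTORY: Dict[str, List[Record]] = {
    "dp-1001": [
        Record("website_form", {"name": "A. Sharma", "email": "a@example.test"}),
        Record("crm", {"phone": "+91-99999-00000"}),
        Record("payments", {"email": "a@example.test", "invoice": "INV-77", "amount": 1200},
               legal_hold_until=date(2032, 3, 31)),  # assumed tax-record retention duty
    ]
}
ISSUED_TOKENS = {"dp-1001": "otp-482913"}  # constructed one-time tokens sent to the registered contact

def verify_identity(principal_id: str, token: str, issued: Dict[str, str]) -> bool:
    """Assumed identity check: the principal must present the token we sent to their registered contact."""
    return issued.get(principal_id) == token

def anonymise(rec: Record) -> Record:
    """Keep the record the law obliges us to retain, but strip the directly identifying fields."""
    kept = {k: ("[REDACTED]" if k in IDENTIFYING_FIELDS else v) for k, v in rec.fields.items()}
    return Record(rec.system, kept, rec.legal_hold_until)

def handle_deletion_request(principal_id: str, token: str, inventory: Dict[str, List[Record]],
                            issued: Dict[str, str], today: date) -> dict:
    """Verify -> locate -> delete or anonymise -> confirm, and return the confirmation record."""
    if not verify_identity(principal_id, token, issued):
        return {"status": "rejected", "reason": "identity not verified"}
    deleted, anonymised, remaining = [], [], []
    for rec in inventory.get(principal_id, []):              # locate every system holding their data
        if rec.legal_hold_until and rec.legal_hold_until > today:
            remaining.append(anonymise(rec)); anonymised.append(rec.system)
        else:
            deleted.append(rec.system)                        # nothing retained for this system
    inventory[principal_id] = remaining
    return {"status": "completed", "principal": principal_id, "date": today.isoformat(),
            "deleted": deleted, "anonymised": anonymised}

def demo(today: date = date(2026, 1, 15)) -> tuple:
    inv = copy.deepcopy(INVENTORY)                            # keep the sample inventory untouched
    rejected = handle_deletion_request("dp-1001", "wrong-token", inv, ISSUED_TOKENS, today)
    confirmed = handle_deletion_request("dp-1001", "otp-482913", inv, ISSUED_TOKENS, today)
    return rejected, confirmed, inv

if __name__ == "__main__":
    print(demo()[1])
```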
The plain-language DPDP guide founders have been asking for
I’ve spent the past year turning the DPDP Act 2023 and the DPDP Rules 2025 into something a founder in Gurugram or any Indian city can actually use, without needing a legal background.
The result is a practical 10-chapter guide:
DPDP Compliance for Indian Businesses
A Practical Guide for SMEs, Startups, and Founders
The book covers:
• Every core DPDP obligation explained simply
• Real-world compliance examples
• Sector checklists for fintech, healthcare, e-commerce, and EdTech
• Practical compliance workflows
• Template language for privacy notices and consent flows
This book comes straight from real founder questions I get in my practice, the kind of questions founders usually ask only after they realize compliance gaps exist.
Who this book is for
This book is especially useful if you are:
• A startup founder
• An SME owner
• A SaaS builder
• A compliance professional
• A tech leader handling customer data
• Anyone building products involving Indian user data
If data is part of your business, DPDP is now part of your operations.
Where to get the book
The book is available on Amazon.
If your business handles personal data of Indian customers, and that includes most modern businesses, now is the right time to understand what compliance really requires.
Start early and make DPDP a process improvement advantage.
Starting late often means dealing with damage control.
Most founders will learn DPDP in one of two ways:
Preparation.
Or enforcement.
Choose wisely: prepare now, or respond during enforcement.
