India's data-protection regime moved from law to reality in November 2025, when the Government notified the Digital Personal Data Protection (DPDP) Rules, 2025. These rules put the DPDP Act, 2023 into practice and apply to almost any business that collects customer data. The rollout is phased, which gives you time to prepare, but the direction is clear.
What the law covers
The DPDP framework governs how organisations collect, store, use, secure and delete the personal data of individuals. If you keep customer names, phone numbers, email addresses, KYC documents or any other personal information, you are a “data fiduciary” with obligations toward the people whose data you hold.
Your core obligations
- Consent and notice: collect data only for a clear purpose, with a plain-language notice and genuine consent that can be withdrawn.
- Purpose limitation: use the data only for what you collected it for.
- Security safeguards: protect the data with reasonable technical and organisational measures.
- Breach notification: report a personal-data breach to the Data Protection Board and affected individuals.
- Retention and deletion: keep data only as long as needed, then delete it.
Why MSMEs should not ignore it
It is tempting to assume data-protection law is only for large tech companies. It is not. The obligations apply broadly, penalties for serious lapses can be significant, and customers increasingly expect their data to be handled responsibly. Getting the basics right early is far cheaper than fixing a breach later.
How we can help
We help businesses map what personal data they hold, tighten consent and retention practices, and put a simple, workable compliance routine in place. You do not need an enterprise-grade programme to start; a clear, documented approach that matches your size and risk is enough.
This article is general information, not legal advice. The DPDP Rules are being rolled out in phases; confirm the timeline and specifics for your business before acting.