Data Protection Demystified
- Rhea Verma
- May 6
- 4 min read
A Real-World Guide for IT & ITES Teams in India

You’ve probably skimmed a DPDP explainer. Maybe even copied a privacy policy off a competitor’s site (no judgment). But here’s the thing: if your business handles personal data — even basic stuff like names or emails — you’re on the hook now.
The Digital Personal Data Protection (DPDP) Act is officially live. It covers most IT and ITES companies in India — even the small ones. The penalties? Real. And global clients are asking about your privacy posture before they sign the dotted line.
This isn’t about panic. It’s about not getting blindsided.
So… Who Does the DPDP Act Actually Apply To?
The law applies to:
Any Indian company processing personal data (online or offline)
Foreign businesses processing Indian users' data in connection with offering goods or services in India
Vendors and subcontractors who process data on behalf of those companies
There are some carve-outs:
Personal/domestic use (like storing family contacts on your phone) is exempt
Certain government uses are excluded under specific clauses
If you’re collecting data from users, leads, customers, or employees — you’re within scope.
1. Start With: What Data Are You Collecting?
Not in theory — in practice.
Go through your app, website, CRM, lead forms, HR records — everything. What are you collecting? Why? Where does it go?
● List the personal info: email, phone, IP, device, location, etc.
● Track where it’s stored — internal tools, cloud vendors, spreadsheets?
● Ask: do we really need this? If not, stop collecting it.
⚠️ Most companies collect way more than they actually use. That’s where half the risk starts.
2. Fix Your Privacy Policy (Seriously)
If you pulled it from a template — odds are, it doesn’t align with DPDP.
Here’s what it needs to cover:
● What data you collect
● What you use it for
● Who you share it with
● How users can revoke consent or ask for deletion
Make it readable. Clear. Real. Skip the “we care about your privacy” fluff — and make it something your users (and clients) can actually trust.
3. Consent Isn’t a Checkbox Anymore
This is where things are getting tighter.
Under DPDP:
Consent has to come before data is collected or used
It must be purpose-specific — not broad or bundled
Withdrawal should be as easy as giving it — not buried in a settings menu
No more vague catch-all lines like “By using this site you agree to everything we do.” That won’t cut it.
Track when consent is taken. Store it. Respect it.
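The three requirements above (consent before use, consent per purpose rather than bundled, withdrawal as easy as granting) map directly onto how a consent record should be stored. The following is an added illustration, not code from this article or from Lex Certitude: a small append-only consent ledger in Python. The user ids, purpose names and form names are constructed sample values; the point it shows is that a check for one purpose never satisfies another, that a withdrawal stops processing from that moment on while the historical record survives for audits and access requests, and that processing is refused rather than silently allowed when no consent is on file.

```python
"""Purpose-specific consent ledger: timestamped grants, withdrawals, and a gate check."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    user_id: str
    purpose: str                 # one record per purpose, so nothing is bundled
    granted_at: datetime         # UTC time the user gave consent
    source: str                  # where it was captured, e.g. a form name
    withdrawn_at: Optional[datetime] = None


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    """Append-only: records are withdrawn, never deleted, so history is auditable."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, user_id: str, purpose: str, source: str,
              at: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(user_id, purpose, at or _now(), source)
        self._records.append(rec)
        return rec

    def withdraw(self, user_id: str, purpose: str,
                 at: Optional[datetime] = None) -> bool:
        """Close every active grant for this user and purpose; True if any was open."""
        when = at or _now()
        closed = False
        for rec in self._records:
            if (rec.user_id == user_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = when
                closed = True
        return closed

    def is_permitted(self, user_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """True only if a grant for exactly this purpose was active at time `at`."""
        when = at or _now()
        return any(
            rec.user_id == user_id and rec.purpose == purpose
            and rec.granted_at <= when
            and (rec.withdrawn_at is None or rec.withdrawn_at > when)
            for rec in self._records
        )

    def history(self, user_id: str) -> list[dict]:
        """Everything recorded for a user, for access requests and audits."""
        return [
            {"purpose": r.purpose, "source": r.source,
             "granted_at": r.granted_at.isoformat(),
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records if r.user_id == user_id
        ]


def process(ledger: ConsentLedger, user_id: str, purpose: str) -> str:
    """Gate a processing step on consent; refuse explicitly instead of failing silently."""
    if not ledger.is_permitted(user_id, purpose):
        return f"refused: no active consent from {user_id} for '{purpose}'"
    return f"processed {user_id} for '{purpose}'"


def demo() -> dict:
    # Constructed sample: 'u-1001' is a hypothetical lead captured on a signup form.
    ledger = ConsentLedger()
    t_grant = datetime(2025, 5, 1, 9, 0, tzinfo=timezone.utc)
    t_withdraw = t_grant + timedelta(days=3)
    ledger.grant("u-1001", "service_emails", "signup_form", at=t_grant)
    ledger.grant("u-1001", "marketing_emails", "signup_form", at=t_grant)

    results = {
        # use before consent was given is never permitted
        "marketing_before_grant": ledger.is_permitted(
            "u-1001", "marketing_emails", at=t_grant - timedelta(minutes=1)),
        "marketing_before_withdrawal": ledger.is_permitted("u-1001", "marketing_emails"),
        # a grant for one purpose does not cover another
        "analytics_never_granted": ledger.is_permitted("u-1001", "analytics"),
    }
    ledger.withdraw("u-1001", "marketing_emails", at=t_withdraw)
    results["marketing_after_withdrawal"] = ledger.is_permitted("u-1001", "marketing_emails")
    # historic check: processing done while the grant was active was lawful
    results["marketing_at_time_of_grant"] = ledger.is_permitted(
        "u-1001", "marketing_emails", at=t_grant)
    results["service_still_permitted"] = ledger.is_permitted("u-1001", "service_emails")
    results["refusal"] = process(ledger, "u-1001", "marketing_emails")
    results["history"] = ledger.history("u-1001")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `at` parameter is what makes the ledger useful beyond a live check: when a user asks what you did with their data, or an auditor asks whether a campaign sent last month was covered, you can answer from the same records instead of reconstructing it.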
4. Appoint Someone Who Actually Cares About This Stuff
You might need to formally designate a Data Protection Officer (DPO) if you're dealing with large volumes of sensitive data.
Even if it's not required, you still need a clear point person for:
● Tracking what’s being collected and why
● Reviewing contracts and policies
● Handling user complaints or requests
● Managing incident response if a breach happens
This isn’t a “side task.” It needs ownership.
5. You Need a Way for People to Complain
Yes, really. DPDP gives users the right to:
● Ask what data you have on them
● Request deletion or correction
● Escalate a complaint if they’re ignored
You’ve got 7 days to respond once they raise an issue.
Don’t just stick a dummy email in your Privacy Policy. Make sure someone checks it — and knows what to do.
6. If There’s a Breach, You Have to Speak Up
DPDP makes breach notification mandatory — both to the government and to users, in some cases.
You don’t need a 30-page playbook. But you do need a plan:
● Who handles it
● What gets reported
● Who gets notified — and how fast
Think of it like fire safety. You hope you never need it. But when it hits, you're glad it's in place.
7. Clean Up Vendor Contracts
Your compliance risk includes every SaaS tool, outsourced dev team, and cloud vendor you work with.
Check their terms:
● Do they comply with DPDP (or an equivalent standard)?
● Where’s the data stored?
● Who has access — and what happens if they mess up?
If they’re touching your data, you’re still responsible.
Bonus: Serving EU Clients? You Still Need GDPR Compliance
DPDP doesn’t replace GDPR.
If you’re working with clients or users in Europe, you need to comply with both frameworks — especially around consent, cross-border transfers, and user rights.
There’s some overlap, but don’t assume one covers the other.
Quick Reality Check
Here’s your startup’s DPDP checklist. If you can’t check most of these, it’s time to fix that.
Know what personal data you collect (and why)
Updated, DPDP-aligned Privacy Policy
Consent process that’s clear, legal, and logged
One person owns data protection internally
Grievance handling system is in place
Breach reporting plan ready
Vendor contracts reviewed and updated
GDPR compliance sorted (if applicable)
Final Word: Don’t Wait Until It’s a Problem
Compliance isn’t just a legal checkbox anymore — it’s a growth factor. Your clients and users want to trust you.
Your investors expect your house to be in order.
The DPDP Act isn’t just for big companies or security teams. It’s now part of how tech businesses in India operate.
At Lex Certitude, we help startups and service businesses build simple, enforceable compliance systems that scale with them — not slow them down.
Legal Disclaimer
This article outlines general principles under the Digital Personal Data Protection (DPDP) Act and is intended for awareness and educational use. It is not a substitute for tailored legal advice.
Applicability of the law may vary based on specific facts, industry context, and future regulatory updates.
Reading this article or downloading any related materials does not create a lawyer-client relationship with Lex Certitude.
For case-specific guidance, we encourage you to consult our team directly.