Q3 - Do small businesses and start-ups also need to comply, or only big companies?

Answer

The Digital Personal Data Protection Act, 2023 (DPDPA) applies to all organizations — large corporations, small businesses, and start-ups — that process personal data within India or offer goods and services to individuals in India.

However, the Act gives the Central Government the power to exempt certain small businesses and start-ups from some of its more stringent provisions to avoid creating unnecessary compliance burdens.


1. General Rule — Applicability to All

Every entity that collects, stores, or processes personal data of individuals (called Data Principals) is considered a Data Fiduciary under the DPDPA. This includes:

  • Small enterprises and start-ups;
  • NGOs and educational institutions;
  • Multinational and large organizations.

So, even a small firm processing limited customer or employee data must follow core obligations such as lawful processing, security safeguards, and grievance handling.


2. Possible Exemptions for Start-ups and MSMEs

Under Section 17(3) of the DPDPA:

“The Central Government may, having regard to the volume and nature of personal data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including start-ups, as Data Fiduciaries to whom the provisions of Section 5, sub-sections (3) and (7) of Section 8, and Sections 10 and 11 shall not apply.”

This means the Government can officially relax some obligations (like publishing detailed notices, performing audits, or appointing a Data Protection Officer) for smaller firms whose operations pose minimal privacy risks.


3. Definition of “Start-up”

The same section clarifies that:

A “start-up” means a private limited company, partnership firm, or LLP incorporated in India, recognized as a start-up by the department handling start-up affairs in the Central Government (currently, the Department for Promotion of Industry and Internal Trade – DPIIT).


4. What Small Entities Still Must Do

Even if exempted from advanced requirements, small businesses must still:

  • Obtain valid and informed consent before processing personal data.
  • Protect data through reasonable security safeguards.
  • Report data breaches to the Data Protection Board of India.
  • Erase data once the purpose of collection is fulfilled or consent is withdrawn.

Key Insight

Every organization that processes personal data falls within the DPDPA’s scope, but the level of compliance is proportional to the scale and sensitivity of data processing. Start-ups and small businesses may receive official relaxations from some complex duties — but not from core principles of privacy and security.


Referenced Provision:

  • Section 17(3) – Power of Central Government to exempt certain classes of Data Fiduciaries, including start-ups, from specific obligations.
  • Explanation to Section 17(3) – Defines what qualifies as a “start-up.”