India's DPDP Act in 2026: a plain-English guide for small businesses

India now has its first dedicated data-privacy law, the Digital Personal Data Protection Act, and in 2026 it stopped being theoretical. The DPDP Rules were notified in November 2025, and the obligations are phasing in through 2027. If you collect any personal data from people in India, this applies to you.
Does it apply to a small business?
Yes. The Act does not scale penalties by company size. Whether you are a solo freelancer, a shop or a SaaS startup, the same rules and the same penalty structure apply if you process the digital personal data of people in India.
The timeline that matters
The Rules were notified on 13 November 2025. Provisions for consent managers are set to take effect around November 2026, and the main substantive obligations by May 2027. That gives smaller businesses a real window to get ready rather than scramble.
Seven things you will need to do
In plain terms, compliance comes down to: get clear consent, give a clear privacy notice, keep data secure, report breaches, do not keep data longer than needed, keep it accurate, and honour deletion requests. Collecting less data in the first place makes every one of these easier.
The quiet advantage of tools that do not collect data
The simplest way to reduce DPDP risk is to handle less personal data. Tools that run in the browser and never upload your files mean there is no stored copy to secure, breach or delete. That is the model BeginThings is built on.
Collect less, worry less
BeginThings tools process files in your browser, so nothing is stored. See the free tools →
This article is general information, not legal advice. For your specific obligations, consult a qualified professional.
Frequently asked questions
Does DPDP apply to a one-person business?
Yes. The DPDP Act applies to any organisation that processes the personal data of people in India, regardless of size, and penalties are not reduced for small businesses.
When are the DPDP deadlines?
The Rules were notified in November 2025. Consent-manager provisions are expected around November 2026 and the main obligations by May 2027.
What are the penalties?
Penalties for non-compliance can range from around fifty crore to two hundred and fifty crore rupees per violation, with no discount for small businesses.