DPDP applies to you even if you're a small business or startup
There is no blanket small-business or startup exemption in the DPDP Act. If you decide how and why personal data is processed, you're a 'data fiduciary' regardless of your size or revenue.
What the law says
The DPDP Act, 2023 (Act No. 22 of 2023, assented 11 August 2023) defines a data fiduciary (s.2(j)) as anyone who, alone or with others, determines the purpose and means of processing personal data. There is no size, turnover, or revenue qualifier in that definition.
The only size-related relief — section 17(3) — lets the government notify certain classes (which may include some DPIIT-recognised startups) for lighter obligations. It is discretionary and depends on a government notification; it is not an automatic exemption.
Why it matters
A common myth is "compliance laws are for big companies." For DPDP, that's wrong. A two-person SaaS, a D2C store, a clinic, a coaching centre — if you hold customers' personal data, the core obligations reach you.
What this means for you
Assume the Act applies to you unless and until a government notification clearly says a lighter regime covers your business. Plan for consent, notice, security and deletion like everyone else.
What to do now
Don't assume you're exempt. Treat the core DPDP obligations as applying to you; the section 17(3) relief is discretionary and needs a government notification.
- you're a small business, solo founder or startup
- you assumed data-protection law doesn't apply at your size
- you're a DPIIT-recognised startup
DPDP Act, 2023 (India Code) · DPDP Act 2023, s.2(j) & s.17(3)
General information, not legal advice. Verify against the cited primary source and confirm specifics with a qualified advisor before acting.