What Is the DPDPA and Why Does It Matter Now
India's Digital Personal Data Protection Act (DPDPA) received assent in August 2023, and its implementation is being rolled out through 2025–2026 via rules notified by the central government. It is India's first comprehensive data protection law, inspired by the GDPR but with distinctly Indian characteristics. Its reach is wider than the name suggests: it covers digital personal data processed in India and also processing outside India connected with offering goods or services to people in India, so hosting your stack abroad does not take you out of scope. If you're building any SaaS that collects data from Indian users, you need to understand what it requires.
The good news: the compliance burden for early-stage startups is manageable. The bad news: ignoring it entirely is no longer an option, especially as enterprise customers and investors start asking about DPDPA compliance.
Key Concepts
What counts as "personal data"
The Act defines personal data as any data about an individual who is identifiable by or in relation to that data, directly or indirectly. In practice that covers name, email, phone number, IP address, location data, device identifiers, biometrics and inferred attributes (for example, a profile your product derives from usage). Most SaaS products collect several of these, and analytics and logging pipelines often collect more than the product team realises.
Data Fiduciary vs Data Processor
If your SaaS collects data from end users and determines why and how it's processed, you're a Data Fiduciary. Most SaaS products are Data Fiduciaries. If you process data on behalf of another company (like a backend or hosting provider), you're a Data Processor. The DPDPA places the obligations on Fiduciaries, and a Fiduciary stays responsible for compliance even where it outsources processing to a Processor, so put a written contract in place with every vendor that touches personal data.
Significant Data Fiduciaries (SDF)
Companies handling data at a volume or sensitivity the central government considers high-risk may be designated as SDFs by notification. SDFs face additional obligations: appointing a Data Protection Officer based in India, appointing an independent data auditor, periodic data protection impact assessments and audits, and potentially restrictions on transferring certain categories of data outside India (proposed in the draft rules rather than written into the Act itself). Most early-stage SaaS products won't qualify initially, but it's worth monitoring as you grow.
What the DPDPA Requires (Practical Summary)
1. Consent
You must obtain free, specific, informed, unconditional and unambiguous consent, signalled by a clear affirmative action, before processing personal data, unless one of the Act's narrow "legitimate uses" applies (such as data the user volunteers for a stated purpose, or processing required by law). The consent request must be accompanied by a notice stating what data you collect, why, and how the user can withdraw consent or lodge a complaint. For a SaaS product, this means:
- Your signup flow must clearly explain what data you collect and why
- Pre-ticked checkboxes are not valid consent
- Users must be able to withdraw consent as easily as they gave it
- Consent for one purpose (e.g., account creation) doesn't automatically cover other purposes (e.g., marketing)
2. Purpose Limitation
Collect only what you need for the stated purpose. Retaining data "just in case" is not compliant. Build a data minimization principle into your product from day 1 — it's easier than retrofitting it.
3. Data Accuracy
Take reasonable steps to ensure personal data is accurate, complete and up to date, especially where it is used to make decisions affecting the user or is shared with another Data Fiduciary. For most SaaS products, letting users view and edit their profile data satisfies this.
4. Storage Limitation
Don't retain personal data longer than the purpose requires: once the purpose is served or consent is withdrawn, erase it (and have your processors erase it) unless another law requires you to keep it, such as tax rules for invoices. Define your data retention policy explicitly. A workable default for most SaaS products is to retain account data for the duration of the subscription plus 30–90 days post-cancellation, then delete or anonymize it, including the copies in backups, search indexes and analytics stores.
5. Security
Implement reasonable security safeguards to prevent a personal data breach; this is the obligation that carries the highest penalty tier. The Act doesn't mandate specific technical standards, but the draft rules point to encryption or masking, access control, logging and monitoring of access, and backups for continuity. Encryption at rest and in transit, least-privilege access to production data, and tamper-evident audit logging are reasonable baselines, and the same requirements should flow down to your processors by contract.
6. Data Breach Notification
You must notify the Data Protection Board of India and each affected user of a personal data breach in the form and within the timeline prescribed by the rules; the draft rules call for prompt notice to affected users and a detailed report to the Board within 72 hours of becoming aware. "Breach" is defined broadly and includes loss of access to data (for example, a ransomware incident), not only exfiltration. Build a breach response plan even if you're early stage: who decides, what gets logged, and how you reach users.
7. User Rights
Indian users (Data Principals) have the right to: access a summary of their data and of whom it has been shared with, correct or update inaccurate data, erasure unless retention is required by law, grievance redressal through you before they escalate to the Board, and nomination of someone to exercise these rights on their behalf. Build user-facing tools for these or have a process for manual handling within the response times your privacy policy commits to.
Practical Compliance Steps for a SaaS Startup
- Audit what data you collect — Map every piece of personal data you collect, where it's stored, how long you keep it, and who has access.
- Update your privacy policy — It must explain your data collection, purpose, retention periods, and user rights in plain language. Use free templates but customize them to match your actual practices.
- Add a consent banner for analytics and tracking — The Act has no cookie-specific rule, but analytics cookies and tracking pixels collect identifiers (IP address, device IDs) that are personal data, so they need consent or a legitimate use. A banner with no pre-ticked options, where declining is as easy as accepting and nothing non-essential loads until the user accepts, satisfies the consent requirement.
- Create a data deletion process — When a user asks to delete their account, know exactly what data gets deleted and when.
- Designate a Data Protection Officer (DPO) — Appointing a DPO is mandatory only for Significant Data Fiduciaries, but every Data Fiduciary must publish the contact details of a DPO or of a person who can answer users' questions about their data. For an early-stage startup the founder can fill that role, provided the contact is published and actually monitored.
- Document your compliance — Keep records of your consent processes, data mapping, and any data processing agreements with third parties.
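The consent, retention and deletion steps above reduce to a small amount of state that products often bolt on badly. The following is an added illustration written for this article, not code from any DPDPA compliance library or from the rules themselves: a per-purpose consent ledger that refuses silent or pre-ticked consent, treats withdrawal as a single call, never lets consent for one purpose cover another, answers an access request, and runs a retention sweep that erases accounts after a post-cancellation grace period. The class and function names, the two purposes, the 30-day grace period and the sample account in demo() are all assumptions chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Purpose(Enum):
    # Each purpose gets its own consent; none implies another (assumed set).
    ACCOUNT = "account"      # needed to provide the service itself
    MARKETING = "marketing"  # optional, asked for separately


@dataclass
class ConsentRecord:
    purpose: Purpose
    given_at: datetime
    notice_version: str                  # which privacy notice the user saw
    withdrawn_at: datetime | None = None


@dataclass
class Account:
    user_id: str
    email: str
    cancelled_at: datetime | None = None
    consents: list[ConsentRecord] = field(default_factory=list)


class ConsentLedger:
    """In-memory stand-in for a consent table (hypothetical; a real system persists it)."""

    def __init__(self, grace: timedelta = timedelta(days=30)) -> None:
        self._accounts: dict[str, Account] = {}
        self.grace = grace                      # assumed post-cancellation window
        self.erasure_log: list[datetime] = []   # timestamps only, no identifiers

    def register(self, user_id: str, email: str, *, affirmative_action: bool,
                 notice_version: str, now: datetime) -> None:
        # Silence or a pre-ticked box is not consent: demand an explicit action.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        acct = Account(user_id, email)
        acct.consents.append(ConsentRecord(Purpose.ACCOUNT, now, notice_version))
        self._accounts[user_id] = acct

    def grant(self, user_id: str, purpose: Purpose, notice_version: str, now: datetime) -> None:
        self._accounts[user_id].consents.append(ConsentRecord(purpose, now, notice_version))

    def withdraw(self, user_id: str, purpose: Purpose, now: datetime) -> None:
        # One call, as easy as granting. Records are kept, so the history shows
        # when consent was given and when it was withdrawn.
        for rec in self._accounts[user_id].consents:
            if rec.purpose is purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now

    def may_process(self, user_id: str, purpose: Purpose) -> bool:
        """Gate every use of personal data on live consent for *that* purpose."""
        acct = self._accounts.get(user_id)
        return acct is not None and any(
            r.purpose is purpose and r.withdrawn_at is None for r in acct.consents)

    def export(self, user_id: str) -> dict:
        """Right of access: what is held and on what basis."""
        acct = self._accounts[user_id]
        return {"email": acct.email, "consents": [
            {"purpose": r.purpose.value, "given_at": r.given_at.isoformat(),
             "notice_version": r.notice_version,
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in acct.consents]}

    def cancel(self, user_id: str, now: datetime) -> None:
        self._accounts[user_id].cancelled_at = now

    def retention_sweep(self, now: datetime) -> list[str]:
        """Erase accounts past the grace window; return IDs so deletion can be cascaded."""
        expired = [uid for uid, a in self._accounts.items()
                   if a.cancelled_at is not None and now - a.cancelled_at > self.grace]
        for uid in expired:
            del self._accounts[uid]
            self.erasure_log.append(now)   # evidence of erasure, without the data
        return expired


def demo() -> dict:
    """Walk one constructed sample account through consent, withdrawal and erasure."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    ledger = ConsentLedger()
    ledger.register("u1", "user@example.com", affirmative_action=True, notice_version="v1", now=t0)
    out = {"marketing_unasked": ledger.may_process("u1", Purpose.MARKETING)}   # False
    ledger.grant("u1", Purpose.MARKETING, "v1", t0)
    ledger.withdraw("u1", Purpose.MARKETING, t0 + timedelta(days=1))
    out["marketing_withdrawn"] = ledger.may_process("u1", Purpose.MARKETING)  # False
    out["account_live"] = ledger.may_process("u1", Purpose.ACCOUNT)           # True
    out["export_purposes"] = [c["purpose"] for c in ledger.export("u1")["consents"]]
    ledger.cancel("u1", t0 + timedelta(days=10))
    out["swept_in_grace"] = ledger.retention_sweep(t0 + timedelta(days=20))     # []
    out["swept_after_grace"] = ledger.retention_sweep(t0 + timedelta(days=41))  # ["u1"]
    try:
        ledger.register("u2", "x@example.com", affirmative_action=False, notice_version="v1", now=t0)
    except ValueError:
        out["silent_consent_rejected"] = True
    return out
```

In production the ledger would be a database table, and the list returned by retention_sweep would drive cascading deletion in backups, search indexes and each processor. The erasure_log keeps a timestamp and nothing else, which is the kind of record that documents compliance without re-creating the data you just erased.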
Penalties
The DPDPA penalties are tiered by violation and can reach ₹250 crore for failing to take reasonable security safeguards, with ₹200 crore for failing to notify a breach and lower caps for other obligations. For a startup that ignores basic compliance and then suffers a data breach, the financial and reputational consequences are severe. The practical enforcement risk for most early-stage products is low today: the Data Protection Board is still being set up and enforcement will start with larger companies. But building compliant habits now is far cheaper than retrofitting compliance after a breach.
The DPDPA is new enough that interpretation and enforcement are still evolving. Following it in good faith — genuine consent, purpose limitation, user rights — is the right approach even before every detail of the rules is settled.