India's Digital Personal Data Protection Act isn't a future problem. The enforcement clock starts in May 2027, and small businesses have one year to get compliant — or face penalties up to ₹250 crore.
The 12-Month Clock Every Indian SME Owner Should Know About
If your business handles customer data (names, phone numbers, Aadhaar copies, payment info, browsing history), the law is about to hold it accountable for protecting that data. If you trade as a proprietorship, that means you personally.
The Digital Personal Data Protection Act, 2023 (DPDP Act) is already law. The DPDP Rules 2025 were notified on November 13, 2025, and the substantive obligations on businesses take effect 18 months later, on May 13, 2027. From that date the penalties in the Act's Schedule apply: up to ₹250 crore per instance for failing to take reasonable security safeguards.
For India's 63 million small and medium businesses, this is the biggest compliance shift since GST. Except GST came with a year of soft rollout. DPDP gives you a hard cliff.
Here's the playbook to get your business ready in 12 months — without breaking the bank or hiring a chief security officer.
The Threat Landscape That Makes DPDP Urgent
DPDP isn't just paperwork. The reason it's getting teeth is that attacks on Indian SMEs have exploded.
The recent numbers tell the story:
- 41% of small businesses reported ransomware incidents in 2026, up from 37% in 2025 (sqmagazine.co.uk)
- 88% of small/midsize business breaches in 2025 involved ransomware
- Average ransom demand: $102,000 — often more than the SME's annual profit
- Average loss per breach: $254,000 (Total Assure, May 2026)
- 43% of all cyberattacks target small businesses; only 14% are prepared (Accenture)
- 91.8 million malware detections in India in 2026 (Seqrite India Cyber Threat Report 2026)
- 44% of Indian ransomware victims paid the ransom (Sophos)
Most SME owners think "I'm too small to be a target." That's exactly the mindset attackers exploit. You don't have a security team, your staff reuses passwords, and your backup is on the same laptop that just got encrypted.
A breach doesn't just cost you money. Under DPDP the Data Fiduciary carries the liability, and the Data Fiduciary is your business, or you personally if it is a proprietorship. That liability is now codified in law.
What DPDP Actually Requires From You
You don't need to become a security expert. You need to do six specific things the law will check for.
1. Lawful Collection With Clear Consent
You can only collect personal data for a specific, stated purpose. That "we collect your data to improve our services" blanket clause you copied from a template? Not compliant.
You need:
- A clear notice of what data you're collecting and why
- Explicit, informed consent (pre-ticked boxes don't count)
- The ability to withdraw consent as easily as it was given
2. Data Minimization
Stop collecting data you don't need. If your billing form asks for date of birth, family income, and Aadhaar number to sell a ₹500 service, you're a compliance failure waiting to happen.
3. Storage and Purpose Limitation
Personal data should be deleted when the purpose is fulfilled. If a customer unsubscribes, their data shouldn't sit in your CRM for three more years "just in case."
4. Breach Notification: Without Delay, Full Report Within 72 Hours
If you suffer a personal data breach, Rule 7 of the DPDP Rules 2025 requires two things once you become aware of it: tell the Data Protection Board and every affected individual without delay (what happened, the likely consequences, what they can do to protect themselves, whom to contact), and send the Board the detailed report (facts and circumstances, cause, remedial measures, what you told the affected individuals) within 72 hours, or longer only if the Board grants an extension on a written request. There is no "only if the breach is likely to harm them" threshold: every affected Data Principal must be told.
5. "Reasonable Security Practices"
This is the catch-all obligation, and it's the one most SMEs will fail on. The Act doesn't name a certification standard, but Rule 6 of the DPDP Rules 2025 sets the floor: encryption, obfuscation, masking or tokenisation of personal data; access control; logs, monitoring and review so unauthorised access can be detected and investigated; backups so processing can continue after a compromise; retaining the relevant logs for at least one year; and contracts that bind your processors to the same safeguards. The frameworks that map cleanly onto that list:
- ISO/IEC 27001
- NIST Cybersecurity Framework
- CERT-In directions (already in force)
6. Data Principal Rights
Customers can ask you to:
- Provide a copy of all data you hold on them
- Correct inaccurate data
- Erase their data
- Withdraw consent
The Rules require you to publish how quickly you respond to grievances and cap that period at 90 days. Build the process so a request is acknowledged and actioned in days, not parked until the deadline.
The Penalty Range You Need to Know
The penalties are not theoretical. They're in the Schedule to the Act.
| Violation | Penalty |
|---|---|
| Failure to take reasonable security safeguards | Up to ₹250 crore |
| Failure to notify the Board and affected individuals of a breach | Up to ₹200 crore |
| Breach of the additional obligations for children's data | Up to ₹200 crore |
| Any other breach of the Act or Rules (including not honouring data principal requests) | Up to ₹50 crore |
For a small business doing ₹5 crore in annual revenue, a single penalty is existential.
The 12-Month Cybersecurity Playbook for Indian SMEs
Here's the month-by-month plan. If you start now (June 2026), you'll be DPDP-ready when enforcement begins on May 13, 2027.
Months 1-2: Audit and Risk Assessment
What to do:
- List every system that holds personal data (CRM, billing, HR, email, website forms, mobile app)
- Identify what data you collect, where it goes, who can access it
- Map your data flows — which vendors, which cloud providers, which countries
- Document your current security controls (even if the answer is "we have antivirus")
Deliverable: A one-page "Data Inventory and Risk Register" — not 200 pages, just one page that tells you where you're exposed.
Cost: ₹0 if you do it yourself. ₹15,000-50,000 if you hire a consultant.
Months 3-4: Identity and Access Controls
What to do:
- Enable multi-factor authentication (MFA) on every business account — email, banking, CRM, cloud, admin panels
- Implement role-based access — your billing clerk doesn't need access to customer Aadhaar scans
- Force password manager usage for all employees (Bitwarden Teams is ₹80/user/month)
- Revoke access immediately when employees leave
Quick win: this is the highest-impact change in the whole plan. Most breaches start with stolen, reused or weak credentials, and MFA breaks that chain even after a password has already leaked.
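An access review is the step most SMEs skip because nobody owns it. The script below is an added example, not from the original post: it joins an HR roster (who is still employed) against what your systems say is provisioned, and reports leavers to revoke, accounts with access beyond their role, missing MFA, and dormant admin accounts, most urgent first. The roster, accounts and role matrix are constructed sample data, and the matrix is an assumed policy; in practice the account list comes from your identity provider or each system's admin export.

```python
"""Added example (not from the original post): a quarterly access review that
joins the HR roster against the accounts actually provisioned in your systems
and reports what to revoke or fix first. All names, roles and systems are
constructed sample data; the role matrix is an assumed policy, not a standard."""
from datetime import date

# Least privilege: which customer-data systems each role legitimately needs.
ROLE_MATRIX = {
    "billing": {"invoicing", "crm_contacts"},
    "support": {"crm_contacts", "helpdesk"},
    "hr": {"hr_portal"},
    "it_admin": {"invoicing", "crm_contacts", "helpdesk", "hr_portal", "kyc_vault"},
}

# HR is the source of truth for who is still employed.
HR_ROSTER = {"asha": "active", "vikram": "left", "priya": "active", "rahul": "active"}

# What the systems themselves say is provisioned (export from your IdP/admin panels).
ACCOUNTS = [
    {"user": "asha", "role": "billing", "admin": False, "mfa": True,
     "systems": {"invoicing", "crm_contacts"}, "last_login": date(2026, 6, 1)},
    {"user": "vikram", "role": "support", "admin": False, "mfa": True,
     "systems": {"crm_contacts", "helpdesk"}, "last_login": date(2026, 5, 20)},
    {"user": "priya", "role": "billing", "admin": False, "mfa": False,
     "systems": {"invoicing", "crm_contacts", "kyc_vault"}, "last_login": date(2026, 6, 2)},
    {"user": "rahul", "role": "it_admin", "admin": True, "mfa": False,
     "systems": {"invoicing", "crm_contacts", "helpdesk", "hr_portal", "kyc_vault"},
     "last_login": date(2026, 3, 1)},
]

REVIEW_DATE = date(2026, 6, 15)  # the day this constructed review is run
SEVERITY = {"critical": 0, "high": 1, "medium": 2}


def review(accounts, roster, today, dormant_days=30):
    """Return (severity, user, action) findings, most urgent first."""
    findings = []
    for a in accounts:
        user = a["user"]
        if roster.get(user) != "active":
            findings.append(("critical", user, "revoke: not an active employee in HR roster"))
            continue  # nothing else matters once the account is disabled
        excess = a["systems"] - ROLE_MATRIX.get(a["role"], set())
        if excess:
            findings.append(("high", user,
                             f"remove access beyond role '{a['role']}': {sorted(excess)}"))
        if not a["mfa"]:
            # an admin without MFA is one phished password from total compromise
            findings.append(("critical" if a["admin"] else "high", user, "enable MFA"))
        if a["admin"] and (today - a["last_login"]).days > dormant_days:
            findings.append(("medium", user,
                             f"dormant admin account, last login {a['last_login']}"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


def run_review():
    """Run the review over the constructed sample data."""
    return review(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for sev, user, action in run_review():
        print(f"[{sev:8}] {user:8} {action}")
```

Run it at the end of every month and again the day anyone leaves; the "revoke" findings are the ones to action the same day. The `excess` check is where role-based access actually bites: priya's billing role has no reason to see the KYC vault, and the script finds that without anyone remembering to look.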
Months 5-6: Endpoint and Network Security
What to do:
- Deploy endpoint detection and response (EDR) — not just antivirus
- Enable full-disk encryption on all laptops and phones
- Set up a business VPN for remote work
- Configure automatic OS and software updates
- Restrict admin privileges — most staff should run as standard users
Recommended stack for Indian SMEs:
- Laptops: Microsoft Defender for Business (₹530/device/month) or Quick Heal Total Security
- Mobile: Microsoft Intune or Jamf for company phones
- Network: UniFi or TP-Link Omada business-grade access points
Months 7-8: Data Classification and Encryption
What to do:
- Classify data as Public, Internal, Confidential, Restricted
- Encrypt sensitive data at rest (database encryption) and in transit (TLS 1.3, HTTPS everywhere)
- Implement data loss prevention (DLP) for email and file sharing
- Set up automated data retention and deletion policies
- Get a Data Processing Agreement (DPA) signed with every vendor that touches customer data
Tools to consider:
- AWS KMS / Azure Key Vault for key management
- Virtru or Seclore for email encryption
- Standard contractual clauses in vendor contracts
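The retention and data-principal-rights items above are usually handled as manual tickets, which is how requests get lost and data outlives its purpose. The ledger below is an added example, not code from the original post: it shows the mechanics of an access export, consent withdrawal, erasure that respects a legal retention window (an invoice you must keep for tax), and an automatic sweep that deletes data once its window closes, with every action written to an audit log. It is in-memory with constructed data, and the retention periods are an assumed policy, not figures from the Act or the Rules.

```python
"""Added example (not from the original post): a minimal personal-data ledger
showing the mechanics behind data-principal requests and storage limitation:
export on an access request, consent withdrawal, erasure, and an automatic
retention sweep, each leaving an audit entry. In-memory and constructed data;
the retention periods are an assumed policy, not figures from the Act."""
from datetime import date, timedelta

# Assumed policy: days a record is kept after its purpose is fulfilled.
RETENTION_DAYS = {
    "order_fulfilment": 365,  # invoices kept for tax/accounting
    "marketing": 0,           # nothing to keep once consent is gone
}


class Ledger:
    def __init__(self):
        self.records = {}  # record id -> record
        self.audit = []    # append-only (date, action, principal, detail)
        self._seq = 0

    def _log(self, today, action, principal, detail=""):
        self.audit.append((today, action, principal, detail))

    def collect(self, today, principal, purpose, data):
        """Store data for one stated purpose (notice and consent happen before this)."""
        self._seq += 1
        rid = f"{principal}:{purpose}:{self._seq}"
        self.records[rid] = {"principal": principal, "purpose": purpose,
                             "data": data, "consent": True, "fulfilled_on": None}
        self._log(today, "collect", principal, purpose)
        return rid

    def mark_fulfilled(self, today, rid):
        """The purpose is done (order delivered); the retention clock starts."""
        self.records[rid]["fulfilled_on"] = today
        self._log(today, "fulfilled", self.records[rid]["principal"], rid)

    def _expires_on(self, r):
        if r["fulfilled_on"] is None:
            return None  # purpose still live
        return r["fulfilled_on"] + timedelta(days=RETENTION_DAYS[r["purpose"]])

    def export_for(self, today, principal):
        """Right to access: a copy of everything still held about the principal."""
        out = [{"purpose": r["purpose"], "consent": r["consent"], "data": r["data"]}
               for r in self.records.values() if r["principal"] == principal]
        self._log(today, "access_request", principal, f"{len(out)} records")
        return out

    def withdraw_consent(self, today, principal, purpose):
        """Processing for that purpose stops now; the sweep removes the data."""
        for r in self.records.values():
            if r["principal"] == principal and r["purpose"] == purpose and r["consent"]:
                r["consent"] = False
                r["fulfilled_on"] = r["fulfilled_on"] or today
        self._log(today, "consent_withdrawn", principal, purpose)

    def erase(self, today, principal):
        """Right to erasure: ends every purpose for the principal, deletes what has
        no retention reason left, and logs what was kept and why."""
        gone, kept = [], []
        for rid, r in list(self.records.items()):
            if r["principal"] != principal:
                continue
            r["fulfilled_on"] = r["fulfilled_on"] or today
            if self._expires_on(r) > today:
                kept.append(rid)  # still inside a legal retention window
            else:
                del self.records[rid]
                gone.append(rid)
        self._log(today, "erasure_request", principal, f"erased={gone} retained={kept}")
        return gone, kept

    def retention_sweep(self, today):
        """Storage limitation: delete anything whose retention window has closed."""
        expired = [rid for rid, r in self.records.items()
                   if self._expires_on(r) is not None and self._expires_on(r) <= today]
        for rid in expired:
            self._log(today, "retention_delete", self.records[rid]["principal"], rid)
            del self.records[rid]
        return expired


def run_scenario():
    """One customer's lifecycle on constructed data; returns what each step did."""
    L = Ledger()
    inv = L.collect(date(2026, 6, 1), "asha", "order_fulfilment", {"invoice": "INV-1"})
    mkt = L.collect(date(2026, 6, 1), "asha", "marketing", {"email": "asha@example.com"})
    L.mark_fulfilled(date(2026, 6, 3), inv)
    exported = L.export_for(date(2026, 6, 10), "asha")
    L.withdraw_consent(date(2026, 6, 10), "asha", "marketing")
    swept_now = L.retention_sweep(date(2026, 6, 10))   # marketing record goes at once
    gone, kept = L.erase(date(2026, 6, 20), "asha")    # invoice must stay for its window
    swept_later = L.retention_sweep(date(2027, 6, 4))  # invoice window closed: deleted
    return {"inv": inv, "mkt": mkt, "exported": exported, "swept_now": swept_now,
            "gone": gone, "kept": kept, "swept_later": swept_later,
            "actions": [a[1] for a in L.audit], "remaining": len(L.records)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The erasure path is the one to get right: it ends every purpose the principal controls, deletes what has no retention reason left, and records what was kept and why, so you can answer the principal (and the Board) from the log rather than from memory. A real implementation keeps the audit log append-only and separate from the records it describes.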
Months 9-10: Incident Response Planning
What to do:
- Write a one-page incident response plan: who calls whom, in what order, within what timeframe
- Set up a security contact email (security@yourcompany.com) that forwards to multiple people
- Run a tabletop exercise — pretend you got hacked at 2 AM on a Sunday
- Pre-draft your breach notification template
- Identify external support: a forensics firm, a legal contact, a PR consultant
Rule 7's clock starts when you become aware of a breach, not when you have finished confirming its scope: the first intimation to the Board and to affected individuals is due without delay, and the detailed report within 72 hours. Have a plan ready.
Months 11-12: DPDP Documentation and Training
What to do:
- Publish your privacy policy (DPDP-compliant version, not a template)
- Train every employee — one session, two hours, mandatory
- Document your reasonable security practices (this is your defense if audited)
- Set up a process for handling data principal requests — who reads them, who responds, how
- Schedule your first annual DPDP review
What to teach your team:
- How to spot phishing emails (still the #1 entry point)
- What to do if they click a suspicious link
- How to handle customer data access requests
- The consequences of non-compliance (for them AND the company)
The Biggest Mistakes Indian SMEs Make With DPDP
We see these patterns over and over:
Mistake 1: "We're too small to be audited." The Data Protection Board has no enforcement record yet, but enforcement under DPDP is complaint-driven: any customer who does not get a satisfactory answer from your grievance process can complain to the Board, and one complaint is enough to trigger an inquiry.
Mistake 2: Copying a foreign compliance template. GDPR and DPDP are not the same. Cross-border transfer rules, consent requirements, and penalty structures differ. Use an India-specific template.
Mistake 3: Treating it as an IT problem. DPDP is a legal and operational issue. IT can implement controls, but the policy decisions (what data to collect, how long to keep it, who has access) are business calls.
Mistake 4: Buying tools before understanding risks. Most SMEs buy a fancy SIEM or EDR tool, then never configure it. Start with the basics (MFA, backups, patching) before spending on enterprise security software.
Mistake 5: Ignoring vendor risk. Your cloud provider, payment gateway, HR software, and CRM are all part of your attack surface. A breach at your vendor is a breach at your company under DPDP.
What "Reasonable Security" Actually Means
Rule 6 of the DPDP Rules 2025 lists minimum safeguards (encryption or masking, access control, logging and monitoring, backups, log retention, processor contracts) but names no certification standard or control baseline, and the Board has no enforcement record yet. Here's what's defensible:
For an SME doing under ₹50 crore annual revenue:
| Control | Status |
|---|---|
| MFA on all business accounts | Required |
| Endpoint protection on all devices | Required |
| Encryption at rest and in transit | Required |
| Daily backups (offline + cloud) | Required |
| Annual security awareness training | Required |
| Documented incident response plan | Required |
| Vendor risk assessment (top 5 vendors) | Required |
| ISO 27001 certification | Recommended but not required for SMEs |
| 24/7 SOC monitoring | Out of scope for most SMEs — use a managed service |
For an SME doing ₹50-250 crore revenue:
Same as above, plus:
- Dedicated security lead (even if outsourced)
- Quarterly vulnerability assessments
- Annual penetration testing
- A documented and rehearsed CERT-In reporting workflow (who notices, who files, within the 6-hour window)
The CERT-In directions issued in April 2022 already apply to businesses of every size, not just this revenue band: listed incident types must be reported to CERT-In within 6 hours of noticing them, and ICT system logs must be kept for a rolling 180 days within India. Most SMEs don't know this.
How to Budget For This
You don't need to spend crores. Here's a realistic annual security budget for a 50-person SME:
| Item | Annual Cost |
|---|---|
| MFA / Identity (Microsoft 365 Business Premium) | ₹1,50,000 |
| Endpoint protection (Defender for Business, 50 users) | ₹3,18,000 |
| Password manager (Bitwarden Teams, 50 users) | ₹48,000 |
| Business VPN (Perimeter 81 or similar) | ₹1,20,000 |
| Backup (Backblaze B2 + Veeam) | ₹60,000 |
| Email security (Proofpoint Essentials or Avanan) | ₹1,80,000 |
| Security awareness training (KnowBe4 or Hoxhunt) | ₹1,00,000 |
| Annual penetration test | ₹2,00,000 |
| Total | ₹11,76,000 / year |
That's roughly ₹2,000 per employee per month. Less than your office chai budget.
If ₹12 lakhs is too steep, the non-negotiable minimum is:
- MFA on everything
- Endpoint protection
- Daily backups
- Phishing training
Those four cost less than ₹3 lakhs/year and stop the bulk of the commodity attacks (phishing-led ransomware, credential stuffing, unpatched exposure) that make up most SME incidents.
How Mejona Helps
We build DPDP-ready systems for Indian SMEs. Not just security tools — the underlying business software, websites, mobile apps, and customer data platforms that handle personal data correctly from day one.
What we do:
- Audit your current setup — identify where personal data lives and where you're exposed (free 30-minute assessment)
- Implement the 12-month playbook — phased rollout that fits your budget, with a working system at every step, not a 200-page report that sits in a drawer
- Build DPDP-compliant software — websites, apps, and internal tools that bake consent management, data subject rights, and audit logging into the design
- Manage your security stack — 24/7 monitoring, monthly reports, quarterly reviews. Starting at ₹20,000/month for our Cybersecurity service.
Why us:
- We've been DPDP-compliant by default since 2025 — we built our own systems first
- We work in your timezone, in your language, at SME budgets
- No 200-page audit reports. Working controls you can see, in production, in 2 weeks
- We won't sell you a SIEM you don't need
Your First 7 Days
Don't try to do everything. Start here:
Day 1-2: Turn on MFA for every business-critical account (email, banking, CRM, admin panels). Most SME breaches begin with a stolen or reused password, and this single step blocks that path.
Day 3-4: Check your company domain against known breach dumps (haveibeenpwned.com offers a domain search once you prove you control the domain). See which staff credentials are already circulating, and reset them.
Day 5-7: Back up everything, keep at least one copy offline or immutable, and test that you can actually restore from it. A backup you have never restored from is not a backup, and many businesses never recover from a major data loss without one.
After that, call us. We'll do the rest.
Conclusion
DPDP enforcement is 12 months away. The threats are real, the penalties are existential, and the playbook above is the minimum viable path to compliance.
The three things to remember:
- DPDP is now law, not a future problem. May 13, 2027 is the enforcement date, not the start date.
- You don't need enterprise budgets. A ₹3 lakh/year security stack stops the bulk of the commodity attacks that hit SMEs.
- Start with the basics. MFA, backups, patching, and training come before fancy tools.
Your next step: Audit where your customer data lives. If you can't answer that question in 10 minutes, you have work to do this month.
Ready to get DPDP-ready without the complexity? Talk to Mejona — we'll do a free 30-minute compliance assessment and tell you exactly what to fix first. Cybersecurity audits and DPDP implementation start at ₹20,000 with phased rollout available.
Meta description: DPDP enforcement begins May 13 2027. Here's the 12-month cybersecurity playbook Indian SMEs need to get compliant — with budget, timeline, and what to skip.