CYBER SECURITY

DPDP Enforcement Starts May 2027: The 12-Month Cybersecurity Playbook for Indian SMEs

DPDP enforcement begins May 13 2027. The 12-month cybersecurity playbook Indian SMEs need to get compliant — with budget, timeline, and what to skip.

AI Blog Writer
11 Jun 2026
12 min read

India's Digital Personal Data Protection Act isn't a future problem. Enforcement starts in May 2027, and small businesses have one year to get compliant or face penalties of up to ₹250 crore.


The 12-Month Clock Every Indian SME Owner Should Know About

If your business handles customer data — names, phone numbers, Aadhaar copies, payment info, browsing history — the Indian government is about to hold your business accountable for protecting it.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is already law. The DPDP Rules 2025 were notified on November 13, 2025, with the substantive obligations phased in over 18 months. From May 13, 2027, when those obligations take effect, the penalties apply: up to ₹250 crore per violation for failing to take reasonable security safeguards.

For India's 63 million small and medium businesses, this is the biggest compliance shift since GST. Except GST came with a year of soft rollout. DPDP gives you a hard cliff.

Here's the playbook to get your business ready in 12 months — without breaking the bank or hiring a chief security officer.


The Threat Landscape That Makes DPDP Urgent

DPDP isn't just paperwork. The reason it's getting teeth is that attacks on Indian SMEs have exploded.

The 2026 numbers tell the story:

  • 41% of small businesses reported ransomware incidents in 2026, up from 37% in 2025 (sqmagazine.co.uk)
  • 88% of small/midsize business breaches in 2025 involved ransomware
  • Average ransom demand: $102,000 — often more than the SME's annual profit
  • Average loss per breach: $254,000 (Total Assure, May 2026)
  • 43% of all cyberattacks target small businesses; only 14% are prepared (Accenture)
  • 91.8 million malware detections in India in 2026 (Seqrite India Cyber Threat Report 2026)
  • 44% of Indian ransomware victims paid the ransom (Sophos)

Most SME owners think "I'm too small to be a target." That's exactly the mindset attackers exploit. You don't have a security team, your staff reuses passwords, and your backup is on the same laptop that just got encrypted.

A breach doesn't just cost you money. Under DPDP, it can cost you your business: the liability for failing to protect personal data is now codified in law, and if you trade as a proprietorship, the Data Fiduciary that gets fined is you.


What DPDP Actually Requires From You

You don't need to become a security expert. You need to do six specific things the law will check for.

1. Notice and Consent

You can only collect personal data for a specific, stated purpose. That "we collect your data to improve our services" blanket clause you copied from a template? Not compliant.

You need:

  • A clear notice of what data you're collecting and why
  • Explicit, informed consent (pre-ticked boxes don't count)
  • The ability to withdraw consent as easily as it was given

2. Data Minimization

Stop collecting data you don't need. If your billing form asks for date of birth, family income, and Aadhaar number to sell a ₹500 service, you're a compliance failure waiting to happen.

3. Storage and Purpose Limitation

Personal data should be deleted when the purpose is fulfilled. If a customer unsubscribes, their data shouldn't sit in your CRM for three more years "just in case."

4. Breach Notification Within 72 Hours

If you suffer a personal data breach, you must notify the Data Protection Board without delay and file the detailed report within 72 hours of becoming aware of it (the Board can allow longer on request). Every affected individual must also be informed, without delay. Unlike GDPR, there is no "likely to cause harm" threshold: all affected data principals get notified.

5. "Reasonable Security Practices"

This is the catch-all obligation, and it's the one most SMEs will fail on. The Act doesn't name a technical standard, but Rule 6 of the DPDP Rules 2025 sets out the minimum safeguards every Data Fiduciary must have in place:

  • Encryption, obfuscation, masking or tokenisation of personal data
  • Access controls on the systems that hold it
  • Logs, monitoring and review so unauthorised access can be detected and investigated, with the logs and related personal data retained for a year
  • Backups or equivalent measures so processing can continue after a breach
  • Contracts that bind every Data Processor to the same safeguards

Frameworks such as ISO/IEC 27001, the NIST Cybersecurity Framework and the CERT-In directions (already in force) are how you evidence that you've actually done this.

6. Data Principal Rights

Customers can ask you to:

  • Provide a copy of all data you hold on them
  • Correct inaccurate data
  • Erase their data
  • Withdraw consent

The Rules require you to publish the period within which you'll respond, and cap it at 90 days. Publish a number you can actually meet, and track every request against it; an unanswered request is itself a violation.


The Penalty Range You Need to Know

The penalties are not theoretical. They're in the Schedule to the Act.

  • Failure to take reasonable security safeguards: up to ₹250 crore
  • Failure to notify the Board or affected individuals of a breach: up to ₹200 crore
  • Processing children's data unlawfully: up to ₹200 crore
  • Any other breach of the Act, including failing to act on data principal requests: up to ₹50 crore

For a small business doing ₹5 crore in annual revenue, a single penalty is existential.


The 12-Month Cybersecurity Playbook for Indian SMEs

Here's the month-by-month plan. If you start now (June 2026), you'll be DPDP-ready when enforcement begins on May 13, 2027.

Months 1-2: Audit and Risk Assessment

What to do:

  • List every system that holds personal data (CRM, billing, HR, email, website forms, mobile app)
  • Identify what data you collect, where it goes, who can access it
  • Map your data flows — which vendors, which cloud providers, which countries
  • Document your current security controls (even if the answer is "we have antivirus")

Deliverable: A one-page "Data Inventory and Risk Register" — not 200 pages, just one page that tells you where you're exposed.

Cost: ₹0 if you do it yourself. ₹15,000-50,000 if you hire a consultant.
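A quick way to start the inventory is to scan the exports you already have for the identifiers that matter most in India. The following script is an added example for this section, not code from the original post or from any product mentioned on this page: it looks for Aadhaar numbers, PAN, mobile numbers and e-mail addresses in a set of text exports, and validates every Aadhaar candidate with the Verhoeff checksum that real Aadhaar numbers carry, so a random 12-digit invoice or order number is not counted as personal data. The file names and sample rows are constructed for the example, and the Aadhaar value in them is synthetic; it merely passes the checksum.

```python
"""Scan text exports for Indian personal-data identifiers to build a data inventory.

Patterns: Aadhaar (12 digits, first digit 2-9, Verhoeff check digit), PAN
(AAAAA9999A), Indian mobile numbers (10 digits starting 6-9) and e-mail
addresses. Sample inputs below are constructed for this example; the Aadhaar
number is a synthetic value that merely passes the checksum, not a real one.
"""
import re
from collections import Counter

# Verhoeff tables: multiplication (D) and position permutation (P).
_D = (
    (0, 1, 2, 3, 4, 5, 6, 7, 8, 9),
    (1, 2, 3, 4, 0, 6, 7, 8, 9, 5),
    (2, 3, 4, 0, 1, 7, 8, 9, 5, 6),
    (3, 4, 0, 1, 2, 8, 9, 5, 6, 7),
    (4, 0, 1, 2, 3, 9, 5, 6, 7, 8),
    (5, 9, 8, 7, 6, 0, 4, 3, 2, 1),
    (6, 5, 9, 8, 7, 1, 0, 4, 3, 2),
    (7, 6, 5, 9, 8, 2, 1, 0, 4, 3),
    (8, 7, 6, 5, 9, 3, 2, 1, 0, 4),
    (9, 8, 7, 6, 5, 4, 3, 2, 1, 0),
)
_P = (
    (0, 1, 2, 3, 4, 5, 6, 7, 8, 9),
    (1, 5, 7, 6, 2, 8, 3, 0, 9, 4),
    (5, 8, 0, 3, 7, 9, 6, 1, 4, 2),
    (8, 9, 1, 6, 0, 4, 3, 5, 2, 7),
    (9, 4, 5, 3, 1, 2, 6, 8, 7, 0),
    (4, 2, 8, 6, 5, 7, 3, 9, 0, 1),
    (2, 7, 9, 3, 8, 0, 6, 4, 1, 5),
    (7, 0, 4, 6, 9, 1, 3, 2, 5, 8),
)


def verhoeff_valid(digits: str) -> bool:
    """True if the digit string (check digit last) passes the Verhoeff checksum."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def is_aadhaar(candidate: str) -> bool:
    """12 digits after stripping separators, not starting with 0 or 1, valid check digit."""
    digits = re.sub(r"[ -]", "", candidate)
    return len(digits) == 12 and digits[0] in "23456789" and verhoeff_valid(digits)


# \b on the mobile pattern stops a 10-digit run inside a longer number from
# matching; Aadhaar hits are additionally filtered through the checksum.
PATTERNS = {
    "aadhaar": re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b"),
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
    "mobile": re.compile(r"\b[6-9]\d{9}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def scan_text(text: str) -> Counter:
    """Count identifier types in one text blob; Aadhaar candidates must pass the checksum."""
    found = Counter()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "aadhaar" and not is_aadhaar(match.group()):
                continue  # 12 digits that fail Verhoeff are not an Aadhaar number
            found[kind] += 1
    return found


def inventory(sources: dict[str, str]) -> dict[str, dict[str, int]]:
    """Map each source (file, table export, mailbox dump) to the identifier counts it holds."""
    result = {}
    for name, text in sources.items():
        counts = scan_text(text)
        if counts:
            result[name] = dict(counts)
    return result


# Constructed sample exports standing in for a CRM dump, a billing export and a notes file.
SAMPLE_SOURCES = {
    "crm_export.csv": (
        "name,phone,email,id_proof\n"
        "Asha Rao,9876543210,asha@example.in,2341 2341 2346\n"    # synthetic Aadhaar, passes Verhoeff
        "Vikram S,9123456789,vikram@example.in,2341 2341 2345\n"  # fails the checksum: not counted
    ),
    "billing.csv": "invoice,pan,amount\nINV-1,ABCPE1234F,500\nINV-2,,750\n",
    "notes.txt": "Meeting notes, no personal data here.\n",
}

if __name__ == "__main__":
    for source, counts in inventory(SAMPLE_SOURCES).items():
        print(source, counts)
```

Feed `inventory()` the text of whatever you can export (CRM CSVs, a mailbox dump, a database table) and the per-source counts become the first column of your Data Inventory. Record the counts, not the matched values: copying the identifiers themselves into a spreadsheet would create one more place that holds personal data.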

Months 3-4: Identity and Access Controls

What to do:

  • Enable multi-factor authentication (MFA) on every business account — email, banking, CRM, cloud, admin panels
  • Implement role-based access — your billing clerk doesn't need access to customer Aadhaar scans
  • Force password manager usage for all employees (Bitwarden Teams is ₹80/user/month)
  • Revoke access immediately when employees leave

Quick win: MFA is the single biggest thing you can do this month. Stolen or reused credentials are the most common way attackers get in, and MFA stops most of those attempts cold.

Months 5-6: Endpoint and Network Security

What to do:

  • Deploy endpoint detection and response (EDR) — not just antivirus
  • Enable full-disk encryption on all laptops and phones
  • Set up a business VPN for remote work
  • Configure automatic OS and software updates
  • Restrict admin privileges — most staff should run as standard users

Recommended stack for Indian SMEs:

  • Laptops: Microsoft Defender for Business (₹530/device/month) or Quick Heal Total Security
  • Mobile: Microsoft Intune or Jamf for company phones
  • Network: UniFi or TP-Link Omada business-grade access points

Months 7-8: Data Classification and Encryption

What to do:

  • Classify data as Public, Internal, Confidential, Restricted
  • Encrypt sensitive data at rest (database encryption) and in transit (TLS 1.3, HTTPS everywhere)
  • Implement data loss prevention (DLP) for email and file sharing
  • Set up automated data retention and deletion policies
  • Get a Data Processing Agreement (DPA) signed with every vendor that touches customer data

Tools to consider:

  • AWS KMS / Azure Key Vault for key management
  • Virtru or Seclore for email encryption
  • Standard contractual clauses in vendor contracts
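The storage-limitation requirement described earlier and the "automated data retention and deletion policies" step above come down to one rule per purpose and a job that applies it. The following Python is an added example, not code from the original post: for each record it decides whether to erase it (consent withdrawn, or the retention period for its purpose has elapsed), hold it (a statutory retention duty still blocks erasure) or keep it, and it flags records whose purpose has no policy at all. The purposes, retention periods and dates are illustrative assumptions, not figures from the Act or the Rules.

```python
"""Decide which personal-data records must be erased under a retention schedule.

A record is due for erasure when (a) the data principal withdrew consent, or
(b) the retention period for its purpose has elapsed since the purpose was
fulfilled. A statutory hold (e.g. invoices tax law makes you keep) defers
erasure until the hold expires. Purposes, periods and dates below are
illustrative assumptions, not values taken from the DPDP Act or Rules.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Illustrative schedule: days to keep a record after its purpose is fulfilled.
RETENTION_DAYS = {
    "marketing": 0,         # nothing to keep once the person unsubscribes
    "support_ticket": 90,
    "invoice": 8 * 365,     # assumed statutory period for tax records
}


@dataclass
class Record:
    record_id: str
    purpose: str
    fulfilled_on: Optional[date]              # None: purpose still active (open ticket, live customer)
    consent_withdrawn_on: Optional[date] = None
    legal_hold_until: Optional[date] = None


def decide(record: Record, today: date) -> str:
    """Return 'erase', 'hold', 'keep' or 'review' for one record as of `today`."""
    if record.purpose not in RETENTION_DAYS:
        # No policy means the record cannot justify itself; send it to a human
        # instead of silently keeping or deleting it.
        return "review"
    due = False
    if record.consent_withdrawn_on and record.consent_withdrawn_on <= today:
        due = True
    elif record.fulfilled_on is not None:
        expiry = record.fulfilled_on + timedelta(days=RETENTION_DAYS[record.purpose])
        due = expiry <= today
    if not due:
        return "keep"
    if record.legal_hold_until and record.legal_hold_until > today:
        return "hold"  # erasure deferred: a statutory duty overrides the request
    return "erase"


def erasure_run(records: list[Record], today: date) -> dict[str, list[str]]:
    """Group record ids by decision so the deletion job and the reviewer each get a list."""
    out: dict[str, list[str]] = {"erase": [], "hold": [], "keep": [], "review": []}
    for r in records:
        out[decide(r, today)].append(r.record_id)
    return out


# Constructed sample records, evaluated as of an assumed run date.
TODAY = date(2027, 5, 13)
SAMPLE_RECORDS = [
    Record("c1", "marketing", fulfilled_on=None, consent_withdrawn_on=date(2027, 5, 1)),  # unsubscribed
    Record("c2", "marketing", fulfilled_on=None),                                          # still subscribed
    Record("t1", "support_ticket", fulfilled_on=date(2027, 1, 10)),                        # closed >90 days ago
    Record("t2", "support_ticket", fulfilled_on=date(2027, 4, 30)),                        # closed recently
    Record("i1", "invoice", fulfilled_on=date(2018, 3, 31)),                               # older than 8 years
    Record("i2", "invoice", fulfilled_on=date(2026, 3, 31),
           consent_withdrawn_on=date(2027, 4, 1),
           legal_hold_until=date(2034, 3, 31)),                                            # withdrawn, but tax hold
    Record("x1", "legacy_import", fulfilled_on=date(2020, 1, 1)),                          # no policy defined
]

if __name__ == "__main__":
    for decision, ids in erasure_run(SAMPLE_RECORDS, TODAY).items():
        print(f"{decision}: {ids}")
```

The "hold" outcome is the edge case that trips up naive deletion jobs: a customer who withdraws consent can still have invoices you are legally required to keep, so the job has to record why it kept them rather than either deleting the evidence or quietly ignoring the request. Anything landing in "review" is data you are holding without a stated purpose, which is exactly what the Months 1-2 inventory should have surfaced.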

Months 9-10: Incident Response Planning

What to do:

  • Write a one-page incident response plan: who calls whom, in what order, within what timeframe
  • Set up a security contact email (security@yourcompany.com) that forwards to multiple people
  • Run a tabletop exercise — pretend you got hacked at 2 AM on a Sunday
  • Pre-draft your breach notification template
  • Identify external support: a forensics firm, a legal contact, a PR consultant

The 72-hour clock starts when you become aware of the breach, not when you finish confirming the details, and the first notice to the Board and to affected individuals is due without delay. Have a plan ready.

Months 11-12: DPDP Documentation and Training

What to do:

  • Publish your privacy policy (DPDP-compliant version, not a template)
  • Train every employee — one session, two hours, mandatory
  • Document your reasonable security practices (this is your defense if audited)
  • Set up a process for handling data principal requests — who reads them, who responds, how
  • Schedule your first annual DPDP review

What to teach your team:

  • How to spot phishing emails (still the #1 entry point)
  • What to do if they click a suspicious link
  • How to handle customer data access requests
  • The consequences of non-compliance (for them AND the company)

The Biggest Mistakes Indian SMEs Make With DPDP

We see these patterns over and over:

Mistake 1: "We're too small to be audited." The Data Protection Board hasn't started enforcement yet, but once it does, any data principal can file a complaint with it. One customer's complaint is enough to trigger an inquiry.

Mistake 2: Copying a foreign compliance template. GDPR and DPDP are not the same. Cross-border transfer rules, consent requirements, and penalty structures differ. Use an India-specific template.

Mistake 3: Treating it as an IT problem. DPDP is a legal and operational issue. IT can implement controls, but the policy decisions (what data to collect, how long to keep it, who has access) are business calls.

Mistake 4: Buying tools before understanding risks. Most SMEs buy a fancy SIEM or EDR tool, then never configure it. Start with the basics (MFA, backups, patching) before spending on enterprise security software.

Mistake 5: Ignoring vendor risk. Your cloud provider, payment gateway, HR software, and CRM are all part of your attack surface. A breach at your vendor is a breach at your company under DPDP.


What "Reasonable Security" Actually Means

Rule 6 of the Rules 2025 lists the minimum safeguards (encryption or masking, access control, logging and monitoring with one-year log retention, backups, processor contracts) but deliberately prescribes no product and no certification. Until the Board's decisions give "reasonable" more shape, here's what's defensible:

For an SME doing under ₹50 crore annual revenue:

  • MFA on all business accounts: Required
  • Endpoint protection on all devices: Required
  • Encryption at rest and in transit: Required
  • Daily backups (offline + cloud): Required
  • Annual security awareness training: Required
  • Documented incident response plan: Required
  • Vendor risk assessment (top 5 vendors): Required
  • ISO 27001 certification: Recommended but not required for SMEs
  • 24/7 SOC monitoring: Out of scope for most SMEs; use a managed service

For an SME doing ₹50-250 crore revenue:

Same as above, plus:

  • Dedicated security lead (even if outsourced)
  • Quarterly vulnerability assessments
  • Annual penetration testing
  • A documented and tested CERT-In reporting procedure (6-hour incident reporting for the specified incident types)

The CERT-In directions have been in force since April 2022 and apply to every Indian business, not just the larger ones: the specified incident types must be reported to CERT-In within 6 hours of being noticed, and system logs must be kept for a rolling 180 days within India. Most SMEs don't know this.


How to Budget For This

You don't need to spend crores. Here's a realistic annual security budget for a 50-person SME:

  • MFA / Identity (Microsoft 365 Business Premium): ₹1,50,000
  • Endpoint protection (Defender for Business, 50 users): ₹3,18,000
  • Password manager (Bitwarden Teams, 50 users): ₹48,000
  • Business VPN (Perimeter 81 or similar): ₹1,20,000
  • Backup (Backblaze B2 + Veeam): ₹60,000
  • Email security (Proofpoint Essentials or Avanan): ₹1,80,000
  • Security awareness training (KnowBe4 or Hoxhunt): ₹1,00,000
  • Annual penetration test: ₹2,00,000
  • Total: ₹11,76,000 / year

That's roughly ₹2,000 per employee per month. Less than your office chai budget.

If ₹12 lakhs is too steep, the non-negotiable minimum is:

  • MFA on everything
  • Endpoint protection
  • Daily backups
  • Phishing training

Priced with the cheaper options above (MFA is free on virtually every SaaS and banking account, Quick Heal instead of Defender, a basic cloud backup), those four come in under ₹3 lakh/year and stop the bulk of commodity attacks: credential stuffing, phishing, and ransomware that finds no recoverable backup.


How Mejona Helps

We build DPDP-ready systems for Indian SMEs. Not just security tools — the underlying business software, websites, mobile apps, and customer data platforms that handle personal data correctly from day one.

What we do:

  • Audit your current setup — identify where personal data lives and where you're exposed (free 30-minute assessment)
  • Implement the 12-month playbook — phased rollout that fits your budget, with a working system at every step, not a 200-page report that sits in a drawer
  • Build DPDP-compliant software — websites, apps, and internal tools that bake consent management, data subject rights, and audit logging into the design
  • Manage your security stack — 24/7 monitoring, monthly reports, quarterly reviews. Starting at ₹20,000/month for our Cybersecurity service.

Why us:

  • We've been DPDP-compliant by default since 2025 — we built our own systems first
  • We work in your timezone, in your language, at SME budgets
  • No 200-page audit reports. Working controls you can see, in production, in 2 weeks
  • We won't sell you a SIEM you don't need

Your First 7 Days

Don't try to do everything. Start here:

Day 1-2: Turn on MFA for every business-critical account (email, banking, CRM, admin panels). Stolen and reused passwords are the most common way into an SME, and this single step blocks most of those attempts.

Day 3-4: Run a free breach-exposure check on your company domain (haveibeenpwned.com/business). See which of your staff's credentials have already leaked in public breaches.

Day 5-7: Back up everything. Then test that you can actually restore from the backup: a backup you have never restored is a hope, not a control, and ransomware operators count on exactly that.

After that, call us. We'll do the rest.


Conclusion

DPDP enforcement is 12 months away. The threats are real, the penalties are existential, and the playbook above is the minimum viable path to compliance.

The three things to remember:

  1. DPDP is now law, not a future problem. May 13, 2027 is the enforcement date, not the start date.
  2. You don't need enterprise budgets. A sub-₹3 lakh/year stack (MFA, endpoint protection, backups, training) stops the bulk of common attacks.
  3. Start with the basics. MFA, backups, patching, and training come before fancy tools.

Your next step: Audit where your customer data lives. If you can't answer that question in 10 minutes, you have work to do this month.


Ready to get DPDP-ready without the complexity? Talk to Mejona — we'll do a free 30-minute compliance assessment and tell you exactly what to fix first. Cybersecurity audits and DPDP implementation start at ₹20,000 with phased rollout available.


