India's DPDP Act 2023: What Every Kerala SME Must Do Before Enforcement


What the DPDP Act Actually Says (In Plain Terms)

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data privacy law. It received Presidential assent on 11 August 2023, but its provisions take effect only on dates notified by the Central Government. Draft rules were published for consultation in January 2025, and the obligations will bite once the Data Protection Board is constituted and the rules are notified. For Kerala businesses, this is not a future problem. Building compliance now is significantly easier than scrambling after enforcement begins.

The law applies to any business that collects, stores, or processes 'personal data' in digital form, whether collected online or collected on paper and later digitised. This includes: customer names, phone numbers, email addresses, Aadhaar numbers, purchase history, health information, location data, browsing history on your website, and any data collected through your app or WhatsApp Business number. It also reaches processing done outside India in connection with offering goods or services to people in India.

Which Kerala Businesses Are Affected

The honest answer is: almost every Kerala business with a website, app, WhatsApp Business account, or online store. If you collect a customer's phone number for a loyalty programme, you are processing personal data. If your website has a contact form, you are collecting personal data.

High-risk categories (strict obligations)

  • Private hospitals and clinics: the Act has no separate 'sensitive data' category, but the volume and nature of patient data raise the harm from a breach and the chance of being designated a Significant Data Fiduciary
  • Schools and coaching centres: children's data has the highest protection requirements (verifiable parental consent, no tracking, behavioural monitoring or targeted advertising aimed at children)
  • Financial services (gold loan companies, NBFCs, chit funds): large volumes of financial data, and sector regulators impose their own security and retention rules on top of the Act
  • HR-intensive businesses collecting employee Aadhaar, PAN, bank details
  • E-commerce stores with purchase history and address data
  • Any business targeting or serving children (under 18)

Standard-risk categories (basic obligations)

  • Retail stores with customer phone numbers for WhatsApp marketing
  • Restaurants with online ordering
  • Tourism businesses with booking data
  • Real estate companies with enquiry forms

The Four Core Obligations for Kerala SMEs

1. Consent before collection

You must get consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, before collecting personal data, and the request must be accompanied by a plain-language notice stating what you collect and why. A pre-ticked checkbox or burying consent in terms and conditions is not valid. Your website contact form, app signup, or WhatsApp opt-in must have an explicit, unambiguous consent statement in plain language. Customers must be able to withdraw consent as easily as they gave it, and once they do you must stop processing and delete their data unless another law requires you to keep it.

2. Purpose limitation

You can only use data for the purpose you told the person when collecting it. If someone gives you their phone number for an order confirmation, you cannot add them to a promotional WhatsApp broadcast without separate consent.

3. Breach notification

If your customer data is breached (hacked, leaked, accidentally shared), you must notify the Data Protection Board and every affected individual in the form and within the time the rules prescribe. The draft rules published in January 2025 proposed telling affected individuals without delay and giving the Board a detailed report within 72 hours, which matches the GDPR timeline. To do that you need to know exactly what data you hold, where it sits, and who has access, before the incident happens.

4. Data deletion on request

Customers have the right to request deletion of their personal data, and you must also erase data on your own once the purpose it was collected for is over, unless another law (tax, accounting, KYC) requires you to retain it for a fixed period. You must be able to comply, and to tell the customer what was deleted and what was lawfully retained. If your data is scattered across spreadsheets, a WhatsApp group, a Tally database, and a Google Sheet, you currently cannot comply with this.

What the Penalties Look Like

The DPDP Act's Schedule prescribes penalties per instance: up to ₹250 crore for failing to take reasonable security safeguards, up to ₹200 crore for failing to notify a breach or for breaching the children's data obligations, up to ₹150 crore for a Significant Data Fiduciary's additional duties, and up to ₹50 crore for other breaches. These caps apply to any business, not only large ones; the Board sets the actual amount after weighing the nature, gravity and duration of the breach, the harm caused and what you did to mitigate it. The biggest risk for Kerala SMEs is not the maximum penalty. It is the reputational damage and the disruption of a Data Protection Board investigation if a customer files a complaint against you.

Early compliance also protects you against civil liability if a customer's data is misused. This is increasingly relevant as more Kerala consumers become aware of their data rights.

Practical Steps for a Kerala SME to Get Compliant

  • Data mapping: list every type of customer data you collect, where it is stored (including third-party tools and processors), and who has access
  • Update your privacy policy and notice: in plain language, stating what data you collect, why, how to withdraw consent, how to complain, and the contact details of a person who can answer questions; the notice may be given in English or any language in the Eighth Schedule, so offer Malayalam where your customers expect it
  • Add consent mechanisms: update your contact forms, app signups, and WhatsApp opt-in flows, and keep a record of each consent and its purpose
  • Appoint a Data Protection Officer if you are designated a Significant Data Fiduciary; hospitals, schools and fintech handling large volumes should plan for that designation and name a responsible person now
  • Set up a data deletion process: know how to delete a specific customer's data from all your systems within a reasonable timeframe, and which records you must keep under other laws
  • Secure your data storage: customer data in unencrypted spreadsheets is both a compliance and security risk, and 'reasonable security safeguards' carries the Act's largest penalty
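To make the consent, purpose-limitation, data-mapping and deletion steps above concrete, here is a small Python model of a consent ledger, a data map and an erasure workflow. It is an added example written for this article, not code from any regulator or vendor; the INVENTORY, the system names, the 8-year retention figure and the customer records are all constructed for illustration. It shows three things the prose only states: consent recorded per purpose so that order-confirmation consent does not unlock marketing, a data map you can query when scoping a breach, and an erasure request that deletes from every system except where a statutory retention rule (a hypothetical one here) lawfully blocks it.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Data map (constructed sample). retain_days > 0 marks records the business must
# keep under other laws (accounting/tax rules, for instance); the 8-year figure is
# a placeholder, not legal advice. An erasure request cannot override such rules.
INVENTORY = {
    "website_crm":        {"fields": {"name", "phone", "email"},      "access": {"sales"},     "retain_days": 0},
    "whatsapp_broadcast": {"fields": {"phone"},                       "access": {"marketing"}, "retain_days": 0},
    "accounting":         {"fields": {"name", "address", "invoice"},  "access": {"accounts"},  "retain_days": 8 * 365},
}


@dataclass
class Consent:
    purpose: str
    notice: str                      # plain-language text shown when consent was asked
    granted_at: datetime
    withdrawn_at: datetime | None = None


class ConsentLedger:
    """Per-person, per-purpose consent records with withdrawal."""

    def __init__(self) -> None:
        self.records: dict[str, list[Consent]] = {}

    def grant(self, principal: str, purpose: str, notice: str, affirmative_action: bool) -> None:
        # A pre-ticked box or consent buried in T&Cs is not valid: require an explicit act.
        if not affirmative_action:
            raise ValueError("consent needs a clear affirmative action by the person")
        self.records.setdefault(principal, []).append(
            Consent(purpose, notice, datetime.now(timezone.utc)))

    def withdraw(self, principal: str, purpose: str) -> None:
        for c in self.records.get(principal, []):
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = datetime.now(timezone.utc)

    def may_process(self, principal: str, purpose: str) -> bool:
        # Purpose limitation: consent for one purpose never covers another.
        return any(c.purpose == purpose and c.withdrawn_at is None
                   for c in self.records.get(principal, []))


def systems_holding(field: str) -> set[str]:
    """Data-map lookup used when scoping a breach: which systems hold this category?"""
    return {name for name, meta in INVENTORY.items() if field in meta["fields"]}


def erase(principal: str, stores: dict[str, dict[str, dict]], today: datetime) -> dict[str, str]:
    """Apply an erasure request across every system in the data map and return a
    per-system outcome the business can report back to the person."""
    outcome = {}
    for name, meta in INVENTORY.items():
        record = stores.get(name, {}).get(principal)
        if record is None:
            outcome[name] = "no data held"
            continue
        keep_until = record["created"] + timedelta(days=meta["retain_days"])
        if meta["retain_days"] and today < keep_until:
            outcome[name] = f"retained until {keep_until.date()} (statutory retention)"
        else:
            del stores[name][principal]
            outcome[name] = "deleted"
    return outcome


def demo() -> dict:
    """Walk one constructed customer through consent, a purpose check and erasure."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 10, tzinfo=timezone.utc)
    ledger.grant("cust-42", "order_confirmation",
                 "We use your phone number only to confirm this order.", affirmative_action=True)
    marketing_ok = ledger.may_process("cust-42", "marketing")   # separate consent needed
    stores = {   # constructed records; "created" drives the retention clock
        "website_crm": {"cust-42": {"created": t0, "phone": "+91-98xxxxxxxx"}},
        "whatsapp_broadcast": {},
        "accounting": {"cust-42": {"created": t0, "invoice": "INV-0007"}},
    }
    report = erase("cust-42", stores, today=t0 + timedelta(days=30))
    return {"marketing_ok": marketing_ok, "report": report, "crm_left": len(stores["website_crm"])}


if __name__ == "__main__":
    print(demo())
```

The point of returning a per-system report from erase() is that the reply to the customer, and your own evidence if the Board asks, should say exactly which copies were removed and which were lawfully kept; a single "done" is not defensible. Extend INVENTORY with every real store, including third-party tools, or the deletion is incomplete by construction.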

Frequently Asked Questions

Does the DPDP Act apply to very small Kerala businesses — a single-person shop or a small restaurant?

Yes, but the obligations are proportional. A small restaurant that collects phone numbers for delivery orders must get consent and not misuse that data, but is unlikely to face enforcement action unless a customer complains. The practical priority for small businesses is updating contact forms to include a clear consent statement and not sending unsolicited marketing to collected numbers — both of which are straightforward to fix.

What is the difference between the DPDP Act and GDPR for a Kerala business serving European customers?

GDPR (European data protection law) applies when you process data of people in the EU. The DPDP Act applies to digital personal data processed in India, and to processing abroad connected with serving people in India. If your Kerala business serves both Indian and European customers, you have obligations under both laws. In practice, a Kerala exporter or tourism business serving European clients should comply with whichever law is stricter for a given data processing activity, which is typically GDPR. Being GDPR-compliant usually means you are also substantially DPDP-compliant, but check the DPDP-specific points: verifiable parental consent for anyone under 18, notice in English or an Eighth Schedule language, and notifying every affected individual of a breach rather than only those at high risk.

How long does it take for a Kerala SME to achieve basic DPDP Act compliance?

A focused compliance effort for a small-to-medium Kerala business typically takes 4–8 weeks: 1–2 weeks for data mapping and inventory, 1–2 weeks for policy and consent mechanism updates, 2–3 weeks for technical implementation (form updates, data deletion procedures, access controls). Businesses with complex data environments (hospitals, schools with large student databases, fintech) should budget 3–6 months for comprehensive compliance.