u/Chance_Working2229

The DPDP Rules 2025 are live, and core compliance kicks in May 13, 2027. Here is what needs to be built or fixed — not legal theory, just practical requirements:

1. Consent flow — every data collection point needs explicit, purpose-specific consent. No pre-ticked boxes, no bundled consent.

2. Erasure workflow — users can request data deletion. You must respond within 90 days. A manual process won't scale.

3. Breach notification — data breach? You have 72 hours to notify the Data Protection Board. Most startups have zero incident response plans.

4. Children's data — any users under 18? Verifiable parental consent required. No profiling. No targeted ads to minors. Penalty: up to ₹200 Cr.

5. Vendor contracts — every third-party tool (analytics, CRM, cloud) needs a compliant Data Processing Agreement.

reddit.com
u/Chance_Working2229 — 16 hours ago

Indian startups are underestimating DPDP

If your startup collects:
• emails
• phone numbers
• onboarding data
• WhatsApp leads

…DPDP compliance already matters to you.

Most startups still have:

• copied privacy policies
• weak consent flows
• no compliance monitoring

The real problem:
Enterprise compliance tools are too complex for startups.

Founders just want:
“What’s risky and what should we fix first?”

u/Chance_Working2229 — 3 days ago