SME “₹0–₹50 lakh Safe Zone” compliance checklist for the DPDP Act (Digital Personal Data Protection Act, 2023).

Basic Privacy Disclosure (Non-Negotiable)

☐ Privacy Policy published on website
☐ Written in plain language (the Act lets the user ask for the notice in English or any language in the Eighth Schedule to the Constitution; offer the local language if you use it)
☐ Clearly states:

  • What data is collected

  • Why it is collected

  • How long it is kept

  • Who to contact for grievances

☐ Policy link visible on:

  • Footer

  • Contact forms

  • Lead forms

Risk if ignored: falls in the general "any other breach" slab of the Act's Schedule (up to ₹50 crore)
Safe zone effect: Strong mitigation


Consent Hygiene (Minimum Required)

☐ Consent checkbox on every form that collects personal data
☐ Checkbox is not pre-ticked (the Act requires a clear affirmative action; a default tick or silence is not consent)
☐ Simple consent language that names the purpose:

  • “I agree to be contacted about my enquiry…”

☐ Timestamp stored with each consent (even basic server logs), along with the policy version shown at the time

☐ Cookie banner (basic is enough)

  • Accept / Reject, with Reject as easy to click as Accept

  • Link to Privacy Policy

  • Analytics and other tracking scripts load only after Accept

Safe zone effect: Avoids consent violation penalties


Data Minimisation (Silent Risk Reducer)

☐ Collect only essential fields

  • Name, email, phone (if required)

☐ Remove unnecessary fields:

  • DOB, gender, address (unless essential)

☐ No hidden tracking scripts without disclosure (every analytics tag, pixel or chat widget must be named in the Privacy Policy)

Safe zone effect: Reduces severity if a violation occurs (less data held means less data exposed)
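The Consent Hygiene and Data Minimisation items above, as an added example that is not part of the original checklist: a small Node.js module for the server side of a lead form. It accepts only an explicit tick, stores a timestamped consent record with the policy version, drops non-essential fields and reports them, gates tracking scripts on the cookie-banner choice, and flags records past the retention period. The field allowlist, the consent wording, the policy version, the 365-day retention period and the sample submission are all assumptions.

```javascript
// Added example, not part of the original checklist. Handles a lead-form
// submission the way the Consent Hygiene and Data Minimisation items ask:
// explicit consent only, timestamped record, non-essential fields dropped,
// tracking scripts gated on the cookie banner, retention enforced.
// ESSENTIAL_FIELDS, POLICY_VERSION, RETENTION_DAYS and the wording are assumptions.

const ESSENTIAL_FIELDS = ["name", "email", "phone"]; // assumed allowlist
const POLICY_VERSION = "privacy-policy-2025-01";      // assumed; bump when the policy changes
const RETENTION_DAYS = 365;                           // assumed; must match "how long it is kept"
const CONSENT_TEXT = "I agree to be contacted about my enquiry."; // assumed form wording

// In-memory log for the example; a durable append-only store (even a
// JSON-lines file) is what a real site would use.
const consentLog = [];

// Consent needs a clear affirmative action. An HTML checkbox posts "on"
// when ticked and nothing at all when left alone; a JSON front end posts
// true/false. Anything else is "no consent". A pre-ticked box would also
// post "on", which is why the box must never render checked by default.
function validateConsent(submission) {
  const c = submission.consent;
  if (c !== true && c !== "on") {
    return { ok: false, reason: "no affirmative consent" };
  }
  if (typeof submission.email !== "string" || !submission.email.includes("@")) {
    return { ok: false, reason: "no contact identifier" };
  }
  return { ok: true };
}

// Keep only allowlisted fields; report what was dropped so the form can be
// trimmed at the source rather than silently collecting extra data.
function minimise(submission) {
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(submission)) {
    if (key === "consent") continue;
    if (ESSENTIAL_FIELDS.includes(key)) kept[key] = value;
    else dropped.push(key);
  }
  return { kept, dropped };
}

// Build and store the record: whose data, which data, for what purpose,
// under which policy version, with an ISO-8601 UTC timestamp.
function recordConsent(submission, purpose, now = new Date()) {
  const check = validateConsent(submission);
  if (!check.ok) throw new Error("consent rejected: " + check.reason);
  const { kept, dropped } = minimise(submission);
  const record = {
    subject: kept.email,
    data: kept,
    purpose,
    consentText: CONSENT_TEXT,
    policyVersion: POLICY_VERSION,
    consentedAt: now.toISOString(),
    droppedFields: dropped,
  };
  consentLog.push(record);
  return record;
}

// Cookie-banner gate: only an explicit "accept" lets analytics load.
// "reject" and "no choice yet" (undefined) both keep tracking off the page.
function trackingAllowed(bannerChoice) {
  return bannerChoice === "accept";
}

// Retention check: a record older than the published period is due for
// deletion (or fresh consent), which makes "how long it is kept" enforceable.
function dueForDeletion(record, now = new Date()) {
  const ageMs = now.getTime() - Date.parse(record.consentedAt);
  return ageMs > RETENTION_DAYS * 24 * 60 * 60 * 1000;
}

// Constructed sample submission, as a lead form would post it.
const sampleSubmission = {
  name: "A. Sharma",
  email: "a.sharma@example.com",
  phone: "+91-00000-00000",
  dob: "1990-01-01", // non-essential; will be dropped and reported
  consent: "on",
};

const demoRecord = recordConsent(sampleSubmission, "contact about enquiry",
  new Date("2025-06-01T10:00:00Z"));
console.log(JSON.stringify(demoRecord, null, 2));
console.log("tracking allowed after reject:", trackingAllowed("reject"));
console.log("due for deletion on 2026-07-01:",
  dueForDeletion(demoRecord, new Date("2026-07-01T00:00:00Z")));
```

The record deliberately stores the exact consent wording and policy version, because a later dispute is about what the person saw when they ticked the box, not about what the policy says today. The `droppedFields` list is the feedback loop for the "remove unnecessary fields" item: if it is never empty, the form still asks for too much.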


Security Safeguards (Critical)

☐ HTTPS enabled (valid certificate, plain HTTP redirects to HTTPS)
☐ Website updated (CMS / plugins / framework)
☐ Strong admin passwords (unique, not reused from other accounts)
☐ Two-factor authentication for admin panels, hosting and the business email account
☐ Access limited to need-to-know staff, and removed when they leave
☐ Backups of personal data that are actually tested (loss of access to data is itself a "personal data breach" under the Act)

☐ Data stored:

  • On secure servers

  • With restricted access

⚠️ This directly protects against the ₹250 crore risk: the highest slab in the Act's Schedule is for failing to maintain reasonable security safeguards


Breach Readiness (Even If You Never Had One)

☐ Simple breach response plan documented:

  • Who detects

  • Who decides

  • Who reports

☐ Contact email ready for communication with the Data Protection Board of India (DPBI)
☐ Template ready for user notification (even a draft); the Act requires informing both the Board and each affected Data Principal, and the DPDP Rules expect the detailed report to the Board within 72 hours of becoming aware of the breach

Safe zone effect: Failing to notify a breach is its own penalty slab (up to ₹200 crore); a documented plan keeps you out of it


Data Principal Rights Handling

☐ Dedicated email:

  • privacy@ / data@ / grievance@

☐ Internal process defined for:

  • Access requests

  • Correction requests

  • Deletion requests

☐ Response timeline defined (e.g., 7–14 days) and stated in the Privacy Policy

Safe zone effect: Ignored requests fall in the general "any other breach" slab (up to ₹50 crore); a working process keeps you out of it


Children’s Data Filter (Often Missed)

☐ Statement clarifying:

  • Website not meant for children (anyone under 18 under the Act) OR

  • Verifiable parental consent mechanism if children are involved

☐ No ads, tracking or behavioural monitoring targeting minors (expressly prohibited by the Act)

Safe zone effect: Avoids ₹200 crore penalty exposure (the slab for breaching the children's-data obligations)


Vendor & Tool Awareness

☐ List of third-party tools used:

  • Google Analytics

  • CRM

  • Email tools

  • Hosting provider

☐ Confirmation that vendors have:

  • Security policies

  • Data protection terms

☐ A valid contract with each vendor that processes personal data on your behalf (the Act allows a Data Processor to be used only under a valid contract; for SaaS tools the vendor's standard terms or data processing addendum is usually that contract, so save a copy in your records)


Documentation Folder (Your Shield)

Create a simple folder with:
☐ Privacy Policy
☐ Consent screenshots
☐ Security checklist
☐ Vendor list
☐ Breach response note
☐ Request handling SOP

When the Board fixes a penalty it must weigh the nature and gravity of the breach, the type of data involved, whether the breach is repeated, and what you did to mitigate it. This folder is your evidence for that last factor, and in practice it is the difference between a warning and a fine.


Annual Self-Review (Very Important)

☐ Review privacy policy yearly
☐ Update tools list
☐ Check forms & consent
☐ Update contact email if changed

Cost: 1 hour per year
Benefit: Staying in safe zone