If you run a small business, startup, or MSME in India and handle customer or employee data, there’s a new rulebook you cannot ignore — the Digital Personal Data Protection (DPDP) Rules, 2025. These rules are now law and spell out how personal data must be collected, used, stored, protected and eventually deleted. (Wikipedia)
But here’s the twist: most MSMEs still haven’t realised this. That’s not opinion — that’s what Tally Solutions Managing Director Tejas Goenka said in a recent Moneycontrol interview.
“There’s a lot of effort that’s going to be needed. I don’t think people are even aware… DPDP is not even a subject in many conversations. There’s a lot that government, industry bodies and agencies will have to do to spread this knowledge.” — Tejas Goenka, MD, Tally Solutions (Moneycontrol)
This tells you one thing: DPDP Rules compliance isn’t an abstract legal concept anymore — it’s a real business challenge and opportunity.
In this post, we explain DPDP Rules in plain language, why they matter, what MSMEs should worry about, practical compliance steps, real penalties, and the tools you can adopt right now.
The DPDP Rules, 2025 were notified by the Government of India on November 14, 2025 under the Digital Personal Data Protection Act. (Wikipedia)
They add detail to how businesses must:
Think of the DPDP Rules as the operational playbook for data privacy in India — especially for digital businesses.
Even if your business is small, if you:
✔ collect customer phone numbers or emails
✔ save data in CRMs, Excel, WhatsApp
✔ use cloud tools or third-party apps
✔ have employee records
…then DPDP Rules apply to you.
Yet, as Tally MD Tejas Goenka warned:
“Most MSMEs aren’t even aware of DPDP compliance yet.” (Moneycontrol)
This poses two big risks:
So the early birds who act now will avoid costly mistakes later.
Myth: “Data protection laws only hit big tech and MNCs.”
Reality: Any business handling digital personal data needs to follow DPDP Rules.
Myth: “Penalties are unlikely.”
Reality: Penalties exist if negligence or breach occurs — especially if you ignore consent rules or data security. (Moneycontrol)
Here’s a practical checklist you can start with today:
Tell users:
Example language:
“We collect your phone number to send invoices and delivery updates only.”
Verifiable and informed consent — not hidden pre-ticks.
If you use customer numbers for marketing, get explicit opt-in.
Avoid:
❌ shared public spreadsheets
❌ storing unsecured files on phones
Use secure cloud services with access restrictions.
If a customer wants:
You must respond within a reasonable time.
Older or irrelevant data?
Delete it.
Records should only be kept as long as needed.
Small steps = big compliance impact.
❌ Sending marketing texts without consent
❌ Sharing customer lists with external agencies
❌ Storing sensitive data in open files
❌ Ignoring employee data safety
These can draw enforcement attention faster than you think.
Yes — if you handle personal data digitally, you must follow the basic principles.
Yes — DPDP Rules cover all digital personal data collection and use.
Penalties generally target repeated negligence or harmful misuse, but showing good-faith compliance matters.
You still need transparent purpose notices and basic consent.
DPDP Rules aren’t designed to kill business growth. They are a framework to:
✔ protect customer trust
✔ formalise responsible data handling
✔ align Indian businesses with global data privacy norms
And the fact that leading software providers like Tally Solutions are sounding the alarm means it’s time to pay attention and act. (Moneycontrol)
Tabrez is a first-generation entrepreneur, tea trader, exporter and business writer from Assam. Through BusinessZindagi.com, he shares practical insights, ground-reality perspectives and entrepreneurial lessons for MSMEs, exporters, startup founders and small business owners in India.
This article explains DPDP Rules from a business and awareness perspective. It is not a legal opinion. For case-specific compliance interpretation, consult a qualified legal or data privacy professional.