The DPDP Rules 2025 were notified on November 13, 2025. India’s Digital Personal Data Protection Act is no longer theoretical — it is enforceable, operational, and backed by financial penalties that can threaten business continuity. Yet most Indian startups and SMEs have no formal data protection policy in place. If you’re a founder, CTO, or compliance lead, this is your practical guide to the DPDP penalty structure — and what to do before enforcement ramps up.
The Penalty Structure: What You’re Actually Exposed To
Under Section 33 of the DPDP Act, the Data Protection Board of India (DPBI) can impose a monetary penalty for each "significant" breach of the Act or Rules, after an inquiry and a hearing. The Schedule to the Act sets a separate maximum for each category of contravention, not one ceiling per incident. This distinction matters enormously: a single data breach can simultaneously trigger penalties under several provisions of the Act.
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards resulting in a data breach | ₹250 crore |
| Failure to notify breach to DPBI and affected individuals | ₹200 crore |
| Violations involving children’s data — no parental consent, targeted advertising to minors | ₹200 crore |
| Obligations of Significant Data Fiduciaries not met | ₹150 crore |
| General violations of the Act or Rules | ₹50 crore |
| Violation by Data Principal (individual) | ₹10,000 |
Critical point: These are per-contravention maximums, not fixed fines. Section 33(2) directs the Board to weigh the nature, gravity and duration of the breach, the type of personal data affected, whether the conduct is repeated, any gain realised or loss avoided, and the mitigation steps taken before it sets the actual amount. But the Schedule carries no revenue-based cap: a ₹5 crore revenue startup faces the same maximum as a ₹5,000 crore enterprise. Section 17(3) does let the Central Government exempt startups from a few obligations (such as the notice, erasure and access-right provisions), but not from the security-safeguard or breach-notification duties that carry the largest penalties.
Also important: under Section 34, penalties are credited to the Consolidated Fund of India, not paid to victims. Data Principals who suffer harm must pursue civil remedies separately. However, the Board can also direct urgent remedial or mitigation measures (Section 27), which in practice can mean deleting data or changing systems, and the Board's orders are public. The reputational damage from a published adverse order often exceeds the financial fine.
Real Scenarios: Where Startups Get Caught
Scenario 1: The Bundled Consent Trap
A Series A fintech collects contacts, location, SMS data, and financial information during KYC onboarding. Their app has a single “I agree to Terms and Privacy Policy” checkbox covering 12 different data processing purposes.
DPDP violation: Section 6(1) requires consent to be free, specific, informed, unconditional and unambiguous, given by clear affirmative action, and limited to the personal data necessary for the stated purpose. The Act's own illustration makes the point: where consent for a service is bundled with access to the phone's contact list, the part covering the contacts is invalid. A single checkbox over 12 purposes therefore leaves the company processing most of that data without a valid legal basis. On its own that is a breach of "any other provision" (up to ₹50 crore); if the same data is then breached, the security-safeguards penalty (up to ₹250 crore) stacks on top.
Scenario 2: The Missed Breach Notification
A B2C EdTech platform suffers a database exposure affecting 50,000 student records. The security team patches the vulnerability within 24 hours and considers the matter resolved internally. No notification is made to the Data Protection Board or affected users.
DPDP violation: Unlike GDPR's risk-based notification threshold, Section 8(6) requires intimation of every personal data breach to the Board and to each affected Data Principal, regardless of severity or scale. Rule 7 of the 2025 Rules expects that intimation without delay, followed by a detailed report to the Board within 72 hours of becoming aware of the breach. Penalty exposure: up to ₹200 crore. Concealment weighs directly against the company under Section 33(2), which tells the Board to consider the gravity of the contravention and any mitigation actually taken.
Scenario 3: Children’s Data Without Parental Consent
A gaming app’s terms state users must be 18+, but the platform has no age verification mechanism. It runs targeted in-app advertisements and collects behavioural data from all users without distinguishing between adults and minors.
DPDP violation: Section 2(f) defines a child as anyone under 18. Section 9 requires verifiable parental consent before a child's personal data is processed, and expressly prohibits tracking, behavioural monitoring and targeted advertising directed at children, subject only to the narrow exemptions the Rules provide for specific classes of fiduciaries and purposes. An "18+" clause in the terms with no age assurance behind it does nothing to shift this obligation. Penalty exposure: up to ₹200 crore, one of the harshest provisions in the entire Act.
Scenario 4: No Grievance Redressal Mechanism
A SaaS startup’s privacy policy has a generic “contact@company.com” for data requests. No named Grievance Officer. No defined response timeline. No structured DSAR process. User requests for data access or deletion go unanswered for weeks.
DPDP violation: Section 8(10) requires an effective mechanism to redress Data Principals' grievances, and Section 8(9) requires the fiduciary to publish the business contact details of a Data Protection Officer or another person able to answer their questions. The Rules also require a published response period for grievances. A buried email address with no named person and no timeline does not meet this standard. Unaddressed requests are a direct enforcement trigger: Section 13(3) makes exhausting your grievance process the step before a user complains to the DPBI, so every ignored request is one step from the Board.
Scenario 5: Weak Security + Breach + No Notification = Maximum Exposure
A D2C brand stores 200,000 customer records, including names, addresses, purchase history and payment data, in an unencrypted database left on default cloud storage settings. A credential-stuffing attack against a reused administrator password exposes the entire dataset. The company delays notification by 10 days while assessing the situation.
DPDP violation: Two simultaneous penalties: failure to implement reasonable security safeguards (up to ₹250 crore) AND failure to notify the breach in a timely manner (up to ₹200 crore). Combined maximum exposure: ₹450 crore, for a company that may have under ₹10 crore in annual revenue. Rule 6 of the Rules spells out the minimum safeguards the Board will measure against: encryption, obfuscation or masking of personal data, access control, logging and monitoring to detect unauthorised access, backups, and retention of those logs for at least one year. An unencrypted store with default settings and no monitoring fails on every count.
The Enforcement Timeline: When Does It Actually Bite?
The DPDP Rules were notified on November 13, 2025. Full compliance is expected by May 13, 2027 — an 18-month implementation window. Here is what that timeline looks like in practice:
- Now – June 2026: Data mapping, gap analysis, privacy notice updates, consent mechanism audit. Start here — this is your baseline.
- July – December 2026: Implement consent infrastructure, breach notification protocols, DSAR workflows, vendor DPA reviews, Grievance Officer appointment.
- January – May 2027: Final controls hardening, staff training, audit trail documentation, enforcement readiness review.
- Post May 13, 2027: No grace period. Enforcement applies from Day 1 post-deadline with no leniency for companies that haven’t started.
The Data Protection Board is currently building enforcement capacity. Initial enforcement will be complaint-driven — but expect high-profile early cases in EdTech, FinTech, and HealthTech to set precedent and signal the Board’s approach to penalties.
What Startups and SMEs Must Do Right Now
You don’t need to build a full compliance team overnight. Focus on these five high-impact actions first:
- Map your data: Know exactly what personal data you collect, why you collect it, where it is stored, and which vendors or third-party tools process it. You cannot protect what you haven’t inventoried.
- Fix your consent: Replace any bundled or implied consent with purpose-specific, affirmative consent for each processing activity, collecting only the data that purpose actually needs. Section 6(4) requires withdrawal to be as easy as giving consent, so a one-click withdrawal per purpose is the standard, not a buried settings page.
- Update your privacy notice: It must be standalone, in plain language and purpose-specific, and Section 6(3) requires you to offer the notice in English or any of the languages in the Eighth Schedule to the Constitution, so plan for the regional languages your users actually read.
- Build a breach response playbook: Assign ownership, define internal escalation steps, and set up a workflow that can intimate the DPBI and affected users without delay and file the detailed report within the 72-hour window in Rule 7. Remember that CERT-In's 2022 directions separately require reporting cyber incidents to CERT-In within six hours, so the playbook needs two clocks. The Board operates as a digital office; know how you will file before you need to.
- Appoint and publish a Grievance Officer: Name a specific person, publish their contact details on your website and in your notice, and publish a response period (the Rules cap it at 90 days). This is non-negotiable and auditable.
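The consent model described in Scenario 1 and in the "Fix your consent" step above is easy to get wrong in code: one boolean for "agreed to everything" is exactly the bundled consent the Act's illustration rejects. The following is an added example, not code from the original page or from MYITMANAGER, of a minimal purpose-specific consent ledger. Each purpose gets its own record, unticked boxes produce no record at all, withdrawal is a single call, and every processing check is made per purpose and per data category so that consent for KYC can never be stretched to cover, say, the phone's contacts. The purpose names, data categories, notice version strings and the form submission at the bottom are all constructed for the illustration.

```python
"""Purpose-specific consent ledger (added illustration; hypothetical helper, not from the
DPDP Act or Rules). Consent is recorded per purpose, limited to the data that purpose
needs (Section 6(1)), and withdrawn with one call (Section 6(4))."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Purpose:
    purpose_id: str
    description: str
    necessary_data: frozenset  # data categories this purpose actually needs


@dataclass
class ConsentRecord:
    principal_id: str
    purpose_id: str
    notice_version: str          # which Section 5 notice the person saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only ledger: a consent exists only if the principal affirmatively gave it."""

    def __init__(self, purposes: List[Purpose]):
        self.purposes = {p.purpose_id: p for p in purposes}
        self.records: List[ConsentRecord] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def record_form(self, principal_id: str, notice_version: str,
                    choices: Dict[str, bool]) -> List[str]:
        """choices maps purpose_id -> True only when that box was ticked.
        Unknown purposes are an error; unticked purposes get NO record (no implied consent)."""
        unknown = set(choices) - set(self.purposes)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        granted = []
        for purpose_id, ticked in choices.items():
            if ticked is True:  # a truthy placeholder such as "yes" is not affirmative action
                self.records.append(
                    ConsentRecord(principal_id, purpose_id, notice_version, self._now()))
                granted.append(purpose_id)
        return granted

    def withdraw(self, principal_id: str, purpose_id: str) -> int:
        """Withdraw one purpose in one call; returns how many active consents were closed."""
        closed = 0
        for rec in self.records:
            if rec.principal_id == principal_id and rec.purpose_id == purpose_id and rec.active:
                rec.withdrawn_at = self._now()
                closed += 1
        return closed

    def may_process(self, principal_id: str, purpose_id: str, data_category: str) -> bool:
        """True only if an active consent exists for this purpose AND the category is one
        the purpose needs. Consent for one purpose never licenses data for another."""
        purpose = self.purposes.get(purpose_id)
        if purpose is None or data_category not in purpose.necessary_data:
            return False
        return any(r.principal_id == principal_id and r.purpose_id == purpose_id and r.active
                   for r in self.records)

    def history(self, principal_id: str) -> List[dict]:
        """Full consent history for one person, suitable for answering an access request."""
        return [{"purpose": r.purpose_id, "notice": r.notice_version,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self.records if r.principal_id == principal_id]


# Constructed purposes for the illustration (names and categories are assumptions).
PURPOSES = [
    Purpose("kyc", "Identity verification for account opening",
            frozenset({"name", "pan", "address"})),
    Purpose("marketing", "Promotional messages", frozenset({"email", "phone"})),
    Purpose("contacts_sync", "Find friends via phone contacts", frozenset({"contacts"})),
]


def demo():
    """Constructed form submission: the user ticked KYC only and left the other boxes blank."""
    ledger = ConsentLedger(PURPOSES)
    granted = ledger.record_form("user-42", "notice-v3",
                                 {"kyc": True, "marketing": False, "contacts_sync": False})
    kyc_pan = ledger.may_process("user-42", "kyc", "pan")             # consented, necessary
    kyc_contacts = ledger.may_process("user-42", "kyc", "contacts")   # not necessary for KYC
    marketing = ledger.may_process("user-42", "marketing", "email")   # never consented
    closed = ledger.withdraw("user-42", "kyc")
    after_withdraw = ledger.may_process("user-42", "kyc", "pan")
    return granted, kyc_pan, kyc_contacts, marketing, closed, after_withdraw, ledger.history("user-42")


if __name__ == "__main__":
    print(demo())
```

The check that matters in production is `may_process`: call it at the point where data is actually used for a purpose (sending a marketing message, reading the contact list), not only at signup, so that a withdrawal takes effect immediately and the ledger doubles as the audit trail you will need when the Board asks what consent you held, under which notice, and when.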
The Business Case for Compliance
Smart founders treat DPDP compliance as a growth enabler, not just a regulatory obligation:
- Enterprise sales: B2B customers — especially BFSI, healthcare, and multinational companies — now require data protection evidence in vendor due diligence. Compliance documentation directly accelerates deal closure.
- Investor readiness: VC and PE firms are adding DPDP compliance to their due diligence checklist. Non-compliance is flagged as operational and regulatory risk that affects valuation.
- Cyber insurance: Insurers increasingly ask for evidence of data protection controls and regular VAPT when pricing cyber cover; documented DPDP compliance strengthens that evidence and can lower premiums.
- International expansion: DPDP compliance combined with ISO 27001 or SOC 2 positions you for GDPR alignment — opening EU market access without starting from scratch.
How MYITMANAGER Helps Startups and SMEs Get Compliant
We’ve designed a lean, outcome-focused DPDP compliance program specifically for startups and SMEs — covering the essentials without over-engineering or unnecessary cost.
Our engagement covers: data discovery and mapping, privacy notice and consent architecture, breach notification playbook, DSAR workflows, Grievance Officer setup, vendor DPAs, and security controls aligned to CERT-In and DPDP Act requirements.
Most startups can achieve audit-ready DPDP compliance in 6–8 weeks with our structured approach — before enforcement begins and while the cost of compliance is still manageable.
Don’t wait for an enforcement action to force your hand. Talk to our team today — the first consultation is complimentary.