From Paper to Proof: Navigating DPDPA for Indian Enterprises

By Rishi Agrawal Ceo and Co founder of Teamlease Regtech

India has moved from a landscape of fragmented and sector-specific privacy requirements to a comprehensive, uniform and enforceable data protection framework with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025. For the first time, every organisation, regardless of size or sector, is being asked not just to “say” they protect personal data, but to prove it through logs, notices, access records, retention trails, audit reports and breach documentation.

This transition has different meanings for startups, MSMEs and large enterprises. Each group carries its own resource constraints, operational capabilities and realities. The Act and the Rules acknowledge these differences through a graded approach, but the lived experience of compliance will vary sharply across the ecosystem.

Startups, for instance, thrive on experimentation and short feedback loops. Their engineering teams optimise for shipping features, not architecting controls ...