Common DPDP Act Mistakes Startups Make in the First 90 Days
Five recurring mistakes we've seen across SaaS, fintech, and HR tech — and the inexpensive fixes that close roughly 60% of your real regulatory exposure.
After walking dozens of Indian startups through their first Digital Personal Data Protection (DPDP) Act, 2023 sprint, the same five mistakes keep appearing. Each one is cheap to fix if you catch it in the first quarter, and expensive to unwind later.
Mistake 1: Treating consent as a legal artifact instead of a product decision
The most common failure mode: legal drafts a consent notice, engineering hides it behind a modal, and nobody revisits the withdrawal path. Section 6(4) of the DPDP Act requires withdrawal to be as easy as giving consent, and the second-order effects — cascading deletions, downstream processor notification, marketing suppression — never get wired up.
The fix: treat consent as a first-class product surface. Design the preference centre before you write the notice. Model consent state alongside user state in your data model. Wire cascade deletion into your ETL pipelines the same sprint you ship the modal.
Mistake 2: A data inventory that stops at production databases
Founders proudly show us a data map covering their Postgres primary. Then we ask about the CRM (HubSpot), the support tool (Zendesk), the analytics stack (Mixpanel, PostHog), the marketing platform (Mailchimp), the ATS (Greenhouse), and the finance system (Zoho or QuickBooks). Silence.
Personal data lives in every SaaS you've ever adopted. If it isn't in the map, it isn't in the vendor register, and it isn't covered by a DPA.
The fix: do the inventory by invoice. Pull every SaaS spend line for the last 12 months and ask the owning team what personal data flows through it. This takes an afternoon and finds 80% of the gap.
Mistake 3: Copy-pasted DPAs from GDPR templates
We see European DPA templates lightly find-and-replaced with "DPDP Act" in Indian contracts. These almost always miss the Section 8(2) processor obligations, the Section 8(6) breach notification cascade to the Data Fiduciary, and the (forthcoming) Consent Manager registration references.
The fix: maintain a canonical DPDP-native DPA template that your legal team uses as the baseline. GDPR DPAs are a starting point, not a substitute. Our vendor risk assessment engagement rebuilds this from scratch.
Mistake 4: Ignoring employee data
Employee data is in scope. Recruiting data, background checks, performance reviews, salary information, health disclosures — all personal data. Section 7(i) provides a legitimate use for processing "necessary for employment", but that basis is narrower than most HR teams assume. Wellness programs, engagement surveys, and "voluntary" internal communications platforms usually need consent.
The fix: run a mini-inventory for HR. Map every HR system, decide the lawful basis for each processing activity, and update the offer letter and employee handbook to include a proper Section 5 notice.
Mistake 5: Confusing "we don't have a breach yet" with "we're ready for one"
Nine out of ten breach response plans we review are copy-pasted from a compliance framework and have never been tested. When a real incident happens — usually a phishing compromise of a support agent's account — the plan doesn't map to who actually holds decision authority in the company at 11pm on a Saturday.
The fix: run a two-hour tabletop exercise this quarter. Use a scenario as ordinary as "our support agent's laptop was stolen and they were logged into the CRM". Watch what breaks. Fix the plan.
What "60% of exposure" actually means
Regulators do not levy penalties for imperfect policies. They levy penalties for demonstrably harmful failures — undisclosed breaches, non-existent consent architecture, unfulfilled rights requests, and cross-border transfers with no diligence. Fixing the five items above closes the failures that regulators can see.
If you want a structured 90-day sprint, our full DPDP Act compliance program is built around exactly these fixes in exactly this order.
Get help implementing this
Turn this reading into a compliance plan.
Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.
Book a free 30-minute consultation