DPDP Act Compliance Mumbai — Data Protection for Businesses 2026
The Digital Personal Data Protection Act 2023 applies to all Mumbai businesses collecting customer data. MICS DPDP compliance covers data audit, consent management, privacy policy, and breach response for Mumbai companies. Rs. 20,000-50,000.
MICS Team · 5 min read
The Digital Personal Data Protection Act 2023 is India's first comprehensive data privacy law — similar in intent to Europe's GDPR. Every Mumbai business that collects, stores, or processes personal data of Indian individuals must comply. For Mumbai's NBFC sector (storing Aadhaar, PAN, bank statements), e-commerce companies (customer purchase history, delivery addresses), hospitals (patient medical records), and HR software providers (employee data) — DPDP Act compliance is not optional.
# Who Must Comply in Mumbai
Financial Services (Highest Priority)
- NBFCs: KYC data, loan applications, bank statements, CIBIL scores of lakhs of borrowers
- Insurance: policyholder health data, claims information
- Payment companies: transaction data, bank account details
- Investment platforms: PAN, portfolio data, tax information
Healthcare
- Hospitals: patient diagnosis, treatment, prescriptions
- Diagnostic labs: test reports, medical history
- Telemedicine: online consultation records
E-Commerce and Retail
- Customer name, address, mobile number, purchase history
- Payment data (card, UPI)
- Browsing and preference data
HR and Staffing
- Employee PAN, Aadhaar, bank account details
- Salary, appraisal, health data
- Attendance, leave records
Technology Companies (B2B SaaS)
- If your SaaS product processes customer data of your clients' customers — you are a Data Processor
- DPDP Act applies to your product architecture and contractual obligations
# Key DPDP Act Obligations
1. Consent Before Processing
- Must obtain free, specific, informed, unconditional consent before collecting personal data
- Consent request must be in plain language — not buried in 10-page terms
- Separate consent for separate purposes — one blanket consent not sufficient
- Right to withdraw consent: must be as easy as giving consent
2. Data Minimisation
- Collect only data necessary for the stated purpose
- NBFCs asking for social media passwords or unnecessary data: now specifically prohibited
- Storage limitation: delete data when purpose is fulfilled
3. Data Principal Rights
- Right to access: user can ask what data you have about them
- Right to correction: user can correct inaccurate data
- Right to erasure: user can request deletion (with limitations)
- Right to grievance: must have a grievance officer — name and contact published
4. Security Safeguards
- Implement reasonable security: encryption, access control, audit logs
- Not defined precisely — context-dependent standard
- Data breach: notify Data Protection Board and affected individuals within 72 hours
5. Cross-Border Transfer
- Personal data can only be transferred to countries the government approves
- Default: data stays in India — AWS Mumbai, Azure Pune preferred
6. Children's Data
- Parental consent required for children under 18
- No targeted advertising to children
- Verifiable parental consent mechanism required
# MICS DPDP Compliance Services for Mumbai
Step 1: Data Audit
- Map all personal data collected by your Mumbai business
- Data inventory: what data, from whom, for what purpose, stored where, shared with whom
- Third-party vendors: assess data processors you share data with
- Risk assessment: sensitivity of data, security controls in place
Step 2: Consent Architecture
- Consent management platform: record consent with timestamp, IP, purpose
- Website consent banner: DPDP-compliant cookie and data consent
- App consent flow: mobile app data collection consent
- Marketing consent: separate from service consent
- Consent withdrawal: mechanism to withdraw and stop processing
Step 3: Privacy Policy and Notices
- Privacy policy: plain-language document listing what data collected, purpose, rights
- Data Processing Agreement (DPA): with vendors who access your data
- Employee privacy notice: inform staff of data collection in employment context
Step 4: Processes and Training
- DSR (Data Subject Request) handling: process to respond within 72 hours
- Breach response plan: who calls whom, what to document, how to notify DPB
- Employee training: every Mumbai employee who handles data must understand DPDP basics
- Grievance officer: appoint and publish contact details
Step 5: Technical Controls
- Encryption: at rest and in transit
- Access control: least privilege, so each role sees only the data it needs
- Audit logs: who accessed what data, when
- Data retention: automated deletion when retention period ends
- DPIA (Data Protection Impact Assessment): for new products or major changes
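To make the consent architecture of Step 2 and the audit-log and retention controls of Step 5 concrete, here is an added Python example (illustrative code written for this page, not MICS's consent management platform or any product it resells). It keeps one consent record per purpose with a timestamp, source IP and the version of the notice shown; makes withdrawal a single call that stops further processing; keeps an audit trail of every change; exposes a right-to-access export; and runs a retention sweep that deletes stored items when their retention period lapses or consent for their purpose no longer covers the current time. The principal id, IP address, purpose names and retention periods are constructed sample values.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    principal_id: str          # the data principal (customer, patient, employee)
    purpose: str               # one record per purpose: no blanket consent
    granted_at: datetime
    source_ip: str             # evidence of how consent was captured
    notice_version: str        # which plain-language notice the person saw
    withdrawn_at: Optional[datetime] = None


@dataclass
class DataItem:
    principal_id: str
    purpose: str
    collected_at: datetime
    retention_days: int        # storage-limitation period for this purpose


class ConsentLedger:
    """Consent records plus an audit trail of who changed what, and when."""

    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self.audit_log: list[dict] = []

    def _log(self, actor: str, action: str, principal_id: str, purpose: str, at: datetime) -> None:
        self.audit_log.append({"at": at.isoformat(), "actor": actor, "action": action,
                               "principal_id": principal_id, "purpose": purpose})

    def grant(self, principal_id, purpose, source_ip, notice_version, at, actor="consent-ui"):
        rec = ConsentRecord(principal_id, purpose, at, source_ip, notice_version)
        self.records.append(rec)
        self._log(actor, "grant", principal_id, purpose, at)
        return rec

    def withdraw(self, principal_id, purpose, at, actor="consent-ui") -> int:
        """Withdrawal is one call, as easy as granting; returns how many records were closed."""
        closed = 0
        for rec in self.records:
            if (rec.principal_id == principal_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                closed += 1
        self._log(actor, "withdraw", principal_id, purpose, at)
        return closed

    def is_allowed(self, principal_id, purpose, at) -> bool:
        """True only if an unwithdrawn consent for exactly this purpose covers `at`."""
        return any(
            rec.principal_id == principal_id and rec.purpose == purpose
            and rec.granted_at <= at
            and (rec.withdrawn_at is None or at < rec.withdrawn_at)
            for rec in self.records
        )

    def export_for_principal(self, principal_id) -> list[dict]:
        """Right-to-access view: every consent record held about one person."""
        return [asdict(rec) for rec in self.records if rec.principal_id == principal_id]


def retention_sweep(items, ledger, at):
    """Split stored items into (kept, deleted): delete when the retention period has
    elapsed or when consent for the item's purpose no longer covers `at`."""
    kept, deleted = [], []
    for item in items:
        expired = item.collected_at + timedelta(days=item.retention_days) <= at
        if expired or not ledger.is_allowed(item.principal_id, item.purpose, at):
            deleted.append(item)
        else:
            kept.append(item)
    return kept, deleted


def demo() -> dict:
    """Constructed scenario: one borrower, two purposes, one withdrawal (sample values)."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("P-1001", "loan-servicing", "203.0.113.7", "notice-v3", t0)
    ledger.grant("P-1001", "marketing", "203.0.113.7", "notice-v3", t0)
    ledger.withdraw("P-1001", "marketing", t0 + timedelta(days=30))

    now = t0 + timedelta(days=60)
    items = [
        DataItem("P-1001", "loan-servicing", t0, retention_days=365),         # within retention, consented
        DataItem("P-1001", "loan-servicing", t0 - timedelta(days=400), 365),  # retention period elapsed
        DataItem("P-1001", "marketing", t0, retention_days=365),              # consent withdrawn
    ]
    kept, deleted = retention_sweep(items, ledger, now)
    return {
        "service_allowed": ledger.is_allowed("P-1001", "loan-servicing", now),
        "marketing_allowed": ledger.is_allowed("P-1001", "marketing", now),
        "kept": len(kept),
        "deleted": len(deleted),
        "audit_events": len(ledger.audit_log),
        "access_export": len(ledger.export_for_principal("P-1001")),
    }


if __name__ == "__main__":
    print(demo())
```

The sweep checks consent as well as age, so a withdrawal is honoured by the deletion job even if the application layer forgets to stop processing; the audit log records the actor and time of each consent change, which is the evidence a grievance officer or the Data Protection Board would ask for.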
# Penalties Under DPDP Act
- Failure to implement security safeguards: up to Rs. 250 crore
- Breach notification failure: up to Rs. 200 crore
- Violation of children's data provisions: up to Rs. 200 crore
- Other violations: up to Rs. 50 crore
Mumbai's financial services companies have the highest penalty exposure given data volumes.
# Pricing
| Service | Cost |
|---|---|
| DPDP gap assessment | Rs. 20,000 |
| Full compliance programme (SME) | Rs. 35,000-60,000 one-time |
| Full compliance programme (enterprise NBFC) | Rs. 1,00,000-2,50,000 |
| Consent management platform setup | Rs. 25,000 |
| Annual compliance review | Rs. 15,000/year |
| Breach response retainer | Rs. 10,000/month |
Free DPDP assessment for Mumbai businesses: +91 9355273535 | admin@mics.asia
Tags: DPDP Act, Mumbai, Data Protection, Privacy Compliance, Consent Management
Need Help Implementing This?
Talk to MICS experts — free 30-min consultation, no commitment.