Data protection and MSMEs
This article is authored by Akshaya Suresh, partner and Tharusha Selvanambi, associate at JSA Advocates & Solicitors.
Micro, small, and medium enterprises (MSMEs) have become a crucial part of the Indian economy. They are pushing India to be more self-reliant by contributing to increased employment and entrepreneurship opportunities, innovations and exports and decreasing the economic disparity in the country. Considering their crucial role in India’s economy, it becomes important to analyse the challenges and opportunities it may have in the context of India’s data protection law, the Digital Personal Data Protection Act (DPDPA), coming into effect with the recent notification of the Digital Personal Data Protection Rules, 2025 (Rules). Enacted in 2023, the DPDPA regulates the collection of personal data, its use, further transmission, storage, retention, security, and individual rights. Its implementation is still a maze, and is expected to particularly impact MSMEs, requiring them to have new or revised SOPs and policies aligning with the DPDPA.

Under the DPDPA, personal data can only be collected on the basis of consent or on certain other legitimate uses listed, such as when personal data is voluntarily provided, for employment purposes, compliance with laws or court orders. MSMEs, due to their nature, size, and lack of prior regulatory requirement, may not have a systematic process in place to record the legality of collecting personal data and the uses it is put to. Understanding and recording the lifecycle of personal data is the first step to identify the obligations under the DPDPA. Creating records of processing activities can potentially result in operational overheads for the MSMEs, exceeding the limited capacity and resources of most MSMEs.
The DPDPA grants individuals, the data subjects, rights concerning their data, like the right to access, correct, and erasure of their data, and the right to grievance redressal. What this means is that, as data fiduciaries, MSMEs need to build organisational capacity to address this, and could involve setting up an internal mechanism to handle individuals’ requests and complaints. MSMEs need to ensure that these processes are simple and easily accessible by individuals, and also have backend processes and resources to verify these requests, provide the right response, and solve the requests or grievances efficiently.
An important compliance requirement under the DPDPA is the responsibility of organisations to protect the personal data that they process from breach. Some technical measures prescribed under the Rules include obfuscation of personal data, maintaining access logs, etc. Many MSMEs may not have the budget or resources to comply with this. For example, it is common to see a small retail shop collecting customers’ data and logging it in unencrypted spreadsheets. Even these shops will now be required to implement the mandated security measures. Lack of awareness about the effect of these new legal obligations amongst the MSMEs is also an area of concern.
MSMEs rely on external vendors such as cloud storage providers and email marketing platforms, for their operation. In case of a data breach or non-compliance by vendors processing data on MSMEs’ behalf, it would be the MSMEs who are data fiduciaries, subject to penalties under the DPDPA. To mitigate risks, the MSMEs would need to consider due diligence before onboarding them, entering into well-negotiated agreements to pass on responsibility, and conducting periodic audits. The challenge here is that the MSMEs may not have much leverage to negotiate agreements with these external vendors. Vendor due diligence and audit are also an expensive undertaking.
What is the way forward then? Data protection authorities in many countries, like the UK or Canada, have free and easily accessible resources and tools to help smaller organisations manage their compliance. They also provide simple and practical guidance periodically. Various cost-efficient compliance tools in the market could also provide tailored solutions for MSMEs. With the help of such resources and tools, the path to compliance would become easier for MSMEs.
Another ray of light is the possibility of exemption from some requirements under the DPDPA. The central government has the power to exempt certain categories of data fiduciaries from a few specific obligations, which could include MSMEs. Irrespective of legal exemptions, we could see different asks from the market. With the premium placed on data and the growing importance of its protection globally, we can presume that individuals and customers would prefer to associate with an organisation that has a robust data protection posture, legal exemptions notwithstanding.
DPDPA compliance is not just about avoiding penalties. A good privacy and data protection posture enhances customer trust, provides a competitive edge in securing partnerships or large clients, and minimises the risks of reputational damage. MSMEs can not only reduce risk but also unlock new business opportunities by embedding data protection practices into their daily operations.
This article is authored by Akshaya Suresh, partner and Tharusha Selvanambi, associate at JSA Advocates & Solicitors.

E-Paper

