DPDP for startups (India): lean integrity playbook
- Connect day-to-day workflows to what you collect, disclose, and retain—on real user journeys.
- Review forms, integrations, and vendor access on a real journey.
- Document decisions so sales and product do not contradict support.
- When stakes are high, verify wording against official resources.
- Use the compliance portal to pick the next operational drill.
Startups optimize for speed; DPDP rewards bounded honesty—know what you collect, where it lives, and how you will respond when someone asks. This playbook targets commercial-intent queries (readiness, diligence, “what first”) and routes into startup readiness, founder mistakes, and founder-led governance.
30-day playbook
- Week 1 — Single map: One spreadsheet listing each system, its owner, the data categories it holds, and whether it touches Indian users (yes/no).
- Week 2 — Hot fixes: Top three leaks—usually analytics, CRM, support—each tied to the specific fields you will stop collecting.
- Week 3 — Grievance path: Published contact + ticket route—see escalation matrix.
- Week 4 — Diligence stub: Subprocessor page draft + answers starter for enterprise questions.
Lifecycle
- Scrappy BD: Founder inboxes and personal tools as accidental systems of record.
- Growth: Waitlists, referrals, PLG—identifiers collected before any formal CRM policy exists.
- Hiring: HRIS and payroll—suddenly government IDs and compensation inference.
- Scale sales: Security reviews exposing shadow SaaS.
Stack grid
| Layer | Govern | Questions |
|---|---|---|
| Core product | Auth, DB, files | Deletion vs soft-delete; tenant isolation if B2B |
| GTM | CRM, mail, enrichment trials | Who approved each trial vendor? |
| Contractors | Offshore design, VAs | Data processing addendum + access expiry |
| Observability | Logs, errors | PII in traces; retention vs marketing promises |
Disclosure: Illustrative categories—not endorsements. Future affiliate mentions will be labeled; see editorial policy.
Consent & notice
- Template mismatch: US-centric policies that ignore India-facing reality.
- PLG coupling: Onboarding that sneaks users into marketing.
- “Legitimate interest” folklore: Replace with counsel-approved narratives.
Failure modes
- Founder-only grievance inbox that goes dark.
- Backup retention contradicting “we delete immediately.”
- Shared analytics across experimental products.
Illustrative hypothetical (fiction, not factual): “Circuitloom,” a six-person devtool, emails diagnostic bundles on failed builds—sometimes with employee emails embedded in paths. A prospect asks about metadata retention; the team has tickets for features but none for log TTLs. The lesson: one-page data impact notes before launch for anything that touches customer identifiers.
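A small linter for the Week 1 data map, added here as an example (not part of the playbook or any product it references). It flags the contradictions named above: systems without an owner, retention longer than the public deletion promise (backups included), vendors holding personal data without a DPA, contractor access past its expiry, and identifiers sitting in error traces. The column names and the sample rows are assumed/constructed; map them onto your own spreadsheet export.

```python
"""Lint a Week-1 data map for the contradictions this playbook warns about."""
from datetime import date

# Constructed sample rows shaped like the Week-1 spreadsheet (one row per system).
# retention_days == 0 means "deleted on request immediately"; access_expiry is an
# ISO date for contractors/vendors, or None where access is not time-bound.
DATA_MAP = [
    {"system": "postgres", "owner": "cto", "categories": ["email", "name"],
     "indian_users": True, "retention_days": 0, "dpa": True, "access_expiry": None},
    {"system": "s3-backups", "owner": "", "categories": ["email", "name"],
     "indian_users": True, "retention_days": 90, "dpa": True, "access_expiry": None},
    {"system": "error-tracker", "owner": "eng", "categories": ["email", "stack_trace"],
     "indian_users": True, "retention_days": 30, "dpa": False, "access_expiry": None},
    {"system": "offshore-design-va", "owner": "founder", "categories": ["name"],
     "indian_users": False, "retention_days": 0, "dpa": True, "access_expiry": "2023-01-31"},
]

IDENTIFIERS = {"email", "name", "phone", "government_id"}


def audit_data_map(rows, promised_deletion_days, today_iso):
    """Return (system, finding) pairs; an empty list means the map is consistent."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rows:
        cats = set(r["categories"])
        if not r["owner"]:
            findings.append((r["system"], "no owner"))
        # "We delete immediately" is contradicted by any system keeping Indian
        # users' data longer than the promise, backups included.
        if r["indian_users"] and r["retention_days"] > promised_deletion_days:
            findings.append((r["system"], f"retention {r['retention_days']}d exceeds "
                                          f"promised {promised_deletion_days}d"))
        if cats and not r["dpa"]:
            findings.append((r["system"], "holds personal data without a DPA"))
        if r["access_expiry"] and date.fromisoformat(r["access_expiry"]) < today:
            findings.append((r["system"], "access expiry passed; revoke"))
        # Identifiers next to stack traces is the "PII in traces" observability leak.
        if "stack_trace" in cats and cats & IDENTIFIERS:
            findings.append((r["system"], "identifiers stored alongside traces"))
    return findings


if __name__ == "__main__":
    for system, note in audit_data_map(DATA_MAP, 0, "2024-06-01"):
        print(f"{system}: {note}")
```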