India has finally come on board with the worldwide data privacy movement. The Digital Personal Data Protection (DPDP) Act, 2023 the nation's first data privacy law to be comprehensive, detailed, and separate has become a law.

With the DPDP Rules likely to be notified and phased enforcement to begin in 202526, every business that accesses personal data of Indian citizens needs to figure out what this law requires of them and how they can get compliant with it.

This guide is for all of you startup founders who operate customer databases, SME owners who manage digital operations, Chartered Accountants who offer compliance advisory services to clients, and in, house legal teams of big corporations who develop enterprise, grade privacy frameworks.

If you are hearing about the DPDP Act for the first time or if you want to go a step further in understanding it, consider this your ultimate guide.

We explain it all: the provisions of the Act, its coverage, its specific obligations, the individual rights that it establishes, the monetary penalties for breach up to 250 crores, its comparison with international frameworks like the GDPR, industry, specific issues, and finally, a solid 10, step compliance checklist to help you start the ball rolling.

⚡Quick Stat: Under the DPDP Act, a company can be fined up to 250 crores for a data breach caused by poor security measures. To give you an idea, this is one of the biggest regulatory fines in Indian law at present.

Table of Contents

• What Is the DPDP Act? A Plain-Language Overview
• Legislative History: How India Got Here
• Who Does the DPDP Act Apply To?
• Key Definitions You Must Know
• Core Compliance Obligations for Data Fiduciaries
• 8 Rights of the Data Principal
• DPDP Act Penalties: The Full Picture
• Sector-Wise Impact: What Your Industry Needs to Know
• DPDP Act vs. GDPR: A Side-by-Side Comparison
• The Role of the Data Protection Board of India
• DPDP Act Compliance for SMEs and Startups
• Your 10-Step DPDP Compliance Checklist
• Frequently Asked Questions
• How Book My Accountant Can Help

1. What Is the DPDP Act? A Plain-Language Overview

The Digital Personal Data Protection Act, 2023 (DPDP Act or DPDPA), is India's first comprehensive, standalone legislation that details the entire lifecycle of handling personal data of individuals in digital form, i.e. collection, storage, use, sharing, and deletion. After the DPDP Act was passed by Parliament, it was given Presidential assent on August 11, 2023 and the same day it was notified in the Official Gazette.

Before the enactment of the DPDP Act, data protection in India was a rather disjointed matter with India mainly relying on Section 43A of the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Both of which were considered insufficient to handle the scale and complexity of India's contemporary digital economy.

The DPDP Act fills the void. It is grounded on four attribute principles:

1. Consent: The personal data of an individual shall be processed only if the individual has given his informed, free, specific, and unambiguous consent. 
2. Purpose Limitation: When data is collected for a particular purpose, it cannot be used for a different purpose unless fresh consent is obtained. 
3. Data Minimisation: Only such data that is indispensable for the accomplishment of the stated purpose shall be collected. 
4. Accountability: Data Fiduciaries have a legal obligation to ensure compliance and may be penalised if they fail to meet this obligation. 

The Act also creates the Data Protection Board of India as the regulatory authority which among other things will be responsible for complaint adjudication and penalty imposition.

📌 Note: At present, the DPDP Act is applicable only to 'digital personal data' data that is digitally collected or data which has been digitised after collection. An amendment in the future can broaden it to include offline data also.

2. Legislative History: How India Got Here

India's path to a comprehensive data protection law was length, filled with disagreements, and finally, influenced by some key legal and technological moments in the country.

2017 The Puttaswamy Judgment:

The Supreme Court of India, in a historic nine judge bench, unanimously held that the Right to Privacy is a fundamental right under Article 21 of the Constitution. It was this very decision that made the need for a dedicated data protection law a matter of constitutional necessity.

2018 The Srikrishna Committee Report:

The Justice B.N. Srikrishna Committee presented its report titled 'A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, ' along with a draft Personal Data Protection Bill. This document became the primary source of inspiration for all subsequent versions of India's data privacy law.

2019 Personal Data Protection Bill Introduced:

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha and then sent to a Joint Parliamentary Committee (JPC) for further examination. The bill included stringent data localization clauses and broad government exemptions, which were criticized heavily by both industry and civil society.

2021- 22 JPC Report and Revisions:

In December 2021, the JPC handed over its report with 81 amendments to the original Bill and 12 new recommendations that extended the scope of the Bill. Nevertheless, the Bill was withdrawn in August 2022 due to its complexity and the intention to bring more balanced legislation.

August 2023 DPDP Act Enacted:

The Digital Personal Data Protection Bill, 2023 was passed by both Houses of Parliament with a record, breaking speed and the President gave his assent on August 11, 2023. Compared to its predecessors, it was a much more concise law with lots of the content left to be determined by subordinate rules.

2024- 25 Draft DPDP Rules:

MeitY (The Ministry of Electronics and Information Technology) made the draft DPDP Rules available for public consultation. It is anticipated that the Rules will be completed and officially published in 2025, following which businesses will receive formal compliance deadlines.

💡 The DPDP Act is a principle, based law it dictates very general obligations and delegates to Rules and Regulations the defining of procedural specifics. In other words, companies have to get ready for the framework right now even though the smallest details are yet to be finalized.

3. Who Does the DPDP Act Apply To?

The DPDP Act indeed has a wide range of applicability. Knowing whether and how the law applies to your organisation is basically the first step to building a compliance programme.

Territorial Scope

The Act applies to:

• Processing within India: Any processing of digital personal data that is collected within the territory of India.
• Extraterritorial Processing: (Outside India) Processing of personal data carried out outside India, if the processing is in connection with the means of offering goods or services to Data Principals located in India.

This extraterritorial clause is quite significant it means a company headquartered in Singapore, the US, or the UK which has Indian users must comply with the DPDP Act, just like GDPR does with European Union residents.

Who Is a Data Fiduciary?

A Data Fiduciary is any person, company, firm, state or a body of persons whether incorporated or not that alone or together with others, decide the purpose and means of personal data processing.

In layman's terms: if your company makes decisions about why and how personal data is collected, then you are a Data Fiduciary, and hence the full force of the Act's obligations will be imposed on you.

Who are Major Data Fiduciaries?

The Central Government, after considering the amount and nature of data processed, the potential risk to the rights of the Data Principals, the issues related to national security, and some other factors, may declare certain Data Fiduciaries as Major Data Fiduciaries (SDFs). SDFs are required to comply with stricter rules such as:

1. Compulsory designation of a Data Protection Officer (DPO) located in India
2. Engaging an independent Data Auditor
3. Regular Data Protection Impact Assessments (DPIAs)
4. Addition of obligations as per the Government

Even though the Government has not revealed any official list of SDFs yet, large platforms, social networks, processors of healthcare data, and financial services companies are the most probable ones to be given such designation.

Exceptions Under the DPDP Act

The Act does allow for a few exceptions to its provisions. These are the scenarios:

• Personal data processing by the State for the welfare of people and national security
• Processing for research, archiving, or statistical purposes, with proper safeguards
• Personal or domestic purposes (an individual handling their own data)
• Publicly available personal data (according to the Government's conditions)

📌Important: The Government has a wide range of powers to exempt certain government agencies from provisions of the Act on national security, sovereignty, or public order grounds. This part of the law has been criticised by privacy advocates.

4. Key Definitions You Must Know

Getting the terminology right is critical for building an accurate compliance programme. Here are the most important definitions under the DPDP Act:

Personal Data: Any data about an individual who can be identified from or in connection with such data. It is a very broad category basically, it covers any kind of information such as names, phone numbers, email addresses, location data, financial records, health information, and so on.

Data Fiduciary: The person who decides the purpose and the means of the processing of personal data (basically the data controller in GDPR jargon).

Data Processor: A Data Processor is a person who processes personal data on the instruction of a Data Fiduciary. Examples of such persons can be clouding storage companies, payroll processing firms, or CRM software providers.

Data Principal: The individual whose personal data is being processed (the data subject in GDPR terminology).

Consent Manager: A registered entity that enables Data Principals to give, manage, review, and withdraw consent through a user, friendly, interoperable platform.

Processing: It means any action taken on personal data, either manually or through automated means collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

Data Protection Board of India: The adjudicatory body set up under the Act to decide complaints, conduct inquiries into breaches, and impose penalties.

5. Core Compliance Obligations for Data Fiduciaries

At the core of the DPDP Act are the obligations imposed on Data Fiduciaries. These are not mere suggestions they constitute legal requirements, and non, compliance may lead to heavy fines.

5.1 Obtaining Valid Consent

Data Fiduciaries should obtain free, specific, informed, unambiguous, and unconditional consent from the Data Principal before they process any of their personal data. The consent request should:

• Be part of a notice that is easily understandable and written in common language
• State explicitly what data will be collected and for which exact purpose it will be used
• Not be bundled with consent for any other information
• Provide the individual with a simple and straightforward way to withdraw consent

Most importantly, the responsibility for demonstrating that valid consent was obtained rests with the Data Fiduciary. If the matter comes before the Data Protection Board, you'll have to prove that you went after consent in a proper way and got it.

5.2 Lawful Bases Beyond Consent

In addition to consent, the DPDP Act allows certain 'legitimate uses' of personal data without the need for explicit consent. These uses are:

1. Voluntary Disclosure: When the Data Principal has voluntarily given data for a specific purpose.
2. State Functions: Processing by the State for welfare and law enforcement purposes.
3. Medical Emergencies: Processing necessary to respond to life, threatening medical emergencies.
4. Employment: Processing personal data of employees for legitimate employment purposes.
5. Public Interest: Processing for certain public interest functions including court proceedings and regulatory activities.

5.3 Purpose Limitation and Data Minimisation

The two principles are interdependent. Data Fiduciaries may only acquire personal data that is essential for the declared, clearly defined purpose and such data can only be used for that purpose. When the purpose is achieved, the data should be deleted unless the law requires keeping it.

On the ground, organisations are required to review their current data collection operations. Using the tactic of 'collecting data that might be useful in the future' like email addresses, phone numbers, or demographics without any clear present use is against the DPDP Act.

5.4 Data Accuracy and Completeness

Data Fiduciaries are expected to take reasonable steps to verify that the personal data they handle are accurate and complete, particularly when such data are used to make decisions about the Data Principal or are shared with other entities. If incorrect or outdated data causes harm, that business could be in receipt of a grievance complaint.

5.5 Security Safeguards

All Data Fiduciaries are required to carry out technical and organisational safeguards that are fit to the purpose of protecting the personal data of a person from breach, loss, unauthorised access, or misuse. The Act does not specify the security standards that must be followed it only refers to 'reasonable security safeguards' however, the requirement is that the security safeguards must match the amount and nature of the data held.

Examples of security and practical measures that can be used to demonstrate compliance with the security requirements are:

• Encrypting personal data both when it is being transmitted and when it is stored
• Using access control based on the roles in the organisation to restrict the viewing of personal data
• Security audits and vulnerability assessments carried out on a regular basis
• Systems containing personal data to be protected by multi, factor authentication
• Third, party processors to be subject to vendor security assessments

Employees to be given regular training on data privacy and security

5.6 Breach Notification

In case of a personal data breach Data Fiduciary is required to notify the Data Protection Board of India and the Data Principals concerned without undue delay once he becomes aware of the breach. The period within which the notification is to be done is a matter that will be set out in the DPDP Rules. Also, the format of the written notification is to be in accordance with that which has been prescribed.

However, the most important thing is that the notification shall be done even if the Data Fiduciary thinks that the breach does not have a damaging effect. The current version of the Act has no materiality threshold.

5.7 Processing children's personal data

The DPDP Act considers anyone under 18 as a special category whose data needs extra protection. A data fiduciary must not process the data of a child or a minor without first:

• Getting a verifiable consent from the parent or the guardian of the child
• Making sure the identity and age of the child have been confirmed before processing
• Avoiding any processing that would harm the child's welfare
• Not tracking or monitoring children's behaviour
• Not doing targeted advertising aimed at children.

The government may, through rules, exempt certain categories of data fiduciaries from these requirements, for example, healthcare providers who are processing children's health data during an emergency, but generally, these obligations apply broadly.

5.8 Cross, border data transfers

Personal data collected in India may only be sent to other countries or territories that have been notified by the Central Government as permissible transfer destinations. The government has not yet released its list, but it is expected to follow a risk, based assessment similar to GDPR's adequacy decisions.

Companies that at the moment are routing data through servers, cloud providers, or analytics platforms located in foreign jurisdictions must thoroughly analyse these data flows and be ready to limit them if the country of destination is not included in the approved list.

5.9 Obligations of Data Processors

In cases where a Data Fiduciary hires a third, party Data Processor to deal with personal data on its behalf, a Data Fiduciary remains accountable for the Processor's compliance with the DPDP Act. Agreements with Data Processors should include suitable data protection clauses, and Processors should only process data following the instructions given by the Fiduciary.

6. The 8 Rights of the Data Principal

Among the most important features of the DPDP Act is the array of rights it bestows upon individuals concerning their personal data. As a Data Fiduciary, it is your legal obligation to develop processes, systems, and reaction mechanisms that facilitate the fulfilment of each of these rights.

Right 1: Right to Access Information

All Data Principals possess the right that a Data Fiduciary shall provide them with a brief of what personal data is being processed and the processing activities that are being undertaken. Such information must be given on request and in a manner that is easy to understand.

Right 2: Right to Correction and Updating

Data Principals have the right to ask for correction or updating of personal data if they find it inaccurate, incomplete, or outdated. Data Fiduciaries should comply with such requests without delay and also ensure that downstream processors or recipients are informed of the corrections.

Right 3: Right to Erasure

It is the right that people can ask for their personal data to be deleted when it is no longer necessary for the purpose it was collected, or when they withdraw their consent. This is also called the "Right to be Forgotten."

The right is not absolute, retention required by law takes precedence, but companies must have a clear process to evaluate and implement erasure requests.

Right 4: Right to Grievance Redressal

Every Data Principal has the right to have their grievances addressed by the Data Fiduciary. The Data Fiduciary must publish clear contact information and establish an accessible, timely process for handling data, related complaints. Unsolved grievances can be taken up with the Data Protection Board.

Right 5: Right to Nominate

This is a uniquely Indian innovation that is introduced through the DPDP Act. Data Principals may nominate another person to exercise their data rights on their behalf if they die or become incapable. The same would have the rights to access the healthcare data, financial records and digital assets of the Data Principal.

Right 6: Right to Withdraw Consent

The DPDP Act recognizes the right for a person to give, refuse, or withdraw his/her consent. Consent given under the DPDP Act can be withdrawn at any time, as easily as it was given. Upon the withdrawal of the consent, the processing of the data for purposes related to that consent must be stopped by the Data Fiduciary. Also, the Data Fiduciary can stop providing services if the services are dependent on the processing of data. However, processing that occurred prior to the withdrawal of the consent remains lawful.

Right 7: Right to Know About Breach

Essentially, Data Principals have a right to be informed if the breaches occur which expose their personal data even if this has not been explicitly identified as a separate right in some interpretations. Since Data Fiduciaries become aware of the obligation to have breach detection, assessment, and notification capabilities, a notification of the Data Principal must be inevitably issued accordingly.

Right 8: Right to Approach the Data Protection Board

The Data Protection Board of India is the final forum where Data Principals can approach with their complaints if not resolved satisfactorily by the Data Fiduciary. Moreover, the Board is empowered to investigate, direct, and impose penalties against the Data Fiduciary.

📌Business Implication: The exercise of one Data Principal right translates into an operational obligation for your business. Thus, your business should have documented processes, appointed staff, established response time frames, and maintain audit trails for each category of rights request

7. DPDP Act Penalties: The Full Spectrum

The Data Protection Board of India possesses extensive adjudicatory powers. It can initiate inquiries Suo, motu or on a complaint made by a Data Principal, thereby issuing directions and levying financial penalties. The fines under the DPDP Act rank among the highest in Indian regulatory law.

Some of the key things about penalties:

Per Contravention: Penalties are meted out for the violation, not a business. A company that experiences multiple breaches or contravenes a number of provisions could be subject to multiple penalties for each occurrence.

Factors Considered: The Board, while determining the fine, looks into the nature, seriousness, and period of the breach; the kind and sensitivity of data involved; the number of people affected; whether the violation was repetitive; and the measures taken to lessen the damage.

No Criminal Liability: Unlike some earlier proposals, the DPDP Act does not impose criminal liability (imprisonment) for violations. Penalties are civil/financial in nature. Perspective

💡 Perspective: A 250 crore fine may just be a small figurative error for a global tech giant but may mean the demise of an Indian SME or mid-size company. The DPDP Act's penalties are thus intended to be proportionate but 'proportionate' still means serious.

8. Sector Wise Impact: What Your Industry Needs to Know

The DPDP Act formally covers all sectors; however, the actual impact is very different from one sector to another. So, a sector, wise examination of the most challenging compliance issues is provided below:

A Detailed Look: Fintech and BFSI

Financial services companies, including banks, NBFCs, payment gateways, insurance companies, and wealth management platforms, have access to some of the most sensitive personal and financial data in the economy. For these organizations, compliance with DPDP is combined with adherence to, amongst others, RBI, SEBI, and IRDAI regulations. The main issues are KYC data handling, sharing credit bureau data, processing fraud detection data, and the flow of cross, border payment data.

A Detailed Look: Healthcare

Among them are hospitals, clinics, telemedicine platforms, health insurance companies, and wellness apps that deal with highly confidential health data. While the DPDP Act does not currently establish a separate category of 'sensitive personal data' as its predecessors did, health data is inherently treated as highly confidential because processing it in a harmful way could lead to serious harm to the individuals. Consent is required at a very high level, and data minimisation is essential.

A Detailed Look: EdTech and Schools

On the one hand, educational institutions and EdTech platforms are in a very complicated situation due to the DPDP Act. Student data is not only personal data but also often children's data thus, parental consent is necessary, tracking is prohibited, and targeted advertising is restricted. Those platforms that used to collect large amounts of student behavioural data for personalization will have to greatly change their data architecture.

9. DPDP Act vs. GDPR:

A Side, by, Side Comparison the Indian DPDP Act has often been compared to the European Union's General Data Protection Regulation (GDPR) which became effective in 2018 and is considered the world standard for data privacy law. Here's a brief comparison of the two:

The DPDP Act carries the imprint of the GDPR especially on the fundamental principles consent, purpose limitation, data minimisation and individual rights. Nonetheless, there are some significant differences: it is much less detailed in the aspects of execution, it allows the Indian Government wider powers to grant exemptions and enforce data localisation, and the fines are smaller in absolute terms (however, they can be considered substantial in the Indian business context).

For multinationals that are already GDPR, compliant, DPDP compliance can be realized with a few changes mainly, appointing a Grievance Officer in India, making consent withdrawal mechanisms available for Indian users, and re, examining the restrictions on cross, border transfers.

10. The Role of the Data Protection Board of India.

The Data Protection Board of India (DPBI) is the principal authority that coordinates the implementation and enforcement of the DPDP Act. It is crucial to have a clear understanding of its operations not only to ensure compliance but also to know what to expect when things go awry.

Structure and Composition

The Board is comprised of a chairperson along with other persons that the Central Government may appoint. The appointed members should be experts in data governance, information technology, law, or related disciplines. The Government has not yet officially constituted the Board, which among other reasons explains the delay in enforcement.

Powers of the Board

The Board has the following main powers:

Inquiry Initiation: The Board may Suo motu initiate an inquiry if it has reason to believe that there has been a personal data breach or that a provision of the Act has been violated.

Complaint Adjudication: The Board receives and hears complaints from Data Principals whose rights have been violated.

Penalty Imposition: Following an inquiry, the Board may impose monetary penalties up to the maximum limits set out in the Act.

Directions: The Board may issue binding directions to Data Fiduciaries, including directions to stop processing, erase data, or take specific security measures.

Reference to Courts: Major cases may be referred to the appropriate High Court.

Appeals

Decisions of the Data Protection Board may be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and subsequently to the Supreme Court of India on questions of law. This creates a formal judicial review mechanism for businesses that disagree with the penalty imposed on them.

11. DPDP Act Compliance for SMEs and Startups

Many Indian business owners still believe that the DPDP Act is mainly a concern of large corporations and tech giants which is wrong and may be quite costly for them.

There is no size or turnover threshold under which the DPDP Act becomes inapplicable. If your business collects, stores, or processes the personal data of Indian individuals in digital form irrespective of your revenue, number of your employees, or your business stage you are a Data Fiduciary under the Act.

Reasons Why SMEs Are Particularly Vulnerable

Small and medium enterprises often run into greater risk of DPDP non, compliance for reasons such as:

Legacy Systems: A lot of SMEs still use spreadsheets, WhatsApp groups, and informal databases to handle customer data and no one of these tools is equipped with managing consent or security.

Vendor Reliance: SMEs tap into a great number of SaaS tools, CRMs, and marketing platforms. Naturally, each of these vendors becomes a Data Processor under the DPDP Act, which creates compliance obligations in vendor contracts.

 Lack of Compliance Staff: Whereas large enterprises usually have a legal or privacy department, the majority of SMEs don't. Often the founders or owners are completely unaware of their obligations until they receive a complaint.

Marketing Practices: Traditional SME marketing methods such as cold calling, bulk SMS, and email marketing, should now be re, conceived in terms of obtaining valid consent or legitimate use.

The Good News for SMEs

One of the positives is that even baseline DPDP compliance, from the viewpoint of SMEs, is often not as complicated or costly as the majority initially imagine. The normal path for the small and medium, sized enterprises may only include five major steps: identifying data through audit, refreshing privacy notices, constructing consent mechanisms, educating staff, and checking vendor contracts. An expert's help can turn the process into a systematic and cheap one.

12. Your 10, Step DPDP Act Compliance Checklist

Here's a practical, prioritised schedule of tasks to kick off your DPDP compliance journey. Each element of the plan is meant to be executable no matter what the size of your organisation is.

1. Data Audit

The basis of DPDP compliance. Identify and document each type of personal data your organisation gathers, the reason for the collection, the place of storage, the people with access, the duration of retention, and confirm if you have got the proper consent for its collection and use.

2. Refresh Your Privacy Notice

Do away with your old legalese privacy policy and write it up in clear and simple language. The policy should disclose what data you collect, why, how long you keep it, with whom you share it, and how individuals can carry out their rights. Ordinary users will not be able to understand legal jargon, so get it removed.

3. Establish a consent management system

Create a system that gives people the freedom to grant, view, manage, and revoke their consent anytime.

Having a portal, a settings page, or using a third, party Consent Manager are some of the options.

4. Assign a Grievance Officer

Identify a person (or team) who will be the contact point for customer and user complaints about data. This person's or team's contact details should be easily found on your website and app.

5. Develop Rights Request Workflows

Identify internal processes that are well, documented and used to respond to requests for access, correction, and erasure within the timeframes specified in the DPDP Rules.

6. Review and Update Vendor Contracts

Examine the audit done of all the third, party vendors who handle personal data on your behalf. Add Data Processing Agreements (DPAs) with DPDP, compliant clauses to contracts with CRM providers, cloud platforms, marketing tools, payroll processors, and other data, touching vendors.

7. Carry out Security Safeguards

Make a security assessment. Put in place encryption, access controls, multi, factor authentication, and regular vulnerability scans. Keep a record of your security measures as proof of reasonable care.

8. Build a Breach Response Plan

Create a comprehensive data breach response plan that outlines: how breaches are identified, who is in charge of investigating, how the Board and the individuals affected will be informed, and within what time limit.

9. Implement Children's Data Controls

In case your site currently serves or potentially could serve children under 18, establish age verification and parental consent methods that can be verified. Stop tracking, profiling, and targeted advertising for children who are verified users.

10. Review Cross, Border Data Flows

Identify every international data transfer your business makes: cloud storage locations, analytics platforms, email service providers, and CRMs. Be ready to limit transfers to non, approved jurisdictions once the Government announces its list of approved countries.

13. Frequently Asked Questions About DPDP Act Compliance

Q1: Is the DPDP Act enforceable at present?

The DPDP Act is a law that has been passed but enforcement depends on the announcement of DPDP Rules and the creation of the Data Protection Board. Both are expected to happen in 2025. Nonetheless, companies should already start preparing for compliance, once the Rules are notified, it is unlikely that there will be a long period allowed for implementation.

Q2: Will DPDP Act be applicable to B2B businesses that only use business contact information?

The Act covers 'personal data' of individuals. Corporate email addresses and phone numbers, when used for professional purposes, could be considered a borderline case. However, any information that can identify a person, such as their name, work email, or professional role, is personal data. B2B businesses should not take it for granted that they are out of the scope of the law.

Q3: How does 'verifiable parental consent' for children's data work?

DPDP Act requires parents to provide verifiable consent for their child's data, but the details are left to the DPDP Rules. Probably, the ways will include OTP or digital signature confirmation linked to a parent's Aadhaar or PAN, but the Rules will bring clarity in this matter. Meanwhile, companies should think of ways to implement systems that allow age checking and obtaining parental consent.

Q4: We already comply with GDPR. Do we automatically comply with the DPDP Act?

By being GDPR, compliant, you are very much on track since the basic principles are almost the same. That said, you will still have to make some DPDP, specific changes such as designating a Grievance Officer in India, creating consent withdrawal mechanisms tailored to Indian users, checking cross, border transfer limitations as per Indian law, and making sure your privacy notices comply with DPDP disclosure requirements.

Q5: How long can we retain personal data under the DPDP Act?

The DPDP Act mandates that Data Fiduciaries should hold personal data only for as long as it is necessary for the purpose for which the data was obtained. After the purpose has been served, and there is no legal requirement for retention, the data must be deleted. Companies need to establish and record data retention policies for each type of personal data they possess.

Q6: Are there any penalties for accidental data breaches?

Indeed. The Act treats all breaches without a distinction between those that are malicious and those that are accidental. In a situation where a Data Fiduciary has not implemented reasonable security safeguards, the breach can lead to a penalty of up to 250 crores, intent notwithstanding. This is a clear reminder that security measures should not be left to chance.

Q4: We already comply with GDPR. Do we automatically comply with the DPDP Act?

By being GDPR, compliant, you are very much on track since the basic principles are almost the same. That said, you will still have to make some DPDP, specific changes such as designating a Grievance Officer in India, creating consent withdrawal mechanisms tailored to Indian users, checking cross, border transfer limitations as per Indian law, and making sure your privacy notices comply with DPDP disclosure requirements.

Q5: How long can we retain personal data under the DPDP Act?

The DPDP Act mandates that Data Fiduciaries should hold personal data only for as long as it is necessary for the purpose for which the data was obtained. After the purpose has been served, and there is no legal requirement for retention, the data must be deleted. Companies need to establish and record data retention policies for each type of personal data they possess.

Q6: Are there any penalties for accidental data breaches?

Indeed. The Act treats all breaches without a distinction between those that are malicious and those that are accidental. In a situation where a Data Fiduciary has not implemented reasonable security safeguards, the breach can lead to a penalty of up to 250 crores, intent notwithstanding. This is a clear reminder that security measures should not be left to chance.

Q7: What should be our course of action upon receiving a data access request of a customer?

You should comply with the individuals request by giving them a concise statement of their personal data that you have, and what you are doing with it. The reply must be issued within the period stipulated in the DPDP Rules (the notification is yet to be made, but the 30, day period of GDPR can to be used as a reasonable reference). Develop an internal workflow now so that you are ready when requests are made.

14. How Book My Accountant Supports DPDP Act Compliance

We at Book My Accountant, have years of experience in assisting Indian businesses to manoeuvre through the country's most complicated regulatory frameworks from GST, income tax compliance, ROC filings, FEMA, and corporate law.

DPDP Act compliance is the next big challenge for us, and we are geared up to take you along with us.

Our DPDP compliance services are not only practical and cost, effective but also customized to the size of your business and your industry:

Data Audit & Gap Analysis: We perform an in, depth review of your present procedures for collecting data, point out the discrepancies that exist against DPDP requirements, and give you a prioritized remediation roadmap.

Consent Management Consultation: We assist you in setting up and carrying out the right consent framework that fits your business model. A part of our service includes deciding whether to use a third, party Consent Manager or develop an in, house consent portal

Vendor Contract & DPA Preparation: We analyse your vendor contracts and prepare or modify Data Processing Agreements for a supply chain that complies with DPDP.

Security Advisory: We collaborate with your IT team to conduct a security check, up and suggest adequate technical and organizational measures that align with DPDP requirements.

Employee Training: We provide customized DPDP training to your team members at all levels from top management to ground staff so that everyone recognizes the importance of their compliance roles.

Compliance Maintenance Retainer: As the DPDP Rules are issued and the regulatory environment changes, we extend continuous advisory support to adapt your compliance programme.

Are you a startup that needs a privacy, framework from scratch or a big company that wants to update its policies for DPDP? Book My Accountant is a professional team that offers you the right expertise and tools to achieve compliance in a speedy and cost, effective way.

Conclusion:

Compliance with the DPDP Act Is Not a Choice but It Is Very Much Within Your Reach Digital Personal Data Protection Act, 2023 is a defining moment for India's digital economy. It is the first time that Indian citizens have been given comprehensive and enforceable rights over their personal data. Secondly, it is the first time that Indian businesses regardless of their size and sector have well, defined legal obligations to respect those rights.

The legislation is passed. The Rules are coming. Enforcement will be inevitable. The companies that seize this opportunity to create strong, sincere DPDP compliance strategies will not only stay clear of penalties they will earn customer trust, enhance their data governance infrastructure, and be ahead of the game as data privacy becomes a criterion for Indian consumers.

Those companies that just stand by and watch will get cornered when they try to catch up, they will have to pay more, be under closer watch by regulators, and have their reputation harmed beyond repair.

When Income Tax filing season is coming near 2025, companies and practitioners in India need to make sure they are compliant with audits. One of the necessary characteristics that are causing confusion is Form 3CD applicability. Whether it is business, profession, or operating presumptive scheme, one needs to understand when and why to file Form 3CD pursuant to Section 44AB of Income Tax Act.

Here in this blog, we demystify all about Form 3CD—its applicability, threshold limit, presumptive tax effect, and penalties. Let us take a close look at this valuable tax audit form.

What is Form 3CD?

Form 3CD is a comprehensive audit report submitted by a Chartered Accountant (CA) during a tax audit as required by Section 44AB of the Income Tax Act, 1961. It contains 44 clauses dealing with:

• Gross receipts and turnover
• Deductions claimed
• Compliance of TDS, GST, and statutory payments
• Related party transactions
• Depreciation and capital expenditure details

Imagine it as a financial MRI scan. It provides a clear, methodical snapshot of your business or professional account to the Income Tax Department.

---

When is Form 3CD Applicable?

1️⃣ Businesses: Section 44AB(a)

Whether you are in business, the applicability of Form 3CD is based on your turnover and mode of payment.

Condition	Turnover Limit	Form 3CD Filing Required?
Normal Business	More than ₹1 crore	✅ Yes
95% or more transactions via digital modes	More than ₹10 crore	✅ Yes

Note: From AY 2021–22, the threshold limit became ₹10 crore if you receive 95% or more of all business income (receipts) and payments digitally through modes like NEFT, IMPS, UPI, credit/debit cards, net banking, etc.

2️⃣ Professionals: Section 44AB(b)

If you are a doctor, lawyer, architect, CA, or consultant, and your gross receipts are more than ₹50 lakh in a year, you will have to go for a tax audit, and your CA will have to file Form 3CD.

3️⃣ Presumptive Taxation Scheme Cases

a. Section 44AD – Small Businesses

For small firms with turnovers of up to ₹2 crore. You can report profits presumptively at:

• 8% of turnover on cash dealings
• 6% on digital dealings

However, if you:

• Declare profit below 8% or 6%
• And your total income exceeds the basic exemption limit (₹2.5 lakh for individuals below 60 years in AY 2025–26)

Your books will need to be audited and Form 3CD to be submitted under Section 44AB(e).

b. Section 44ADA – Professionals

Can be availed by professionals with gross receipts up to ₹50 lakh. Presumptive profit cannot be less than 50% of gross receipts.

You:

• Report profit less than 50%
• And total income is over the exemption limit

Then Form 3CD is required.

c. Lock-in Period under Section 44AD

If a taxpayer exits the presumptive plan for some time, say during the lock-in period of 5 years, then the taxpayer will not be permitted to join it again within the next five years. During the lock-in period, if turnover is above the basic exemption limit, submission of Form 3CD and tax audit are obligatory even if turnover is less than ₹1 crore.

4️⃣ Business or Profession Loss

Even when business is in loss, tax audit can be still applied if:

• Turnover is more than ₹1 crore, and        
• You have not chosen presumptive taxation

Or

• You have shown loss, but aggregate income is more than exemption limit due to other incomes (such as rent, salary, or interest)

Then Form 3CD under Section 44AB is required.

---

Quick Summary Table – Form 3CD Applicability in 2025

Category	Condition	Form 3CD Filing?
Business	Turnover > ₹1 crore	Yes
Business (Digital 95%)	Turnover > ₹10 crore	Yes
Professional	Gross receipts > ₹50 lakh	Yes
Presumptive (44AD)	Profit < 8%/6% + Income > Exemption	Yes
Presumptive (44ADA)	Profit < 50% + Income > Exemption	Yes
Opted Out of 44AD	Within 5-year lock-in + Income > Exemption	Yes
Business Loss	Turnover > ₹1 crore or Income > Exemption	Yes

Penalty for Failure to File Form 3CD

Failure to file Form 3CD is punishable under Section 271B of the Income Tax Act:

• 0.5% of gross turnover or total receipts
• Maximum fine: ₹1,50,000

This fine is levied if the assesses doesn't arrange the audit of accounts and file Form 3CD within the due date (ordinarily 30th September or 31st October, as the case may be).

Latest AY 2025–26 (FY 2024–25) Due Dates

• 31st October 2025: Due date for filing Form 3CD along with Tax Audit Report and ITR in cases of audit
• 30th September 2025: Deadline for audit completion

Ensure that your books of accounts are well in advance ready. Delays may invite penalties and added scrutiny.

Professional Tip: Track Turnover through Digital Resources

As digital transactions impact audit limits, keep proper records of:

• Mode of receipts and payments
• Bank statements
• UPI/Wallet transactions
• GST returns (particularly GSTR 3B and GSTR-1)

A GST portal summary often helps your CA reconcile turnover figures for Form 3CD.

Why Business Owners Shouldn't Take Form 3CD Lightly

Form 3CD is no formality box. It is a highly useful document at the time of the risk assessment of the Income Tax Department.

It is due to non-filing or incorrect filing of Form 3CD for the majority of the GST notices, TDS mismatches, and departmental scrutiny.

Proper filing brings transparency and less litigation.

Final Thoughts

Form 3CD is an exhaustive report card of your business or profession. Whether you are a retail trader, an e-business person, or a seasoned consultant, it is vital to know when Form 3CD applies so that you are on the right side of the law and avoid substantial fines.

If your turnover is over ₹1 crore, or if you earn professional income of more than ₹50 lakh, consult a Chartered Accountant forthwith. Do not wait. Put your books of accounts in order to make them audit-worthy, and submit Form 3CD under Section 44AB within time.

---

✍️ Need Help Filing Form 3CD?

---

Let our expert Chartered Accountants at Book My Accountant (BMA) assist you with:

• Tax audit
• Form 3CD preparation
• GST reconciliation
• Income tax filing

---

📞 Call us now: +91-7890002000
🌐 Visit: www.bookmyaccountant.in

---

⚠️ Disclaimer

This blog is intended for informational purposes only. The contents are based on the provisions of the Income Tax Act, 1961 as applicable for the Assessment Year 2025–26. Tax laws are subject to change, and individual circumstances may vary. Readers are advised to consult a qualified Chartered Accountant or tax professional before making any financial or compliance decisions. Book My Accountant (BMA) shall not be held responsible for any liability arising from the use of this information.

Timely filing of your income tax return is such a euphoric feeling, isn't it? You have made the disclosure, availed the deductions, and filed your return on time. And then, out of the blue, you get a notice in your mailbox — a notice that states your return has been selected for scrutiny under section 143 2 of income tax act.

Now what?

If you hear this before, don't panic. You're not alone. Thousands of taxpayers, both companies and individuals, receive the same income tax notices annually. And the majority of them also panic at first. But the good news is: if you play smart and within the time frame, there's absolutely nothing to fear.

This blog, courtesy of Book My Accountant (BMA), will take you through what the notice is about, why it occurs, and the precise steps to follow—particularly if you do not wish to incur penalties or tax issues down the road.

What Does a Section 143(2) Notice Mean?

Let's make it easy. Notice under section 143 2 of income tax act indicates the Income Tax Department needs to examine your return in more detail. It doesn't indicate that you are in trouble. It only means that something in your return puzzled them and they require clarification.

It might be because:

• You have reported a high amount of income or deducted large amounts.
• There is inconsistency between your Form 26AS/AIS and your ITR.
• You had significant transactions—namely, selling a property or investing a large sum.
• Your return was arbitrarily picked up by the system for scrutiny.

Briefly, this is routine scrutiny by the tax department. You just have to reply correctly and in time.

How Does Section 144B Relate to This?

You may have also heard of section 144B. It addresses faceless assessment.

Are those days gone when you used to have to go to an IT office? Now all of this is done online — safely, openly, and without any human bias. If your return is selected for assessment, all correspondence will be through the income tax portal.

So yes, even if you receive a notice under section 143(2), the assessment will probably follow the procedure under 144B.

Why Did You Receive a Notice?

• Folks will wonder, "But I didn't do anything wrong. Why me?"
• The truth is, here are some of the usual triggers:
• Enormous refunds received
• Donations or deductions that don't make sense based on your income
• Transactions flagged by banks or third parties but not included in your return
• Business expenses appearing to be exaggerated
• Technical discrepancies in income or tax credits

Even if you've been completely above board, certain patterns or numbers can trigger your return for audit.

Step-by-Step: What You Should Do Immediately

Let's go into action mode. Here's your plan:

Step 1: Read the Notice Carefully

1. The assessment year (e.g. AY 2024–25)
2. The date of issue
3. The deadline for response
4. Whether it’s under 143(2) or also mentions 144B

Don't freak out. Just know what they're looking for.

Step 2: Collect Your Documents

Before you reply, you'll need to substantiate your claims with appropriate documents. Start with:

• PAN & Aadhaar copies
• ITR Acknowledgement
• Bank statements
• Salary slips / Form 16
• Form 26AS, AIS, and TIS reports
• Deduction proofs (80C, 80D, home loan, etc.)
• Capital gain statements
• Business records, if applicable

In essence, you need to construct a solid, fact-based reply.

Step 3: Log into the e-Filing Portal

Go to https://www.incometax.gov.in.

Proceed to "e-Proceedings" under "Pending Actions".

Locate the notice and click on "Submit Response".

Here you can attach supporting documents and reply in writing as needed.

Step 4: Respond Before the Deadline

Suppose the notice was published on 23rd June 2025 with a deadline to respond of 8th July 2025. If you happen to miss this date, the department can go ahead with a best judgment determination. That is, they will determine your case in your absence — and that might not be favorable for you.

What If You Need More Time?

If you are really not able to file on time, you can get an income tax extension through the portal. Simply state your reason clearly. Extensions are issued in actual cases.

But it's always best to be prepared and proactive. Answer early if you are able to.

Why a Tax Expert Can Make a Huge Difference

Even if you’re comfortable handling your taxes, scrutiny notices can get technical. If you’re a salaried person with multiple income streams, a business owner, or someone who has claimed heavy refunds, consulting a Chartered Accountant (CA) is wise.

Here’s how professionals like the team at BMA can help:

• Identify errors or mismatches in your ITR vs. AIS/Form 26AS
• Draft a legally strong response under the correct tax provisions
• Upload clear and complete documentation
• Handle follow-ups or departmental queries on your behalf
• You wouldn’t want to lose a refund or face penalties because of an innocent mistake.

Tips to Avoid Notices in the Future

Want to stay off the department’s radar? Here’s how:

• File your income tax return before the income tax return last date
• Reconcile Form 26AS, AIS, and your actual income before filing
• Don’t overclaim deductions
• Disclose all sources of income, including crypto, rent, dividends
• For businesses, keep books current and tidy
• Think about getting a professional tax review prior to filing

And if you fear that you need extra time to file, get an income tax extension ahead of time instead of waiting until the very last minute.

What Happens if You Don't Respond?

Seriously? It's just not worth taking the chance.

If you don't respond:

• The department might think that you're concealing something
• Penalties and interest could be charged
• Your income tax refund could be withheld
• It may lead to further investigation

If it's a company tax return, the risk is even higher — your history of compliance counts for loans, tenders, audits, and reputation.

Dos and Don'ts of Tax Notice Handling

✅ Do This	❌ Avoid This
Check portal regularly	Ignoring the notice
Respond on time	Waiting till the last minute
Submit full documents	Uploading incomplete files
Keep records safe	Misplacing old returns
Ask a professional	Trying to wing it alone

Final Thoughts

Receiving a notice under section 143 2 of income tax act can be alarming, but it doesn't have to be an issue. It's a normal part of the tax system these days. Remain calm, remain truthful, and react intelligently.

And don't forget, if it's your first time receiving a notice or you are getting the notice every income tax this year, BMA is a call away. We are experts at solving both individual and company tax filing, with one-on-one care.

The GST regime in India has altogether rewritten the indirect taxation landscape. In this scheme
of things, with such a multitude of compliance, GSTR-9 still remains one of the most crucial
annual returns that assimilate data from GSTR-1 and GSTR-3B. Book My Accountant takes
you through the nitty-gritty of filing GSTR-9, mandatory documents, and finer aspects of
applicable provisions related to GSTR-9C, all in this post.

Understanding GSTR-9

GSTR-9 is an annual return that every registered taxpayer under the GST framework is liable to
file. The taxpayer includes all outward and inward supplies in GSTR-9 for the fiscal year.
Filing GSTR-9 is important because it reflects all the sales, purchases, output tax liabilities, and input tax credits availed during the fiscal year in comprehensive detail.

Required Document for Filing GSTR-9:

Taxpayers must collect and prepare a lot of documentation to file GSTR-9 correctly. We list all the important documents required in detail below:

1. GSTR-1 Returns: Collect all the details from the monthly or quarterly GSTR-1 returns, including all sales made during the financial year.
2. GSTR-3B Returns: All the GSTR-3Bs filed throughout the year shall be collated as they will
   contain information about the taxes paid in GST.
3. Invoices: Maintain sufficient sales invoices to substantiate the entries made in GSTR-1 and GSTR-3B.
4. Purchase Invoices: Collection of purchase invoices to validate the input tax credits availed.
5. Credit/Debit Notes: Provide all the credit and debit notes generated in a fiscal year, as they reflect the liability input credits associated with the same account.
6. Stock Registers: These stock registers shall provide them with the required reconciling
7. outward supplies disclosed and input credited.
8. Receipts of Payments: Records relating to the payment of GST must be made for the
   purpose of displaying the proper record of compliance.
9. Other Relevant Documents: In addition to these, the other relevant documents that would
   support the figures provided in the annual return of a taxpayer are kept properly clean. These include agreements, delivery challans, and all records that statutes prescribe.

Elements of GSTR-9

GSTR 9 comprises a list of elements, and each element will depict one characteristic of a
taxpayer's business activity

• Details of Outward Supplies: Sales made and the amount received against different tax
• rates.
• Details of Inward Supplies: All purchases with available input tax credit.
• Input Tax Credit: The input tax credits available during the year.
• Tax Paid: All tax liabilities and taxes paid during the financial year.
• HSN Summary: Summary of all purchases and sales made during the year under HSN Code

GSTR-9C and Its Applicability

GSTR-9C is the reconciliation statement, and all taxpayers of such specific categories must file
this statement. This GSTR-9C is filed only on the basis of annual turnover. All taxpayers are
required to file GSTR-9 along with GSTR-9C, which has a consolidated turnover of INR 2 crore
and more. GSTR-9C is the consolidated version of GSTR-9 as it reconciles the financial
statements audited by a Chartered Accountant.

Key Provisions and Guidelines to File GSTR-9C

1. The said return is required by taxpayers whose turnover has crossed the prescribed
   threshold. It thus only suggests that proper financial reporting would be necessary in cases of
   turnover business.
2. Reconciliation of annual returns with audited annual taxpayer accounts is a mandate in such
   a return to confirm whether the GST compliances have been accurate and, if true, the figures so
   reported.
3. Professional support: Considering the complexity of reconciliation, professional help is the
   way for taxpayers to get it. It is of utmost importance to seek help from tax professionals to make sure all documents are prepared accurately so that discrepancies are minimized to the make sure all documents are prepared accurately so that discrepancies are minimized to make sure all documents are prepared accurately so that discrepancies are minimized to the fullest.

Common Errors to Be Avoided While GSTR-9 Filing:

Taxpayers should be vigilant about common mistakes they commit while filing GSTR-9.

They are :

• There are discrepancies between the details coming under GSTR-1 and the figures in
• GSTR 3B.
• Numbers being miscalculated also raise a mismatch, leading to tax consequences.
• Sales or purchases not noted down.
• Missing attachments with any document under the audit process

Conclusion

Filing GSTR 9 is one of the critical components of taxpayer compliance in terms of goods and
services tax. Thus, knowing the documentation, as well as the GSTR 9C effect that comes with
it, goes a long way in improving the filing process. These services can be availed at Book My
Accountant to make compliance smooth, and all the documentation will be in check, along with
the risks mitigated accordingly.
This way, knowing the GST regime changes the filing requirements and the attendant
documents on the part of the taxpayer would enable it to fulfil them in a more efficient and
accurate manner.

The PAN cards, or Permanent Account Number Cards, issued by the income tax department, is now in everyone's hands in a new-look version carrying a QR code, which should help identify a person's PAN more reliably and curb its misuse while easing taxpayer compliance. Let's see what this upgrade means for individuals and businesses, among its wider implications for the economy.

FAQs on the new PAN Card QR Code:

1. Are QR codes mandatory in all PAN cards? An old PAN card is valid. The new PAN card will include the QR code facility as it will be updated.

2. Can I get my PAN card printed with a QR code? You can apply for a reprint of the PAN card to have the QR code.

3. How does that help in preparing your tax? The QR code has streamlined the process of identity proofing during tax filing, making it quicker and more secure.

4. Is an e-PAN containing a QR Code valid? The e-PAN replete with the QR code shall be valid and accepted by all wings for official purposes only.

Book My Accountant (BMA) serves as your trusted tax partner, guiding you through the constantly changing tax landscape. Our team stays well-informed about all the latest developments to ensure you receive accurate guidance.

Conclusion

Introducing a new tax administration with QR codes on PAN cards makes it even safer and falls into the vision of having a digital economy for Indians. Upgrade your PAN card and experience this easy, paperless, efficient method of verification.

Get more information and book now at Book My Accountant

Call at +91 78 9000 2000.

Can't wait to see you all in the great tax world that's changing.

When it comes to the business environment, the effective and proper use of the GST input is critical to the stability and legal requirements of the environment. Another factor that we often overlook is vendor loyalty. Vendor management is not only effective in the area of efficiency but also in the realization of the maximum GST input credits. In this guide, we consider how you can optimize your GST input in light of the vendor loyalty and more specifically the Vendor Loyalty Check Report provided by Book My Accountant.

What Vendor Loyalty is and Why it is Important?

Vendor loyalty is the long-term cooperation between the business and the vendor where both the parties benefit. Loyal vendors also offer better terms, delivery is always on time and they have better payment terms than the others. All these are operational effectiveness benefits and may thus have a positive impact on your GST input.  

Vendor loyalty is therefore based on the communication, ethical behavior and trust between the vendor and the buyer. Those organizations who are ready to develop such a relationship will be provided with better price, more stable service and more preferable conditions during the bargaining. Vendor commitment like this can lead to significant savings that directly impact your GST input optimization.

Vendor loyalty in relation to GST Input The following recommendations are made:

Therefore, optimizing GST input involves not only accurately accounting for the GST input but also filing the returns. It also entails ensuring that your vendors are also GST compliant and that they provide the necessary documentation. A loyal vendor will be in a position to understand the requirements of your business and will be in a position to support you in presenting the necessary documents such as tax invoices and other records as and when needed.

That is why, if the vendors are loyal and trustworthy, the chances of encountering such issues as wrong invoices, non-compliance or delayed GST input credits are low. This has a direct impact on your profitability because fewer issues are raised during the course of the transaction and therefore the GST input credit.

In what way does Vendor Loyalty Check Report by Book My Accountant assist?

Book My Accountant designed the Vendor Loyalty Check Report (VLCR) to help businesses evaluate the level of loyalty and dependability of their vendors. This report not only assesses your current vendor relations but also offers suggestions on how to enhance those relations.

The Vendor Loyalty Check Report will give you an idea of which of your vendors are assisting you to claim the maximum amount of GST input and which of the vendors may need some attention. The team makes the report based on many factors connected with vendor performance, including GST compliance, payment behavior, and others.

With these insights, you can identify which vendors are worth targeting, which ones you should negotiate with, or which ones you should replace. Last but not least, the Vendor Loyalty Check Report helps companies maintain better and more credible relationships with vendors, which are essential for improving GST input.