City · Kolkata

DPDPA Compliance in Kolkata

The Digital Personal Data Protection Act (DPDPA), 2023 sets new rules for how organisations collect, store, and process personal data in India. With the compliance deadline set for May 2027, businesses in Kolkata must put consent processes, breach protocols, and data governance in place well before enforcement begins.

Why DPDPA compliance matters in Kolkata specifically

Kolkata's economy rests heavily on trading houses and export businesses around Burrabazar and Canning Street, a long-standing jute and engineering manufacturing base, and a growing base of NBFCs and financial services firms carrying forward the city's legacy as an eastern banking hub. This mix means DPDPA compliance in Kolkata is largely an SME-driven challenge: thousands of family-run trading and manufacturing firms handle customer and vendor data with little formal consent infrastructure, while regional NBFCs face closer scrutiny given the sensitivity of financial data they hold.

What Kolkata businesses should prepare first

  • Put basic consent and retention in place for Burrabazar / trading SME customer and vendor ledgers.
  • Document lawful grounds and consent records for each processing purpose.
  • Build a breach response SOP aligned to CERT-In's 6-hour and DPB's 72-hour clocks.
  • Review vendor contracts for processor-grade security and escalation clauses.

Frequently asked questions

Do small trading firms in Burrabazar need to comply with DPDPA, or only large companies?

DPDPA applies to any entity processing personal data, regardless of size. Small trading and export firms in Kolkata must still meet baseline obligations like consent and reasonable security safeguards, even though only larger, high-risk entities face the extra Rule 13 requirements for Significant Data Fiduciaries.

Are Kolkata's regional NBFCs likely to be classified as Significant Data Fiduciaries?

It depends on factors like data volume and sensitivity, as notified by the government under Rule 13. Given that NBFCs handle KYC documents, loan histories, and financial data, many regional players are plausible candidates for SDF status and its added audit obligations.

What's the breach notification timeline for a Kolkata-based trading or finance business?

The dual-clock applies uniformly: CERT-In must be notified within 6 hours of discovering a breach, and the Data Protection Board within 72 hours, along with details of the personal data affected and the remedial measures taken.

Get a DPDPA readiness walkthrough for your Kolkata business

Book a 30-minute call to map your consent architecture, vendor exposure, and breach posture against DPDPA.

Book a demo Free Gap Analysis

Disclaimer: Privigo is not a law firm. This page provides operational compliance guidance only. For institution-specific obligations, work with qualified Indian legal counsel.