
MSMEs — manufacturing, services, trade

A practical 30-day rollout for the MSME owner-operator who already wears five hats and just needs DPDP done — without hiring a compliance consultant or reading the full Act.

Why this matters: Your business runs on three data flows — customers, employees, vendors. The DPDP Act applies the same way it does to a bank or a hospital. A GeM audit, a corporate buyer's vendor questionnaire, or a customer complaint can turn a missing consent receipt into a contract loss or a ₹250 cr penalty.

What DPDP requires from an MSME

  • §6 (consent): separate consent for distinct purposes — service delivery, marketing, data-sharing with payment gateway, sharing with logistics partner.
  • §7 (legitimate uses): limited basis without consent — e.g., processing employee data for payroll, processing customer data to fulfil a placed order.
  • §11/§12 (rights): respond to "what data do you have on me?" and "delete my data" requests within 30 days.
  • §13 (grievance): publish a grievance officer email; respond within 30 days.
  • §16 (cross-border transfer): register every non-India SaaS or processor — Zoom, Slack, AWS-US, Stripe, Shopify-US, etc. — as a data transfer with a stated safeguard.
  • Breach reporting: CERT-In Form A within 6 hours; DPB Form B within 72 hours of confirmation.

30-day rollout

Day 1 (~30 min)

  1. Sign up at /dpo/signup with the right MSME tier — micro (<₹5 Cr), small (₹5–50 Cr), medium (₹50–250 Cr).
  2. Console pre-loads MSME defaults: 4 policies (privacy, retention, breach response, vendor management), retention table aligned to Income Tax 8y / GST 6y / employment 7y, 3 consent templates.
  3. Add yourself as DPO (small MSMEs can self-serve until you cross the SDF threshold).
  4. Enable email + magic-link auth for staff. Add the accountant / CA's contact as a read-only auditor.

Day 2–7 (~3 hrs across the week)

  1. Issue the first customer-onboarding consent via /dpo/consent/issue using the "MSME customer onboarding" template — covers KYC, order processing, optional marketing, optional data-sharing with payment gateway.
  2. Bulk-import existing customer contacts via CSV; send a re-consent campaign for "currently held data."
  3. Map your vendor data flows in /dpo/vendors: payment gateway, accounting SaaS, logistics partner, CRM. Each gets a VN-* signed registration with stated purpose + retention.
  4. Register cross-border transfers in /dpo/transfers: every non-India SaaS (Slack, Zoom, AWS-US, Stripe, Mailchimp, Shopify-US) → safeguard = SCC clause in their DPA.

Day 8–30

  1. Issue the employee onboarding consent for new hires — covers payroll, HR systems, ID-card photo, performance reviews, statutory filings (PF/ESI/IT).
  2. Install Sentinel on every Windows endpoint that touches customer data — the owner's, the accountant's, and every CRM/ERP user's laptop. Sentinel's heartbeats prove encryption / patch / AV / MFA posture for vendor audits.
  3. Run one tabletop incident drill: "spreadsheet exported by ex-employee." The system generates draft Form A + Form B + customer notice templates.
  4. Generate the first monthly compliance report. File with the founder + accountant.
  5. Take a chain snapshot at month-end via /dpo/chain — immutable evidence checkpoint.

The four consent templates an MSME must run

CR-MSME-CUSTOMER: Customer onboarding (KYC + service)

When: Once at first interaction; refresh annually for active customers.

Purposes:

  • KYC verification (PAN / Aadhaar / GSTIN as applicable)
  • Order / invoice processing
  • Payment gateway data sharing (separately enumerated)
  • Customer support communication
  • Marketing communications (optional, opt-in)

Retention: 8 years from last transaction (Income Tax + GST). Marketing consent revocable at any time.

CR-MSME-MARKETING: Marketing / WhatsApp / email

When: At signup or point of capture; explicit opt-in.

Purposes:

  • Promotional emails
  • WhatsApp Business broadcasts
  • SMS / push notifications
  • Re-marketing via Meta / Google audiences (separately enumerated)

Retention: Active until withdrawn; 30-day grace period for in-flight campaigns then full purge.

CR-MSME-EMPLOYEE: Employee onboarding

When: Once at hire.

Purposes:

  • Payroll processing
  • Statutory filings (PF / ESI / IT / labour)
  • HRMS access
  • Performance review record-keeping
  • Background verification (separately enumerated)

Retention: 7 years post-exit (Industrial Disputes Act §7 + IT). Exit interview / review notes purged at 7 years.

CR-MSME-VENDOR: Vendor / processor data-sharing

When: Per vendor relationship; renew if vendor's purpose changes.

Purposes:

  • Sharing customer data with payment gateway for transaction processing
  • Sharing shipping address with logistics partner
  • Sharing accounting data with CA / auditor
  • SaaS storage of CRM / ERP data with provider

Retention: As long as the vendor relationship exists; data-erasure clause kicks in within 90 days of termination.

Retention schedule (IT + GST + employment law aligned)

Record type                    | Retention                          | Source
-------------------------------|------------------------------------|---------------------------
Customer KYC + invoices        | 8 years from last transaction      | IT Act §44AA + GST
Sales books / accounting       | 8 years                            | IT + Companies Act
Tax returns + ITR proofs       | 8 years                            | IT Act
Payroll + statutory filings    | 7 years post-exit                  | ID Act §7 + EPF
Performance reviews            | 7 years post-exit                  | ID Act §7
Customer support tickets       | 3 years from closure               | Internal — minimisation
Marketing audience lists       | Until withdrawn / 18 months idle   | Internal — DPDP §8
Vendor / processor agreements  | 3 years post-termination           | Limitation Act + DPDP
CCTV (factory / shop)          | 30 days unless incident            | Internal — POSH / safety

Edit at /dpo/retention. Each row is a signed RS-* artifact with the legal source recorded.
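The schedule above mixes three kinds of rule: a fixed period counted from an anchor date (last transaction, exit, closure), an either/or rule (marketing lists purge on withdrawal or after 18 months idle), and a period that is suspended by a hold (CCTV "unless incident"). The following is an added example, not Sanad's own RS-* engine, showing how a small erasure-job scheduler applies all three; the record kinds, anchor names and sample records are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added illustration of a retention engine driven by the schedule above.
# Constructed encoding of the rules, not Sanad's own RS-* artifact format;
# record kinds, anchor names and sample records are assumptions.

def add_years(d: date, years: int) -> date:
    """Calendar years; 29 Feb clamps to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def add_months(d: date, months: int) -> date:
    """Calendar months, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

# kind -> (meaning of the anchor date, years, days) for the fixed-period rows.
RULES = {
    "customer_kyc_invoice": ("last transaction", 8, 0),
    "accounting_books":     ("financial year end", 8, 0),
    "tax_return":           ("filing date", 8, 0),
    "payroll_statutory":    ("employee exit", 7, 0),
    "performance_review":   ("employee exit", 7, 0),
    "support_ticket":       ("ticket closure", 3, 0),
    "vendor_agreement":     ("contract termination", 3, 0),
    "cctv_footage":         ("recording date", 0, 30),
}
MARKETING_IDLE_MONTHS = 18

@dataclass
class Record:
    kind: str
    anchor: Optional[date] = None         # None = trigger not reached (employee still employed, etc.)
    incident_hold: bool = False           # open incident / litigation hold: never purge while set
    consent_withdrawn: bool = False       # marketing_audience only
    last_activity: Optional[date] = None  # marketing_audience only

def purge_due(rec: Record, today: date):
    """Return (due, reason). A hold beats every elapsed period."""
    if rec.incident_hold:
        return False, "held: open incident or legal hold"
    if rec.kind == "marketing_audience":
        # Two independent triggers: explicit withdrawal, or 18 months with no activity.
        if rec.consent_withdrawn:
            return True, "consent withdrawn"
        if rec.last_activity is not None and today >= add_months(rec.last_activity, MARKETING_IDLE_MONTHS):
            return True, f"idle for {MARKETING_IDLE_MONTHS} months"
        return False, "active audience"
    meaning, years, days = RULES[rec.kind]
    if rec.anchor is None:
        return False, f"retain: {meaning} not yet reached"
    expiry = add_years(rec.anchor, years) + timedelta(days=days)
    if today >= expiry:
        return True, f"{meaning} + retention elapsed on {expiry.isoformat()}"
    return False, f"retain until {expiry.isoformat()}"

def erasure_job(records, today):
    """Build the month-end erasure job: (kind, due, reason) for every record."""
    return [(r.kind, *purge_due(r, today)) for r in records]

# Constructed sample records (not real data)
TODAY = date(2025, 4, 1)
SAMPLE_RECORDS = [
    Record("customer_kyc_invoice", anchor=date(2017, 3, 31)),       # 8 years elapsed yesterday
    Record("customer_kyc_invoice", anchor=date(2017, 4, 2)),        # one day short
    Record("payroll_statutory"),                                     # still employed: no anchor yet
    Record("cctv_footage", anchor=date(2025, 2, 15)),                # 30 days elapsed
    Record("cctv_footage", anchor=date(2025, 2, 15), incident_hold=True),  # same footage, incident open
    Record("marketing_audience", consent_withdrawn=True),
    Record("marketing_audience", last_activity=date(2023, 10, 1)),  # exactly 18 months idle
    Record("marketing_audience", last_activity=date(2023, 10, 2)),  # one day short
]

if __name__ == "__main__":
    for kind, due, reason in erasure_job(SAMPLE_RECORDS, TODAY):
        print(f"{'PURGE' if due else 'KEEP '} {kind:22} {reason}")
```

The hold check runs before any date arithmetic on purpose: an erasure job that purges CCTV footage while an incident is open destroys the evidence the Form A / Form B filings depend on, so the hold flag must override the schedule rather than merely extend it.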

Cross-border transfers — the MSME blind spot

Every cloud / SaaS tool you use that processes Indian customer data outside India is a §16 cross-border transfer. The DPB hasn't blacklisted any country yet (as of 2026), but you must register the transfer and state your safeguard. A vendor audit will ask for this list.

Common MSME transfers to register:

  • Zoom / Google Meet: meeting recordings → US/EU. Safeguard: vendor's DPA standard contractual clauses.
  • Slack / Teams: chat data including customer names → US. Safeguard: DPA + SOC 2.
  • Mailchimp / SendGrid: customer email lists → US. Safeguard: DPA.
  • Shopify / Stripe: customer order + payment data → US. Safeguard: DPA + PCI-DSS.
  • HubSpot / Zoho-International: CRM data → US/EU. Safeguard: DPA.
  • AWS-US / Azure-US / GCP-US regions: any data hosted there → US. Safeguard: regional commitment + DPA.
  • WhatsApp Business API (via BSP): if BSP routes via non-India servers → declare. Safeguard: BSP-attested India region or DPA.

In /dpo/transfers/new the "MSME / SaaS vendor" scenario template pre-fills these one-by-one.

Incident scenarios — what the playbook does

Customer database exported by ex-employee

An ex-sales employee is suspected of having taken the customer list to a competitor.

  1. Within 6 hours, file CERT-In Form A in /dpo/incidents (sector: services, asset class: customer database).
  2. Within 72 hours, file the DPDP Form B with affected categories (count, types of fields exposed).
  3. Issue customer notice via the breach-template (mandatory if the data includes contact info or financial info).
  4. Begin technical mitigation: revoke ex-employee's CRM credentials, audit access logs, send legal notice if exfiltration is confirmed.
  5. Update the exit-process: enforce 90-day MFA + IP-restriction on outgoing employees' final access window.

Phishing → spoofed PAN cards uploaded by fake customer

Investigation reveals 12 customer accounts were registered with fraudulent PAN cards by an attacker; KYC data is now polluted.

  1. Log as a §27 incident — unauthorised access / data integrity event.
  2. Notify the 12 victims whose PAN+name combinations were stolen for the spoof — they have a right to know per §11/§12.
  3. Add MFA + email OTP to KYC submission. Add a 30-day fraud watch on the affected fields.
  4. If the fraud was tied to a payment-gateway tokenisation, notify the gateway provider as a processor-side incident.

WhatsApp broadcast sent to opted-out customers

Marketing team accidentally sent a Diwali offer to a list that included 200 customers who had withdrawn marketing consent.

  1. For each affected customer, log a §12 right-of-correction request (consent state was incorrect at send time).
  2. Internal incident: process gap. The system records IR-* with category 'Unauthorised processing'.
  3. Process fix: enforce that the WhatsApp BSP integration filters against the live consent table in Sanad before send. Document the gate as an attested control.
  4. If repeated more than once, escalate to a §27 reportable event.
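The scenario above and the §6 rule earlier in this page (separate consent per purpose) come down to the same control: the send pipeline must consult the live, per-purpose consent state at send time, and consent for order processing must never be read as consent for marketing. Below is an added example, not Sanad's own code or data model, of a per-purpose consent ledger with both the pre-send gate (the process fix in step 3) and a post-hoc audit of a list that already went out (how the 200 affected customers in this scenario would be identified). The purpose names, event shape and sample customers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added illustration of a per-purpose consent ledger and a pre-send gate.
# Not Sanad's own code or data model; purpose names and the event shape are assumptions.

@dataclass(frozen=True)
class ConsentEvent:
    subject: str      # customer identifier (email here)
    purpose: str      # one separately enumerated purpose, e.g. "marketing.whatsapp"
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # when the event was recorded (UTC)

class ConsentLedger:
    """Append-only event log; the latest event per (subject, purpose) is the live state."""

    def __init__(self, events):
        self._events = sorted(events, key=lambda e: e.at)

    def is_consented(self, subject, purpose, at):
        """Consent state for exactly this purpose at instant `at`.
        Consent for another purpose (e.g. order processing) never carries over."""
        state = False
        for e in self._events:
            if e.at > at:        # events are sorted, so nothing later can matter
                break
            if e.subject == subject and e.purpose == purpose:
                state = e.granted
        return state

def gate_broadcast(ledger, recipients, purpose, send_at):
    """Pre-send gate: split a recipient list into allowed and blocked using the
    ledger state at send time. Blocked entries are dropped before the BSP call."""
    allowed, blocked = [], []
    for r in recipients:
        (allowed if ledger.is_consented(r, purpose, send_at) else blocked).append(r)
    return allowed, blocked

def audit_sent_list(ledger, sent, purpose, sent_at):
    """Post-hoc check for a broadcast that already went out: the recipients who held
    no consent at send time. Each one needs a §12 correction entry and the batch
    an IR-* record in the 'Unauthorised processing' category."""
    return [r for r in sent if not ledger.is_consented(r, purpose, sent_at)]

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample ledger (not real customers)
SAMPLE_EVENTS = [
    ConsentEvent("asha@example.in",   "marketing.whatsapp", True,  utc(2025, 1, 5)),
    ConsentEvent("bala@example.in",   "marketing.whatsapp", True,  utc(2025, 1, 5)),
    ConsentEvent("bala@example.in",   "marketing.whatsapp", False, utc(2025, 9, 1)),   # withdrew
    ConsentEvent("chitra@example.in", "service.order",      True,  utc(2025, 2, 1)),   # service consent only
    ConsentEvent("dev@example.in",    "marketing.whatsapp", True,  utc(2025, 10, 20)), # granted after the send
]
SEND_AT = utc(2025, 10, 15)
RECIPIENTS = ["asha@example.in", "bala@example.in", "chitra@example.in", "dev@example.in"]

if __name__ == "__main__":
    ledger = ConsentLedger(SAMPLE_EVENTS)
    ok, blocked = gate_broadcast(ledger, RECIPIENTS, "marketing.whatsapp", SEND_AT)
    print("send to:", ok)
    print("blocked:", blocked)
    # The incident in the scenario: the list was sent unfiltered.
    print("needs §12 correction:", audit_sent_list(ledger, RECIPIENTS, "marketing.whatsapp", SEND_AT))
```

Evaluating consent at the send timestamp rather than "now" is what lets the same ledger serve both the gate and the later audit: a customer who re-consents after the campaign does not retroactively make the earlier send lawful, and the audit result stays stable when it is re-run for the auditor.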

What to show an auditor / corporate buyer / GeM evaluator

MSMEs face audits from three sides: their own corporate buyers (vendor questionnaires), GeM listings, and increasingly the DPB. All three want the same evidence.

"Show me your privacy notice + grievance officer."

Public link to /privacy or /dpo/policies. The grievance officer's name + email are in /dpo/governance — both are on signed PL-* artifacts.

"Show me consent for my data (as a buyer's customer)."

/dpo/consent — filter by customer email, download the signed CR-* receipt PDF.

"What's your retention policy and have you done deletions?"

/dpo/retention shows the schedule. /dpo/erasure-jobs shows scheduled / executed deletions with proof of completion.

"Show me your vendor list and cross-border transfers."

/dpo/vendors and /dpo/transfers. Each entry is a signed VN-* / TN-* artifact.

"Have you had a breach? How did you handle it?"

/dpo/incidents — Sanad shows count by severity, MTTR, and signed IR-* artifacts proving the timeline.

"Are your endpoints encrypted, patched, and AV-protected?"

/dpo/sentinel/dashboard — live posture from Sentinel-equipped endpoints with signed heartbeats.

Ready to start?

Sign up, pick the MSME tier matching your turnover, and your console arrives with templates + retention + sector dashboard pre-loaded.
