The Digital Personal Data Protection Act 2023 is now enforceable, and CERT-In's 6-hour incident reporting mandate has been active for over a year, yet the majority of Indian startups we audit have neither a data protection officer nor an incident response plan. This is not negligence — it is a knowledge gap. Most founding teams are focused on product-market fit and growth, and security feels like a concern for later. But a single data breach can result in penalties up to 250 crore rupees under the DPDP Act, and the reputational damage can be fatal for an early-stage company.
Start with the basics that cost nothing. Enable multi-factor authentication on every service your team uses — GitHub, AWS, Google Workspace, Slack. Use a secrets manager like Doppler or AWS Secrets Manager instead of .env files committed to repositories. Implement role-based access control from day one, even if your team is just three people. Set up automated dependency scanning with tools like Snyk or GitHub Dependabot to catch vulnerable packages before they reach production. These four steps alone would have prevented over 80% of the breaches we have investigated.
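The ".env files committed to repositories" problem is easiest to stop at commit time. The following is an added example, not code from the article or from any tool it names: a small pre-commit secret scanner in TypeScript (the language of the NestJS stack mentioned later) that blocks a commit when a `.env` file is staged or when a staged file contains a credential-shaped literal. The detection rules, the entropy threshold, the placeholder list and the sample commit are all constructed for the demo; the AWS key in it is a fake value shaped like one.

```typescript
// Added example, not the article's code: a minimal pre-commit secret scanner that
// blocks a staged .env file or a hard-coded credential before it reaches the repo.
// Rules, thresholds and the sample commit below are constructed for the demo.

export interface StagedFile { path: string; content: string; }
export interface Finding { path: string; line: number; rule: string; }

// Credential shapes with a fixed, recognisable prefix.
const RULES: { name: string; pattern: RegExp }[] = [
  { name: "aws-access-key-id", pattern: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-token", pattern: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "private-key-block", pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// NAME=value or const NAME = "value" where NAME looks like a secret and the value is a
// bare literal; a reference such as process.env.X never matches the value charset.
const ASSIGNMENT =
  /^\s*(?:export\s+|const\s+|let\s+)?([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)\s*=\s*["']?([A-Za-z0-9+/=_-]{16,})["']?;?\s*$/;

const PLACEHOLDERS = new Set(["changeme", "replace_me", "your_secret_here", "xxxxxxxxxxxxxxxx"]);

// Shannon entropy in bits per character: random keys score well above dictionary words.
export function shannonEntropy(s: string): number {
  const counts = new Map<string, number>();
  for (const ch of Array.from(s)) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const n of Array.from(counts.values())) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

export function scanForSecrets(file: StagedFile): Finding[] {
  const findings: Finding[] = [];
  file.content.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) findings.push({ path: file.path, line: i + 1, rule: rule.name });
    }
    const m = ASSIGNMENT.exec(text);
    if (m && !PLACEHOLDERS.has(m[2].toLowerCase()) && shannonEntropy(m[2]) > 3.0) {
      findings.push({ path: file.path, line: i + 1, rule: `hardcoded-${m[1].toLowerCase()}` });
    }
  });
  return findings;
}

// A .env file should never be staged at all; only the .env.example template belongs in git.
export function isEnvFile(path: string): boolean {
  const base = path.split("/").pop() ?? path;
  return base === ".env" || (base.startsWith(".env.") && !base.endsWith(".example"));
}

export function shouldBlockCommit(staged: StagedFile[]): { block: boolean; findings: Finding[] } {
  const findings: Finding[] = [];
  for (const f of staged) {
    if (isEnvFile(f.path)) findings.push({ path: f.path, line: 0, rule: "env-file-staged" });
    findings.push(...scanForSecrets(f));
  }
  return { block: findings.length > 0, findings };
}

// Constructed sample commit: a clean env reference, a hard-coded secret, a fake AWS key
// in a deploy script, a staged .env, and the template that is allowed through.
export const SAMPLE_COMMIT: StagedFile[] = [
  { path: "src/config.ts", content: 'const DB_PASSWORD = process.env.DB_PASSWORD;\nconst SESSION_SECRET = "q8Zt2mVx9LpR4nKw7YcB3dFh";\n' },
  { path: "scripts/deploy.sh", content: "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n" },
  { path: ".env", content: "JWT_SECRET=changeme\n" },
  { path: ".env.example", content: "JWT_SECRET=\n" },
];
```

Wire `shouldBlockCommit` into a git pre-commit hook over the staged diff and exit non-zero when `block` is true. The entropy filter is deliberately permissive; it exists to suppress obvious placeholders, and a scanner like this complements rather than replaces a secrets manager, because it can only catch what is typed into the repository.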
For applications handling personal data — which is virtually every consumer-facing product — you need encryption at rest and in transit, data minimisation policies that ensure you only collect what you need, consent management flows that comply with the DPDP Act's notice and purpose limitation requirements, and a data deletion pipeline that can honour erasure requests within the mandated timeframe. We build these as reusable modules in our NestJS backend so every client project starts with compliance built in rather than bolted on.
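The purpose-limitation and erasure requirements described above translate into a small amount of code that is easy to get right if it is written once and reused. The following is an added example, not the article's module or any client project's code: a plain-TypeScript sketch (no NestJS dependency, so it runs stand-alone) of data minimisation driven by a field-to-purpose map, a consent record that carries the notice version the user saw, and an erasure pipeline that deletes across every registered store, then verifies the deletion instead of trusting it. The field-to-purpose mapping, the `ERASURE_SLA_DAYS` window and the sample records are constructed for the demo; the real values come from your privacy notice and your legal reading of the Act.

```typescript
// Added example, not the article's or any client project's code: purpose limitation,
// data minimisation and a verified erasure pipeline as plain TypeScript (no NestJS).
// The field-to-purpose mapping, the SLA window and the sample records are constructed.

export type Purpose = "account" | "delivery_updates" | "age_verification" | "marketing";

// Each collected field is justified by one stated purpose; unmapped fields are never stored.
export const FIELD_PURPOSE: Record<string, Purpose> = {
  email: "account",
  passwordHash: "account",
  phone: "delivery_updates",
  dateOfBirth: "age_verification",
  adInterests: "marketing",
};

export interface Consent {
  userId: string;
  purposes: Purpose[];
  noticeVersion: string; // the notice text the user actually saw when consenting
}

export interface MinimisationResult {
  kept: Record<string, unknown>;
  dropped: string[]; // fields with no purpose, or a purpose the user did not consent to
}

// Data minimisation: a field passes through only if its purpose was consented to.
export function minimise(payload: Record<string, unknown>, consent: Consent): MinimisationResult {
  const kept: Record<string, unknown> = {};
  const dropped: string[] = [];
  for (const [field, value] of Object.entries(payload)) {
    const purpose = FIELD_PURPOSE[field];
    if (purpose !== undefined && consent.purposes.includes(purpose)) kept[field] = value;
    else dropped.push(field);
  }
  return { kept, dropped };
}

// Every store that holds personal data registers a deleter and a checker.
export interface PersonalDataStore {
  name: string;
  deleteUser(userId: string): number; // records removed
  countUser(userId: string): number;  // records still present, for verification
}

export interface ErasureReport {
  userId: string;
  deletedPerStore: Record<string, number>;
  verified: boolean;       // true only if every store reports zero records afterwards
  deadline: Date;
  completedAt: Date;
  withinDeadline: boolean;
}

// Placeholder window: the Act's timeframe comes from your legal reading of the rules, not from here.
export const ERASURE_SLA_DAYS = 30;

export function erasureDeadline(receivedAt: Date, slaDays: number = ERASURE_SLA_DAYS): Date {
  return new Date(receivedAt.getTime() + slaDays * 86_400_000);
}

export function processErasure(
  userId: string,
  receivedAt: Date,
  stores: PersonalDataStore[],
  now: () => Date = () => new Date(),
): ErasureReport {
  const deletedPerStore: Record<string, number> = {};
  for (const store of stores) deletedPerStore[store.name] = store.deleteUser(userId);
  // Verify rather than trust: a store that silently fails would leave data behind.
  const verified = stores.every((s) => s.countUser(userId) === 0);
  const completedAt = now();
  const deadline = erasureDeadline(receivedAt);
  return { userId, deletedPerStore, verified, deadline, completedAt,
           withinDeadline: completedAt.getTime() <= deadline.getTime() };
}

// Constructed in-memory store standing in for a database table or object bucket.
export function memoryStore(name: string, rows: Record<string, string[]>): PersonalDataStore {
  return {
    name,
    deleteUser: (userId) => { const n = (rows[userId] ?? []).length; delete rows[userId]; return n; },
    countUser: (userId) => (rows[userId] ?? []).length,
  };
}
```

The two properties worth keeping when you port this to a real backend are that `minimise` is deny-by-default (a field nobody mapped to a purpose is dropped, so a new form field cannot leak into storage by accident) and that `processErasure` reports `verified: false` when any store still holds records, which is the signal your on-call process needs in order to escalate before the deadline passes.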
Incident response is where preparation pays the highest dividends. Draft a one-page runbook that answers four questions: who is the incident commander, how do we contain the breach, whom do we notify and in what order (CERT-In within 6 hours, affected users within 72 hours), and how do we preserve evidence for forensic analysis. Run a tabletop exercise once a quarter in which your team walks through a simulated breach scenario. The startups that survive security incidents are not the ones with the best firewalls — they are the ones that practised their response.
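Two of the four runbook questions (the notification clock and evidence preservation) can be backed by code so that nobody has to do arithmetic or trust an editable spreadsheet during an incident. The following is an added example, not the article's runbook or any tool it references: a TypeScript module that derives the notification deadlines from the detection timestamp using the 6-hour and 72-hour windows the text cites, reports which notifications are overdue at a given moment, and keeps a hash-chained evidence log in which every entry commits to the artifact's SHA-256 and to the previous entry, so a later edit or deletion is detectable. The incident, the roles and the evidence bytes are constructed for the demo.

```typescript
// Added example, not the article's code: the notification clock and a tamper-evident
// evidence log for a one-page incident runbook. The sample incident, role names and
// evidence bytes are constructed; the 6h/72h windows are the ones the text cites.
import { createHash } from "node:crypto";

export interface Incident {
  id: string;
  detectedAt: Date;   // the clock starts at detection, not at confirmation
  commander: string;  // a named person, not a team alias
}

export interface Notification {
  party: string;
  hoursAfterDetection: number;
  dueAt: Date;
}

export const NOTIFICATION_WINDOWS: { party: string; hours: number }[] = [
  { party: "CERT-In", hours: 6 },
  { party: "affected users", hours: 72 },
];

// Deadlines in the order they fall due, computed once from detection time.
export function notificationSchedule(incident: Incident): Notification[] {
  return NOTIFICATION_WINDOWS
    .map(({ party, hours }) => ({
      party,
      hoursAfterDetection: hours,
      dueAt: new Date(incident.detectedAt.getTime() + hours * 3_600_000),
    }))
    .sort((a, b) => a.dueAt.getTime() - b.dueAt.getTime());
}

export function overdueNotifications(incident: Incident, now: Date): string[] {
  return notificationSchedule(incident)
    .filter((n) => now.getTime() > n.dueAt.getTime())
    .map((n) => n.party);
}

// Evidence preservation: each entry records the artifact hash and the previous entry's
// hash, so changing or removing any entry invalidates every entry after it.
export interface EvidenceEntry {
  seq: number;
  collectedAt: string;  // ISO-8601 timestamp
  description: string;
  sha256: string;       // hash of the artifact bytes
  prevHash: string;     // entryHash of the previous entry, or GENESIS for the first
  entryHash: string;
}

const GENESIS = "0".repeat(64);

function sha256Hex(data: Buffer | string): string {
  return createHash("sha256").update(data).digest("hex");
}

// JSON-encoding the fields avoids delimiter ambiguity if a description contains separators.
function entryDigest(seq: number, collectedAt: string, description: string, sha256: string, prevHash: string): string {
  return sha256Hex(JSON.stringify([seq, collectedAt, description, sha256, prevHash]));
}

export function appendEvidence(log: EvidenceEntry[], description: string, artifact: Buffer, collectedAt: Date): EvidenceEntry[] {
  const prevHash = log.length ? log[log.length - 1].entryHash : GENESIS;
  const seq = log.length + 1;
  const sha256 = sha256Hex(artifact);
  const ts = collectedAt.toISOString();
  const entryHash = entryDigest(seq, ts, description, sha256, prevHash);
  return [...log, { seq, collectedAt: ts, description, sha256, prevHash, entryHash }];
}

export function verifyEvidenceLog(log: EvidenceEntry[]): boolean {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i + 1 || e.prevHash !== prev) return false;
    if (entryDigest(e.seq, e.collectedAt, e.description, e.sha256, e.prevHash) !== e.entryHash) return false;
    prev = e.entryHash;
  }
  return true;
}
```

Store the artifacts themselves write-once (object storage with versioning or a legal hold) and keep the log somewhere the incident commander cannot edit alone; the chain proves integrity of what was recorded, but it cannot recover an artifact that was never captured. Running `overdueNotifications` from a scheduled job that pages the commander is the simplest way to make the 6-hour window visible during the tabletop exercise as well as in a real incident.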