Let's start with something most small business owners don't expect to hear from a compliance advisor: storing personal data in Excel is not illegal.
There. We said it.
But here's what is a problem — and increasingly, a legal one.
The way most small businesses manage those spreadsheets is quietly setting them up for penalties, reputational damage, and in some cases, serious regulatory scrutiny under India's Digital Personal Data Protection Act, 2023 (DPDP Act) — the most significant data privacy legislation India has ever passed.
If your business keeps names, phone numbers, email addresses, customer details, employee records, or even a list of sales leads in a spreadsheet, this matters more than you think.
The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023. With the DPDP Rules notified in early 2025, India now has a comprehensive legal framework governing how businesses collect, store, use, and delete personal data — modelled loosely on the principles of Europe's GDPR but tailored for the Indian context.
* INR 250 Cr - Maximum penalty per instance for a significant data breach
* INR 50 Cr - Penalty for failing to implement reasonable security safeguards
These aren't numbers reserved for large corporations. The Act applies to any entity that processes digital personal data within India — from a multinational bank to a local clinic that keeps patient records in a shared Google Sheet.
"The DPDP Act does not distinguish between a Fortune 500 company and a small business. If you collect personal data digitally, you are a Data Fiduciary — and the law applies to you."
So What's Wrong With Spreadsheets?
Nothing — in principle. The problem is what typically happens to them in practice.
Think about the last time you shared a spreadsheet. Did you email it? Did a colleague download it to their personal laptop? Was it uploaded to WhatsApp? Did it sit in someone's Google Drive with "Anyone with the link can view" turned on?
That's not a hypothetical. According to IBM's Cost of a Data Breach Report 2023, 82% of data breaches involve data stored in cloud environments — and a significant share of those originate from misconfigured or improperly shared files. Spreadsheets are one of the most common culprits.
* Easy to copy, forward, and share without tracking — the file leaves your control the moment it's emailed
* No access controls — anyone who has the file can read, modify, or extract all data in it
* No audit trail — you have no way of knowing who opened it, when, or what they did with it
* Data sits indefinitely — spreadsheets are rarely deleted, which violates the DPDP requirement to erase data when it is no longer needed
* No encryption in most cases — a plain .xlsx file on a laptop or USB drive is completely exposed if the device is lost or stolen
* Higher insider threat risk — a disgruntled employee, departing sales executive, or third-party vendor with access can walk away with your entire customer database
Under the DPDP Act, any business that collects personal data is called a Data Fiduciary. Your customers, employees, and leads are Data Principals — and the Act gives them rights over their own data that you are legally obligated to honour.
Here's what the law expects, in plain language:
Your DPDP Obligations as a Small Business
* Obtain valid consent before collecting personal data — and document that consent
* Tell people why you're collecting their data — and only use it for that stated purpose
* Implement reasonable security safeguards appropriate to the volume and sensitivity of data
* Restrict access to personal data — only authorised personnel should be able to see it
* Delete data when it's no longer needed for the purpose it was collected
* Report breaches to the Data Protection Board and affected individuals if personal data is exposed
* Respond to Data Principal requests — if a customer asks what data you hold on them, you must tell them. If they ask you to delete it, you must act.
Now ask yourself honestly: Can your current spreadsheet setup support all of this?
Can you tell a customer exactly what data you hold on them, where it is stored, who has accessed it, and delete it completely on request?
If the answer involves opening several different files across multiple email threads — you have a problem.
Almost every small business that interacts with customers is affected. But a few sectors are particularly exposed:
* Clinics and healthcare providers maintaining patient records in Excel
* Real estate agents keeping buyer and seller databases in shared sheets
* Schools and coaching centres storing student and parent information
* Hotels and hospitality businesses managing guest data
* Retailers and e-commerce sellers handling customer orders and delivery details
* HR and recruitment firms holding candidate CVs and personal details
In each of these cases, the data is sensitive, the volumes are significant, and the typical management practices — a shared folder, an emailed sheet, a WhatsApp group with an attachment — fall well short of what the DPDP Act expects.
Does that mean spreadsheets are off-limits? Not necessarily. Small internal operational spreadsheets that don't contain personal data are perfectly fine. A budget tracker, a project timeline, a vendor comparison — none of that is in scope.
The issue arises specifically when you are storing large volumes of personal data in unmanaged, uncontrolled spreadsheet files — and most small businesses doing this don't even realise it constitutes a compliance gap.
The good news is that DPDP compliance doesn't have to be expensive or complicated to start.
It begins with a simple data audit — understanding what personal data you hold, where it lives, who can access it, why you have it, and how long you plan to keep it. From there, appropriate safeguards can be implemented incrementally and proportionately.
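The data audit described above can be started with a script rather than a manual hunt through folders. The following is an added example, not code from the article or from ILLUME Intelligence: it walks a folder of CSV exports, flags columns that look like personal data (by header name or by the email and phone patterns in their cells), and reports two of the spreadsheet problems named earlier in this piece, namely files readable by every user on the machine and files that have sat untouched past a retention threshold. The phone pattern (optional +91 plus ten digits starting 6 to 9), the header keyword list and the 365-day threshold are assumptions for the example, not requirements taken from the Act; the sample files it writes are constructed, not real records.

```python
"""Constructed example: a first-pass personal-data inventory over CSV exports.

Assumptions (not from the article): files are UTF-8 CSV, Indian mobile numbers
are ten digits starting 6-9 with an optional +91, and anything untouched for
more than RETENTION_DAYS deserves a retention review.
"""
import csv
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PHONE_RE = re.compile(r"^(\+91)?[6-9]\d{9}$")   # heuristic; assumption for this example
HEADER_HINTS = ("name", "email", "phone", "mobile", "address", "dob", "pan", "aadhaar")
RETENTION_DAYS = 365  # assumed review threshold, not a figure from the Act


@dataclass
class Finding:
    path: str
    rows: int
    personal_columns: list
    world_readable: bool
    days_since_modified: int

    def issues(self):
        """Plain-language problems a small business can act on."""
        out = []
        if self.world_readable:
            out.append("file readable by every local user (no access control)")
        if self.days_since_modified > RETENTION_DAYS:
            out.append(f"untouched for {self.days_since_modified} days; confirm retention purpose")
        return out


def classify_columns(headers, rows):
    """Flag columns whose header keywords or cell values look like personal data."""
    flagged = []
    for i, header in enumerate(headers):
        tokens = re.findall(r"[a-z]+", header.lower())
        if any(t in HEADER_HINTS for t in tokens):
            flagged.append(header)
            continue
        values = [r[i].strip() for r in rows if i < len(r) and r[i].strip()]
        if not values:
            continue
        hits = sum(1 for v in values
                   if EMAIL_RE.match(v) or PHONE_RE.match(re.sub(r"[\s-]", "", v)))
        if hits / len(values) >= 0.5:   # a majority of cells match a pattern
            flagged.append(header)
    return flagged


def audit_csv(path, now=None):
    """Inventory one CSV: personal-data columns, who can read it, and how old it is."""
    with open(path, newline="", encoding="utf-8") as f:
        reader = csv.reader(f)
        headers = next(reader, [])
        rows = list(reader)
    st = os.stat(path)
    clock = now if now is not None else time.time()
    age_days = int((clock - st.st_mtime) // 86400)
    return Finding(path, len(rows), classify_columns(headers, rows),
                   bool(st.st_mode & stat.S_IROTH), age_days)


def audit_directory(root, now=None):
    """Walk a folder tree; return findings only for files that hold personal data."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(".csv"):
                findings.append(audit_csv(os.path.join(dirpath, name), now))
    return [f for f in findings if f.personal_columns]


SAMPLE_NOW = 1_700_000_000  # fixed clock so the constructed sample is reproducible


def build_sample_dir():
    """Write two constructed files: a leads sheet with personal data, a budget sheet without."""
    d = tempfile.mkdtemp(prefix="dpdp_audit_")
    leads = os.path.join(d, "leads.csv")
    with open(leads, "w", newline="", encoding="utf-8") as f:
        w = csv.writer(f)
        w.writerow(["Customer", "Email", "Contact", "Notes"])
        w.writerow(["A. Sharma", "a.sharma@example.com", "+91 98765 43210", "follow up"])
        w.writerow(["R. Iyer", "r.iyer@example.com", "9123456780", "quoted"])
    os.chmod(leads, 0o644)                    # world-readable, to trigger the finding
    old = SAMPLE_NOW - 400 * 86400            # last touched 400 days ago
    os.utime(leads, (old, old))
    budget = os.path.join(d, "budget.csv")
    with open(budget, "w", newline="", encoding="utf-8") as f:
        w = csv.writer(f)
        w.writerow(["Item", "Q1", "Q2"])
        w.writerow(["Hosting", "12000", "12500"])
    return d


if __name__ == "__main__":
    for finding in audit_directory(build_sample_dir(), now=SAMPLE_NOW):
        print(finding.path, finding.rows, "rows", finding.personal_columns)
        for issue in finding.issues():
            print("  -", issue)
```

Run against the constructed folder, only `leads.csv` is reported (the budget sheet holds no personal data and so is out of scope, as the article says), with its `Email` and `Contact` columns flagged and both issues raised. The output is the starting inventory the audit asks for: what personal data you hold, where it lives, and which files need access restrictions or a deletion decision first.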
India's DPDP Act is not just a large-corporate concern. It is a business reality for every organisation — regardless of size — that collects, stores, or processes personal data digitally. The penalties for non-compliance are significant. But more importantly, the reputational damage from a data breach or a customer complaint reaching the Data Protection Board can be far more costly than the fine itself.
The businesses that act now — before enforcement ramps up — will be far better positioned than those that wait for a notice to arrive. Compliance is not a one-time checkbox. It's an ongoing practice. And like most good practices, it's far less painful to build in from the start than to retrofit after something goes wrong.
Not Sure Where Your Business Stands on DPDP?
ILLUME Intelligence offers a practical, jargon-free DPDP compliance assessment for small and medium businesses — covering data mapping, gap analysis, and a prioritised action plan you can actually implement. No unnecessary complexity. No one-size-fits-all templates. Just honest, expert guidance.