The Digital Personal Data Protection Act stopped being a policy headline the moment your product collected its first phone number. For a two-person team, the good news is that the core obligations are short, concrete, and doable in an afternoon — if you do them before your thousandth user, not after.
Why it’s your problem now
You are a “data fiduciary” the instant you decide why and how personal data gets processed — which is to say, from your first sign-up. The law does not wait for you to raise a Series A to apply.
The five-item list
1. Consent that is specific and readable. No pre-ticked boxes, no burying it in a wall of terms. Say what you collect and why, in language a human would use.
2. A stated purpose — and stick to it. Data collected to deliver an order is not yours to repurpose for a cold-marketing blast.
3. A deletion path. A user must be able to withdraw consent and have their data erased; build the button before you are asked for it.
4. A named person who owns this. Even at two people, one of you is accountable. Write the name down.
5. A breach plan in one page. Who you tell, how fast, what you say. You will be glad it exists on the worst day.
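The first three items are the ones you can design around in code rather than in a policy document. Below is an added example, not code from the article: a small consent ledger in which every piece of personal data is stored next to the consent that justifies it, processing is released only for the exact purpose consented to, and withdrawal erases the data once no purpose remains. The class names, the purpose strings and the sample phone number are constructed for illustration.

```python
# Added example: a minimal consent ledger that turns items 1-3 into code.
# ConsentLedger, the purpose names and the sample data are constructed for
# illustration; this is not code from the article or any real product.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class ConsentError(Exception):
    """Processing was attempted without specific, active consent."""


@dataclass
class Consent:
    purpose: str                        # one narrow purpose, e.g. "order_delivery"
    notice: str                         # the plain-language text the user actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class UserRecord:
    personal_data: dict
    consents: list = field(default_factory=list)


class ConsentLedger:
    """Holds personal data only alongside the consent that justifies it."""

    def __init__(self) -> None:
        self._users: dict[str, UserRecord] = {}
        # The audit trail records events, never the personal data itself, so it
        # can survive erasure without undoing it.
        self.audit: list[tuple[str, str, str]] = []

    def record_consent(self, user_id: str, purpose: str, notice: str,
                       personal_data: dict, affirmed: bool) -> None:
        # Item 1: consent is an affirmative act. A pre-ticked box reaches this
        # call with affirmed=False and is refused; nothing is stored.
        if not affirmed:
            raise ConsentError("consent must be actively given, not defaulted")
        if not purpose or not notice:
            raise ConsentError("consent needs a stated purpose and a readable notice")
        user = self._users.setdefault(user_id, UserRecord(personal_data={}))
        user.personal_data.update(personal_data)
        user.consents.append(Consent(purpose, notice, datetime.now(timezone.utc)))
        self.audit.append((user_id, "consent_given", purpose))

    def process(self, user_id: str, purpose: str) -> dict:
        # Item 2: data is released only for a purpose the user consented to.
        # Consent for "order_delivery" does not unlock a "marketing" call.
        user = self._users.get(user_id)
        if user is None:
            raise ConsentError(f"no data held for {user_id!r}")
        if not any(c.active and c.purpose == purpose for c in user.consents):
            raise ConsentError(f"no active consent for purpose {purpose!r}")
        self.audit.append((user_id, "processed", purpose))
        return dict(user.personal_data)

    def withdraw(self, user_id: str, purpose: str) -> bool:
        # Item 3: withdrawal takes effect immediately; once no purpose remains,
        # the personal data is erased rather than merely flagged.
        user = self._users.get(user_id)
        if user is None:
            return False
        now = datetime.now(timezone.utc)
        for c in user.consents:
            if c.active and c.purpose == purpose:
                c.withdrawn_at = now
        self.audit.append((user_id, "consent_withdrawn", purpose))
        if not any(c.active for c in user.consents):
            self.erase(user_id)
        return True

    def erase(self, user_id: str) -> bool:
        if self._users.pop(user_id, None) is None:
            return False
        self.audit.append((user_id, "erased", "*"))
        return True

    def holds_data_for(self, user_id: str) -> bool:
        return user_id in self._users


def run_demo() -> dict:
    """Walk one constructed user through consent, purpose binding and erasure."""
    ledger = ConsentLedger()
    ledger.record_consent("u-42", "order_delivery",
                          "We use your phone number to send delivery updates for this order.",
                          {"phone": "+91 00000 00000"}, affirmed=True)   # constructed sample
    delivered = ledger.process("u-42", "order_delivery")
    try:
        ledger.process("u-42", "marketing")      # purpose never consented to
        marketing_blocked = False
    except ConsentError:
        marketing_blocked = True
    try:
        ledger.record_consent("u-7", "marketing", "Pre-ticked box", {"phone": "x"}, affirmed=False)
        prechecked_refused = False
    except ConsentError:
        prechecked_refused = True
    ledger.withdraw("u-42", "order_delivery")    # last active purpose, so data is erased
    return {
        "delivered": delivered,
        "marketing_blocked": marketing_blocked,
        "prechecked_refused": prechecked_refused,
        "erased": not ledger.holds_data_for("u-42"),
        "audit": ledger.audit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the purpose is a key on the consent record, not a comment in a policy: a new feature that wants the same phone number for a new reason has to collect a new consent, which is exactly the discipline item 2 asks for. The audit list is what you hand to counsel or a user who asks what happened to their data; it never contains the data itself.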
“Compliance at two people is not a legal project. It is five decisions you make once and design around.”
What can wait
Data Protection Impact Assessments, a formal grievance officer, audits — these scale in with you. Do not let the enterprise-grade checklist paralyse the two-person one. Ship the five items; revisit the rest at your next stage.[1]
Notes
[1] Not legal advice — a founder-side starting point. Have counsel review before launch; see the Founders’ Playbook, decision 9 (“Compliance, minimum viable”).