The most common question we get from Indian businesses engaging with the DPDP Act for the first time is simple: does this even apply to me? The answer depends on a few key variables: where the processing happens, where your users are located, what type of data you collect, and what you do with it. Work through these 7 questions in order. By the end, you will know your compliance tier.
Q1: Is the data you process "digital personal data"?
Personal data is any data about an individual who is identifiable by or in relation to that data. Digital personal data is such data in digital form, or data that was collected in non-digital form and subsequently digitised.
YES scenarios (in scope):
- Customer names, phone numbers, email IDs stored in a CRM
- Employee attendance records in an HR system
- Patient health records in a hospital management system
- Purchase histories and behavioural data on an e-commerce app
- Photos, voice recordings, or biometric data stored digitally
NO scenarios (out of scope):
- Genuinely anonymised data (re-identification not reasonably possible, including by combining it with other data you hold)
- Aggregated statistical data (e.g., "60% of users prefer Product A")
- Data about legal entities: only natural persons are covered
If NO: the DPDP Act does not apply to this dataset. Be careful, though: aggregated data can still contain identifiable subsets (a statistic over a group of one or two people describes those people), and a hashed or tokenised identifier that you can still map back to a person is pseudonymised, not anonymised. If YES: proceed to Q2.
Q2: Does the processing happen in India, or concern individuals in India?
- Scenario A: users in India, processing in India: DPDP applies (Section 3(a)), irrespective of where your company is incorporated.
- Scenario B: incorporated in India, users exclusively outside India: Section 3(a) covers processing that takes place in India regardless of where the users are, so assume the Act applies unless the processing is carried out under a contract with a person outside India, which Section 17(1)(d) exempts (see Scenario D). Watch for Rules-level clarification.
- Scenario C: foreign company with Indian users: DPDP applies if the processing is in connection with offering goods or services to Data Principals in India (Section 3(b)), regardless of where your servers are.
- Scenario D: BPO model (processing in India for an overseas principal): Section 17(1)(d) exempts the processing of foreign individuals' data done under that contract, but the contract with the overseas principal, which typically flows down the principal's own legal obligations, still binds you.
Proceed to Q3 if you are in Scenario A or C, or in Scenario B without a Section 17(1)(d) contract.
Q3: Does any exemption apply?
- Personal or domestic purposes (Section 3(c)(i)): processing by an individual for purely personal use. Very unlikely if you are a registered business.
- Publicly available data (Section 3(c)(ii)): only data the Data Principal has made public themselves, or that another person was legally obliged to publish. A narrow exemption that does not justify bulk scraping of whatever happens to be reachable online.
- State security, law enforcement, or courts (Section 17): only courts and tribunals, and Government entities exercising statutory functions. Not available to a private business.
- Research, archiving, or statistical purposes (Section 17(2)(b)): only where the data is not used to take a decision specific to any Data Principal, and the processing follows the prescribed standards and safeguards.
If no exemption applies, proceed to Q4.
Q4: What type of personal data are you processing?
General Personal Data
Names, email addresses, phone numbers, preferences, purchase history, browsing behaviour. Standard DPDP obligations apply.
Sensitive Personal Data (High Risk)
Health and medical data, financial data (bank accounts, credit cards, loans), biometric data, data revealing religious beliefs, political opinions, caste or sexuality, and children's data (individuals under 18, which additionally triggers the verifiable parental consent requirement in Section 9). Note that the DPDP Act itself does not define a separate "sensitive" category with its own rules; the grouping here is a risk label, not a statutory one. All standard obligations apply, and because Section 10 lists the sensitivity of the data processed among the factors for Significant Data Fiduciary (SDF) designation, you are more likely to be assessed as a potential SDF.
Q5: What is your processing volume?
The Act sets no numeric thresholds for SDF designation; the bands below are this guide's rule of thumb (1 lakh = 100,000 Data Principals; 1 crore = 10 million).
| Volume (Data Principals) | Likely Classification |
|---|---|
| Less than 1 lakh | Standard Data Fiduciary; lower regulatory attention |
| 1 lakh to 10 lakh | Standard Data Fiduciary; begin building mature compliance |
| 10 lakh to 1 crore | High SDF risk; start SDF-level programme preparation |
| Over 1 crore | Very high SDF risk; act as if SDF notification is imminent |
Volume is one factor. A platform with 5 lakh users processing health data may be at higher SDF risk than a general platform with 50 lakh users.
Q6 โ Are you a Data Fiduciary, Processor, or both?
Refer to Part 1 of this series on DPDP roles for full definitions.
- Data Fiduciary: Full DPDP obligations apply: notice and consent, Grievance Officer, breach management.
- Data Processor: Fewer direct obligations, but contractual obligations from the Fiduciary impose compliance requirements.
- Both: Apply Fiduciary-level obligations for data where you set the purpose; Processor-level for client data you process under contract.
Q7: Do you transfer personal data outside India?
Section 16 lets the Central Government restrict, by notification, transfers of personal data to named countries or territories; transfers are permitted unless a country is so notified. No such notification has been published yet, but the framework is in place, and Section 16(2) preserves any other Indian law that imposes a higher degree of protection or restriction, so an existing sectoral localisation mandate continues to apply.
- Do you use US- or EU-based cloud providers (AWS, Azure, GCP) for Indian user data?
- Do you share Indian user data with overseas parent companies, analytics firms, or ad networks?
- Do you have offshore development teams accessing production data?
If yes: monitor Government notifications, keep an inventory of which datasets leave India and where they go, consider localising sensitive data proactively, and review data processing agreements with international vendors so that a future restriction can be enforced contractually.
Your Compliance Tier: Where You Sit
Immediate Action Plan: Regardless of Tier
- Data Inventory: Map every personal data category you collect, the purpose, storage location, and sharing. You cannot comply with what you have not mapped.
- Consent Audit: Review existing consent mechanisms against the five-pillar standard (free, specific, informed, unconditional, unambiguous).
- Appoint a Grievance Officer: Publish name and contact details in your privacy notice. Mandatory for ALL Data Fiduciaries.
- Update Privacy Notice: Review for DPDP compliance โ data categories, purposes, rights, Grievance Officer, in plain language.
- Vendor Chain Assessment: For each third-party vendor processing Indian personal data, review the contract for DPDP-compliant data processing terms.
- Breach Response Plan: a defined, tested incident response procedure, including timelines for notifying the Data Protection Board of India and for communicating with each affected Data Principal (both required under Section 8(6)).
"Do I need to comply?" is the right question, but it is only the beginning. For most Indian businesses collecting personal data of Indian individuals, the answer is yes. The degree, timeline, and investment depend on your tier.
Frequently Asked Questions
Does the DPDP Act apply to small businesses and startups?
Yes. The DPDP Act has no size threshold, no SME exemption, and no minimum user count for basic applicability. A 5-person startup collecting personal data of Indian individuals is in scope exactly as much as a 5,000-person enterprise. The volume of users affects whether you are likely to be designated a Significant Data Fiduciary; it does not affect whether the Act applies at all.
Is anonymised data out of scope?
Only if the anonymisation is genuinely irreversible, meaning there is no realistic pathway to re-identify individuals from the data, even when it is combined with other data you hold. Pseudonymised data, where you retain a reverse-lookup table or the secret key used to derive the token, remains in scope, because the individual is still identifiable in relation to that data. Most real-world 'anonymisation' is actually pseudonymisation and remains subject to the Act.
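The difference between pseudonymisation and anonymisation, and the "identifiable subset" trap from Q1, are easier to see in code. The following Python is an added worked example, not part of the original article: it builds a small constructed customer table, shows that an unkeyed hash of a phone number is reversible by enumerating the low-entropy number space, that an HMAC token is reversible by anyone holding the key or the lookup table (so still personal data), and that only an aggregate with small groups suppressed approaches genuine anonymisation. The minimum group size of 3, the five-digit known prefix, and the demo key are illustrative assumptions, not values prescribed by the Act.

```python
"""Added example (not from the original article): pseudonymisation versus
anonymisation on a constructed customer table. Thresholds and keys below are
illustrative assumptions, not values prescribed by the DPDP Act."""
import hashlib
import hmac
from typing import Optional

# Constructed sample records; every name and number here is made up.
RECORDS = [
    {"name": "Asha",  "phone": "9876543210", "city": "Pune",   "product": "A"},
    {"name": "Ravi",  "phone": "9876501234", "city": "Pune",   "product": "B"},
    {"name": "Dev",   "phone": "9876598765", "city": "Pune",   "product": "A"},
    {"name": "Meera", "phone": "9123456789", "city": "Delhi",  "product": "A"},
    {"name": "Karan", "phone": "9000011111", "city": "Delhi",  "product": "A"},
    {"name": "Nita",  "phone": "9555566666", "city": "Jaipur", "product": "A"},
]


def naive_hash(phone: str) -> str:
    """Unkeyed SHA-256 of a phone number: a common but weak 'anonymisation'."""
    return hashlib.sha256(phone.encode()).hexdigest()


def crack_naive_hash(token: str, known_prefix: str) -> Optional[str]:
    """Dictionary attack on naive_hash. A 10-digit mobile number space is only
    10^10 hashes (hours of GPU time); with a known 5-digit prefix (assumed here,
    e.g. leaked from a masked number) it is 10^5 and runs in under a second."""
    width = 10 - len(known_prefix)
    for suffix in range(10 ** width):
        candidate = known_prefix + str(suffix).zfill(width)
        if naive_hash(candidate) == token:
            return candidate
    return None


def pseudonymise(records: list, key: bytes) -> tuple:
    """Replace the phone number with an HMAC-SHA256 token under a secret key.
    Returns the tokenised rows plus the reverse-lookup table the fiduciary keeps.
    Holding either the key or this table keeps the rows re-identifiable, so the
    output is pseudonymised personal data, not anonymised data."""
    lookup = {}
    rows = []
    for r in records:
        token = hmac.new(key, r["phone"].encode(), hashlib.sha256).hexdigest()
        lookup[token] = r["phone"]
        rows.append({"id": token, "city": r["city"], "product": r["product"]})
    return rows, lookup


def reidentify(token: str, lookup: dict) -> Optional[str]:
    """Reverse a pseudonym using the retained lookup table."""
    return lookup.get(token)


def product_share(records: list, by: str, product: str, min_count: int = 3) -> dict:
    """Share of each group that bought `product`, as a whole-number percentage.
    Groups smaller than min_count are suppressed (None): a statistic such as
    '100% of Jaipur users bought A' over a single user is that user's data, not
    an aggregate. min_count=3 is an illustrative choice, not a statutory value."""
    groups = {}
    for r in records:
        groups.setdefault(r[by], []).append(r["product"])
    return {
        g: (round(100 * items.count(product) / len(items)) if len(items) >= min_count else None)
        for g, items in groups.items()
    }


if __name__ == "__main__":
    # Unkeyed hash: trivially reversed once the attacker knows the number's structure.
    print(crack_naive_hash(naive_hash("9876543210"), "98765"))
    # Keyed token: reversible for the fiduciary, so it is still personal data.
    rows, lookup = pseudonymise(RECORDS, b"constructed-demo-key")
    print(reidentify(rows[0]["id"], lookup))
    # Aggregate with small groups suppressed: Pune (3 users) is reported, the others are not.
    print(product_share(RECORDS, "city", "A"))
```

The takeaway for the Q1 test above: if any function in your pipeline can turn the "anonymised" output back into a person, whether a lookup table, a key, or a brute-forceable hash, the dataset is still in scope. Only the suppressed aggregate has no such path.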
Does the Act apply to a foreign company with Indian users?
Yes. Section 3(b) extends the Act to processing outside India when it is in connection with offering goods or services to Data Principals in India. Your place of incorporation, the location of your servers, and the nationality of your management are irrelevant. If individuals in India use your product, you are in scope.
Is processing in India for an overseas client exempt?
Section 17(1)(d) exempts the processing in India of personal data of Data Principals outside India under a contract with a person outside India. The exemption is narrow: it covers only those foreign individuals' data handled under that contract, not your own employees' or Indian customers' data, and the contract with the overseas principal may itself impose obligations that mirror DPDP or the principal's home law. Review the scope of both case-by-case.
Can I still transfer personal data outside India?
Yes, for now. Section 16 allows the Central Government to restrict transfers to notified countries or territories, and no such notification has been published. Transfers remain permitted until a country is notified, but Section 16(2) preserves stricter localisation rules in other Indian laws. Organisations should prepare for eventual restrictions, particularly for sensitive data categories, and consider proactive data localisation.