Before you can build a DPDP compliance programme, you need to know what you are protecting. The Act's definition is deliberately broad: if you are assuming only Aadhaar numbers or medical records are in scope, you are going to have serious gaps. Here is the breakdown your product and engineering teams need, including the grey zones where most companies get it wrong.
The Legal Definition
"Any data about an individual who is identifiable by or in relation to such data."
The key phrase: "identifiable by or in relation to". Personal data does not need to identify someone on its own. It is in scope if it can identify someone when combined with other data you hold.
A user ID alone might mean nothing. Link it to a name and email in your database, and both become personal data.
The Act covers digital personal data: data in electronic form, or data originally collected offline and subsequently digitised. Pure paper records outside any digital workflow are outside the DPDP Act, but in practice very little remains genuinely non-digital in any modern organisation.
What Is In Scope vs Out of Scope
IN SCOPE: Personal Data
- Identity: Name, DOB, Aadhaar, PAN, Passport
- Contact: Email, phone, address, IP address
- Financial: Bank details, card numbers, UPI IDs
- Health: Medical records, prescriptions, fitness data
- Biometric: Fingerprints, facial data, iris scans
- Behavioural: Browsing history, purchase patterns
- Location: GPS coordinates, location history
- Employment: Salary, performance reviews, leave records
OUT OF SCOPE
- Truly anonymised data (genuinely irreversible)
- Company data: CIN, GST number, company name
- Aggregate stats: "60% users from Maharashtra"
The Grey Zones: Where Your Team Gets Confused
| Data Type | The Question | The Answer |
|---|---|---|
| Device IDs / IMEIs | Not a name, but can it identify someone? | Yes, when linked to a user account |
| IP Addresses | Just a number; is it personal data? | Yes, in most contexts; treat as in scope |
| Pseudonymised data | We replaced names with user IDs | Still in scope; you hold the lookup key |
| ML / inferred data | Credit scores, predicted health risk we generated | In scope if linked to an identifiable individual |
| Photos / videos | Profile pics, CCTV, call recordings | In scope if individuals are identifiable |
| Work email addresses | It is a company email, not personal | Still personal data; it identifies a natural person |
Replacing names with user IDs in analytics while keeping the reverse-lookup table in your database is pseudonymisation, not anonymisation. It remains fully in scope under the DPDP Act. True anonymisation requires that re-identification is not reasonably possible using any data you hold, a much higher bar than most teams assume.
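As an added illustration of the pseudonymisation point above and the "identifiable in relation to" test (example code written for this page, not from the original article): the script joins a user-ID-keyed analytics export back to real people using the lookup table the organisation still holds, then contrasts it with a per-state aggregate that carries no individual rows. All sample data is constructed, and the minimum-group-size threshold is an assumption, not something the Act specifies.

```python
from collections import Counter

# Constructed sample data (not from the article): an analytics export where names were replaced
# by opaque user IDs, plus the reverse-lookup table that still lives in the main database.
EVENTS = [
    {"user_id": "u_1001", "event": "purchase", "state": "Maharashtra"},
    {"user_id": "u_1002", "event": "view", "state": "Maharashtra"},
    {"user_id": "u_1003", "event": "purchase", "state": "Maharashtra"},
    {"user_id": "u_1004", "event": "view", "state": "Karnataka"},
    {"user_id": "u_1005", "event": "view", "state": "Goa"},
]
USERS = {  # the lookup key: while you hold this, the export is pseudonymised, not anonymised
    "u_1001": {"name": "Sanil", "email": "sanil@company.in"},
    "u_1002": {"name": "Priya", "email": "priya@example.in"},
    "u_1003": {"name": "Rahul", "email": "rahul@example.in"},
    "u_1004": {"name": "Meera", "email": "meera@example.in"},
    "u_1005": {"name": "Arjun", "email": "arjun@example.in"},
}


def reidentify(events, lookup):
    """Join 'pseudonymised' events back to natural persons using data the organisation holds.
    Every row that joins is personal data under the 'identifiable in relation to' test."""
    return [{**e, **lookup[e["user_id"]]} for e in events if e["user_id"] in lookup]


def in_scope(events, lookup):
    """True if at least one event can be tied to an identifiable individual via data you hold."""
    return bool(reidentify(events, lookup))


def anonymise_aggregate(events, min_group=3):
    """Reduce events to per-state percentages ("60% users from Maharashtra") with no per-person row.
    States with fewer than min_group people are suppressed (an assumed threshold, not from the
    Act), because a one-person bucket can still single that person out."""
    counts = Counter(e["state"] for e in events)
    total = sum(counts.values())
    return {s: round(100 * c / total) for s, c in counts.items() if c >= min_group}


if __name__ == "__main__":
    joined = reidentify(EVENTS, USERS)
    print(f"{len(joined)} of {len(EVENTS)} 'pseudonymised' rows re-identified, e.g. {joined[0]}")
    print("in scope while lookup table is held:", in_scope(EVENTS, USERS))
    print("aggregate with small groups suppressed:", anonymise_aggregate(EVENTS))
```

Deleting the lookup table is necessary but not sufficient for anonymisation; any other data you hold that links the IDs to people (support tickets, payment records) keeps the export in scope.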
What Your Product Team Should Do Now
| # | Action | What It Catches |
|---|---|---|
| 1 | Run a field-by-field data inventory for your product | Hidden data collection you forgot about |
| 2 | Audit your analytics stack (Mixpanel, Amplitude, Google Analytics) | Vendor tools processing personal data without DPAs |
| 3 | Check what vendors collect independently (client-side) | Identifiers grabbed without explicit configuration |
| 4 | Apply data minimisation: delete fields with no clear purpose | "Just in case" fields are a compliance liability |
Once you have a full inventory of your personal data, the next step is understanding where the obligations sit, which is a question of your role under the DPDP Act. For the consent architecture that must sit on top of this inventory, read our guide on consent under the DPDP Act.
Frequently Asked Questions
Is a work email address personal data?
Yes. sanil@company.in identifies a specific individual and is personal data under the DPDP Act. The fact that it is professional or issued by an employer does not matter; it still relates to an identifiable natural person. Work emails processed by your HR system, CRM, or email marketing tools are all in scope.
Is a user ID personal data if we have removed the name?
Yes. If you can link that ID back to an individual, which you almost certainly can since it is tied to a user account, it is personal data. This is pseudonymisation, not anonymisation. The test under the DPDP Act is what is possible using all data you hold, not whether the ID is identifiable in isolation.
Is employee data in scope?
Most companies focus on customer data and forget HR. Salary, attendance, performance reviews, health information, payroll bank details: all in scope. HR systems, payroll software, and background verification vendors all need to be in your compliance inventory. Employee data is one of the most commonly overlooked areas of DPDP scope.
Are IP addresses personal data?
In most practical contexts, yes. An IP address can identify a specific individual when combined with other information such as browsing logs, account activity, or geolocation. The DPDP Act's "identifiable by or in relation to" standard treats IP addresses as personal data in the vast majority of commercial processing scenarios. Treat them as in scope unless you can demonstrate genuine non-identifiability.
Is data we inferred or generated ourselves personal data?
Inferred or derived data (credit scores, predicted health risk, churn probability) is personal data if it is linked to an identifiable individual. It does not matter that you generated it rather than collected it. Under the DPDP Act, you hold it, you are the Data Fiduciary for it, and all obligations (including access, correction, and erasure rights) apply.