The most common question from Indian startup founders: does the DPDP Act even apply to us? For the vast majority of businesses in India's digital economy: yes. But the specifics depend on your role, your data, and who your users are.
The Basic Applicability Test
You are in scope if either of these is true:
Any size threshold. No SME exemption. A 5-person startup is in scope exactly as much as a 5,000-person enterprise. The DPDP Act does not care about your revenue, headcount, or stage of funding.
The Applicability Checklist
One "Yes" puts you in scope:
| Question | In Scope? |
|---|---|
| Do you collect names, emails, phone numbers, or addresses from Indian users? | Yes |
| Do you process payment data or financial information of Indian individuals? | Yes |
| Do you collect health, biometric, or precise location data? | Yes |
| Do you run an app or website accessed by Indian residents? | Yes |
| Do you process employee personal data in any digital system? | Yes |
| Are you a vendor processing data on behalf of an Indian company? | Yes |
| Are you a foreign company with Indian customers or users? | Yes |
| Do you process only truly anonymised data where re-identification is impossible? | No |
Your Role Determines Your Obligations
For the full definitions, see Part 1 of this series on DPDP roles.
| Role | Who You Are | Key Obligations |
|---|---|---|
| Data Fiduciary | You decide what to collect and why. Every company with a product. | Consent, notice, rights, security, breach notification |
| Data Processor | You process on another company's instruction. Cloud, SaaS tools, agencies. | DPAs with clients, security, assist with rights requests |
| Both | Most SaaS: Fiduciary for own users, Processor for enterprise clients. | All of the above, simultaneously |
Industry Snapshots
| Sector | Primary Role | Watch Out For |
|---|---|---|
| SaaS | Fiduciary + Processor | Dual obligations; DPAs with every enterprise client |
| Fintech | Fiduciary | KYC data + RBI overlay + credit bureau sharing |
| Healthtech | Fiduciary or Processor | Highest scrutiny; health data = strictest obligations |
| EdTech | Fiduciary or Processor | Most users are minors; verifiable parental consent required |
| HR Software | Processor for clients | Employee data often overlooked; salary + health in scope |
Once you know you are in scope, the next question is: what exactly counts as personal data? The answer is broader than most teams expect. Read our detailed breakdown on what counts as personal data under the DPDP Act.
Frequently Asked Questions
Yes, as a Data Processor. You need DPAs with every client, clear security obligations, and systems to help clients respond to user rights requests. Being a Processor changes the shape of your obligations, not whether they exist. In practice, many enterprise clients will also flow down specific DPDP obligations in their contracts with you.
Only if the anonymisation is genuine and irreversible. If there is any realistic pathway to re-identify individuals from the data, it is still in scope. Pseudonymised data, where you hold the reverse-lookup key, is explicitly in scope. Test your anonymisation claim against modern re-identification techniques before relying on this exemption.
Probably not first. Enforcement will prioritise higher-risk operators early. But being low enforcement priority is not the same as being out of scope, and building foundations now costs a fraction of remediating later. Most importantly, contractual and commercial pressure from enterprise clients will likely force DPDP compliance long before regulatory enforcement reaches you.
Yes. The DPDP Act applies to any 'person' processing digital personal data, and 'person' includes companies, firms, associations, and other bodies, regardless of profit motive. NGOs, educational trusts, and charitable organisations processing personal data of Indian individuals are equally in scope.
Yes. A work email address like name@company.com identifies a specific individual and is personal data under the DPDP Act. The fact that it is professional or issued by the employer does not change that it relates to an identifiable natural person. Employee data is one of the most commonly overlooked areas of DPDP scope.