Who Should Comply with the DPDP Act?
One of the most common questions businesses ask about India's Digital Personal Data Protection Act 2023 is straightforward: does this apply to me? The short answer is that if your business collects, stores, or processes the personal data of individuals in India in digital form, you almost certainly need to comply.
This guide breaks down exactly who the DPDP Act applies to, what your obligations are based on your role, and how to determine where your organization falls.
The Scope of the DPDP Act
The DPDP Act applies to the processing of digital personal data where:
- Data is collected in digital form within the territory of India
- Data is collected in non-digital form and subsequently digitized
- Data is processed outside India if the processing is in connection with offering goods or services to Data Principals in India
This extraterritorial scope means that a SaaS company based in the United States or a European e-commerce platform with Indian customers must also comply. For a comprehensive overview of the law, see our complete guide to the DPDP Act.
Data Fiduciaries — The Primary Obligation Holders
A Data Fiduciary is any person or entity that alone or jointly determines the purpose and means of processing personal data. If your organization decides what data to collect and why, you are a Data Fiduciary.
Examples of Data Fiduciaries
- An e-commerce company collecting customer names, addresses, and payment details
- A SaaS platform storing user account information, usage data, and billing details
- A mobile app collecting device identifiers, location data, or contact information
- A bank or NBFC processing customer KYC documents and financial records
- A hospital or healthtech startup handling patient health records
- An employer maintaining employee HR data in digital systems
Key Obligations of Data Fiduciaries
Under the DPDP Act, Data Fiduciaries must:
- Obtain lawful consent (Section 6) before processing personal data, with clear notice about the purpose
- Honor withdrawal requests (Section 11) and stop processing when consent is withdrawn
- Respond within 30 days (Section 13(3)) to rights requests (Sections 12-14) for access, correction, erasure, grievance redressal, and nomination
- Implement reasonable security safeguards to protect personal data from breaches
- Delete personal data when it is no longer necessary for the stated purpose or when consent is withdrawn
- Report data breaches to the Data Protection Board and affected Data Principals
Significant Data Fiduciaries
The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries based on the volume and sensitivity of data processed, risk to Data Principal rights, and potential impact on national security or public order.
Significant Data Fiduciaries face additional obligations including:
- Appointing a Data Protection Officer based in India
- Appointing an independent data auditor
- Conducting periodic Data Protection Impact Assessments
- Complying with additional measures prescribed by the government
Large enterprises, major tech platforms, and financial institutions operating in India should prepare for potential designation as Significant Data Fiduciaries.
Data Processors — Indirect but Real Obligations
A Data Processor processes personal data on behalf of a Data Fiduciary. While the primary legal obligations fall on the Data Fiduciary, Data Processors have contractual and practical obligations:
- Process data only as instructed by the Data Fiduciary
- Implement appropriate security measures
- Assist the Data Fiduciary in fulfilling rights requests
- Delete data at the end of the processing relationship
Common Data Processor Examples
- Cloud infrastructure providers (AWS, Azure, GCP)
- Payment gateways processing transactions on behalf of merchants
- Email service providers sending communications on behalf of businesses
- Analytics platforms tracking user behavior for their clients
If you are a Data Processor, your clients (Data Fiduciaries) will increasingly require contractual assurances of DPDP compliance. Getting ahead of this requirement gives you a competitive advantage.
Small Businesses and Startups
The DPDP Act does not exempt small businesses. If your startup collects user emails for a newsletter, stores customer information for an online store, or processes any personal data in digital form, you need to comply.
However, the Act is designed to be proportionate. The government may exempt certain categories of Data Fiduciaries or specify simplified compliance requirements for smaller entities. Until such exemptions are notified, all businesses should assume full compliance is required.
The good news is that compliance does not have to be expensive or complex. Platforms like DPDP Comply are built specifically to make compliance accessible for businesses of all sizes — from solo founders to enterprise teams.
Foreign Companies With Indian Users
The DPDP Act's extraterritorial application is clear: if you offer goods or services to individuals in India, you must comply regardless of where your business is incorporated.
This affects:
- Global SaaS companies with Indian subscribers
- International e-commerce platforms shipping to India
- Mobile apps available on Indian app stores
- Social media platforms with Indian users
- EdTech companies serving Indian students
For SaaS companies specifically, read our detailed guide on why SaaS companies need DPDP compliance.
Government and Public Sector
The DPDP Act applies to government entities processing personal data, though the government may exempt certain instrumentalities for reasons of national security, public order, or prevention of offenses. However, these exemptions are narrowly defined and do not constitute a blanket exclusion.
How to Determine Your Compliance Requirements
Step 1: Data Mapping
Identify every instance where your organization collects or processes personal data. Include websites, mobile apps, APIs, CRM systems, HR tools, and third-party integrations.
Step 2: Role Classification
For each data flow, determine whether you are acting as a Data Fiduciary (you decide the purpose) or Data Processor (you act on instructions).
Step 3: Gap Analysis
Compare your current practices against DPDP requirements: consent mechanisms, privacy notices, rights request processes, security measures, and data retention policies.
Step 4: Implement Compliance Tools
Deploy a consent management solution, establish a rights request workflow, update your privacy policy, and create audit trails for all data processing activities.
Getting Started With Compliance
If you have determined that the DPDP Act applies to your business — and for most digital businesses operating in India, it does — the next step is implementation. DPDP Comply provides an end-to-end compliance platform including consent banner management, rights request tracking, privacy policy hosting, and immutable audit logs.
Get Started Free and begin your compliance journey today. You can also explore our guide on how to get DPDP compliant in 15 minutes for a step-by-step walkthrough.