Does India's DPDP Act Apply to Your Business? [2026 Guide]
Free applicability checker with statutory citations — covers India DPDP scope, obligations, and penalties.
About India DPDP
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive data protection legislation. It received Presidential assent on 11 August 2023. The DPDP Act introduces a framework governing the processing of digital personal data within India and, in certain cases, outside India.
Territorial scope: The DPDP Act applies to: (1) the processing of digital personal data within India where such data is collected online, or is collected offline and subsequently digitised; and (2) the processing of digital personal data outside India if it relates to offering goods or services to data principals in India (s.3 DPDP Act 2023). This extraterritorial reach mirrors GDPR's approach.
Enforcement timeline: The DPDP Act received Presidential assent in August 2023, but full enforcement depends on the central government notifying implementing rules. The Data Protection Board of India will be established once the rules are in place. Full mandatory compliance is anticipated progressively from 2025 onwards, with complete implementation expected by mid-2027. Businesses should begin preparing now.
Key concepts: The DPDP Act distinguishes between "Data Fiduciaries" (equivalent to data controllers) and "Data Processors" (processors). "Significant Data Fiduciaries" — large-scale processors designated by the government — face additional obligations including Data Protection Impact Assessments, Data Audits, and appointment of a Data Protection Officer based in India.
Key obligations under India DPDP
Frequently asked questions
Does India's DPDP Act apply to foreign companies?
Yes. The DPDP Act applies to any entity processing digital personal data outside India where the processing relates to offering goods or services to data principals in India (s.3(b) DPDP Act 2023). A US, EU, or Australian company with Indian customers is therefore subject to the DPDP Act for that processing.
When will India DPDP Act be enforced?
The DPDP Act received Presidential assent in August 2023. The central government must issue implementing rules before the law becomes enforceable. The Data Protection Board of India must also be established. Enforcement is expected progressively from 2025 onwards, with full compliance obligations anticipated by mid-2027. The government has indicated it will provide a phased implementation timeline.
What are the penalties under the DPDP Act?
The DPDP Act provides for financial penalties up to ₹250 crore (approximately USD $30 million) per instance for serious violations, imposed by the Data Protection Board of India. The Schedule to the Act provides different penalty tiers for different types of breaches, ranging from ₹50 crore to ₹250 crore.
What is a Significant Data Fiduciary under India's DPDP Act?
The central government may designate certain Data Fiduciaries as "Significant Data Fiduciaries" based on the volume of personal data processed, sensitivity of data, risks to data principals, or national security considerations. Significant Data Fiduciaries must appoint a Data Protection Officer based in India, conduct periodic Data Audits, and undertake Data Protection Impact Assessments.
What is the data breach notification requirement under the DPDP Act?
Under s.8(6) of the DPDP Act 2023, a Data Fiduciary must notify the Data Protection Board of India and each affected Data Principal of any personal data breach in such form and manner as may be prescribed. The government is expected to specify the notification timeline in the implementing rules — with 72 hours being widely expected based on global standards.
Not sure if India DPDP applies?
Run the full assessment — covers all major privacy laws with exact statutory citations. Free, no account required.
Start free assessment →Not legal advice — educational information only