What is personal data under the DPDP Act?
Under India’s Digital Personal Data Protection Act, personal data is any data about an identifiable individual. In plain business terms: if a record can be tied back to a real person — a customer, a patient, a candidate, a student, an employee or a vendor’s staff — it counts. That includes the obvious fields like names, phone numbers, email addresses and government IDs, and the less obvious ones like cookie IDs, WhatsApp chats, abandoned-cart trails and CCTV footage.
Most businesses underestimate how much they hold. The data sitting in your CRM is only the start. The spreadsheet exports on a laptop, the candidate CVs in an inbox, the payment references in your gateway dashboard and the delivery addresses shared with a courier partner are all digital personal data too.
DPDPA personal data examples by category
This tool groups personal data the way a business actually experiences it, in three layers:
- Core personal data — the identity and contact information you almost certainly hold: names, phone numbers, email addresses, account or membership IDs, and billing addresses.
- Operational personal data — the data generated as you run the business: orders and invoices, payment and refund references, delivery details, support tickets, and marketing consent records.
- Hidden or often-missed personal data — the data most owners forget they hold: website tracking and pixel IDs, behavioural and abandoned-cart data, WhatsApp and social-commerce chats, old exports, and CCTV or device identifiers.
The hidden layer is where exposure usually concentrates, because it is collected automatically, shared with third parties, and rarely covered by a clear notice or retention rule.
A practical DPDPA compliance checker for India
A useful readiness check does three things: it shows you the personal data you handle, it highlights where safeguards are thin, and it gives you a short, prioritised list of what to do next. That is exactly the shape of the snapshot above — pick your industry, confirm your data, answer three questions about consent, vendor sharing and breach readiness, and read your result. It works for diagnostic labs, D2C brands, CA and consulting firms, recruitment agencies, schools, clinics, SaaS companies and more.
How DPDPA penalty risk actually arises
It helps to be calm and specific here. Penalty risk does not come from holding data — every business holds data. It tends to arise where reasonable security safeguards are weak, where people were never given a clear notice or a genuine choice, where there is no documented way to respond to a breach, or where children’s data is processed without the right protections. The aim of a readiness check is to surface those gaps early, while they are cheap to fix.
What “reasonable security safeguards” means in practice
For most small and mid-sized businesses, reasonable safeguards are operational, not exotic. They look like: limiting who can open the customer database; keeping payment credentials with the gateway instead of in a spreadsheet; writing down how long you keep inactive records and actually deleting them; having a named person and a simple plan for the day something goes wrong; and knowing exactly which vendors and platforms your data flows to. None of that requires a legal team — it requires a clear map and a few documented habits.
From snapshot to a full DPDPA readiness assessment
The discovery tool is a fast, free starting point. A full readiness assessment goes further: it scores your gaps across consent, notices, retention and vendor flow; produces an industry-specific verdict; and ranks the fixes by business risk so you know what to do first. The goal is not fear — it is operational control and a trust signal you can show customers and enterprise buyers.
This tool provides a practical, educational snapshot of personal-data risk. It is not legal advice, and your result is a starting point for action rather than a determination of compliance.