
Who Does DPDPA Apply To?

By SaahoDilipKumaar

Last reviewed:

DPDPA applies to any entity that processes personal data of Indian residents digitally — including MSMEs, recruiters, CA firms, D2C brands, and B2B operators. If you collect a name, email, or phone number, you are covered. This guide explains scope, exemptions, and what it means for your business today.

The DPDPA applies broadly to any entity that processes personal data of Indian citizens. Understanding whether you are covered is the essential first step in your compliance journey.

The Short Answer

If your business collects, stores, or processes any personal data of individuals located in India — including just a name, email address, or mobile number — the DPDPA likely applies to you. Size does not matter. Whether you are a 5-person startup or a 5,000-person enterprise, if you handle personal data of Indian residents, you are in scope.

Data Fiduciaries vs Data Processors

The Act distinguishes between two key roles:

Data Fiduciary — Any person (including a company, firm, or individual) who alone or jointly determines the purpose and means of processing personal data. If you decide what data to collect, why to collect it, and how to use it, you are a Data Fiduciary.

Data Processor — Any person who processes personal data on behalf of a Data Fiduciary. For example, a cloud storage provider, payroll processor, or marketing automation tool.

Most businesses are Data Fiduciaries for at least some of their data processing activities. Some may also be Data Processors in their relationship with clients.

Does Size Matter?

No. The DPDPA does not provide a blanket exemption for small businesses or startups. A 10-person business collecting customer contact details, running a newsletter, or storing employee records is processing personal data — and is covered by the Act.

The government may introduce graduated compliance requirements for smaller businesses through future notifications, but no such exemption has been notified. Until then, assume you are fully in scope.

Who Is Covered — Business-Type Examples

| Business Type | Typical data collected | Covered? |
|---------------|------------------------|----------|
| D2C ecommerce brand | Customer names, addresses, phone numbers, purchase history | Yes |
| Recruitment agency | Candidate CVs, contact details, interview notes | Yes |
| CA firm | Client PAN, financial records, employee payroll data | Yes |
| Training institute | Student enrolment data, fees, contact details | Yes |
| SaaS company | User account data, behavioural data, support history | Yes |
| Freelancer (professional services) | Client contact information, project files | Yes |
| WhatsApp-only business | Saved contacts used for marketing | Yes |

Are There Exemptions?

The Act provides four categories of exempt processing:

  • Personal or domestic use — Processing by an individual purely for personal purposes (e.g., a personal contact list) is exempt. Business use is not.
  • Government instrumentalities — Certain processing by the central and state governments for specific public functions is exempt.
  • Law enforcement purposes — Processing for prevention, detection, investigation, or prosecution of offences.
  • Publicly available data — Personal data that has been made publicly available by the Data Principal themselves (e.g., they published it on a public platform).

None of these exemptions apply to standard commercial business operations.

Territorial Scope

The DPDPA applies to:

  • Processing within India — Any business operating in India that processes personal data, regardless of where the data is stored.
  • Processing outside India — If a foreign company processes data in connection with offering goods or services to individuals in India, the Act applies to them too.

This extraterritorial reach mirrors the approach taken by GDPR and means global companies serving Indian customers cannot simply ignore Indian data protection law because they are incorporated elsewhere.

The Significant Data Fiduciary Tier

Above the standard compliance threshold, the government can designate certain businesses as Significant Data Fiduciaries (SDFs) based on:

  • Volume or sensitivity of personal data processed
  • Risk to rights and interests of Data Principals
  • Potential impact on sovereignty, security, or public order
  • Risk to electoral democracy

SDFs face additional obligations: appointing a Data Protection Officer, conducting Data Protection Impact Assessments, auditing their algorithms, and meeting enhanced accountability standards. Most SMBs will not be designated as SDFs initially, but the designation can expand over time.

Practical Scope Test — 5 Questions

Ask these five questions about your business. If you answer yes to any of them, DPDPA applies to you:

  • Do you collect names, email addresses, phone numbers, or other contact details from customers, prospects, or employees?
  • Do you store or process any documents containing personal information (CVs, ID copies, financial records)?
  • Do you run email, SMS, or WhatsApp marketing to a list of individuals?
  • Do you use any SaaS tools (CRM, HRMS, payroll, ATS) that hold personal data?
  • Do you share personal data with third parties — vendors, partners, agencies, or clients?

If you answered yes to even one question, you are a Data Fiduciary under DPDPA.

What Happens If You Ignore It?

Penalties for non-compliance can reach ₹250 crore per instance. The Data Protection Board has the power to conduct inquiries and impose financial penalties after due process. Individuals can file complaints directly with the Board. Compliance is not optional — and the phased implementation window is the right time to build your foundation before scrutiny begins.

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

Educational content only. This guide is for educational purposes and does not constitute legal advice. Please consult a qualified data protection lawyer for formal legal opinions specific to your business situation.
