
DPDPA Myth vs Fact

Common misconceptions about DPDPA — debunked with the correct understanding.

Misinformation about DPDPA is widespread — particularly among SMEs and non-legal professionals. Here are the most common myths, corrected.

Myth 1: "DPDPA only applies to big companies"

Fact: The DPDPA does not include a small business exemption in its current text. It applies to any entity processing personal data of Indian residents digitally, regardless of company size. A 3-person recruitment agency storing candidate CVs in Google Drive is a Data Fiduciary with compliance obligations.

The government *may* notify exemptions for specific categories of businesses through Rules — but until such exemptions are formally notified, all businesses collecting personal data should plan for compliance.

Myth 2: "We already have a Privacy Policy, so we are compliant"

Fact: Having a Privacy Policy (Privacy Notice) is one element of DPDPA compliance — but it is far from sufficient. Compliance requires: valid consent flows, a notice at the point of data collection, security safeguards, a data rights request process, a breach response plan, data retention and deletion processes, and Data Processing Agreements with vendors. A Privacy Policy alone does not cover any of these.

Myth 3: "We can wait for enforcement before doing anything"

Fact: The DPDP Rules, 2025 have been notified, with phased commencement underway. The compliance work required takes significant time — months, not days. Businesses that act during the transition window will be far better positioned than those that wait for enforcement pressure. The cost of retrofitting compliance under regulatory scrutiny is substantially higher than building it proactively now.

Myth 4: "Our customers agreed to our Terms and Conditions, so we have consent"

Fact: Bundled consent in Terms and Conditions is explicitly non-compliant under DPDPA. Consent must be specific, separate, and tied to a defined purpose. A generic "by using this site you agree to our T&Cs" does not constitute valid consent for any specific data processing activity. Pre-checked boxes are similarly invalid.

Myth 5: "We don't collect sensitive data, so the Act doesn't really apply to us"

Fact: DPDPA applies to all personal data — not just sensitive categories. Even collecting a person's name, email address, and mobile number for a newsletter subscription makes you a Data Fiduciary with compliance obligations. Sensitivity affects the level of scrutiny required, but it does not determine whether the Act applies.

Myth 6: "We use a third-party CRM/ATS, so the vendor is responsible for compliance"

Fact: If you decide what data to collect, why to collect it, and how to use it — you are the Data Fiduciary. Your CRM or ATS vendor is a Data Processor acting on your instructions. The primary compliance obligations remain with you. You must also ensure your vendor has signed a Data Processing Agreement and meets appropriate security standards.

Myth 7: "DPDPA only applies to customer data"

Fact: DPDPA applies to all personal data of individuals — including employee data, candidate data, contractor data, and partner contact data. HR departments processing employee PAN, Aadhaar, bank accounts, performance records, and health data are processing personal data under DPDPA.

Myth 8: "We are a B2B company and don't deal with consumers, so DPDPA doesn't apply"

Fact: DPDPA applies whenever you process personal data of individuals — regardless of whether your business model is B2B or B2C. If you collect data of your clients' employees (for payroll, HR, or professional services), you are processing personal data. If you hold contact data of individuals at your client organisations, that is personal data.

Myth 9: "Compliance with GDPR means we are automatically DPDPA-compliant"

Fact: DPDPA and GDPR share principles but differ in structure, definitions, and specifics. GDPR compliance provides a useful foundation, but Indian DPDPA compliance requires separate, India-specific assessment. Key differences include: the consent framework, the rights regime, the cross-border transfer mechanism, and the enforcement structure.

Myth 10: "Penalties only apply if there is a data breach"

Fact: Penalties under DPDPA can be imposed for various violations — not only breaches. Non-compliant consent flows, failure to respond to rights requests, failure to provide notice, and failure to sign Data Processing Agreements with processors are all potential compliance failures. The Data Protection Board can investigate and penalise any violation of the Act.

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.