The DPDP Rules have been notified and the deadline for compliance is 13 May 2027. The compliance clock is ticking.
But before you can comply, you need to know if the law applies to you.
In this blog, we cover the applicability of the DPDP Act and Rules - what data is covered, who bears the compliance burden, and when obligations actually kick in.
Overview
What does the DPDP Act apply to?
The DPDP Act applies to digital personal data which involves two parts:
Digital data means data that is either collected in digital form, or was collected physically and then digitised. For example, a loan agreement form that gets scanned and stored is classified as digital data, since it was digitised after being collected physically.
Personal data refers to any data that can be used to identify a person. It could be a person’s name, mobile number, email address, Aadhaar details, bank account number, photograph or signature, as well as website cookies, if they can be tied back to an identifiable individual.
What does it not apply to?
The DPDP Act does not apply to non-personal data (data that cannot identify anyone) or to data that remains in purely physical, non-digitised form. Both sit outside the DPDP framework entirely.
Whom does the Act apply to?
The DPDP law applies to any individual or organisation that processes personal data. It defines three roles.
Data Principal: the individual to whom the personal data relates. Your borrower, your policyholder, your app user. The DPDP Rules expand this definition: for a child (anyone under 18), the Data Principal includes the parent or lawful guardian; for a person with a disability who cannot independently exercise legal decision-making, it includes their lawful guardian.
Data Fiduciary: the entity that decides the purpose and means of processing personal data. Banks, NBFCs, insurance companies, telecom providers, e-commerce platforms, hospitals — if you decide why and how personal data is processed, you are a Data Fiduciary. The compliance burden sits on the Data Fiduciary. The Data Fiduciary remains responsible for ensuring processors handle data correctly.
Data Processor: any entity that processes personal data on behalf of a Data Fiduciary. A cloud vendor, a KYC service provider, a third-party analytics firm. The DPDP Act does not require Data Processors to independently comply; their obligations flow through their contract with the Data Fiduciary.
One point worth noting: Processors are not directly accountable to the Data Protection Board. If a vendor acting as your Data Processor mishandles your customer's data, you — the Data Fiduciary — are the one facing the regulator.
Significant Data Fiduciaries (SDFs): a different compliance tier
Not all Data Fiduciaries are treated equally. The Central Government can designate certain entities or classes of entities as Significant Data Fiduciaries based on:
- Volume and sensitivity of data processed
- Risk to the rights of Data Principals
- Potential impact on national security or public order
- Risk to electoral democracy
SDFs face obligations that go well beyond the standard Data Fiduciary requirements:
- Annual Data Protection Impact Assessment (DPIA)
- Annual independent audit
- Algorithmic risk assessment
- Appointment of a Data Protection Officer (DPO)
- Data localisation restrictions for categories of personal data notified by the Central Government
For BFSI entities specifically: large lenders, insurers, and payment platforms processing high volumes of sensitive financial data are strong candidates for SDF designation.
The government has not yet published the list of SDFs — that notification is expected before the May 2027 deadline. Waiting for that list before starting a DPIA programme is a mistake. If your data volumes and sensitivity profile fit the criteria, prepare as if the designation is coming.
Where does the DPDP Act apply?
The DPDP Act applies in two scenarios:
- Personal data processed within the territory of India.
- Personal data processed outside India, but the processing is connected to offering goods or services to individuals within India.
What about Indian companies using foreign cloud infrastructure or offshore data processing vendors?
The DPDP Act still applies to them, because the location of the server does not determine the applicability of the law — the location of the Data Fiduciary and the Data Principal does.
Is cross-border transfer of personal data permitted?
Cross-border transfer of personal data is permitted under the law, except to countries blacklisted by the government through a notification.
SDFs may face additional localisation restrictions for categories of personal data specifically notified by the Central Government.
When does the DPDP Act apply?
The DPDP Rules were notified on 13 November 2025, marking the full operationalisation of the DPDP Act, 2023. However, the obligations do not all switch on at once. Implementation is phased across three stages.
Phase I — Immediate (from 13 November 2025): Provisions related to constituting the Data Protection Board of India take effect immediately. The Data Protection Board is being set up by the government, with member applications currently underway.
Phase II — 13 November 2026: Consent Manager provisions become operative. Any Data Fiduciary that intends to rely on a Consent Manager for managing user consents must have its integration in place by this date.
Phase III — 13 May 2027: All core compliance obligations kick in: consent and notice requirements, data retention and erasure obligations, breach reporting timelines, children's data protections, rights of Data Principals, and SDF-specific obligations.
Until the core operational provisions of the DPDP Act are fully effective in May 2027, the IT Act and the Privacy Rules will continue to govern the privacy regime in India.
The 18-month window to May 2027 looks reasonable on paper but might be a challenge for most large organisations. The data mapping exercise alone - identifying what personal data you hold, where it flows, who processes it, and on what basis - typically takes 3 to 6 months for a mid-sized BFSI entity. Organisations will also have to redesign consent flows, draft notices, establish breach response protocols, and renegotiate vendor contracts, stretching the timeline further.
When does the DPDP Act not apply?
The DPDP Act carves out some narrow exemptions that most organisations can rely on only in specific scenarios.
Personal or domestic use. An individual processing personal data for purely personal or household purposes — taking a friend's phone number to meet for dinner — is outside the DPDP Act's scope. This exemption does not extend to businesses or professional activity of any kind.
Publicly available data. Data that has been voluntarily made public by the Data Principal, or made public under a legal obligation, is exempt. If a user posts a photograph of themselves on a public social media profile, a business can use that photograph without triggering DPDP obligations. The key qualifier is "made public" — data that has leaked or been exposed without the individual's consent does not fall into this exemption.
Legitimate uses (exception to consent). The Act allows processing without explicit consent in specific situations such as:
- employment-related processing (payroll, HR functions)
- compliance with a legal obligation or court order
- medical emergencies
- state functions (subsidies, benefits, licences, permits)
These are not a licence to bypass consent wherever inconvenient. Each applies only to the specific purpose listed.
General exemptions. There are specific scenarios where most DPDP obligations are waived entirely, such as:
- processing data for investigation of an offence
- research, archival, and statistical purposes
- BPO and offshore processing
What should you do now as a business?
You are required to do three things, in this order.
1. Map your data. Identify every category of personal data your organisation collects, the purpose for each, where it flows, and who touches it. This is the foundation of every subsequent compliance step.
2. Determine your fiduciary category. Are you a standard Data Fiduciary, or are you likely to be designated an SDF? Assess your data volumes, the sensitivity of data you process (financial records, health data, biometrics), and your user base. If the SDF criteria apply to you, begin your DPIA programme now - not after the government publishes the designation list.
3. Begin consent and notice redesign. The DPDP Rules require standalone privacy notices in plain, itemised language — separate from terms and conditions, with clear mechanisms for consent withdrawal. If your current consent flow is buried in a terms-of-service scroll, it will not comply.
The framework and deadlines are in place. The real question is whether your organisation treats this as a May 2027 problem or a today problem.