The DPDP Act applies more broadly than most legal teams initially assess. The 2 most common misreadings: assuming the Act only applies to Indian-registered companies, and assuming it only applies to organizations above a certain size. Both are wrong — and both are expensive mistakes to discover after enforcement begins.
This guide maps exactly who the DPDP Act applies to, what is genuinely exempt, and which tier of obligation applies to your organization.
What you will master in this guide:
- The 3 applicability tests that determine whether your organization is in scope
- The genuine exemptions — and why most organizations cannot rely on them
- The 2 obligation tiers (Standard Data Fiduciary vs. Significant Data Fiduciary) and what separates them
- The cross-border applicability rule that catches foreign organizations processing Indian data
For the full obligations breakdown, read the DPDP Act 2023 requirements and commencement timeline.
Who Does the DPDP Act Apply To in 2026?
The DPDP Act, 2023 applies (Section 3) to the processing of digital personal data in two situations:
- Processing within India of personal data that was collected in digital form, or collected in non-digital form and digitised afterwards, OR
- Processing outside India in connection with any activity related to offering goods or services to data principals within India
This is the cross-border hook. A Singapore-headquartered SaaS company with Indian customers processes their personal data under DPDP jurisdiction. A US-based analytics firm running behavioral models on Indian user data is subject to the Act. Geography of incorporation is irrelevant. Geography of the data principal is what matters.
The entity responsible for compliance is the Data Fiduciary — any person, company, government body, or other entity that determines the purpose and means of processing personal data. This is functionally equivalent to a GDPR Data Controller.
The key question your legal team must answer: does your organization determine what personal data of Indian residents is collected and why it is processed? If yes, you are a Data Fiduciary, and you are in scope.
What Are the DPDP Act Exemptions — And Who Can Actually Use Them?
The exemptions most often invoked fall into 4 categories. All of them are narrow, and each is tied to a specific purpose or actor rather than to a type of organization. Most commercial enterprises cannot rely on any of them.
| Exemption Category | Scope | Condition | Commercial Enterprise Applicability |
|---|---|---|---|
| State security and sovereignty | Instrumentalities of the State processing data in the interests of sovereignty, security of the State, public order, or related grounds | Only for State bodies notified by the Central Government; no private-sector equivalent | None |
| Research, archiving, and statistics | Processing for research, archival, or statistical purposes | Data must not be used for any decision affecting the data principal | Narrow — cannot be used to exempt commercial analytics |
| Personal or domestic use | Processing by an individual for purely personal or household activities | No commercial element — strict personal use only | None |
| Journalistic purposes | Processing by journalists for reporting, editorial, or public interest purposes | Subject to journalistic ethics standards | Media organizations only |
The research and statistics exemption is the one enterprises most often try to stretch over analytics workloads. It is lost the moment the output is used to take any decision specific to a data principal: pricing, credit scoring, marketing targeting, fraud scoring of a named customer. Those are not research activities. They are commercial processing activities that need consent or one of the legitimate uses listed in Section 7.
A practical test: if the output of the pipeline can be joined back to an individual and acted on, you are not exempt. You are a Data Fiduciary with the full standard obligation set.
What Are the 2 Obligation Tiers Under DPDP?
The DPDP Act creates 2 distinct tiers of Data Fiduciary obligation. Every entity in scope sits in one of these tiers.
Tier 1 — Standard Data Fiduciary
All organizations that process digital personal data of Indian residents, subject to the standard obligation set:
- Obtain valid consent before processing
- Provide notices and consent requests in English or any language in the Eighth Schedule of the Constitution, at the data principal’s option
- Fulfill all 5 data principal rights within mandated timelines
- Implement reasonable security safeguards
- Notify affected data principals without delay and report the breach to the Data Protection Board of India (DPBI) within the timelines set by the DPDP Rules, which cap the detailed report to the Board at 72 hours
- Delete personal data when purpose is fulfilled
- Appoint a grievance officer accessible to Indian data principals
Tier 2 — Significant Data Fiduciary (SDF)
Organizations designated by the Central Government under Section 10, based on volume, sensitivity, national risk, or electoral risk criteria. SDFs must fulfill all Tier 1 obligations PLUS:
- Appoint a Data Protection Officer based in India who is answerable to the Board of Directors (or equivalent governing body) and is the point of contact for grievance redressal
- Conduct periodic Data Protection Impact Assessments (DPIAs), annually under the DPDP Rules
- Submit to periodic audits by an independent data auditor, annually under the DPDP Rules
- Comply with restrictions on transferring notified categories of personal data outside India, if the Central Government specifies them
- Verify, with due diligence, that algorithmic software deployed for processing is not likely to pose a risk to data principals’ rights
| Obligation | Standard Data Fiduciary | Significant Data Fiduciary |
|---|---|---|
| Consent and notice | Required | Required |
| Data principal rights fulfillment | Required (within the response period the fiduciary publishes under the DPDP Rules) | Required (same response period) |
| Security safeguards | Required | Required |
| Breach notification | 72 hours | 72 hours |
| DPO appointment | Grievance officer only | India-resident DPO with board access |
| Annual DPIA | Not required | Required |
| Independent data audit | Not required | Required annually |
| Data localization | Not required (currently) | Subject to Central Government notification |
| Maximum penalty | Up to ₹250 crore for a security safeguards failure | Up to ₹250 crore for a security safeguards failure, plus up to ₹150 crore for breach of SDF-specific obligations under Section 10 |
Does DPDP Apply to Small Businesses and Startups?
The Act does not create a small business exemption based on revenue or employee count. Every organization processing digital personal data of Indian residents is in scope, regardless of size.
The Central Government has the authority under Section 17(3) to exempt notified classes of Data Fiduciaries, and the section expressly names startups as a candidate class, but no such notification has been issued as of May 2026. Even if one is issued, the relief is partial: Section 17(3) can switch off notice (Section 5), purpose-bound retention and erasure (Section 8(3) and 8(7)), SDF obligations (Section 10) and the right of access (Section 11). It cannot switch off valid consent, reasonable security safeguards, or breach notification. The absence of a blanket small business carve-out is a deliberate policy choice: India’s startup ecosystem processes vast quantities of personal data, and a size-based exemption would create a compliance vacuum in the highest-growth segment of the market.
The practical implication: a seed-stage fintech with 10,000 Indian users processing payment data is a Data Fiduciary subject to the full standard obligation tier. The consent store, rights fulfillment workflows, and breach notification pipeline must exist regardless of headcount or ARR.
Size does not determine DPDP applicability. Data processing of Indian residents’ personal data does.
Final Verdict
The DPDP Act applies to any organization processing digital personal data of Indian residents — Indian or foreign, large or small, commercial or non-profit. The exemptions are narrow and most commercial enterprises cannot access them. The Significant Data Fiduciary tier adds a materially heavier obligation set for organizations at scale. Both tiers carry the same ₹250 crore security safeguard penalty ceiling.
The only applicability assessment that matters is whether your organization processes digital personal data of Indian residents. If the answer is yes, you are in scope — and the compliance clock is running.
FAQ: DPDP Act Applicability and Exemptions
Who does the DPDP Act apply to?
Any organization, Indian or foreign, that processes digital personal data within India, or outside India in connection with offering goods or services to data principals in India. This applies regardless of company size, incorporation geography, or industry.
Does the DPDP Act apply to foreign companies?
Yes. Any company outside India that processes digital personal data in connection with offering goods or services to individuals in India, including through apps, websites, or digital services, is subject to the Act. The jurisdiction trigger is the location of the data principal, not the location of the company.
What exemptions does the DPDP Act provide?
Genuine exemptions are limited to notified State security and sovereignty functions, research, archival and statistical processing (where outputs are not used to take decisions specific to an individual), personal or domestic use, and journalistic purposes. Commercial enterprises do not qualify for any of these exemptions in their normal operations.
Is there a small business exemption under the DPDP Act?
No. The Act does not create a size-based exemption. Every organization processing digital personal data of Indian residents is in scope. The Central Government may exempt notified classes of fiduciaries, including startups, from specific provisions under Section 17(3), but none have been notified as of May 2026, and consent, security safeguards and breach notification stay in force even for an exempted class.
What is a Significant Data Fiduciary?
An organization designated by the Central Government based on the volume and sensitivity of data processed, risk to data principals’ rights, potential impact on the sovereignty and integrity of India or the security of the State, public order, or risk to electoral democracy. SDFs face additional obligations including a mandatory India-based DPO answerable to the board, periodic DPIAs, and independent data audits.
How is a Significant Data Fiduciary designated?
Designation is made by the Central Government through notification under Section 10. Organizations processing high-volume sensitive data, particularly in BFSI, healthtech, and large consumer platforms, should conduct an SDF self-assessment and prepare for potential designation before May 2027.
Talk to Sinki.ai about scoping your DPDP applicability
Build the compliance architecture your obligation tier requires – all native to your Databricks workspace.