Does India’s DPDP Act apply to you — and are you a Significant Data Fiduciary?
Four quick questions. Get a clear read on whether the Digital Personal Data Protection Act applies, whether you show signals of a likely SDF, and the obligations that follow.
Do you process personal data of individuals in India?
Digital data, or paper records you later digitise, both count.
Do you offer goods or services to people in India?
This counts even if you operate from outside India.
Do you handle large volumes of personal data, or sensitive data?
Sensitive includes financial, health, children’s, or biometric data.
Roughly how many Indian users do you have?
This checker is general guidance, not legal advice. It reflects the Digital Personal Data Protection Act, 2023. Your actual obligations depend on your data flows, contracts, and how the rules apply to your situation.
DPDP applicability — common questions
Does DPDP apply to companies outside India?
It can. The Act has extraterritorial reach: if you process the personal data of people in India in connection with offering goods or services to them, it applies even when you operate entirely from outside India. Where your servers sit does not decide the question — whose data you handle does.
What makes us a Significant Data Fiduciary?
A Significant Data Fiduciary (SDF) is not something you self-declare. The government designates SDFs based on factors set out in the Act — the volume and sensitivity of the personal data you process, the risk to data principals’ rights, security of the state, and similar considerations. High volume, sensitive data such as financial or health data, and children’s data are the signals that point toward likely designation, but the formal call rests with the government.
What extra obligations does an SDF have?
On top of the duties every data fiduciary has, an SDF must appoint a Data Protection Officer based in India and answerable to its board, appoint an independent data auditor, carry out periodic Data Protection Impact Assessments and independent audits, and observe any further measures the rules prescribe.
When must we comply?
Full compliance with the Digital Personal Data Protection Act is due 13 May 2027. The underlying work — data mapping, consent and notice, grievance redressal, security safeguards — usually takes longer than teams expect, so the practical time to start is well ahead of that date.