What is the deadline for DPDP Act enforcement in India?

Hard enforcement for the Digital Personal Data Protection (DPDP) Act begins on May 13, 2027. The transition window is currently active.

What are the penalties under the DPDP Act?

Penalties range from ₹50 Crores for general violations to ₹250 Crores for failure to take reasonable security safeguards.

How much does DPDP compliance cost?

Market rates for comprehensive DPDP compliance range from ₹3-7 Lakhs for SMEs to ₹15+ Lakhs for enterprises. This includes awareness training, data audit, DPA deep-dive sessions, consent manager setup, and ongoing DPO support.

Does DPDP apply to small businesses?

Yes. The DPDP Act makes no distinction based on turnover. Even if you have 100 customers, if you collect digital personal data, you are a Data Fiduciary and must comply.

What is included in a DPDP compliance workshop?

A DPDP readiness workshop typically includes: understanding the DPDP Act, mapping your tech stack, reviewing data processor agreements, checking consent flows, and creating a clear action plan.

Quick Answer•3 min read

DPDP Cross-Border Data Transfer Rules Explained

Understand DPDP rules for international data transfers, their current impact on Indian businesses, and compliance costs.

Sushant Pasumarty4 June 2026

DPDP Cross-Border Data Transfer Rules Explained

Yes, the Digital Personal Data Protection Act (DPDP) permits cross-border data transfers, but with specific conditions. The Indian government has the authority to restrict transfers to certain notified countries or territories. For now, there are no blanket prohibitions, meaning transfers are generally allowed unless explicitly restricted.

This 'whitelisting' approach grants the Central Government the power to specify countries where data *cannot* be transferred. Until such a list is published, organizations can continue existing cross-border data flows, provided they meet all other DPDP obligations like consent and purpose limitation.

What This Means Right Now for Indian Businesses

The DPDP Act has been notified, but specific rules detailing cross-border transfer mechanisms, enforcement timelines, and restricted countries are yet to be published. This means businesses have a window to prepare.

💡 Key Insight: While no countries are currently restricted, businesses must assume future restrictions are possible. This necessitates robust data mapping to identify all cross-border flows.

Sushant Pasamarty, founder of Meridian Bridge Strategy, notes that companies operating internationally should not wait for specific rules. "Identifying where your data goes is fundamental, regardless of upcoming restrictions. It's about knowing your ecosystem."

What You Actually Need to Do for Cross-Border Transfers

Preparing for DPDP's cross-border rules involves a structured approach. Focus on understanding your data's journey and securing it appropriately.

Identify All Cross-Border Data Flows: Pinpoint every instance where personal data of Indian Data Principals leaves India. This includes transfers to cloud providers, third-party vendors, parent companies, or subsidiaries located abroad.
Assess Lawful Basis for Transfer: Ensure a valid legal basis (e.g., explicit consent, legitimate use) exists for each data transfer. Review your existing data collection and consent mechanisms to ensure they comply with DPDP requirements.
Review Data Processing Agreements (DPAs): Update your DPAs with international vendors and partners to reflect DPDP obligations. Ensure these agreements specify data security measures, purpose limitations, and the Data Fiduciary's right to audit.
Implement Robust Security Measures: Regardless of destination, ensure data transferred abroad is protected with adequate security safeguards. This includes encryption, access controls, and regular security audits.
Monitor Regulatory Updates: Stay informed about any notifications from the Central Government regarding restricted countries or specific transfer mechanisms. Your compliance strategy must be agile.

✅ Pro Tip: Start with a comprehensive Data Mapping exercise. You cannot manage what you don't know exists. This foundation is critical for any cross-border compliance strategy.

What DPDP Cross-Border Data Transfer Readiness Costs

The cost for preparing your business for DPDP cross-border data transfer rules depends on the complexity of your data ecosystem and the level of support you need. Meridian Bridge Strategy offers tiered services to address these needs:

Tier	What it includes	Price range	Duration
Data Mapping	Map every personal data flow: who collects it, where it goes, which vendors touch it. Essential for identifying cross-border flows.	₹1.5L – ₹3L	1-2 weeks
DPDP Readiness Audit	Data Mapping + Gap Analysis (consent, DPAs, grievance, breach, deletion). Identifies specific gaps in cross-border DPA and consent practices.	₹2L – ₹6L	2-4 weeks
DPDP Workshop	Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap. Develops a clear plan for addressing cross-border transfer risks.	₹5L – ₹10L	4-6 weeks
Full DPDP Consulting	Workshop + Implementation Support + DPO Training + Final Readiness Opinion. Comprehensive support, including DPA updates and security recommendations for global operations.	₹7L – ₹12L	3-6 months

For businesses with extensive global operations and numerous international data flows, the Full DPDP Consulting tier offers the most comprehensive support, ensuring all aspects of cross-border data transfer compliance are addressed from strategy to implementation.

When to Start Your DPDP Cross-Border Readiness

Begin immediately. The absence of specific restrictions today does not mean indefinite leeway. Establishing foundational data governance and identifying your cross-border data footprint is a prerequisite for adapting to future regulations. Waiting until the rules are explicit will put your business at a significant disadvantage.

Next Step

Understand your specific DPDP compliance needs, including cross-border data transfers. Use our free online calculator to get an estimated cost and then schedule a discussion with Sushant Pasamarty to tailor a solution for your business.

Frequently Asked Questions

Are there currently any countries restricted for data transfer under DPDP?

No, as of now, the Indian government has not notified any specific countries as restricted for cross-border data transfer under the DPDP Act. Transfers are generally permitted, provided other DPDP obligations are met.

Does DPDP require specific contractual clauses (like SCCs) for cross-border transfers?

The DPDP Act allows the Central Government to prescribe conditions or safeguards for cross-border transfers. While specific mechanisms like Standard Contractual Clauses (SCCs) are common in other regimes (e.g., GDPR), DPDP rules on this are yet to be notified. Businesses should update DPAs to reflect general DPDP obligations.

What is the biggest risk if my business transfers personal data outside India without DPDP compliance?

The biggest risk is non-compliance with DPDP's core principles, which apply universally to personal data of Indian Data Principals. This includes insufficient consent, inadequate security measures, or processing beyond the stated purpose, potentially leading to significant penalties once enforcement begins. Future country restrictions could also halt your data flows.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.

Estimate My DPDP Cost →

Or book a call with Sushant →

DPDP Cross-Border Data Transfer Rules Explained

DPDP Cross-Border Data Transfer Rules Explained

What This Means Right Now for Indian Businesses

What You Actually Need to Do for Cross-Border Transfers

What DPDP Cross-Border Data Transfer Readiness Costs

When to Start Your DPDP Cross-Border Readiness

Next Step

Frequently Asked Questions

Related Guides

DPDP Compliance: Mandatory for Indian Startups?

DPDP Fines for Small Businesses: What You Need to Know

DPDP Act: Foreign Companies in India – Guide by MBS

Check Your DPDP Cost