DPDP Act Applicability: India's Data Law for Your Business

Unsure if India's DPDP Act applies to your company? This guide explains the scope, tests, and practical implications for Indian businesses.

Sushant Pasumarty

DPDP Act Applicability: Does India's Data Law Cover Your Business?

Understanding whether the Digital Personal Data Protection (DPDP) Act, 2023, applies to your business is the critical first step towards compliance. Many Indian businesses, from startups to large enterprises, are asking this question. The quick answer depends on how your business handles personal data of individuals in India.

Quick Answer: The DPDP Act applies if your business (a 'Data Fiduciary') processes personal data within India, or processes personal data outside India in connection with offering goods or services to Data Principals in India.

What the DPDP Act Says About Scope

The DPDP Act clearly defines its territorial and material scope. It covers the processing of digital personal data inside India. Crucially, it also extends to processing personal data outside India if that processing relates to offering goods or services to Data Principals (individuals) within India, or for profiling such Data Principals.

This means that even if your servers are overseas, the DPDP Act likely applies to you if you serve an Indian customer base. Sushant Pasumarty, founder of Meridian Bridge Strategy (MBS), emphasizes, "Many businesses mistakenly believe that an overseas presence exempts them. The Act's reach is broad, focusing on the location of the Data Principal."

The Applicability Test: 3 Key Questions

To determine if the DPDP Act applies to your business, ask these three questions:

  1. Do you process 'personal data'? This includes any data about an individual who is identifiable by or in relation to such data. Examples include names, phone numbers, email addresses, IP addresses, or even transaction histories linked to a person.
  2. Is the processing within India? This covers any operation or set of operations performed on personal data, whether automated or manual, within the territory of India.
  3. If processing is outside India, are you offering goods or services to Data Principals in India, or profiling them? This extends the Act's reach to businesses targeting the Indian market, regardless of their physical location.

Tip for Startups: Even if you only collect basic customer information like email for a newsletter, you are processing personal data. Do not underestimate the scope.

Practical Implications for Your Business

If the DPDP Act applies to your business, you become a 'Data Fiduciary.' This designation comes with significant responsibilities, including obligations for consent, data security, data breach notification, and maintaining the accuracy of data. Misjudging applicability and ignoring these obligations can lead to significant penalties.

For instance, a tech startup collecting user analytics from Indian users, or an e-commerce platform selling to Indian customers, falls under the Act. Even a small HR department processing employee data is covered. MBS has guided over 20 companies through initial applicability assessments.

Cost to Comply: MBS Services & Price Ranges

Understanding your applicability is just the start. Complying with the DPDP Act involves structured steps. Meridian Bridge Strategy (MBS) offers productized services tailored to different levels of need and budget. Here's an overview of the typical investment:

| Tier | Includes | Price Range | Duration |
|---|---|---|---|
| Data Mapping | Map every personal data flow within your organization. | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Comprehensive Gap Analysis against DPDP requirements. | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Audit + Tailored Recommendations + A 90-day compliance roadmap. | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation Support + Interim Data Protection Officer (DPO) services + Readiness Opinion. | ₹7L – ₹12L | 3-6 months |

"The cost of compliance is an investment in trust and avoiding penalties," says Sushant Pasumarty. "Our tiered services help businesses right-size their DPDP journey."

Common Mistakes Businesses Make

  • Ignoring small data sets: Believing the Act only applies to large data holders. Any personal data processing is covered.
  • Assuming overseas exemption: Not recognizing the Act's extraterritorial reach for services targeting India.
  • Delaying assessment: Waiting for penalties or data breaches to prompt action. Early assessment saves cost and reputation.
  • Confusing DPDP with GDPR: While similar, the DPDP Act has specific nuances and requirements unique to the Indian context.

Your Next Step: Verify Your Applicability

Determining your exact status under the DPDP Act is crucial. If you process any personal data of individuals in India, it's highly probable the Act applies to you. For a deeper dive into compliance, consider exploring our resources on DPDP compliance roadmaps.

Frequently Asked Questions

What kind of data does the DPDP Act cover?

The DPDP Act covers 'personal data,' which is any data about an individual who is identifiable by or in relation to such data. This includes names, contact details, financial information, online identifiers (like IP addresses), and biometric data, among others.

Does the DPDP Act apply if my company is based outside India?

Yes. If your company processes personal data outside India and that processing is related to offering goods or services to Data Principals (individuals) within India, or to profiling such Data Principals in India, the DPDP Act applies to you.

What is a 'Data Fiduciary' under the DPDP Act?

A 'Data Fiduciary' is any person who alone or in conjunction with other persons determines the purpose and means of processing personal data. If the DPDP Act applies to your business, you are likely a Data Fiduciary and must adhere to the Act's obligations.

What are the penalties for non-compliance with the DPDP Act?

The DPDP Act specifies significant financial penalties for non-compliance. These can range from ₹10,000 up to ₹250 crore, depending on the nature and severity of the contravention, such as failure to protect personal data or notify a data breach.

How quickly can MBS help my business assess DPDP applicability?

Meridian Bridge Strategy (MBS) can typically complete an initial Data Mapping service, which includes assessing applicability and identifying personal data flows, within 1-2 weeks. This provides a clear understanding of your business's status under the DPDP Act.
