
Does DPDP apply to me? A 7-question self-check that actually answers it

By Autops Desk·5 Apr 2026·8 min read

Every founder, every counsel, every product manager I talk to asks the same first question — and most of the answers floating around the internet are wrong. Here's the practitioner's version, with the actual section numbers, in plain English.

Of all the questions I get about the Digital Personal Data Protection Act, 2023, this one is the most frequent and the most badly answered: does it apply to me? The version most people have absorbed from press articles goes something like, "It applies to large companies and consumer-facing apps." That answer is short, memorable, and wrong.

The Act's applicability is wider than that, and the consequences of getting the answer wrong are real. If you've concluded "we're not in scope" and you actually are, every passing month is a compliance gap that the Data Protection Board will eventually be able to point at. So let's do this properly.

Below is a 7-question self-check. Answer each one honestly, and at the end I'll tell you what the realistic answer is for the typical Indian organisation in 2026.

Question 1 — Are you processing the personal data of any individual located in India?

This is the trigger. Section 3 of the Act says it applies to the processing of digital personal data within India where the data is collected (a) in digital form, or (b) in non-digital form and subsequently digitised.

"Personal data" (Section 2(t)) is any data about an individual who is identifiable from that data, or in combination with other data. "Processing" (Section 2(x)) is any operation performed on personal data — collection, storage, use, disclosure, retention, alignment, erasure. That's almost every interaction you have with data.

The bar isn't B2C versus B2B. It isn't customer data versus employee data. It's: are you doing anything with data that identifies an individual?

Honest answer for most organisations: yes, almost certainly yes.

If you have employees, you process employee data. If you have customers, you process customer data. If you have vendors with named contact persons, you process vendor data. If your website logs IP addresses against page views, you process digital identifiers. The set of organisations that genuinely process zero personal data is essentially empty.

Question 2 — Are any of those individuals in India?

The Act's territorial reach (Section 3(b)) covers the processing of personal data outside India if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.

Translation: even if you are headquartered abroad, even if your servers are in Singapore, even if your engineering team is in Berlin — if you have customers or users or employees in India, the Act follows you.

Honest answer: yes for any organisation that does business in India, full stop.

The carve-out for "personal data made publicly available by the Data Principal themselves" (Section 3(c)(ii)) is much narrower than people assume. A LinkedIn profile is publicly visible, but the moment you scrape it into your CRM and start emailing the person, you've crossed back into in-scope territory because the processing purpose is yours, not theirs.

Question 3 — Do you decide why and how that data is processed?

This is the question that determines whether you are a Data Fiduciary or merely a Data Processor. Section 2(i) defines the Data Fiduciary as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data." A Data Processor (Section 2(k)) is anyone who processes personal data on behalf of a Data Fiduciary.

Most organisations are both. You are a Fiduciary for your own customers, employees, and vendors. You are a Processor for your enterprise customers' end users (if you operate a SaaS product or run a managed service for someone). The Act applies to both, but the obligations are heavier on Fiduciaries.

The deciding question is: who chose what to do with this data? If your company decided, you're the Fiduciary for that purpose. If you're executing someone else's decision under contract, you're the Processor.

Honest answer for almost every organisation: you are a Data Fiduciary for at least some of your processing activities.

Question 4 — Are you a Significant Data Fiduciary?

Section 10 introduces a special class of Data Fiduciary called the Significant Data Fiduciary (SDF). The Central Government can notify any Fiduciary as significant based on factors including the volume and sensitivity of personal data, the risk to the rights of Data Principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order.

If you're an SDF, you have to:

  • Appoint a Data Protection Officer (a real one, India-based, with actual authority — not the General Counsel wearing a second hat)
  • Appoint an independent data auditor
  • Conduct periodic Data Protection Impact Assessments
  • Conduct periodic audits
  • Comply with any other obligations the Government may notify

The Government has not yet published the criteria thresholds for SDF designation, but the early indications point to: large consumer platforms, banks and NBFCs above a customer-count threshold, telecom operators, large healthcare providers, and any entity handling biometric or financial data at meaningful scale.

Honest answer for most: you are probably not an SDF yet, but you should know the criteria and have a plan for the day you're designated. Designation can happen retroactively.

Question 5 — Do you process the personal data of children?

Section 9 of the Act treats the personal data of children (anyone under 18) as a special category. If you process children's data, you must:

  • Obtain verifiable consent from a parent or lawful guardian before processing
  • Refrain from any processing that is likely to cause any detrimental effect on the well-being of the child
  • Not engage in tracking, behavioural monitoring, or targeted advertising directed at children
  • Not undertake any other activities the Government may notify

This applies to schools, ed-tech, gaming companies, paediatric healthcare, children's apparel e-commerce, kids' content platforms, and anyone whose service is plausibly used by minors. The "plausibly used by minors" part is what trips most people up — even if your product isn't for children, if children use it (and they do, on every consumer platform), Section 9 applies.

If your answer is yes, you have a separate, harder compliance track on top of everything else. The penalty under Section 33 for breaches of children's data obligations can reach ₹200 crore per instance.

Question 6 — Do you transfer personal data outside India?

Section 16 gives the Central Government the power to restrict transfers of personal data to certain countries or territories by notification. The default is permissive — you can transfer freely unless the Government has specifically restricted a destination — but the Rules and notifications are still being issued, and the list will grow.

More importantly: if you have Data Processing Agreements with global vendors (AWS, Salesforce, Slack, HubSpot, anything cloud-based not hosted in asia-south1), you are doing cross-border transfers. You need to know which countries those vendors operate from, what the current notification status of those countries is, and what your contractual safeguards are.

Honest answer: yes, basically every Indian organisation in 2026 transfers personal data abroad through its SaaS stack, often without realising it. That's not a violation by itself — but it is an obligation to know.

Question 7 — Have you formally answered any of the above before today?

If your organisation has not produced a written, dated, signed-off applicability assessment for the DPDP Act, then in regulatory terms you have not yet started.

Notice that I said "written, dated, signed-off." A whiteboard discussion in a meeting is not an applicability assessment. A WhatsApp message from your General Counsel is not an applicability assessment. A vague memory of "we talked about it last quarter" is not an applicability assessment. You need a document that says: as of [date], on the basis of [these facts], we conclude that the DPDP Act [does/does not] apply to [these processing activities] and we are/are not a Significant Data Fiduciary, and we will/will not implement [these controls] by [these dates], approved by [these people].

That document does not need to be long. It needs to exist.

Putting it together

Let me give you the boring, accurate answer most organisations will arrive at after honest reflection:

"We are a Data Fiduciary under the DPDP Act, 2023. We process personal data of Indian Data Principals (employees, customers, vendors, users) in connection with our business activities. We are not currently a Significant Data Fiduciary, but we acknowledge that we may be designated in the future. We process some children's data through [these touchpoints] and have separate controls for that. We transfer personal data outside India through [these vendors] and we monitor the Section 16 notifications. Our compliance programme is in [stage] of implementation and the next milestones are [these]."

If you can write that paragraph honestly, congratulations — you've done your applicability assessment. If you can't, that's the next thing on your calendar.

The thing nobody tells you

The reason the "does it apply to me" question is so persistent is that people are hoping the answer is no. They're hoping there's a clever interpretation, a carve-out, a threshold that lets them keep doing what they were already doing. There almost never is.

The DPDP Act is not a tax that exempts small businesses below a turnover line. It's not a sectoral regulation that only catches banking. It's a horizontal law that catches everyone who decides what to do with personal data. The earlier you accept that, the sooner you can stop hoping for an exemption and start building the programme that will actually protect you when the first complaint lands.

The good news is that the work is not infinite. The bad news is that it's not optional either. And the realistic news is that the organisations that do it now will look back in two years and wonder why they wasted six months hoping the answer was no.

Want a faster way to find out where you stand? Take our free 5-minute assessment — it's the same 40 questions we use in production engagements, with a posture score and a prioritised gap list at the end. No signup, no marketing chase.
