The questions every buyer asks
About the DPDP Act, about compliance, about penalties, and about the AutoCops platform. Practitioner answers, no marketing fluff.
DPDP applicability
Does the DPDP Act apply to my organisation?
Almost certainly yes. The Act applies to anyone who processes personal data of an individual in India, regardless of size, sector, or whether you're B2B or B2C. If you have employees, customers, or vendors with named contact persons, you process personal data and the Act applies. There is no minimum-size exemption.
We're a B2B SaaS company. Does the Act still apply to us?
Yes. Personal data includes the names and emails of your enterprise customers' employees, the contact persons in your CRM, the IP addresses your application logs, and the badge photos at reception. None of that becomes non-personal just because the buyer is an enterprise.
We're headquartered outside India but we have Indian customers. Does the Act apply?
Yes. Section 3(b) gives the Act extraterritorial reach for any processing in connection with offering goods or services to Data Principals in India. Where you're headquartered doesn't matter — where the Data Principals are does.
Are we a Significant Data Fiduciary?
Probably not yet. The central government has not yet notified the criteria for SDF designation, but the early indications point to large consumer platforms, banks and NBFCs above a customer-count threshold, telcos, large healthcare providers, and entities handling biometric or financial data at meaningful scale. If you're in any of those buckets at meaningful size, you should expect designation within 12-18 months.
Compliance basics
What's the first thing I should do?
Inventory your personal data. Not a heroic data discovery exercise — a spreadsheet listing every system that holds personal data, who owns it, what it's for, and how long it lives there. This is your Record of Processing Activities (RoPA). Without it, every other step is guessing.
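Whatever tool holds the inventory, each row needs the same minimum fields, and the inventory is only useful if it can answer the question a deletion request raises: which systems hold this kind of data about this person. The following Python is an added example, not AutoCops code and not from the page: it models one RoPA row with the fields listed above, flags rows that are too incomplete to act on, lists rows that have not been reviewed recently, and exports the whole thing as the spreadsheet the answer describes. The field names, the sample rows and the one-year review interval are constructed assumptions.

```python
"""Minimal Record of Processing Activities (RoPA) checker.

Added example, not AutoCops code. Field names, sample rows and the
review interval are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Fields without which a row cannot support a deletion request or an audit.
REQUIRED = ("system", "owner", "purpose", "retention_days")


@dataclass
class RopaEntry:
    system: str                       # where the personal data lives
    owner: str                        # accountable team or person
    purpose: str                      # why it is processed
    retention_days: Optional[int]     # how long it lives there
    data_categories: Tuple[str, ...] = ()   # e.g. ("name", "email")
    last_reviewed: Optional[date] = None


def validate(entries: List[RopaEntry]) -> List[Tuple[str, str]]:
    """Return (system, problem) pairs for rows that are incomplete or inconsistent."""
    issues = []
    for e in entries:
        name = e.system or "<unnamed>"
        for f in REQUIRED:
            if getattr(e, f) in (None, ""):
                issues.append((name, f"missing {f}"))
        if e.retention_days is not None and e.retention_days <= 0:
            issues.append((name, "retention_days must be positive"))
        if not e.data_categories:
            issues.append((name, "no data categories listed"))
    return issues


def stale(entries: List[RopaEntry], today: date, max_age_days: int = 365) -> List[str]:
    """Systems whose row was never reviewed or not reviewed within max_age_days."""
    return [
        e.system for e in entries
        if e.last_reviewed is None or (today - e.last_reviewed).days > max_age_days
    ]


def systems_for_category(entries: List[RopaEntry], category: str) -> List[str]:
    """The lookup a deletion request needs: every system holding a given category."""
    return sorted(e.system for e in entries if category in e.data_categories)


def to_csv(entries: List[RopaEntry]) -> str:
    """Export the inventory as the spreadsheet most teams actually maintain."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["system", "owner", "purpose", "retention_days",
                "data_categories", "last_reviewed"])
    for e in entries:
        w.writerow([
            e.system, e.owner, e.purpose,
            "" if e.retention_days is None else e.retention_days,
            ";".join(e.data_categories),
            e.last_reviewed.isoformat() if e.last_reviewed else "",
        ])
    return buf.getvalue()


# Constructed sample inventory: two complete rows, two with typical gaps.
SAMPLE = [
    RopaEntry("crm", "sales-ops", "lead management", 730,
              ("name", "email", "phone"), date(2025, 11, 1)),
    RopaEntry("hrms", "people-team", "payroll", 2555,
              ("name", "pan", "bank-account"), date(2024, 6, 30)),
    RopaEntry("app-logs", "", "debugging", None, ("ip-address",), None),
    RopaEntry("reception-cctv", "facilities", "premises security", 30,
              (), date(2025, 12, 20)),
]

if __name__ == "__main__":
    for system, problem in validate(SAMPLE):
        print(f"{system}: {problem}")
    print("due for review:", stale(SAMPLE, date(2026, 1, 15)))
    print("systems holding email:", systems_for_category(SAMPLE, "email"))
    print(to_csv(SAMPLE))
```

Running the block prints the gaps in the sample (a log store with no owner and no retention, a CCTV row that lists no data categories), the rows overdue for review, and the CSV. The point of `systems_for_category` is that an inventory which cannot answer "where is this person's email" is not yet a RoPA, whatever the spreadsheet is called.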
Do I need a Data Protection Officer?
Mandatory only for Significant Data Fiduciaries (Section 10). Strongly recommended for everyone else. The companies that wait until they're designated discover that the senior privacy talent market in India is small and getting smaller as enforcement begins. Hiring early is cheap insurance.
How long do we have to fulfil a data deletion request?
The DPDP Rules 2025 set the response window. In practice, you should be able to acknowledge within 24 hours and complete within the statutory window of days, not weeks. The deadline is calendar days, not working days.
What happens if we have a data breach?
Section 8(6) requires you to notify the Data Protection Board within 72 hours of becoming aware of facts that suggest a breach may have occurred. The clock starts at the moment of awareness, not the moment of forensic certainty. You also need to notify affected Data Principals where required.
Penalties and enforcement
What are the penalties under the DPDP Act?
Section 33 sets the schedule. Up to ₹250 crore per instance for failure of reasonable security safeguards (Section 8(5)), up to ₹200 crore for failure to notify a breach (Section 8(6)) or for children's data violations (Section 9), up to ₹150 crore for SDF obligation failures (Section 10), and up to ₹50 crore for catch-all violations.
How will the Data Protection Board calculate penalties?
Adversarially. The Board doesn't start at zero and add up factors — it starts at the maximum and subtracts factors that the Fiduciary can demonstrate (good-faith effort, evidence of controls, remediation, self-disclosure, training records). Organisations with no evidence start at the maximum.
When will enforcement actually start?
The Data Protection Board has been constituted but is still building its operational machine — staffing, premises, case management. The first high-profile enforcement actions are likely in the second half of 2026 or early 2027. But waiting until then to start preparing is exactly the wrong move — your compliance posture on the day of investigation is whatever existed before the panic, not whatever the panic produced.
AutoCops platform
Where is AutoCops hosted?
On your own infrastructure. We deploy AutoCops to your GCP, AWS, or Azure region of choice — typically asia-south1 (Mumbai) for Indian Fiduciaries, so personal data of Indian Data Principals never leaves the country. There is no shared SaaS multi-tenant cluster you'd be on.
How long does AutoCops take to deploy?
Typical timeline is 2-4 weeks from kick-off to a live deployment with the consent ledger, DSR workflow, and breach module operational. The full 11-capability rollout takes 8-12 weeks depending on how many systems you want connected and how complete your existing data inventory is.
Can AutoCops integrate with our existing systems?
Yes. We have native connectors for Postgres, MSSQL, Oracle, MongoDB, Elasticsearch, and any system that exposes a REST or GraphQL API. For systems without an API, the requests get routed to a human operator with a structured checklist.
What happens if we want to leave?
Every record AutoCops creates is exportable in standard formats. We will help you migrate out — that's part of our promise of open architecture and no lock-in. We earn renewals by being useful, not by holding your data hostage.
Still have questions?
Talk to a compliance engineer
Book a 30-minute call. We'll walk you through the platform and answer anything specific to your situation.