Plain English Guides
India's DPDP Act: What Tech Businesses Need to Address
India is too large a market to treat privacy as a side project. The Digital Personal Data Protection Act (DPDP Act) is the centrepiece of India’s modern data rules. If you run a SaaS product, marketplace, fintech, or AI feature used by people in India — or you process digital personal data in connection with offering goods or services there — you need a clear plan for obligations addressed under DPDP, plus adjacent cyber and sector expectations.
Hub: India regulations. Context: Global AI Compliance in 2025. Compare APAC neighbour: Singapore MAS AI Governance.
What the DPDP Act is (plain English)
The DPDP Act is India’s framework for processing digital personal data. It focuses on:
- Lawful processing grounded in consent or recognised legitimate uses
- Duties of data fiduciaries (controllers, in familiar language)
- Rights of individuals (data principals)
- Security safeguards
- Cross-border transfer rules shaped by government notifications
- Children’s data and significant data fiduciary obligations where designated
Rules and implementing details continue to mature. Treat DPDP as a live programme: update notices, consent flows, vendor contracts, and retention when subordinate rules and guidance land.
Who it applies to
Typical tech scenarios in scope:
- You offer apps, websites, or services to people in India
- You process digital personal data of individuals in India as part of those offerings
- You act as a data fiduciary or processor/service provider in that chain
- You use AI features that ingest Indian user data (prompts, profiles, logs, support tickets)
Overseas companies are not automatically out of scope. Extraterritorial reach can apply when you target Indian users. Map product surfaces, billing entities, and subprocessors — not just where your engineers sit.
Significant Data Fiduciaries (when designated) face heavier duties. Most early-stage products will not start there, but growth, volume, and risk profile can change that picture.
Key obligations to address
Consent and purpose
Build clear notices. Collect consent where required. Limit processing to stated purposes. “We’ll use everything for AI improvement forever” is not a strategy — it is a future incident report.
Legitimate uses
DPDP recognises certain legitimate uses beyond consent. Do not stretch them casually. Document the legal basis for each high-volume processing activity, including analytics and model improvement.
Individual rights
Be ready for access, correction, erasure, and withdrawal-of-consent style requests on operational timelines. AI systems that hard-bake personal data into models need a deletion and retention story you can defend.
Security
Implement “reasonable security safeguards.” For tech teams that means access control, encryption in transit and at rest where appropriate, logging, vendor security reviews, and tested incident response.
Children’s data
Extra care for users under the age threshold set by law. Age gates, parental consent mechanisms, and tighter marketing/AI profiling limits belong in the product backlog — not a legal footnote.
Cross-border transfers
Watch government notifications on permitted transfer destinations and conditions. Update SCCs-style contracts and transfer records to match Indian rules, not only GDPR muscle memory.
Processors and vendors
Contracts should spell out processing instructions, security, breach cooperation, and deletion. AI vendors that train on your prompts need explicit limits.
Adjacent rules tech teams forget
DPDP is not the whole India stack.
- CERT-In directions — incident reporting, log retention, and time synchronisation duties for covered entities and service providers
- MEITY AI policy / advisory work — responsible AI expectations that show up in public-sector and enterprise diligence
- RBI technology risk expectations — if you are a regulated financial entity or a critical fintech vendor
AI features sit at the intersection: personal data + security logs + model behaviour. Address all three.
Enforcement reality
India’s enforcement posture will firm up as the Data Protection Board and implementing machinery operate in practice. Expect investigation risk after breaches, deceptive consent, or ignored rights requests — plus commercial blockers from enterprises that already demand DPDP-ready paperwork.
Do not wait for a landmark fine before fixing consent UX and retention. Buyers and partners will ask first.
Practical checklist for product and engineering
- Data map of Indian user personal data across product, analytics, support, and AI logs
- Consent / notice redesign for core journeys (signup, cookies/SDKs, AI features)
- Rights-request workflow with SLAs and audit trails
- Retention and deletion for prompts, embeddings, and backups
- Vendor DPA updates for Indian processing and AI subprocessors
- CERT-In-aware incident and logging posture if you are covered
- Evidence pack: policies, DPIA-style notes for high-risk AI, training for staff who handle requests
How this fits the global picture
If you already run GDPR or Singapore PDPA programmes, reuse the inventory and rights machinery — then localise notices, children’s rules, transfer mechanisms, and CERT-In timelines. See Singapore’s guide for another APAC privacy-plus-AI pattern, and the pillar post Global AI Compliance in 2025 for a side-by-side regional view.
What to do next
Start with an accurate India data map and consent audit. Then close security and vendor gaps that would fail a customer questionnaire.
Run your free audit to see which India-linked obligations apply. Dig into the India hub for regulation detail.
Run your free audit and see which obligations apply to your business →
This article is for information only. It's not legal advice. For complex situations, talk to a qualified lawyer.
Run your free audit and see which India obligations apply to your business →
Check my tools →