Who does the DPDP Act 2023 apply to?+
The DPDP Act applies to every person or organisation that processes digital personal data within India, or processes data of individuals in India while offering goods or services. There is no size threshold: sole proprietors, startups, SMEs, nonprofits, and large enterprises are all covered if they handle digital personal data.
Does DPDP apply to B2B companies?+
Yes. The Act does not distinguish between B2B and B2C. B2B companies handle employee data, vendor contact details, and client representative information, all of which is personal data. A work email like 'rahul@company.com' identifies an individual and is covered.
Is there a size threshold or startup exemption?+
No. The DPDP Act has no exemption based on company size, revenue, or number of employees. Section 17(5) gives the Central Government the power to exempt certain classes of data fiduciaries for up to five years, but no such exemption has been notified as of 2026.
Does DPDP apply if I only have Indian employees but no Indian customers?+
Yes. Employee data (payroll records, Aadhaar copies, PAN numbers, attendance, biometrics, health records) is personal data. As an employer, you are a Data Fiduciary for your employees' data regardless of where your customers are located.
What is the difference between a Data Fiduciary and a Data Processor?+
A Data Fiduciary determines the purpose and means of processing: why and how data is collected. A Data Processor processes data on behalf of a Fiduciary under instructions. The Fiduciary bears full regulatory liability. If you decide what data to collect and why, you are a Fiduciary.
What is a Significant Data Fiduciary (SDF)?+
The Central Government can designate Data Fiduciaries as SDFs based on data volume, sensitivity, and risk. SDFs have additional obligations: appointing a Data Protection Officer, conducting annual DPIAs, and undergoing periodic audits. Indicative thresholds suggest 50 lakh+ data principals, but formal criteria have not been notified yet.
When is the DPDP compliance deadline?+
Full substantive compliance, including consent, breach notification, data principal rights, erasure, and children's data, is required by May 14, 2027. Most organisations need 9-12 months to implement, meaning the action window is now.
Does the DPDP Act apply to nonprofits and NGOs?+
Yes, if they process digital personal data. Donor records, beneficiary data, volunteer information, and employee data are all covered. The Act applies to any 'person' as defined under law; nonprofit status does not provide an exemption.
From what date does the DPDP Act apply? (DPDP applicability date)+
The DPDP Act 2023 is already law, and the DPDP Rules were notified on November 14, 2025 with a phased rollout. Consent manager provisions take effect on November 14, 2026, and full substantive compliance, including consent, breach notification, data principal rights, and erasure, is required by May 14, 2027. These obligations apply to your organisation from those dates regardless of when you begin preparing.
Do the DPDP Rules apply to my organisation, or only the Act?+
Both. The DPDP Act 2023 sets out the obligations, and the DPDP Rules notified in November 2025 provide the operational detail: how consent notices, breach reporting, and data principal requests must work in practice. If the Act applies to you as a Data Fiduciary, the Rules apply too. This checker tells you whether you fall within scope.