Free, no signup required

Does the DPDP Act Apply
to Your Business?

Answer a few quick questions to find out whether India's Digital Personal Data Protection Act, 2023 (and the DPDP Rules) applies to your organisation, who it applies to, from what date, and what your obligations are.

Takes about 1 minute

What You'll Find Out

Whether DPDP Applies

A clear yes, no, or exempt answer based on your organisation type and data processing activities.

Your Classification

Whether you are a Data Fiduciary, Data Processor, or potential Significant Data Fiduciary under the Act.

Your Obligations

A specific list of compliance obligations with DPDP Act section references.

How It Works

Answer Questions

A short decision tree about your organisation and data practices. Each answer determines the next question.

Get Your Result

An instant, clear answer: does the DPDP Act apply, are you exempt, and what type of entity are you.

See Your Obligations

A specific list of what you need to comply with, citing exact DPDP Act sections.

Common Misconceptions

Many Indian businesses incorrectly believe DPDP doesn't apply to them

"We're a small company. DPDP is for large enterprises"

There is no size threshold. The Act applies equally to sole proprietors, startups, and large enterprises.

"We're B2B only, we don't handle personal data"

B2B companies handle employee data, vendor contacts, and client representative data. All of it is personal data under the Act.

"We have no Indian customers"

If you have Indian employees, you process their personal data (payroll, Aadhaar, PAN). The Act applies.

"We're a nonprofit, we must be exempt"

No exemption exists for nonprofits. Donor records, beneficiary data, and volunteer information are all covered.

Frequently Asked Questions

Who does the DPDP Act 2023 apply to?+
The DPDP Act applies to every person or organisation that processes digital personal data within India, or processes data of individuals in India while offering goods or services. There is no size threshold: sole proprietors, startups, SMEs, nonprofits, and large enterprises are all covered if they handle digital personal data.
Does DPDP apply to B2B companies?+
Yes. The Act does not distinguish between B2B and B2C. B2B companies handle employee data, vendor contact details, and client representative information, all of which is personal data. A work email like 'rahul@company.com' identifies an individual and is covered.
Is there a size threshold or startup exemption?+
No. The DPDP Act has no exemption based on company size, revenue, or number of employees. Section 17(5) gives the Central Government the power to exempt certain classes of data fiduciaries for up to five years, but no such exemption has been notified as of 2026.
Does DPDP apply if I only have Indian employees but no Indian customers?+
Yes. Employee data (payroll records, Aadhaar copies, PAN numbers, attendance, biometrics, health records) is personal data. As an employer, you are a Data Fiduciary for your employees' data regardless of where your customers are located.
What is the difference between a Data Fiduciary and a Data Processor?+
A Data Fiduciary determines the purpose and means of processing: why and how data is collected. A Data Processor processes data on behalf of a Fiduciary under instructions. The Fiduciary bears full regulatory liability. If you decide what data to collect and why, you are a Fiduciary.
What is a Significant Data Fiduciary (SDF)?+
The Central Government can designate Data Fiduciaries as SDFs based on data volume, sensitivity, and risk. SDFs have additional obligations: appointing a Data Protection Officer, conducting annual DPIAs, and undergoing periodic audits. Indicative thresholds suggest 50 lakh+ data principals, but formal criteria have not been notified yet.
When is the DPDP compliance deadline?+
Full substantive compliance, including consent, breach notification, data principal rights, erasure, and children's data, is required by May 14, 2027. Most organisations need 9-12 months to implement, meaning the action window is now.
Does the DPDP Act apply to nonprofits and NGOs?+
Yes, if they process digital personal data. Donor records, beneficiary data, volunteer information, and employee data are all covered. The Act applies to any 'person' as defined under law; nonprofit status does not provide an exemption.
From what date does the DPDP Act apply? (DPDP applicability date)+
The DPDP Act 2023 is already law, and the DPDP Rules were notified on November 14, 2025 with a phased rollout. Consent manager provisions take effect on November 14, 2026, and full substantive compliance, including consent, breach notification, data principal rights, and erasure, is required by May 14, 2027. These obligations apply to your organisation from those dates regardless of when you begin preparing.
Do the DPDP Rules apply to my organisation, or only the Act?+
Both. The DPDP Act 2023 sets out the obligations, and the DPDP Rules notified in November 2025 provide the operational detail: how consent notices, breach reporting, and data principal requests must work in practice. If the Act applies to you as a Data Fiduciary, the Rules apply too. This checker tells you whether you fall within scope.

Already Know DPDP Applies to You?

Skip ahead and check how ready your organisation is with our free DPDP Readiness Assessment: 15 questions, instant compliance score.