Skip to main content

Scope & Applicability of DPDPA

The Digital Personal Data Protection Act (DPDPA) notified on 14th November, 2025, establishes a framework that applies broadly across entities and sectors in India. Its scope is deliberately wide to ensure that any processing of personal data in digital format affecting individuals within India is governed by uniform standards of accountability, transparency, and security.

  • The Act applies to all processing of digital personal data that takes place within the territory of India, regardless of whether the processing entity is located in India or abroad.
  • The Act applies to entities outside India when they process personal data in connection with offering goods or services to individuals located within India.
  • The Act applies equally to government departments, public authorities, and private organizations, thereby creating a uniform regulatory environment across both public and private sectors.
  • The Act specifically recognizes certain entities as Significant Data Fiduciaries, based on factors such as the volume and sensitivity of data processed, the potential impact on national interests, or the risks posed to individuals. These entities are subject to additional responsibilities such as data protection audits, impact assessments, and the appointment of a Data Protection Officer.
  • The Act applies to Consent Managers, who are independent intermediaries registered with the Data Protection Board, and who are required to enable individuals to manage, review, and withdraw consent with transparency and ease.
  • The Act does not apply to the processing of data that is rendered anonymous in such a way that individuals cannot be identified, since anonymized data falls outside the scope of personal data.
  • The Act permits exemptions for processing carried out for certain legitimate state functions, such as providing benefits, licenses, or services, provided that such processing complies with prescribed safeguards.
  • The Act provides further exemptions for processing carried out solely for research, statistical, or archival purposes, subject to conditions that ensure data is not misused.

The DPDP Act Rules came into effect on 14 November 2025, and organizations must now begin their compliance journey without delay. All entities are required to achieve full implementation within the 18-month deadline, while Consent Managers must comply within 12 months from the enforcement date. This involves reviewing existing data practices, updating consent workflows, strengthening data security controls, and establishing clear processes for breach notifications and grievance redressal. Delayed readiness may expose organizations to regulatory penalties, reputational risks, and operational limitations within India’s digital ecosystem.