Free — No signup required

Does the DPDP Act Apply
to Your Business?

Answer a few quick questions to find out if India's Digital Personal Data Protection Act, 2023 applies to your organisation — and what your obligations are.

Takes about 1 minute

What You'll Find Out

Whether DPDP Applies

A clear yes, no, or exempt answer based on your organisation type and data processing activities.

Your Classification

Whether you are a Data Fiduciary, Data Processor, or potential Significant Data Fiduciary under the Act.

Your Obligations

A specific list of compliance obligations with DPDP Act section references.

How It Works

Answer Questions

A short decision tree about your organisation and data practices. Each answer determines the next question.

Get Your Result

An instant, clear answer: does the DPDP Act apply, are you exempt, and what type of entity are you.

See Your Obligations

A specific list of what you need to comply with, citing exact DPDP Act sections.

Common Misconceptions

Many Indian businesses incorrectly believe DPDP doesn't apply to them

"We're a small company — DPDP is for large enterprises"

There is no size threshold. The Act applies equally to sole proprietors, startups, and large enterprises.

"We're B2B only — we don't handle personal data"

B2B companies handle employee data, vendor contacts, and client representative data — all personal data under the Act.

"We have no Indian customers"

If you have Indian employees, you process their personal data (payroll, Aadhaar, PAN). The Act applies.

"We're a nonprofit — we must be exempt"

No exemption exists for nonprofits. Donor records, beneficiary data, and volunteer information are all covered.

Frequently Asked Questions

Who does the DPDP Act 2023 apply to?+
The DPDP Act applies to every person or organisation that processes digital personal data within India, or processes data of individuals in India while offering goods or services. There is no size threshold — sole proprietors, startups, SMEs, nonprofits, and large enterprises are all covered if they handle digital personal data.
Does DPDP apply to B2B companies?+
Yes. The Act does not distinguish between B2B and B2C. B2B companies handle employee data, vendor contact details, and client representative information — all of which is personal data. A work email like 'rahul@company.com' identifies an individual and is covered.
Is there a size threshold or startup exemption?+
No. The DPDP Act has no exemption based on company size, revenue, or number of employees. Section 17(5) gives the Central Government the power to exempt certain classes of data fiduciaries for up to five years, but no such exemption has been notified as of 2026.
Does DPDP apply if I only have Indian employees but no Indian customers?+
Yes. Employee data — payroll records, Aadhaar copies, PAN numbers, attendance, biometrics, health records — is personal data. As an employer, you are a Data Fiduciary for your employees' data regardless of where your customers are located.
What is the difference between a Data Fiduciary and a Data Processor?+
A Data Fiduciary determines the purpose and means of processing — why and how data is collected. A Data Processor processes data on behalf of a Fiduciary under instructions. The Fiduciary bears full regulatory liability. If you decide what data to collect and why, you are a Fiduciary.
What is a Significant Data Fiduciary (SDF)?+
The Central Government can designate Data Fiduciaries as SDFs based on data volume, sensitivity, and risk. SDFs have additional obligations: appointing a Data Protection Officer, conducting annual DPIAs, and undergoing periodic audits. Indicative thresholds suggest 50 lakh+ data principals, but formal criteria have not been notified yet.
When is the DPDP compliance deadline?+
Full substantive compliance — including consent, breach notification, data principal rights, erasure, and children's data — is required by May 14, 2027. Most organisations need 9-12 months to implement, meaning the action window is now.
Does the DPDP Act apply to nonprofits and NGOs?+
Yes, if they process digital personal data. Donor records, beneficiary data, volunteer information, and employee data are all covered. The Act applies to any 'person' as defined under law — nonprofit status does not provide an exemption.

Already Know DPDP Applies to You?

Skip ahead and check how ready your organisation is with our free DPDP Readiness Assessment — 15 questions, instant compliance score.

Take the Readiness AssessmentLearn more about Vratex