How does India’s Digital Personal Data Protection Act affect you?




As global data privacy standards continue to evolve – from the EU’s GDPR to California’s CCPA and now India’s Digital Personal Data Protection Act (DPDPA) 2023 – multinational organisations face a common challenge: how to stay compliant across borders while maintaining operational agility.

India’s new framework marks a pivotal moment in this global privacy shift. The DPDPA, along with its upcoming Draft Rules 2025, is the country’s first comprehensive data protection law – one that governs not only how data is used and stored within India, but also how it is transferred, processed, and managed across borders.

For organisations running integrated global systems like SAP, this law has far-reaching implications. The DPDPA’s extraterritorial reach means it applies not just to Indian companies, but to any enterprise handling data relating to Indian residents, regardless of where your systems or teams are based.

In this article, we’ll explore what the DPDPA means for cross-border business operations. You’ll learn:

  • why India’s focus on digital sovereignty is reshaping the global data landscape;
  • what the DPDPA covers, who it affects, and how it compares to the GDPR;
  • core compliance areas, from consent and breach reporting to data localisation; and
  • practical steps for SAP-driven organisations managing data across multiple jurisdictions.

By the end, you’ll have a clear understanding of how to prepare your systems and governance for compliance – and how aligning early can strengthen your position in one of the world’s fastest-growing digital economies.

Why India is prioritising digital sovereignty

India’s digital economy has grown at remarkable speed, driven by cloud adoption, large-scale government digitisation programs, and the world’s largest mobile user base. Yet that growth has also exposed an important vulnerability: where the country’s most sensitive data actually resides.

A 2024 Ministry of Electronics and Information Technology report found that more than 70 percent of Indian enterprises store critical data on foreign servers – a dependency that raises both national-security and regulatory risks (Financial Express, 2025).

At the same time, India’s cloud computing market is expected to reach US$76.4 billion by 2030, growing at a compound annual rate of 26.5 percent (Grand View Research, 2025). With this growth comes increasing scrutiny over how personal and corporate data moves across borders – and how it’s protected once it leaves India’s jurisdiction.

The policy response: the DPDPA

To address these challenges, the Indian government introduced the DPDPA – a landmark privacy law designed to balance citizen protection with economic growth. It replaces a fragmented set of regulations with a modern, principle-based framework governing how personal data can be collected, processed, and transferred.

Crucially, the DPDPA aligns India with other major privacy regimes such as the GDPR, while still allowing flexibility for one of the world’s fastest-evolving digital ecosystems. For global organisations, it marks a turning point – one where India’s growing digital market now comes with clear compliance expectations that mirror the world’s most advanced data-protection standards.

What the DPDPA covers (and who it affects)

Enacted in August 2023, the DPDPA regulates the processing of all digital personal data within India and extends its reach to entities outside India if they offer goods or services to individuals within the country (Mintz, 2025).

The law excludes personal or household activities, as well as personal data deliberately made public by the individual. It also exempts processing for purposes such as national security, law enforcement, research, and compliance with judicial orders.

This broad yet balanced scope means that even organisations with no physical presence in India must evaluate whether their systems process data relating to Indian residents; for example, through marketing databases, SAP HR systems, or e-commerce transactions.

Obligations and compliance areas

Consent and transparency

Consent is central to the DPDPA. Organisations must obtain free, specific, informed, and unambiguous consent through clear affirmative action before collecting or processing data. Privacy notices must explain the purpose, categories of data collected, withdrawal options, and grievance redressal mechanisms, and be available in English or one of India’s 22 official languages (American Bar Association, 2025).

Data security and breach notification

Data Fiduciaries – equivalent to data controllers – must implement reasonable security safeguards, including encryption and access controls. Any breach compromising data integrity, confidentiality, or availability must be reported to both the affected individuals and the Data Protection Board of India within 72 hours of discovery. Unlike the GDPR, the DPDPA does not specify a materiality threshold – all breaches must be reported.

Data retention and purpose limitation

Organisations may retain data only for as long as it is necessary for the purpose for which it was collected or until consent is withdrawn. The draft Rules propose a three-year limit for certain sectors, such as e-commerce, online gaming, and social media intermediaries (Squire Patton Boggs, 2025).

Children’s data and parental consent

Processing personal data of individuals under 18 requires verifiable parental consent. Targeted advertising and behavioural monitoring of minors are prohibited.

Cross-border data transfers

While the DPDPA does not impose blanket localisation requirements, it empowers the government to restrict transfers to specific jurisdictions deemed inadequate. This means that multinational organisations must map their data flows and prepare for potential restrictions on transfers to or from certain regions (DLA Piper, 2025).

Significant Data Fiduciaries (SDFs)

Enterprises processing large volumes of sensitive data, or where the government deems there is heightened risk to national security or individual privacy, may be classified as SDFs. These entities must appoint a Data Protection Officer based in India, conduct regular audits and Data Protection Impact Assessments, and maintain detailed records of processing activities (Cockroach Labs, 2025).

Penalties and enforcement

The DPDPA prescribes penalties of up to INR 250 crore (approximately USD 30 million) for severe violations, including inadequate safeguards or breaches involving children’s data. Enforcement will be overseen by the Data Protection Board of India, which can order remedial actions and investigations.

What this means for global enterprises

For organisations operating integrated systems across borders, India’s DPDPA introduces new compliance touchpoints within existing frameworks. Global businesses already adhering to GDPR or APAC privacy standards will find familiar principles – such as consent, purpose limitation, and accountability – but must pay attention to India’s unique elements:

  • Broad extraterritorial scope (even indirect data flows through shared systems)
  • Mandatory reporting for all data breaches
  • Language and localisation expectations for user notices
  • New accountability structures like Consent Managers and SDF designations

To prepare effectively, enterprises should begin by:

  • Mapping data flows involving Indian residents or subsidiaries
  • Reviewing consent and notice frameworks for clarity and accessibility
  • Updating breach-response playbooks to include the 72-hour reporting requirement
  • Assessing vendor and processor contracts for DPDPA-aligned clauses
  • Monitoring government updates on restricted jurisdictions and sector-specific guidance

Looking ahead

The DPDPA represents both a challenge and an opportunity. As India positions itself as a digital powerhouse, this law brings predictability to an area long governed by fragmented regulations. For global organisations, compliance will not only be a legal necessity but also a competitive advantage – signalling trust, transparency, and readiness to operate in one of the world’s fastest-growing markets.

Disclaimer:

This article is provided for general informational purposes only and reflects publicly available information as of November 2025. While care has been taken to ensure accuracy, EPI-USE Labs does not guarantee completeness or reliability and assumes no responsibility for errors or omissions. It is not intended as legal advice. Organisations should seek professional counsel when assessing compliance obligations under the Digital Personal Data Protection Act 2023 or related legislation.

Kat Haigh

Kat Haigh is the Head of Marketing for Australia and New Zealand at EPI-USE Labs, with over 15 years of experience in strategic marketing and data-driven optimisation. Known for her entrepreneurial spirit and collaborative approach, Kat is passionate about leveraging Martech and AI to drive impactful results. She thrives on innovation and is continually fascinated by the rapid evolution of the marketing industry, always seeking new ways to push boundaries and create value.
