As global data privacy standards continue to evolve – from the EU’s GDPR to California’s CCPA and now India’s Digital Personal Data Protection Act (DPDPA) 2023 – multinational organisations face a common challenge: how to stay compliant across borders while maintaining operational agility.
India’s new framework marks a pivotal moment in this global privacy shift. The DPDPA, along with its upcoming Draft Rules 2025, is the country’s first comprehensive data protection law – one that governs not only how data is used and stored within India, but also how it is transferred, processed, and managed across borders.
For organisations running integrated global systems like SAP, this law has far-reaching implications. The DPDPA’s extraterritorial reach means it applies not just to Indian companies, but to any enterprise handling data relating to Indian residents, regardless of where your systems or teams are based.
In this article, we’ll explore what the DPDPA means for cross-border business operations. You’ll learn:
By the end, you’ll have a clear understanding of how to prepare your systems and governance for compliance – and how aligning early can strengthen your position in one of the world’s fastest-growing digital economies.
India’s digital economy has grown at remarkable speed, driven by cloud adoption, large-scale government digitisation programs, and the world’s largest mobile user base. Yet that growth has also exposed an important vulnerability: where the country’s most sensitive data actually resides.
A 2024 Ministry of Electronics and Information Technology report found that more than 70 percent of Indian enterprises store critical data on foreign servers – a dependency that raises both national-security and regulatory risks (Financial Express, 2025).
At the same time, India’s cloud computing market is expected to reach US$76.4 billion by 2030, growing at a compound annual rate of 26.5 percent (Grand View Research, 2025). With this growth comes increasing scrutiny over how personal and corporate data moves across borders – and how it’s protected once it leaves India’s jurisdiction.
To address these challenges, the Indian government introduced the DPDPA – a landmark privacy law designed to balance citizen protection with economic growth. It replaces a fragmented set of regulations with a modern, principle-based framework governing how personal data can be collected, processed, and transferred.
Crucially, the DPDPA aligns India with other major privacy regimes such as the GDPR, while still allowing flexibility for one of the world’s fastest-evolving digital ecosystems. For global organisations, it marks a turning point – one where India’s growing digital market now comes with clear compliance expectations that mirror the world’s most advanced data-protection standards.
Enacted in August 2023, the DPDPA regulates the processing of all digital personal data within India and extends its reach to entities outside India if they offer goods or services to individuals within the country (Mintz, 2025).
The law excludes personal or household activities, as well as personal data deliberately made public by the individual. It also exempts processing for purposes such as national security, law enforcement, research, and compliance with judicial orders.
This broad yet balanced scope means that even organisations with no physical presence in India must evaluate whether their systems process data relating to Indian residents, for example through marketing databases, SAP HR systems, or e-commerce transactions.
Consent is central to the DPDPA. Organisations must obtain free, specific, informed, and unambiguous consent through clear affirmative action before collecting or processing data. Privacy notices must explain the purpose, categories of data collected, withdrawal options, and grievance redressal mechanisms, and be available in English or one of India’s 22 official languages (American Bar Association, 2025).
Data Fiduciaries – equivalent to data controllers – must implement reasonable security safeguards, including encryption and access controls. Any breach compromising data integrity, confidentiality, or availability must be reported to both the affected individuals and the Data Protection Board of India within 72 hours of discovery. Unlike the GDPR, the DPDPA does not specify a materiality threshold – all breaches must be reported.
Organisations may retain data only for as long as it is necessary for the purpose for which it was collected or until consent is withdrawn. The draft Rules propose a three-year limit for certain sectors, such as e-commerce, online gaming, and social media intermediaries (Squire Patton Boggs, 2025).
Processing personal data of individuals under 18 requires verifiable parental consent. Targeted advertising and behavioural monitoring of minors are prohibited.
While the DPDPA does not impose blanket localisation requirements, it empowers the government to restrict transfers to specific jurisdictions deemed inadequate. This means that multinational organisations must map their data flows and prepare for potential restrictions on transfers to or from certain regions (DLA Piper, 2025).
Enterprises processing large volumes of sensitive data, or where the government deems there is heightened risk to national security or individual privacy, may be classified as Significant Data Fiduciaries (SDFs). These entities must appoint a Data Protection Officer based in India, conduct regular audits and Data Protection Impact Assessments, and maintain detailed records of processing activities (Cockroach Labs, 2025).
The DPDPA prescribes penalties of up to INR 250 crore (approximately USD 30 million) for severe violations, including inadequate safeguards or breaches involving children’s data. Enforcement will be overseen by the Data Protection Board of India, which can order remedial actions and investigations.
For organisations operating integrated systems across borders, India’s DPDPA introduces new compliance touchpoints within existing frameworks. Global businesses already adhering to GDPR or APAC privacy standards will find familiar principles – such as consent, purpose limitation, and accountability – but must pay attention to India’s unique elements:
To prepare effectively, enterprises should begin by:
The DPDPA represents both a challenge and an opportunity. As India positions itself as a digital powerhouse, this law brings predictability to an area long governed by fragmented regulations. For global organisations, compliance will not only be a legal necessity but also a competitive advantage – signalling trust, transparency, and readiness to operate in one of the world’s fastest-growing markets.
This article is provided for general informational purposes only and reflects publicly available information as of November 2025. While care has been taken to ensure accuracy, EPI-USE Labs does not guarantee completeness or reliability and assumes no responsibility for errors or omissions. It is not intended as legal advice. Organisations should seek professional counsel when assessing compliance obligations under the Digital Personal Data Protection Act 2023 or related legislation.