
DPDP Act: What Foreign Companies Must Do by 2027

India's Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 create binding obligations for every foreign company processing Indian personal data. With full compliance required by May 13, 2027, and penalties reaching INR 250 crore, this guide maps the exact steps foreign companies must take across each phase.

By Manu Rao. March 21, 2026. 10 min read. Last updated May 29, 2026.

Why the DPDP Act Matters for Foreign Companies

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data privacy law, and it has explicit extraterritorial reach. If your company — regardless of where it is incorporated — processes the personal data of individuals located in India in connection with offering goods or services to them, you are a Data Fiduciary under this law. There is no revenue threshold, no employee count minimum, and no exemption for B2B-only companies.

The DPDP Rules, 2025 — notified by the Ministry of Electronics and Information Technology (MeitY) on November 14, 2025 — operationalise the Act with specific compliance requirements, timelines, and technical standards. The rules follow a phased commencement schedule, with full enforcement beginning May 13, 2027. Foreign companies that delay preparation risk penalties of up to INR 250 crore (approximately USD 30 million) per violation.

This guide provides a phase-by-phase compliance roadmap for foreign companies, covering consent management, data principal rights, breach notification, cross-border transfers, and Significant Data Fiduciary obligations. If you are unfamiliar with the basics of this legislation, our DPDP Act glossary entry provides the foundational overview.

Extraterritorial Scope: Which Foreign Companies Are Covered

Section 3 of the DPDP Act establishes two conditions under which a foreign company falls within scope:

  1. Processing Indian personal data within India: If your Indian subsidiary, branch office, or liaison office collects or processes employee data, customer data, or vendor data in India, you are squarely within scope.
  2. Processing Indian personal data outside India: If your company processes data outside India in connection with offering goods or services to individuals in India — for example, an e-commerce platform serving Indian customers from US servers, or a SaaS company with Indian subscribers — you are also covered.

Key Definitions

Term: Definition under the DPDP Act

Data Fiduciary: Any person who alone or jointly determines the purpose and means of processing personal data
Data Principal: The individual whose personal data is being processed
Data Processor: Any person who processes personal data on behalf of a Data Fiduciary
Significant Data Fiduciary (SDF): A Data Fiduciary notified by the Central Government based on volume, sensitivity, and risk of data processed
Consent Manager: A registered intermediary that enables Data Principals to manage their consent

Practical Implication

A US-based SaaS company with 10,000 Indian subscribers processes Indian personal data even if its servers are in AWS us-east-1. A UK-based consulting firm with a wholly owned subsidiary in Mumbai processes Indian employee data through that subsidiary. A Singapore-based e-commerce platform shipping to Indian addresses collects personal data (names, addresses, payment details) of Indian Data Principals. All three are Data Fiduciaries under the DPDP Act.


Phased Compliance Timeline

The DPDP Rules follow a three-stage implementation timeline. Foreign companies should use this schedule to plan their compliance programme:

Phase 1 — November 13, 2025 (Immediate)

  • The Data Protection Board of India (DPBI) is constituted, with its responsibilities and procedures set out
  • No direct compliance obligations on foreign companies in this phase
  • However, this marks the start of the enforcement infrastructure — the regulator now exists

Phase 2 — November 13, 2026 (12 Months)

  • Consent Manager registration process opens
  • Only India-incorporated entities with a minimum net worth of INR 2 crore can register as Consent Managers
  • Intensified oversight of Significant Data Fiduciaries begins
  • Foreign companies classified as SDFs must begin appointing Data Protection Officers and conducting Data Protection Impact Assessments

Phase 3 — May 13, 2027 (18 Months — Full Compliance)

  • All Data Fiduciary obligations become enforceable
  • Privacy notices, consent mechanisms, security safeguards, breach protocols, data retention policies, children's data protections, and Data Principal rights infrastructure must all be fully operational
  • Penalties become enforceable — up to INR 250 crore per violation

Core Obligations for Foreign Companies

1. Lawful Basis and Consent

The DPDP Act requires consent to be free, specific, informed, unconditional, and unambiguous. For foreign companies, this means:

  • Itemised notices: Each purpose of data processing must be individually described in clear, plain language. Bundled consent (e.g., one checkbox for marketing, analytics, and third-party sharing) is not valid
  • Granular consent: Data Principals must be able to consent to or reject each processing purpose independently
  • Easy withdrawal: The process for withdrawing consent must be as simple as the process for giving it — a one-click unsubscribe must match a one-click subscribe
  • Purpose limitation: Once consent is withdrawn, all data collected for that purpose must be deleted unless another lawful basis applies

There are limited exemptions — processing for employment purposes, government-mandated purposes, and legitimate uses specified in the Act — but these are narrowly defined and do not cover most commercial data processing by foreign companies.

2. Data Principal Rights

Data Principals have the right to:

  • Access a summary of all personal data held and a list of all Data Processors and third parties with whom it has been shared
  • Correct inaccurate or incomplete personal data
  • Erase personal data that is no longer necessary for the purpose for which it was collected
  • Nominate another individual to exercise their rights in case of death or incapacity
  • File complaints with the Data Protection Board

Foreign companies must build infrastructure to respond to these requests within the timelines prescribed by the Rules. This typically means deploying a Data Subject Request (DSR) workflow integrated with your CRM, HR systems, and marketing databases.

3. Data Breach Notification

Under the DPDP Rules, Data Fiduciaries must notify both the Data Protection Board and affected Data Principals of a personal data breach within 72 hours of becoming aware of it. The notification must include:

  • Nature of the breach and the categories of personal data affected
  • Number of Data Principals affected (or an approximate figure)
  • Potential consequences of the breach
  • Measures taken or proposed to address the breach

For foreign companies, this means your India-specific incident response plan must be able to trigger within 72 hours, even if your global security operations centre is in a different timezone. Consider maintaining a pre-drafted notification template and a designated India data breach response coordinator.

4. Data Retention and Erasure

The DPDP Act requires purpose-based retention — you may only retain personal data for as long as it is necessary for the specified purpose. Once the purpose is fulfilled or the Data Principal withdraws consent, the data must be erased unless retention is required by law.

For foreign companies with Indian operations, this intersects with other Indian retention requirements. For example, FEMA requires certain financial records to be retained for specified periods, and the Companies Act mandates retention of employee records. Your data retention policy must map each data category to its retention period under both the DPDP Act and other applicable Indian laws.
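The consent, rights and retention requirements in sections 1, 2 and 4 above reduce to a small set of data-handling rules: one consent record per purpose (no bundling), a withdrawal that erases everything collected only for that purpose unless a statutory hold applies, a hold that itself expires, and an access summary listing what is held and who it was shared with. The following Python ledger is an added illustration written for this article, not code from the DPDP Act, the Rules or any vendor product; the purpose names, data categories, processor names, principal identifier and the 8-year hold period are constructed placeholders and not figures taken from any statute.

```python
"""Per-purpose consent ledger: granular consent, withdrawal-driven erasure,
purpose-based retention with statutory holds, and a Data Principal access
summary. Added illustration for this article, not code from the DPDP Act,
the Rules or any vendor; purpose names, categories, retention periods and
processor names are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed retention map: data category -> days a statutory hold keeps the
# data after its DPDP purpose ends (None: erase as soon as the purpose ends).
# The 8-year figure is a placeholder, not a period taken from any statute.
RETENTION_POLICY = {"contact": None, "behavioural": None, "payment_record": 8 * 365}


def bundled_checkboxes(notice: list) -> list:
    """Return labels of notice checkboxes that bundle more than one purpose.
    notice: [{"label": str, "purposes": [str, ...]}, ...]"""
    return [c["label"] for c in notice if len(c["purposes"]) != 1]


@dataclass
class DataItem:
    category: str
    purposes: set                                  # purposes it was collected for
    collected_at: datetime
    shared_with: set = field(default_factory=set)  # processors / third parties
    hold_from: Optional[datetime] = None           # set when only a hold remains


@dataclass
class ConsentLedger:
    principal_id: str
    consents: dict = field(default_factory=dict)   # purpose -> [granted_at, withdrawn_at]
    items: list = field(default_factory=list)

    def grant(self, purpose: str, at: datetime) -> None:
        """One purpose per consent record; callers never merge purposes."""
        self.consents[purpose] = [at, None]

    def has_consent(self, purpose: str) -> bool:
        rec = self.consents.get(purpose)
        return rec is not None and rec[1] is None

    def collect(self, item: DataItem) -> None:
        """Refuse to store data for any purpose that has no live consent."""
        missing = [p for p in item.purposes if not self.has_consent(p)]
        if missing:
            raise PermissionError(f"no live consent for {sorted(missing)}")
        self.items.append(item)

    def withdraw(self, purpose: str, at: datetime) -> list:
        """Withdraw one purpose and return the items that must be erased now.
        Items covered by another live consent or by a statutory hold stay."""
        self.consents[purpose][1] = at
        erase, keep = [], []
        for item in self.items:
            if any(self.has_consent(p) for p in item.purposes):
                keep.append(item)
            elif RETENTION_POLICY[item.category] is not None:
                item.hold_from = item.hold_from or at   # hold clock starts now
                keep.append(item)
            else:
                erase.append(item)
        self.items = keep
        return erase

    def expired_holds(self, now: datetime) -> list:
        """Items whose statutory hold has run out and no live consent covers."""
        out = []
        for item in self.items:
            days = RETENTION_POLICY[item.category]
            if (item.hold_from is not None and days is not None
                    and now >= item.hold_from + timedelta(days=days)):
                out.append(item)
        return out

    def access_summary(self) -> dict:
        """Categories held and every processor or third party they went to."""
        shared = set()
        for item in self.items:
            shared |= item.shared_with
        return {"principal": self.principal_id,
                "categories": sorted({i.category for i in self.items}),
                "shared_with": sorted(shared),
                "active_purposes": sorted(p for p in self.consents if self.has_consent(p))}


def demo() -> dict:
    """Walk one constructed Data Principal through grant, withdrawal and erasure."""
    t0 = datetime(2026, 6, 1, tzinfo=timezone.utc)
    led = ConsentLedger("dp-0001")                    # constructed identifier
    led.grant("order_fulfilment", t0)
    led.grant("marketing", t0)
    led.collect(DataItem("contact", {"order_fulfilment", "marketing"}, t0, {"courier_co"}))
    led.collect(DataItem("behavioural", {"marketing"}, t0, {"ad_vendor"}))
    led.collect(DataItem("payment_record", {"order_fulfilment"}, t0, {"payment_psp"}))
    erased_1 = led.withdraw("marketing", t0 + timedelta(days=30))
    erased_2 = led.withdraw("order_fulfilment", t0 + timedelta(days=60))
    return {"after_marketing_withdrawal": [i.category for i in erased_1],
            "after_order_withdrawal": [i.category for i in erased_2],
            "still_held": led.access_summary()["categories"],
            "hold_expired_in_9y": [i.category for i in led.expired_holds(t0 + timedelta(days=9 * 365))]}
```

Running `demo()` shows the two edge cases that matter in practice: withdrawing marketing erases the behavioural profile but keeps the contact record, because order fulfilment still has live consent; withdrawing order fulfilment then erases the contact record but keeps the payment record under its (placeholder) statutory hold, and `expired_holds` is what a scheduled retention job would call to find records whose hold has since run out. The `bundled_checkboxes` helper is the check to run against a notice design before it ships: any checkbox that maps to more than one purpose is the bundled consent the article says is not valid.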

5. Children's Data

Processing personal data of children (under 18 in India) requires verifiable parental consent. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited. If your platform serves Indian users who may be minors — e-learning, gaming, social media, or e-commerce — you must implement age verification and parental consent mechanisms.


Cross-Border Data Transfer Rules

Section 16 of the DPDP Act adopts a blacklist approach to cross-border data transfers. Personal data can flow freely to any country except those specifically restricted by the Central Government. This is more permissive than the GDPR's adequacy-based model.

Current Status

  • As of March 2026, no countries have been blacklisted
  • The Central Government retains discretion to restrict transfers to specific countries at any time, without advance notice or transparent criteria
  • Industry observers expect the eventual blacklist may align with existing FDI and FEMA restricted country lists

What This Means for Foreign Companies

In practice, foreign companies can currently transfer Indian personal data to their headquarters in the US, UK, EU, Singapore, or any other jurisdiction without additional safeguards beyond DPDP Act compliance. However, this permissive regime could change with little warning. Foreign companies should:

  • Monitor MeitY notifications for any blacklist updates
  • Build contractual clauses that allow operational continuity if their home jurisdiction is suddenly restricted
  • Consider maintaining a data processing option within India (e.g., AWS ap-south-1 or Azure Central India) as a contingency

For a detailed comparison of how India's approach compares to the EU's GDPR, see our article on DPDP Act vs GDPR differences.

Significant Data Fiduciary (SDF) Requirements

The Central Government may classify certain Data Fiduciaries as Significant Data Fiduciaries based on the volume and sensitivity of data processed, risk of harm to Data Principals, and potential impact on India's sovereignty and security. Foreign companies with large-scale Indian operations — particularly in financial services, healthcare, e-commerce, and technology — should anticipate SDF designation.

Additional SDF Obligations

Obligation: Detail

Data Protection Officer (DPO): Must appoint a DPO who is based in India and reports to the Board of Directors
Data Protection Impact Assessment (DPIA): Must conduct periodic DPIAs for high-risk processing activities
Independent Audit: Must undergo annual data protection audits by an independent auditor
Indian Representative: Foreign SDFs must appoint an Indian representative or agent
Algorithmic Accountability: Must ensure that algorithms used to process personal data do not pose risks to Data Principals

Financial Preparedness

Foreign Data Fiduciaries should consider maintaining an escrow account in India for potential penalties or obtaining liability insurance covering Indian regulatory penalties. Given that penalties can reach INR 250 crore, this is a material financial planning consideration for CFOs of foreign companies with Indian exposure.


Practical Compliance Roadmap for Foreign Companies

Based on the phased timeline and the obligations outlined above, here is a month-by-month roadmap for foreign companies that have not yet started their DPDP compliance programme:

Q2 2026 (April–June): Discovery and Assessment

  1. Data inventory: Map all personal data of Indian Data Principals across your global systems — CRM, HR, marketing, analytics, customer support, payment processing
  2. Classify processing activities: Identify each purpose for which you process Indian personal data and the lawful basis for each
  3. Gap analysis: Compare your current privacy practices against DPDP Act requirements, focusing on consent mechanisms, data retention policies, and breach response procedures
  4. SDF assessment: Evaluate whether your company is likely to be designated as a Significant Data Fiduciary based on data volume and sensitivity

Q3 2026 (July–September): Architecture and Build

  1. Redraft privacy notices: Create itemised, purpose-specific notices for all Indian data processing activities
  2. Build consent infrastructure: Implement granular consent collection, storage, and withdrawal mechanisms
  3. Design DSR workflow: Build a Data Subject Request system that can handle access, correction, erasure, and portability requests from Indian Data Principals
  4. Update processor contracts: Amend contracts with all Data Processors handling Indian personal data to include DPDP Act compliance obligations

Q4 2026 (October–December): Testing and Training

  1. Breach response drill: Conduct a tabletop exercise simulating a data breach affecting Indian Data Principals, testing the 72-hour notification capability
  2. Employee training: Train all employees who handle Indian personal data on DPDP Act requirements
  3. Children's data controls: If applicable, implement age verification and parental consent mechanisms
  4. Data retention cleanup: Begin deleting Indian personal data that exceeds its defined retention period

Q1 2027 (January–March): Validation

  1. Internal audit: Conduct a pre-enforcement audit of all DPDP compliance measures
  2. DPO appointment: If you anticipate SDF designation, appoint your India-based DPO
  3. Board reporting: Brief the Board of Directors on DPDP readiness and residual risks
  4. Regulatory monitoring: Establish a process to monitor MeitY notifications, DPBI guidance, and blacklist updates

May 13, 2027: Full Enforcement

All obligations are enforceable. The Data Protection Board can investigate complaints, initiate suo motu inquiries, and impose penalties.

Penalty Framework

The DPDP Act establishes a graduated penalty structure:

Violation: Maximum penalty (INR)

Failure to take reasonable security safeguards (resulting in breach): 250 crore
Failure to notify the Board and affected Data Principals of a breach: 200 crore
Non-compliance with obligations regarding children's data: 200 crore
Failure to comply with Data Fiduciary obligations (consent, retention, etc.): 150 crore
Failure to comply with additional SDF obligations: 150 crore
Data Principal's breach of duty (providing false information): 10,000

These are maximum penalties. The Data Protection Board has discretion to impose lower amounts based on the nature, gravity, and duration of the violation, the number of Data Principals affected, and whether the violation was a first offence or a repeat occurrence.


Integration with Other Indian Compliance Requirements

Foreign companies must ensure that their DPDP compliance programme integrates with other Indian regulatory requirements:

  • FEMA and RBI regulations: Financial data of foreign investors, FC-GPR filings, and FLA returns involve personal data of directors and signatories. Your FEMA compliance processes must incorporate DPDP consent and retention requirements
  • Companies Act, 2013: Director DSC applications, SPICe+ incorporations, and annual compliance filings involve personal data that must be processed in compliance with the DPDP Act
  • GST and tax compliance: Customer transaction data used for GST filings involves personal data subject to both GST regulations and DPDP requirements
  • Employment law: Employee personal data — Aadhaar, PAN, bank details, medical records — requires compliance with both labour laws and the DPDP Act

Our FEMA and RBI compliance services can help you integrate data protection requirements into your existing India compliance framework. For companies setting up new operations, our company incorporation service includes guidance on building DPDP-compliant processes from the outset.

Data Processor Obligations and Vendor Management

Foreign companies often engage Indian Data Processors — cloud service providers, payroll companies, IT support firms, and marketing agencies — to process personal data on their behalf. Under the DPDP Act, the Data Fiduciary (your company) remains ultimately responsible for any processing done by its Data Processors.

Contract Requirements

Every contract with a Data Processor handling Indian personal data must include:

  • Processing restrictions: The Data Processor may only process personal data for the purposes specified by the Data Fiduciary — no independent use of the data is permitted
  • Security safeguards: The Data Processor must implement the same level of security as required of the Data Fiduciary
  • Breach notification: The Data Processor must notify the Data Fiduciary of any breach within a timeframe that allows the Data Fiduciary to meet its 72-hour notification obligation to the DPBI
  • Deletion obligations: Upon termination of the contract or completion of processing, the Data Processor must delete all personal data unless retention is required by law
  • Audit rights: The Data Fiduciary should retain the right to audit the Data Processor's compliance with DPDP Act requirements

For foreign companies with multiple Indian vendors, this means a systematic review and amendment of all vendor contracts before the May 2027 deadline. Companies with existing transfer pricing arrangements with Indian entities should align their data processing agreements with both DPDP and transfer pricing documentation requirements.


How DPDP Differs from GDPR for Foreign Companies

Foreign companies already compliant with the EU's GDPR will find significant overlap with India's DPDP Act, but several critical differences require attention:

Lawful bases for processing
  GDPR: Six bases (consent, contract, legal obligation, vital interests, public task, legitimate interests)
  DPDP Act: Primarily consent-based; limited exemptions for employment, state functions, and specified legitimate uses

Cross-border transfers
  GDPR: Adequacy decisions, SCCs, BCRs required
  DPDP Act: Blacklist approach; transfers to all countries permitted unless specifically restricted

Data Protection Officer
  GDPR: Required for all controllers engaged in large-scale processing
  DPDP Act: Required only for Significant Data Fiduciaries

Breach notification
  GDPR: 72 hours to supervisory authority
  DPDP Act: 72 hours to DPBI and affected Data Principals

Right to portability
  GDPR: Yes
  DPDP Act: Not explicitly included in current rules

Age of child
  GDPR: 16 years (member states may lower to 13)
  DPDP Act: 18 years, no flexibility

Maximum penalty
  GDPR: EUR 20 million or 4% of global turnover
  DPDP Act: INR 250 crore (approximately USD 30 million), a fixed cap, not revenue-based

The most significant practical difference is the absence of legitimate interests as a lawful basis under the DPDP Act. Many processing activities that GDPR-compliant companies rely on legitimate interests for — analytics, fraud detection, direct marketing to existing customers — will require explicit consent under Indian law. This is a major operational change for companies accustomed to the GDPR framework.

Key Takeaways

  • Full DPDP compliance is mandatory by May 13, 2027 — foreign companies processing Indian personal data have no exemptions based on location, size, or revenue
  • Start your compliance programme in Q2 2026 — the 12-month roadmap above requires immediate action on data inventory, consent redesign, and breach response planning
  • Cross-border transfers are currently unrestricted, but the blacklist approach means restrictions could come without warning. Build contingency plans now
  • Penalties are severe: Up to INR 250 crore per violation, with the Data Protection Board having discretion on quantum based on severity and recurrence
  • Integration is critical: DPDP compliance cannot be siloed from your FEMA, Companies Act, GST, and employment law obligations — build a unified India data governance framework

Frequently Asked Questions

Does the DPDP Act apply to foreign companies with no office in India?

Yes. Section 3 of the DPDP Act applies extraterritorially to any entity that processes personal data of individuals in India in connection with offering goods or services, regardless of whether the company has a physical presence in India. A US-based SaaS company with Indian subscribers or a UK-based e-commerce platform shipping to Indian addresses are both covered.

What is the deadline for full DPDP Act compliance?

May 13, 2027. The DPDP Rules follow a three-phase timeline: Phase 1 (November 2025) established the Data Protection Board, Phase 2 (November 2026) activates Consent Manager registration and SDF oversight, and Phase 3 (May 2027) enforces all Data Fiduciary obligations with penalties.

What are the penalties for non-compliance with the DPDP Act?

Penalties range up to INR 250 crore (approximately USD 30 million) for the most serious violations such as failure to implement reasonable security safeguards resulting in a data breach. Breach notification failures carry penalties up to INR 200 crore. General non-compliance with Data Fiduciary obligations can result in penalties up to INR 150 crore.

Can foreign companies transfer Indian personal data outside India?

Currently yes. The DPDP Act uses a blacklist approach — data can flow to any country except those specifically restricted by the Central Government. As of March 2026, no countries have been blacklisted. However, the government retains discretion to restrict transfers at any time without advance notice or transparent criteria.

What is a Significant Data Fiduciary under the DPDP Act?

An SDF is a Data Fiduciary designated by the Central Government based on the volume and sensitivity of data processed, risk of harm to Data Principals, and potential impact on sovereignty and security. SDFs face additional obligations including appointing an India-based DPO, conducting periodic DPIAs, undergoing annual independent audits, and appointing an Indian representative or agent.

How quickly must a data breach be reported under the DPDP Act?

Data Fiduciaries must notify both the Data Protection Board and affected Data Principals within 72 hours of becoming aware of a personal data breach. The notification must detail the nature of the breach, the number of individuals affected, potential consequences, and measures taken or proposed to mitigate harm.

Does the DPDP Act require a Data Protection Officer in India?

Only Significant Data Fiduciaries are required to appoint a DPO who is based in India and reports to the Board of Directors. Other Data Fiduciaries are not mandated to appoint a DPO but should designate a responsible individual for data protection compliance to manage consent, DSR workflows, and breach response.
