DPDP applicability assessment for Indian organisations
How Indian organisations should test whether a workflow falls within the DPDP Act and document the resulting controls.
Applicability is where privacy programmes discover whether they are in court, in chambers, or merely in the wrong meeting. A DPDP applicability assessment answers a basic but often mishandled question: does this activity fall within the Indian digital personal data protection framework, and if so, what role does the organisation play in it? For growing companies, that answer should be documented before product, vendor or marketing decisions harden around an unexamined assumption.
What to review
Begin with the personal data itself. The DPDP Act (Section 3) applies to processing of digital personal data within India where the personal data is collected in digital form, or collected in non-digital form and digitised later. It also extends to processing outside India when that processing is connected with offering goods or services to Data Principals in India. An assessment therefore cannot stop at where the company is incorporated or where its servers sit; the location of the people whose data is processed, and the form the data takes, matter at least as much.
Review each business activity separately. Customer onboarding, employee administration, support tickets, payments, analytics, marketing campaigns, security logs, vendor portals and partner integrations may each have a different purpose and control design. For each activity, record the person whose data is processed, the collection channel, the processing purpose, the system owner, the vendor chain and whether any exclusion or exemption is being considered.
The assessment should also identify role. A business may be a Data Fiduciary for its own customers (it determines the purpose and means of processing) and a Data Processor for an enterprise customer in another workflow (it processes on that customer's behalf). That distinction affects who decides purpose and means, who gives notice, who handles rights requests, and how contracts should allocate instructions and evidence. The output should be specific enough for product, legal, security and procurement teams to act on without re-deriving the analysis.
Implementation steps
First, prepare an activity-by-activity processing register. Avoid broad labels such as "customer data" or "HR data" unless they are broken into real workflows. Second, mark whether data is collected digitally, digitised later, or processed outside India in connection with Indian users. Third, record the organisation's role for each workflow: Data Fiduciary, Data Processor, or different roles in different workflows.
Fourth, test the purpose. If the purpose is vague, notice, consent and retention controls will also be vague. Fifth, identify high-attention workflows: children's data, large-scale user data, employee data, financial data, health-related data, behavioural tracking, cross-border SaaS tools and vendor sharing. Sixth, create an applicability memo that explains conclusions, assumptions, unresolved questions and the next controls required.
A good assessment also records what is outside scope. For example, personal or domestic processing by an individual is outside the Act, but that does not help a company processing user or employee data as part of business operations. Keeping this distinction clear prevents overclaiming exemptions and underbuilding controls. The memo should also record which DPDP Rules, 2025 commencement dates may affect the implementation sequence.
Applicability should also be revisited when the business model changes. A company that begins with B2B software may later add a self-serve product, analytics layer, marketplace, customer community or overseas support team. Each change can alter the role analysis, notice requirement, vendor map or rights workflow. The assessment should therefore be treated as a living control document, not a one-time legal note. When it is kept current, later implementation work becomes less speculative because every control can be traced back to a recorded processing activity.
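The register and checks described in the steps above can be kept as a machine-readable file so that applicability and register quality are re-tested whenever a workflow is added or changed. The following is an added illustration, not code from DataNuance or from the Act: it encodes the territorial test as the text paraphrases it, the personal-or-domestic exclusion, and linting rules for broad labels, vague purposes, missing roles and high-attention flags. The field names, the vocabulary of "vague" purposes and the sample register rows are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Linter vocabulary: this example's own convention, not wording from the Act or Rules.
BROAD_LABELS = {"customer data", "hr data", "user data", "employee data", "marketing data"}
VAGUE_PURPOSES = {"", "tbd", "various", "general", "business purposes", "as needed"}
HIGH_ATTENTION = {"children", "health", "financial", "behavioural_tracking",
                  "cross_border_saas", "large_scale", "employee"}
ROLES = {"fiduciary", "processor"}


@dataclass
class Activity:
    """One row of the processing register: a single workflow, not a data category."""
    name: str
    data_subject: str                 # whose data: customer, employee, candidate, ...
    channel: str                      # collection channel
    purpose: str
    system_owner: str
    vendors: list[str]
    role: str                         # "fiduciary" or "processor" for this workflow
    collected_digitally: bool
    digitised_later: bool = False
    processed_in_india: bool = True
    offered_to_india: bool = False    # goods/services offered to Data Principals in India
    individual_domestic: bool = False # personal or domestic processing by an individual
    flags: set[str] = field(default_factory=set)


def applies(a: Activity) -> tuple[bool, str]:
    """Scope test as the article paraphrases Section 3; returns (in_scope, reason)."""
    if a.individual_domestic:
        return False, "personal or domestic processing by an individual"
    if not (a.collected_digitally or a.digitised_later):
        return False, "personal data never held in digital form"
    if a.processed_in_india:
        return True, "digital personal data processed in India"
    if a.offered_to_india:
        return True, ("processing outside India connected with offering goods or "
                      "services to Data Principals in India")
    return False, "processing outside India with no India-facing offering recorded"


def lint(a: Activity) -> list[str]:
    """Register-quality checks drawn from the implementation steps above."""
    issues: list[str] = []
    if a.name.strip().lower() in BROAD_LABELS:
        issues.append("broad label: split into real workflows")
    if a.purpose.strip().lower() in VAGUE_PURPOSES or len(a.purpose.split()) < 3:
        issues.append("vague purpose: notice, consent and retention will inherit it")
    if a.role not in ROLES:
        issues.append("role not recorded: decide who determines purpose and means")
    if not a.system_owner:
        issues.append("no system owner")
    attention = a.flags & HIGH_ATTENTION
    if attention:
        issues.append("high-attention workflow: " + ", ".join(sorted(attention)))
    return issues


def assess(register: list[Activity]) -> list[dict]:
    """Builds the memo rows; out-of-scope rows are recorded but not linted."""
    rows = []
    for a in register:
        in_scope, reason = applies(a)
        rows.append({"activity": a.name, "in_scope": in_scope, "reason": reason,
                     "role": a.role, "vendors": list(a.vendors),
                     "issues": lint(a) if in_scope else []})
    return rows


def memo_summary(rows: list[dict]) -> dict:
    """Counts for the memo header: coverage, attention items and register defects."""
    is_flag = lambda i: i.startswith("high-attention")
    return {
        "in_scope": sum(r["in_scope"] for r in rows),
        "out_of_scope": sum(not r["in_scope"] for r in rows),
        "high_attention": sum(any(is_flag(i) for i in r["issues"]) for r in rows),
        "register_defects": sum(any(not is_flag(i) for i in r["issues"]) for r in rows),
    }


# Constructed sample register (hypothetical workflows, vendors and owners).
SAMPLE_REGISTER = [
    Activity("Customer onboarding (web signup)", "customer", "web form",
             "create the account and deliver the subscribed service", "Platform team",
             ["email-delivery-saas"], "fiduciary", True, flags={"large_scale"}),
    Activity("Overseas L2 support for Indian users", "customer", "support ticket",
             "resolve product issues raised by users", "Support lead",
             ["ticketing-saas"], "fiduciary", True, processed_in_india=False,
             offered_to_india=True, flags={"cross_border_saas"}),
    Activity("Enterprise client payroll run", "client's employees", "client SFTP",
             "compute payroll on the client's documented instructions", "Payroll ops",
             [], "processor", True, flags={"employee", "financial"}),
    Activity("HR data", "employee", "", "business purposes", "", ["hris-saas"], "",
             False, digitised_later=True),
    Activity("Founder's personal address book", "friends and family", "phone",
             "keep in touch with family and friends", "n/a", [], "", True,
             individual_domestic=True),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER)
    for r in rows:
        print(f"{r['activity']}: in_scope={r['in_scope']} ({r['reason']})")
        for issue in r["issues"]:
            print("   -", issue)
    print(memo_summary(rows))
```

Keeping the register in version control and running these checks in CI turns the "living control document" into something that fails loudly when a new workflow lands with a broad label, an empty purpose or no recorded role, which is exactly where the common mistakes below originate.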
Common mistakes
- Treating company location as the only factor in applicability.
- Combining fiduciary and processor roles without mapping the actual decision-maker.
- Using broad data categories instead of workflow-level processing records.
How DataNuance can help
DataNuance can help run an applicability assessment that maps activities, roles, purposes, systems, vendors and rule-readiness issues. The output can become the foundation for notices, vendor instructions, rights workflows, governance reporting and implementation sequencing.
For a focused applicability review, contact DataNuance through the consultation page.
FAQs
Does the DPDP Act apply only to Indian companies?
No. The Act can also apply to processing outside India if it is connected with offering goods or services to Data Principals in India.
Is employee data part of an applicability assessment?
Yes. Employee, contractor and candidate workflows should be reviewed where they involve digital personal data processed in business operations.
Can one company be both a Data Fiduciary and a processor?
Yes. The same organisation can be a Data Fiduciary in one workflow and a Data Processor in another, so the assessment should be activity-specific.
What should the final assessment record contain?
It should record covered activities, excluded activities, roles, purposes, systems, vendors, assumptions, source checks and the implementation controls required next.
Sources
- Digital Personal Data Protection Act, 2023: https://www.indiacode.nic.in/indiacode/handle/123456789/22037?view_type=browse
- Digital Personal Data Protection Rules, 2025 and Gazette notification: https://www.meity.gov.in/documents/act-and-policies/digital-personal-data-protection-rules-2025-gDOxUjMtQWa?pageTitle=Digital-Personal-Data-Protection-Rules-2025686cadad39.pdf
This publication is general information and is not legal advice for a specific organisation or matter.
