Does India's DPDP Act Apply to Foreign Companies?
Understand if India's DPDP Act, 2023, applies to your foreign company operating in or serving Indian Data Principals. Assess your compliance obligations and costs.
Quick answer
Yes, the Digital Personal Data Protection (DPDP) Act, 2023, unequivocally applies to many foreign companies. If your organisation, regardless of its global headquarters, processes personal data in connection with offering goods or services to Data Principals within the territory of India, or for profiling such Data Principals, you fall under its purview. This is a crucial aspect of DPDP's extraterritorial reach, mirroring global privacy laws like GDPR.
Ignoring this can lead to significant penalties and reputational damage. Understanding your applicability is the first, most critical step.
Understanding DPDP's Global Reach
Many foreign companies incorrectly assume that without a physical office or registered entity in India, they are exempt from the DPDP Act. This is a dangerous misconception. The Act's Section 3(b)(i) and (ii) clearly outline its applicability to the processing of personal data outside India, specifically:
- If such processing is in connection with any activity related to offering goods or services to Data Principals within the territory of India.
- If such processing is in connection with profiling of Data Principals within the territory of India.
This means if your company, for instance, operates an e-commerce website that ships to India, offers a SaaS product used by Indian customers, or conducts market research by profiling Indian users, DPDP applies. Your obligations as a Data Fiduciary or Data Processor commence once you process data of individuals located in India.
“The location of the Data Fiduciary or Data Processor is secondary; the location of the Data Principal and the intent to offer services in India are paramount for DPDP applicability.”
Practical Scenarios for Foreign Company Applicability
| Scenario | DPDP Applicability | Example |
|---|---|---|
| Global Company serving Indian users/customers | Yes, likely applicable. | A US-based streaming service with paid Indian subscribers. |
| Global Company profiling Indian users | Yes, likely applicable. | A European advertising tech firm tracking Indian website visitors for targeted ads. |
| Foreign parent company of an Indian subsidiary | Yes, often applicable. | A Japanese manufacturing giant's Indian subsidiary processes employee data, then transfers it to the Japanese parent for global HR. Parent becomes Data Fiduciary for that processing. |
| Foreign company with no direct India presence or services | No, generally not applicable. | A UK-based local retail store with no online presence or international shipping. |
Even if you engage an Indian vendor or partner (a Data Processor), if you decide the purpose and means of processing personal data of Indian individuals, you remain the primary Data Fiduciary and bear ultimate responsibility.
Key Compliance Focus for Global Entities
For foreign companies, DPDP compliance isn't just a legal checkbox; it's an operational shift. Key areas demanding immediate attention include:
- Valid Consent Mechanisms: Ensuring all data collection from Indian Data Principals is based on explicit, informed, and verifiable consent, with clear notices in accessible languages.
- Data Principal Rights: Establishing robust processes for individuals in India to exercise their rights, such as the right to erasure, access, and correction.
- Cross-Border Data Transfers: Adhering to DPDP's rules for transferring personal data out of India, which currently involves a 'negative list' approach.
- Data Breach Notification: Having a clear plan to detect, assess, and notify the Data Protection Board of India within 72 hours of a data breach.
- Vendor Management: Vetting Indian and global third-party vendors (Data Processors) to ensure they meet DPDP standards and have appropriate data processing agreements in place.
Typical cost range
For a foreign company assessing and implementing DPDP compliance, the costs can vary widely depending on existing data privacy frameworks (e.g., GDPR compliance), data volume, and operational complexity. Initial assessments and legal opinions for foreign entities typically range from ₹3 Lakh to ₹15 Lakh.
Implementing the necessary changes, including data mapping, consent management system integration, and policy overhauls, can cost anywhere from ₹15 Lakh to ₹1 Crore+, particularly for larger enterprises or those with complex global data flows.
What drives the cost
Several factors specifically influence the compliance costs for foreign companies:
- Existing Global Privacy Frameworks: Companies already compliant with GDPR or CCPA may have a head start, reducing foundational assessment costs, but still require India-specific customisation.
- Data Volume and Sensitivity: Higher volumes of personal data, especially sensitive personal data, increase the complexity and cost of data mapping, security measures, and Data Principal request handling.
- Number of Indian Data Principals: The more Indian users or customers a foreign company has, the greater the scale of implementing consent, managing rights, and responding to requests.
- Integration with Indian Partners: If the foreign company relies heavily on Indian subsidiaries, vendors, or resellers, ensuring their compliance and harmonising data processing agreements adds to the cost and complexity.
- Technology Stack Adjustments: Modifying IT systems, websites, and mobile applications to meet DPDP consent requirements and support Data Principal rights can involve significant development expenses.
Next step
If your foreign company serves Indian Data Principals or profiles them, DPDP applies to you. The next critical step is to accurately assess your specific obligations and develop a clear compliance roadmap. Don't wait for enforcement notices.
Start by understanding your data processing activities in India and then engage with experts who can guide your global team through the intricacies of the DPDP Act. Use our free cost calculator to get a preliminary estimate, and then consider our DPDP Readiness Workshop for a comprehensive, actionable plan tailored to your global operations with an Indian footprint.
Frequently Asked Questions
If my foreign company's servers are outside India, does DPDP still apply to the data of Indian citizens?
Yes. DPDP's applicability is not determined by the physical location of your servers or data processing facilities. It applies if you process personal data in connection with offering goods or services to Data Principals in India, or for profiling them, irrespective of where that data is stored or processed globally. The focus is on the Data Principal's location and the intent to target Indian users.
How does DPDP affect data transfers between my foreign parent company and its Indian subsidiary?
Such transfers are considered cross-border data transfers and must comply with DPDP's provisions, specifically Section 16. The Indian subsidiary, as a Data Fiduciary, must ensure a legitimate basis for the transfer (e.g., consent or legitimate use) and that the foreign parent provides a similar level of protection. While there's currently a 'negative list' approach, ensuring robust contractual safeguards and adherence to DPDP principles is essential for both entities.
My foreign company offers a free service to Indian users. Does DPDP still apply, even if no money changes hands?
Yes, DPDP applies regardless of whether your service is paid or free. The Act's applicability is tied to the 'offering of goods or services' to Data Principals in India, or 'profiling' them. A free service still involves the processing of personal data (e.g., account creation, usage data, preferences) in connection with that offering, bringing it under DPDP's scope.