
Your SaaS platform just onboarded its first major Indian enterprise customer. Marketing is running campaigns targeting users in Mumbai and Bangalore. Product is building features specifically for the Indian market. Legal received notification that your organization may be designated a Significant Data Fiduciary.
The Digital Personal Data Protection (DPDP) Act, 2023, establishes India's first comprehensive data protection framework centered on individual privacy rights and organizational accountability. The Act governs processing of digital personal data by Data Fiduciaries (controllers) and Data Processors, establishing consent as the primary legal basis and granting Data Principals (individuals) rights over their information.
Phase 2 marks the transition from institutional setup to operational enforcement. While Phase 1 (November 2025) established the Data Protection Board of India (DPBI) and appointed members, Phase 2 (November 2026) activates critical infrastructure:
Consent Manager registration: Independent platforms enabling Data Principals to manage consents centrally across multiple services become operational.
Significant Data Fiduciary designation: Government begins notifying which organizations face enhanced compliance obligations due to scale, sensitivity, or systemic risk.
Enhanced scrutiny: The DPBI moves from organizational establishment to active monitoring, investigations, and enforcement actions.
Phase 1 was administrative, creating regulatory authority. Phase 2 is operational: activating enforcement mechanisms, consent infrastructure, and penalty frameworks. January 2026 consultations proposed compressing compliance windows from 18 months to 12 months, potentially moving full enforcement to November 2026 rather than May 2027.
| Phase | Effective Date | Key Provisions Activated | Operational Focus |
|---|---|---|---|
| Phase 1: Foundation | November 13, 2025 | Rules 1, 2, 17–21; Act Sections 18–26 | DPBI establishment; appointment of members |
| Phase 2: Intermediaries | November 13, 2026 | Rule 4; Act Section 6(9) | Consent Manager registration; technical standards |
| Phase 3: Full Compliance | May 13, 2027 | Rules 3, 5–16, 22, 23; all remaining provisions | Substantive obligations; penalties operational |
Ministry consultations with major technology platforms proposed significantly compressing the compliance window for Significant Data Fiduciaries from 18 months to 12 months. This creates a "compliance gradient" in which larger entities already aligned with global standards like GDPR are expected to achieve readiness faster.
For global SaaS companies, Phase 2's November 2026 date may effectively serve as the deadline for most core obligations.
The DPBI functions as an independent legal body with authority to investigate complaints, levy penalties up to INR 250 crore per contravention, issue compliance directions, maintain a public registry of enforcement actions, and operate as a "digital office" enabling virtual hearings.
All entities incorporated in India processing digital personal data as part of business operations must comply regardless of size or revenue.
The Act's territorial reach is explicitly extraterritorial, applying to processing of digital personal data outside India if connected to offering goods or services to individuals within India.
Critical distinction: Unlike GDPR's "monitoring" threshold, DPDP doesn't require "targeting" Indian individuals in a granular sense. Mere provision of a service to a Data Principal in India triggers compliance obligations.
SaaS providers face immediate implications:
Customer location tracking: Must implement geolocation tagging identifying Indian Data Principals across global platform instances.
India-specific consent flows: Deploy localized consent mechanisms meeting unconditional and multilingual requirements.
Offshore AI training: AI providers scraping or processing Indian data trigger compliance if models connect to services offered in India.
Marketing platforms and ecommerce operations processing Indian user data for targeting, analytics, or personalization require explicit consent for each distinct purpose—consent for core service doesn't cover ancillary marketing uses.
Section 17(1)(d) provides "Outsourcing Exemption" for India's IT and BPO sectors: processing personal data of individuals located outside India within India under contract with entities outside India is exempt. Global companies must segregate India-facing datasets from offshore-managed datasets.
A Data Principal is the individual whose personal data is being processed. The Act uses the pronouns "she" and "her" regardless of gender. For children under 18 or persons with disabilities, the definition includes parents or lawful guardians.
The 18-year threshold for majority is notably higher than GDPR's 16, necessitating strict age-gating for platforms.
A Data Fiduciary is any person who determines the purpose and means of processing personal data. The term "fiduciary" implies a duty of care transcending commercial contracts.
Data Fiduciaries remain the primary point of accountability—even if Data Processors cause breaches, Fiduciaries are legally liable and must ensure processor compliance through valid contracts.
A Data Processor processes data purely on the instructions of the fiduciary. Processors must implement reasonable security safeguards and are restricted from engaging sub-processors without fiduciary authorization.
Global SaaS providers acting as processors for Indian enterprises must include DPDP-specific clauses in agreements.
Significant Data Fiduciaries (SDFs) are entities designated by the Central Government that face heightened accountability due to systemic risk. Designation is based on the volume and sensitivity of data processed, risk to Data Principal rights, potential impact on sovereignty, risk to electoral democracy, and State security.
Indicative thresholds suggest companies with more than 50 lakh users or INR 250 crore annual revenue are likely candidates.
Consent Managers are independent platforms registered with the DPBI that serve as the single point of contact for Data Principals to manage consent through an interoperable dashboard.
Requirements include Indian incorporation, minimum net worth of INR 2 crore, data-blindness (maintaining consent records without accessing underlying data), fiduciary duty to Data Principals, and no conflicts of interest.
Consent under DPDP must be "free, specific, informed, unconditional, and unambiguous." The "unconditional" requirement explicitly targets "bundling" where access to core services is contingent on agreeing to unrelated data collection.
Fiduciaries must prove data collected is strictly "necessary" for specified purpose—consent for unnecessary fields is invalid.
Rule 3 mandates standalone privacy notices presented independently of Terms of Service. Notices must provide:
Notices and consent requests must be available in English or any of the 22 languages specified in the Eighth Schedule to the Indian Constitution. This creates a massive localization burden requiring dynamic translation engines.
Data Principals must be able to withdraw consent as easily as giving it. In microservices architectures, single withdrawal signal must propagate across hundreds of APIs, analytics pipelines, and third-party integrations.
Organizations must maintain comprehensive records of when consent was obtained, what specific purposes were consented to, format and language of consent request, and withdrawal requests with processing cessation timestamps.
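The three requirements above (purpose-specific consent, withdrawal that is as easy as granting and propagates to every downstream system, and records of when, in what language and in what format consent was given) can be implemented as a small consent ledger. The following is an added illustration, not code from the article or from any Consent Manager product; the downstream systems, purpose names, notice identifiers and timestamps are constructed for the example.

```python
"""Purpose-scoped consent ledger with withdrawal fan-out.

Added illustration (not from the article or any vendor product): records each
consent grant with its purpose, language and request format, refuses processing
for purposes that were never consented to, and propagates a withdrawal to every
registered downstream system, recording when each confirmed it stopped.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    granted_at: datetime
    language: str            # language the notice and consent request were shown in
    request_format: str      # hypothetical identifier of the notice/UI version shown
    withdrawn_at: Optional[datetime] = None
    # Timestamp at which each downstream system confirmed processing ceased.
    cessation: dict[str, datetime] = field(default_factory=dict)

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


# A downstream "stop processing" handler: receives (principal_id, purpose)
# and returns the instant at which that system ceased processing.
StopHandler = Callable[[str, str], datetime]


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []
        self._downstream: dict[str, StopHandler] = {}

    def register_downstream(self, system: str, handler: StopHandler) -> None:
        """Register a system (analytics, CRM, ...) that must honour withdrawals."""
        self._downstream[system] = handler

    def grant(self, principal_id: str, purpose: str, language: str,
              request_format: str, now: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, now or datetime.now(timezone.utc),
                            language, request_format)
        self._records.append(rec)
        return rec

    def _active(self, principal_id: str, purpose: str) -> list[ConsentRecord]:
        return [r for r in self._records
                if r.principal_id == principal_id and r.purpose == purpose and r.active]

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """True only if an un-withdrawn consent exists for this exact purpose.
        Consent for one purpose never implies consent for another."""
        return bool(self._active(principal_id, purpose))

    def withdraw(self, principal_id: str, purpose: str,
                 now: Optional[datetime] = None) -> list[ConsentRecord]:
        """Mark consent withdrawn and fan the signal out to every downstream
        system, recording the cessation timestamp each one reports."""
        now = now or datetime.now(timezone.utc)
        affected = self._active(principal_id, purpose)
        for rec in affected:
            rec.withdrawn_at = now
            for system, handler in self._downstream.items():
                rec.cessation[system] = handler(principal_id, purpose)
        return affected

    def records_for(self, principal_id: str) -> list[ConsentRecord]:
        """The evidence trail: grants, purposes, format, language, withdrawals."""
        return [r for r in self._records if r.principal_id == principal_id]


def demo() -> dict:
    """Constructed scenario: core-service consent does not cover ads; a
    marketing withdrawal reaches two downstream systems."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 11, 13, 9, 0, tzinfo=timezone.utc)
    t_withdraw = t0 + timedelta(days=30)
    # Constructed downstream systems; each reports when it stopped processing.
    ledger.register_downstream("analytics", lambda p, u: t_withdraw + timedelta(minutes=5))
    ledger.register_downstream("crm", lambda p, u: t_withdraw + timedelta(minutes=12))

    ledger.grant("dp-001", "core_service", language="hi", request_format="notice-v2", now=t0)
    ledger.grant("dp-001", "marketing_email", language="hi", request_format="notice-v2", now=t0)

    ads_permitted = ledger.is_permitted("dp-001", "personalised_ads")  # never consented
    ledger.withdraw("dp-001", "marketing_email", now=t_withdraw)
    rec = next(r for r in ledger.records_for("dp-001") if r.purpose == "marketing_email")
    return {
        "ads_permitted": ads_permitted,
        "core_permitted": ledger.is_permitted("dp-001", "core_service"),
        "marketing_permitted": ledger.is_permitted("dp-001", "marketing_email"),
        "cessation_systems": sorted(rec.cessation),
        "last_cessation": max(rec.cessation.values()).isoformat(),
        "record_count": len(ledger.records_for("dp-001")),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that `is_permitted` is keyed on the exact purpose, so a service cannot silently reuse core-service consent for marketing, and that `withdraw` does not return until every registered system has reported a cessation time, which is the timestamp the records requirement asks for. In a real microservices deployment the handlers would be message-queue consumers rather than in-process callables, but the ledger's record structure stays the same.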
| Aspect | GDPR | DPDP |
|---|---|---|
| Primary Basis | One of six lawful bases | Primary and often sole basis |
| Legitimate Interest | Available alternative | Not available as basis |
| Contractual Necessity | Allows processing for contract performance | Requires explicit consent even for core service |
| Children | Up to 16 (can lower to 13) | Up to 18 (no flexibility) |
Data Principals can request summary of data being processed, specific activities undertaken, and identities of other fiduciaries and processors with whom data has been shared. (Similar to GDPR).
Rights to seek correction of inaccurate data, completion of incomplete records, or updating of outdated information. Organizations must implement workflows validating and executing correction requests.
Fiduciaries must delete personal data once the specified purpose is fulfilled or consent is withdrawn, unless retention is mandated by Indian law. For platforms, erasure is triggered after a continuous period of three years of user inactivity, with 48-hour advance notice.
Critical challenge: Failing to delete a single copy in a neglected shared drive constitutes non-compliance. Organizations need automated data discovery scanning the entire IT ecosystem. (Similar to GDPR.)
Fiduciaries must resolve grievances within maximum 90 days. Data Principals must exhaust this internal mechanism before approaching DPBI, placing burden on support teams to resolve disputes within defined SLAs.
Unique DPDP feature: Data Principals can nominate another individual to exercise their rights in event of death or incapacity. Platforms must build nomination workflows into account settings.
Rights implementation requires searchable data inventories, automated workflows routing requests appropriately, validation mechanisms preventing fraud, documentation proving timely response, and integration with data deletion capabilities across all systems.
Central Government notifies SDF status based on factors including volume and sensitivity of data processed, risk to Data Principal rights, potential impact on sovereignty, risk to electoral democracy, and State security.
While specific designations haven't been issued, consultations suggest companies with 50+ lakh users or INR 250+ crore annual revenue are likely candidates.
Once notified, SDFs must:
Appoint India-based DPO: Data Protection Officer must be senior employee based in India, answerable to Board of Directors, serving as primary DPBI contact.
Appoint Independent Auditor: Third-party auditor must evaluate compliance annually.
Conduct DPIAs: Data Protection Impact Assessments must be undertaken periodically to manage risks to individual rights.
Algorithmic Accountability: SDFs must perform due diligence verifying technical measures, including algorithmic software, don't harm user rights—including testing for bias in credit, employment, or healthcare decisions.
SDFs face greater DPBI scrutiny, mandatory annual compliance audits, public disclosure of certain processing activities, and enhanced penalties for violations.
Fiduciaries must implement encryption and masking (mandatory for data at rest and in transit), access control (strict role-based access), and logging and monitoring (continuous review detecting unauthorized access).
Novel requirement: mandatory one-year retention of processing logs, authentication records, and associated traffic data supporting DPBI investigations and forensic audits.
Fiduciaries must notify DPBI and affected Data Principals "without delay":
Initial intimation: Immediately upon discovery.
Detailed report: Within 72 hours, including breach description, consequences, and mitigation measures.
Failure to notify breaches attracts penalties up to INR 200 crore.
India adopts "blacklist" model: by default, personal data may be transferred to any country or territory outside India. Unlike GDPR, there's no requirement for an adequacy decision before transfers.
However, Central Government reserves the right to restrict transfers to certain destinations through future notifications.
Rule 13 introduces complexity for SDFs: government may specify certain personal data categories and related traffic data that must not be transferred outside India.
For global SaaS companies, this could mean metadata showing access patterns of Indian users must be localized, even if primary workload remains on global cloud.
| Transfer Mechanism | EU GDPR | India DPDP |
|---|---|---|
| Model | Whitelist (Adequacy) | Blacklist (Negative List) |
| Standard Clauses | Mandatory SCCs | Not explicitly mandated |
| Localization | Limited cases | Sectoral laws + SDF critical data |
DPBI can levy fines up to INR 250 crore per contravention based on nature, gravity, and duration of breach, repetitive nature of non-compliance, unfair gain or loss, and extent of remedial action taken.
Failure to implement reasonable security: INR 50-200 crore depending on scale and impact.
Non-compliance with Data Principal rights: INR 10-100 crore based on affected individuals and delay.
Breach notification failures: Up to INR 200 crore, particularly for delayed or incomplete notifications.
DPDP doesn't provide for statutory damages or private rights of action—all enforcement and financial recovery flows through state-led DPBI. This centralized model means organizations face regulatory penalties rather than class action litigation.
| Aspect | GDPR | DPDP |
|---|---|---|
| Consent Model | One of six lawful bases | Primary and often sole basis |
| Lawful Bases | Six options including Legitimate Interests | Primarily Consent with narrow exceptions |
| Children | Up to 16 (flexible to 13) | Up to 18 (no flexibility) |
| Breach Notification | 72 hours to authority | Initial immediately, detailed within 72 hours |
| Maximum Fines | €20M or 4% global turnover | INR 250 crore (~€27M) |
| DPO Requirement | Mandatory for certain categories | Mandatory for SDFs only |
| Cross-Border | Whitelist (adequacy) | Blacklist (negative list) |
- Standalone notices in English and relevant Indian languages explaining itemized data collection and purposes.
- Explicit, unconditional consent mechanisms for each processing purpose.
- Comprehensive records of consent obtained, purposes, format/language, and withdrawals.
- Processes handling access, correction, erasure, and nomination within the 90-day resolution window.
- Comprehensive mapping of all personal data processed, locations, purposes, and retention periods.
- DPDP-specific clauses in processor agreements.
- Mechanisms validating Data Principals are 18+ or obtaining verifiable parental consent.
- Procedures enabling immediate DPBI notification and 72-hour detailed reporting.
- Encryption, access controls, logging, and monitoring.
- One-year retention of processing logs, authentication records, and traffic data.
- Records of where data is transferred and validation that destinations aren't restricted.
- Accessible complaint processes with 90-day resolution SLAs.
- DPO appointment, auditor engagement, DPIA processes.
No Consent Logging: Many organizations implement consent UI without maintaining comprehensive records proving consent was obtained.
Manual Rights Handling: Processing Data Principal rights requests manually through email doesn't scale and can't reliably fulfill erasure requests.
No Processing Inventory: Operating without comprehensive data inventories makes demonstrating compliance impossible.
Fragmented Governance: Treating DPDP as isolated legal exercise rather than cross-functional governance transformation.
Shadow IT and Data Hoarding: Unstructured data in spreadsheets, email archives, and legacy servers creates compliance risks when erasure requests arrive.
Step 1: Map Indian Data - Conduct comprehensive data discovery identifying all personal data of Indian Data Principals across systems. Document processing purposes, legal bases, retention periods, and third-party transfers.
Step 2: Update Notices - Revise privacy notices to meet standalone, multilingual requirements with itemized data collection and specific purposes.
Step 3: Implement Consent Governance - Build consent management infrastructure capturing explicit, unconditional consent for each distinct purpose with comprehensive logging.
Step 4: Build Rights Workflows - Establish automated workflows handling Data Principal rights including request intake, identity verification, data location, execution, response generation, and documentation.
Step 5: Prepare Breach Playbooks - Develop incident response procedures enabling immediate breach detection, impact assessment, DPBI notification, detailed 72-hour reporting, and individual notifications.
Step 6: Update Vendor Agreements - Revise processor contracts including DPDP-specific clauses addressing security obligations, breach notification, audit rights, and liability.
Step 7: Establish Governance Structure - Create cross-functional governance committee with clear ownership. If likely SDF candidate, prepare for DPO appointment and independent auditor engagement.
India DPDP Phase 2 represents an operational enforcement phase with penalties up to INR 250 crore, effective November 2026.
Extraterritorial reach means foreign companies offering services to Indian individuals must comply regardless of physical presence.
Consent is the primary legal basis—GDPR concepts like legitimate interests don't apply, requiring explicit consent for most processing.
Unconditional consent requirement prohibits bundling—organizations can't condition core service access on unrelated data collection.
Multilingual obligations require serving notices in English or any of 22 constitutional languages based on Data Principal preference.
Data Principal rights implementation requires automated workflows, comprehensive data inventories, and orchestrated deletion capabilities.
Significant Data Fiduciaries face enhanced obligations including India-based DPO appointment, independent audits, DPIAs, and algorithmic accountability.
Cross-border transfers operate on a blacklist model—generally permitted but subject to future government restrictions particularly for SDF traffic data.
Organizations treating DPDP as back-office legal tasks face substantial penalties and operational instability. Those embedding privacy-by-design, automating data lifecycle management, and building restriction-ready architectures transform compliance into competitive advantage through demonstrable commitment to responsible data stewardship in one of the world's fastest-growing digital economies.