Who must comply with the DPDP Act?
Any organization that processes digital personal data about individuals in India (startups, SaaS vendors, banks, hospitals, e-commerce businesses, and government contractors) must comply when the Act applies to their processing.
Compliance is not limited to large enterprises. If you run a website, mobile app, CRM, HR system, or marketing stack that handles names, phone numbers, emails, or other personal data, you are likely a Data Fiduciary.
Processors and Significant Data Fiduciaries have additional duties. Map your data flows first, then align notices, consent, security, and grievance handling.