India's Digital Personal Data Protection Act (DPDPA), signed into law in August 2023 and operationalised through the DPDP Rules 2025 (notified November 13, 2025), represents a watershed moment for India's $283 billion IT industry. With full compliance mandatory by May 13, 2027, and no grace period thereafter, technology companies serving global clients face a rapidly closing window to prepare.
This article examines the practical impact of the DPDPA on Indian tech exports and outlines what companies must do to stay competitive and compliant.
The Stakes: India's IT Export Powerhouse
India's IT-BPM sector generated $224 billion in exports in FY2025, employing approximately 5.4 million people. NASSCOM projects total industry revenue approaching $300 billion in FY2026. This sector is the backbone of India's services economy, and the DPDPA has the potential to either reinforce or undermine its global competitiveness, depending on how effectively companies adapt.
The BPO Exemption: A Strategic Lifeline
Perhaps the single most consequential provision for India's outsourcing industry is the exemption for processing foreign nationals' data under contractual arrangements with overseas entities. When an Indian BPO or IT services firm processes personal data of individuals not within India pursuant to a contract with a foreign company, that processing is largely exempt from DPDPA obligations, including data fiduciary duties, Significant Data Fiduciary (SDF) requirements, cross-border transfer rules, and individual rights provisions.
However, the exemption is not blanket. Security safeguard obligations still apply. This means Indian IT firms must maintain reasonable security measures even for exempt processing, a requirement that, while less onerous than full compliance, still demands investment in security infrastructure and governance.
This carve-out was a pragmatic recognition of the industry's importance. It preserves the core outsourcing model while signalling to global clients that India takes data protection seriously.
Cross-Border Data Transfers: The "Blacklist" Approach
Unlike the GDPR's "whitelist" model, where transfers are restricted unless the destination country receives an adequacy decision or appropriate safeguards are in place, the DPDPA adopts a negative list approach. Data transfers are permitted to all countries except those explicitly restricted by government notification.
On the surface, this is more permissive. In practice, significant uncertainties persist:
- No restricted countries list has been published as of early 2026
- No equivalent of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) exists under DPDPA
- SDFs may face additional localisation mandates, with the government empowered to restrict transfer of specified personal data categories
- Traffic data associated with government-specified personal data must also remain within India
For Indian tech companies, this regulatory ambiguity complicates contract negotiations with global clients who expect clear, documented compliance pathways.
The EU Adequacy Question
A critical concern for Indian IT exporters serving European clients: India does not have an EU adequacy decision, and the path to obtaining one appears challenging. In April 2025, the European Data Protection Supervisor (EDPS) declined the European Investment Bank's request to transfer contact data to India, citing concerns about the adequacy of India's data protection framework.
Key barriers to adequacy include:
- Regulatory independence concerns: The Data Protection Board of India operates under the Ministry of Electronics & IT, with government control over appointments and procedures. This contrasts sharply with the GDPR's requirement for fully independent supervisory authorities
- Broad government exemptions: Section 17(2) permits state exemptions for sovereignty, security, and public order without independent oversight, necessity tests, or proportionality reviews
- Deletion restrictions: Section 17(4) limits individuals' right to request data deletion when government entities use data for subsidies, benefits, or permits
For Indian companies processing EU residents' data, this means continued reliance on SCCs and other GDPR transfer mechanisms, creating a dual compliance burden that is now the operational reality.
The Dual Compliance Challenge
Indian tech firms must now navigate overlapping regulatory regimes:
| When processing data of... | Primary compliance obligation |
|---|---|
| Indian residents | DPDPA |
| EU residents | GDPR |
| California residents | CCPA/CPRA |
| Sector-specific data (banking, telecom, insurance) | RBI, SEBI, TRAI, IRDAI requirements (which take precedence over DPDPA) |
This is not merely a legal exercise. It requires architectural decisions that affect product design, infrastructure, and operational workflows: how consent is collected, how data flows are structured, and how deletion pipelines are built.
A critical gap compounds this challenge: the DPDPA does not recognise "legitimate interests" as a legal basis for processing, unlike the GDPR. Indian companies that have built their EU compliance around legitimate interest processing must develop entirely separate consent-based workflows for Indian data subjects.
DPDPA vs. GDPR: Key Differences That Matter
| Dimension | DPDPA | GDPR |
|---|---|---|
| Primary legal basis | Consent | Six legal bases (including legitimate interests) |
| Transfer mechanism | Blacklist (all transfers allowed unless restricted) | Whitelist (adequacy decisions, SCCs, BCRs) |
| Sensitive data | No separate category | Special categories with enhanced protections |
| Children's age threshold | Under 18 | Under 16 (states may lower to 13) |
| Maximum penalties | INR 250 crore (~$30M) per violation | 4% of global turnover or EUR 20M |
| Regulatory independence | Under Ministry of Electronics & IT | Independent supervisory authorities |
| Publicly available data | Excluded from scope | Still protected |
Who Bears the Greatest Burden?
Startups and mid-size firms face disproportionate impact. The DPDPA's penalty structure does not tier by company size. A single compliance lapse can attract fines up to INR 250 crore regardless of whether the offender is a five-person startup or a multinational. Compliance cost estimates suggest INR 5–15 lakh annually for early-stage startups, with Data Protection Officer salaries ranging from INR 9–40 lakh per year.
As privacy advocate Mishi Choudhary has noted, the implementation "disproportionately affects smaller companies with fewer resources than tech giants." Large enterprises with existing compliance teams can absorb DPDPA requirements incrementally; smaller players face a fundamental restructuring challenge.
SaaS companies face particularly acute pressure. They must:
- Redesign consent mechanisms away from buried terms-of-service models
- Build automated deletion pipelines with mandatory 48-hour user notification
- Maintain data logs for a minimum of one year
- Restructure marketing practices relying on broad consent around specific, itemised purposes
The Compliance Timeline: 14 Months and Counting
| Phase | Deadline | Key Requirements |
|---|---|---|
| Phase 0 | November 2025 (complete) | Data Protection Board constitution, basic rule framework |
| Phase 1 | November 2026 | Consent Manager registration and functioning |
| Phase 2 | May 13, 2027 | Full compliance, no grace period |
The recommended compliance roadmap for companies that have not yet begun:
- Months 0–6: Data mapping, gap analysis, risk assessment, vendor review
- Months 6–12: Consent redesign, rights management infrastructure, policy drafting, employee training
- Months 12–18: System deployment, legacy data migration, testing, internal audits, vendor contract finalisation
With the deadline approximately 14 months away, companies starting now are already behind the recommended curve.
The Strategic Opportunity
Despite the compliance burden, the DPDPA creates genuine strategic opportunities for Indian tech companies:
- Enhanced global credibility: A comprehensive data protection law positions India as a more trustworthy destination for data processing, potentially unlocking new business with privacy-conscious clients
- Regulatory convergence: Alignment with global norms could facilitate future adequacy decisions, if structural concerns around regulatory independence are addressed
- Competitive differentiation: Companies that achieve robust DPDPA compliance early can market it as a trust signal to prospective clients
Practical Recommendations for Indian Tech Exporters
- Audit your data flows immediately. Map every jurisdiction where personal data is collected, stored, processed, and transferred. Identify which processing falls within the BPO exemption and which does not.
- Build for dual compliance from day one. Design consent and data management systems that satisfy both DPDPA and GDPR requirements simultaneously, rather than bolting on DPDPA compliance as an afterthought.
- Invest in automated compliance infrastructure. Consent management platforms, automated deletion pipelines, and breach notification systems are not optional. They are operational necessities.
- Review and renegotiate vendor contracts. Ensure upstream vendors and downstream processors have adequate security safeguards and compliance commitments.
- Engage specialised legal counsel. The interplay between DPDPA, GDPR, sector-specific regulations, and contractual obligations requires expertise that generic legal teams may lack.
- Monitor regulatory developments closely. The restricted countries list, SDF designation criteria, and consent manager standards remain undefined, and any of these could materially alter compliance requirements.
Conclusion
The DPDPA is not merely a regulatory hurdle. It is a structural shift in how India's technology sector handles personal data. For an industry that has built its global dominance on trust, efficiency, and scalability, the Act presents both a compliance challenge and a strategic opportunity.
The BPO exemption preserves the core outsourcing model. But for SaaS companies, AI startups, and any firm processing Indian residents' data, the obligations are substantial and the deadline is firm. Companies that invest in compliance now will be best positioned to maintain, and expand, their share of global technology services.
The question is not whether to comply, but how quickly and how well.