City · Delhi

DPDPA Compliance in Delhi

The Digital Personal Data Protection Act (DPDPA), 2023 sets new rules for how organisations collect, store, and process personal data in India. With the compliance deadline set for May 2027, businesses in Delhi must build consent frameworks, breach protocols, and data governance systems now, rather than scrambling once enforcement begins.

Why DPDPA compliance matters in Delhi specifically

Delhi's economy spans government contractors and PSUs in Connaught Place, a vast IT and consulting sector in Nehru Place and Gurugram-adjacent corridors, plus dense wholesale and export trading hubs in Karol Bagh, Chandni Chowk, and Okhla. This mix means DPDPA compliance in Delhi touches everyone from large system-integrators bidding on government data contracts to thousands of export-import SMEs handling customer and vendor data with little formal consent infrastructure, raising exposure across both ends of the spectrum.

What Delhi businesses should prepare first

  • Map government-contract and citizen-data touchpoints (PSU / tender work) and confirm lawful grounds before sharing with agencies.
  • Document lawful grounds and consent records for each processing purpose.
  • Build a breach response SOP aligned to CERT-In's 6-hour and DPB's 72-hour clocks.
  • Review vendor contracts for processor-grade security and escalation clauses.

Frequently asked questions

Do government contractors and vendors in Delhi have extra DPDPA obligations?

Yes, in practice. Firms handling government data or citizen records often process sensitive, high-volume datasets, increasing the likelihood of being classified as a Significant Data Fiduciary under Rule 13, which brings added requirements like DPO appointment and periodic audits.

What counts as a reportable data breach for a Delhi-based trading or export business?

Any unauthorised access, disclosure, or loss of personal data — such as customer or vendor contact details — is reportable. The dual-clock applies: CERT-In must be notified within 6 hours, and the Data Protection Board within 72 hours of becoming aware.

Are small IT consulting firms in Delhi exempt from DPDPA because they're not SDFs?

No. Every Data Fiduciary must comply with baseline obligations like consent and security safeguards, regardless of size. Only the extra Rule 13 obligations (DPO, audits, impact assessments) are limited to Significant Data Fiduciaries, not the Act's core requirements.

Get a DPDPA readiness walkthrough for your Delhi business

Book a 30-minute call to map your consent architecture, vendor exposure, and breach posture against DPDPA.

Book a demo Free Gap Analysis

Disclaimer: Privigo is not a law firm. This page provides operational compliance guidance only. For institution-specific obligations, work with qualified Indian legal counsel.