India has not imposed blanket data localisation through DPDPA, instead relying on sectoral requirements. RBI mandates payment data localisation. IRDAI restricts insurance data. SEBI imposes securities data requirements. Understanding this fragmented landscape is essential for compliant data architecture.
DPDPA Position on Localisation
DPDPA Section 16 adopts a permissive approach, allowing transfers except to restricted jurisdictions. No general localisation mandate exists. However, Section 16(2) empowers the Central Government to impose additional conditions including localisation for specific categories. This flexibility preserves future policy options without current mandatory requirements.
Key Points
- No blanket localisation in DPDPA
- Permissive transfer framework
- Government retains localisation power
- Future conditions possible
RBI Payment Data Localisation
The 2018 RBI Circular mandates that all payment system data be stored exclusively in India. This applies to payment system operators including card networks, payment aggregators, and banking correspondents. A mirroring approach is permitted, where data may exist abroad but must also be stored in India. Enforcement has been strict, with compliance deadlines.
Sectoral Requirements
IRDAI restricts insurance data transfers with specific approval requirements. SEBI mandates securities market data localisation for stock exchanges and depositories. Telecom licensing conditions impose data localisation for call detail records (CDRs). Healthcare regulations under consideration may impose additional requirements. Each sector demands specific compliance assessment.
Key Points
- IRDAI insurance data restrictions
- SEBI securities data mandates
- Telecom CDR localisation
- Healthcare regulations pending
Architecture Implications
Organisations must map all data flows against sectoral requirements. Cloud infrastructure contracts should specify data residency capabilities. Hybrid architectures maintaining India data copies while processing abroad require careful design. Exit strategies must address data repatriation if requirements tighten.
Key Takeaways
- Map data categories to applicable sectoral regimes
- Audit cloud infrastructure for residency compliance
- Implement data classification for localised categories
- Design architecture supporting residency requirements
- Monitor regulatory developments for new mandates
