AMLEGALS

DPDPA Compliance Roadmap for Foreign Companies Entering India

A 12-Phase Operational Framework from Entity Assessment to Enforcement Readiness

"This Act applies to the processing of digital personal data within the territory of India where the personal data is collected in digital form or in non-digital form and digitised subsequently."

DPDPA Section 3(a)

Foreign companies entering India — through wholly-owned subsidiaries, joint ventures, branch offices, liaison offices, or SaaS deployments targeting Indian users — trigger DPDPA obligations the moment they process digital personal data of individuals within India. Section 3 extends jurisdiction to offshore processing where personal data is collected within India or for offering goods and services to Data Principals in India. This article provides a structured 12-phase compliance roadmap that a foreign General Counsel can operationalise from jurisdictional assessment through enforcement readiness.

Phases 1-3: Jurisdictional Trigger and Entity Mapping

Phase 1 determines whether the foreign entity falls within DPDPA jurisdiction under Section 3. The test is whether it processes digital personal data (a) collected within India, or (b) collected in connection with offering goods or services to Data Principals in India. A US SaaS company serving Indian enterprise clients triggers Section 3(a). A Singapore e-commerce platform selling to Indian consumers triggers Section 3(b). Phase 2 maps the entity structure — Indian subsidiary (Data Fiduciary), offshore processor (Data Processor under Section 8(2)), joint venture partner (potential co-Fiduciary). Phase 3 audits all personal data touchpoints: employee data (HR systems), customer data (CRM), vendor data (procurement), and visitor data (website/app analytics).

Key Points

  • Section 3(a): Data collected within India
  • Section 3(b): Offering goods/services to India
  • Entity structure determines Fiduciary/Processor role
  • All data touchpoints must be mapped

Phases 4-6: Consent, Notice, and Processor Infrastructure

Phase 4 builds the consent architecture. Every processing purpose requires separate, specific consent under Section 6. Bundled consent ("by using this service, you agree to all processing") is non-compliant. Phase 5 drafts Section 5 notices for each processing category — employee data, customer data, marketing data, analytics data — each with itemised purposes, retention periods, and withdrawal mechanisms. Phase 6 restructures all processor contracts under Section 8(2). The foreign parent's global vendor contracts must be supplemented with DPDPA-specific addenda covering: processing scope limitations, security safeguards, sub-processor controls, breach notification obligations, and deletion on termination. A global Data Processing Agreement (DPA) does not satisfy DPDPA requirements without India-specific terms.

Key Points

  • Unbundled consent per processing purpose
  • Section 5 notices per data category
  • DPDPA-specific vendor contract addenda required
  • Global DPA insufficient without India terms

Phases 7-9: Rights Infrastructure, Breach Response, and Children's Data

Phase 7 operationalises Data Principal rights under Sections 11-13: the right to access information about processing, the right to correction and erasure, and the right to nominate. The foreign entity must establish a dedicated rights request portal, response SLAs, and identity verification protocols. Phase 8 builds the breach response framework under Section 8(6) read with Rule 7. India-specific incident classification, escalation matrices, Board notification templates, and Data Principal communication scripts must be pre-built — not improvised during an incident. Phase 9 addresses children's data under Section 9 read with Rules 10-12. Any platform accessible to individuals under 18 in India must implement age verification, parental consent collection, and behavioural targeting suppression.

Key Points

  • Rights request portal with response SLAs
  • Pre-built breach notification templates
  • India-specific incident escalation matrix
  • Age verification for under-18 users

Phases 10-12: SDF Assessment, Cross-Border Architecture, and Enforcement Readiness

Phase 10 assesses Significant Data Fiduciary risk under Section 10 read with Rule 13. Volume of processing, sensitivity of data, and risk to Data Principal rights determine SDF classification. If SDF notification is likely, budget immediately for a resident DPO, periodic DPIA cycles, and independent audit engagements. Phase 11 designs the cross-border data architecture under Section 16. While DPDPA permits transfers to all jurisdictions not on the negative list, sectoral regulators (RBI, IRDAI, SEBI) impose independent localisation requirements that override the DPDPA's permissive default. Phase 12 builds the enforcement readiness layer: Board hearing preparation, documentation of compliance measures, penalty mitigation strategy, and appellate response planning. Penalties under DPDPA extend up to Rs 250 Cr under the Schedule — the compliance investment is proportionate to the exposure.

Key Points

  • SDF assessment determines compliance tier
  • Cross-border design must layer sectoral localisation
  • Board hearing preparation and documentation
  • Penalties up to Rs 250 Cr (Schedule)

Key Takeaways

1. Conduct Section 3 jurisdictional analysis before any India market entry or expansion
2. Map entity structure to DPDPA roles (Fiduciary, Processor, Co-Fiduciary) with legal clarity
3. Build India-specific consent and notice infrastructure — GDPR templates are not portable
4. Supplement global vendor contracts with DPDPA-specific addenda under Rule 6
5. Pre-build breach response playbooks before the first incident — not during one
6. Assess SDF classification risk early and budget for enhanced compliance infrastructure
7. Layer RBI, IRDAI, and SEBI localisation requirements over DPDPA cross-border framework

Statutory References

  • DPDPA Section 3
  • DPDPA Section 5
  • DPDPA Section 6
  • DPDPA Section 8(2)
  • DPDPA Section 8(6)
  • DPDPA Section 9
  • DPDPA Section 10
  • DPDPA Section 11
  • DPDPA Section 12
  • DPDPA Section 13
  • DPDPA Section 16
  • DPDP Rules 2025, Rule 6
  • DPDP Rules 2025, Rule 7
  • DPDP Rules 2025, Rule 10
  • DPDP Rules 2025, Rule 13

Insights & Answers

What practitioners and boards are asking

What is the DPDPA compliance process for foreign companies entering India?

Foreign companies entering India must follow a structured compliance roadmap: (1) Jurisdictional analysis under Section 3 to determine if DPDPA applies, (2) Entity mapping to identify Fiduciary/Processor roles, (3) Data touchpoint audit across HR, CRM, procurement, and analytics, (4) India-specific consent and notice infrastructure (GDPR templates are not portable), (5) Processor contract restructuring with DPDPA addenda, (6) Rights infrastructure, breach response playbooks, and children's data protections, (7) SDF risk assessment and cross-border architecture design layering sectoral localisation requirements.