Checklist Before Collecting Indian User Data by Multinational Corporations

Navigating India’s Digital Personal Data Protection Act, 2023
Introduction: India’s Data Privacy Inflection Point
India is not merely a market but the world’s largest pool of digital consumers, with over 900 million internet users and a rapidly expanding digital economy. For Multinational Corporations (MNCs), collecting personal data from Indian users, whether for targeted advertising, product personalisation, analytics, or service delivery, has never been more commercially attractive. Yet it has also never been more legally consequential.
The Digital Personal Data Protection Act, 2023 (DPDP Act), passed by the Indian Parliament and receiving Presidential assent in August 2023, marks a decisive break from the patchwork of sectoral rules that previously governed data handling in India. Although the rules framed under the Act are still awaited and implementation is phased, the statutory framework is live. MNCs that are slow to align risk not just regulatory penalties, which under the DPDP Act can reach INR 250 crores per contravention, but also reputational damage, loss of user trust, and the loss of operating licences in India.
This thought leadership paper distils the DPDP Act’s obligations into a structured, actionable pre-collection checklist for MNCs. It is not a substitute for tailored legal advice but serves as a foundational compliance compass for legal, technology, and product teams.
Applicability: Does the DPDP Act Apply to Your Organisation?
Before diving into collection mechanics, MNCs must first determine whether and to what extent the DPDP Act applies to them. The Act has significant extraterritorial reach and is not limited to entities physically present in India.
1. Territorial Scope
The DPDP Act applies to the processing of digital personal data where:
- The data is collected within the territory of India (including online collection from persons in India); or
- The data is processed outside India, but in connection with profiling of, or offering of goods and services to, Data Principals (individuals) in India.
This means that an MNC headquartered in the United States, European Union, or Singapore that operates a website, application, or digital platform accessible to Indian residents and collects their personal data, will fall within the DPDP Act’s ambit. The principle mirrors the GDPR’s market-targeting test and should be read expansively.
2. Who is a ‘Data Fiduciary’?
Under the DPDP Act, an entity that alone or in conjunction with others determines the purpose and means of processing personal data is a ‘Data Fiduciary’. MNCs operating in India or targeting Indian users will almost invariably be Data Fiduciaries, bearing primary compliance obligations. Entities processing data on behalf of Data Fiduciaries are ‘Data Processors’, but this does not dilute the Fiduciary’s accountability.
3. Significant Data Fiduciaries (SDFs)
The Central Government may, by notification, designate certain Data Fiduciaries as ‘Significant Data Fiduciaries’ (SDFs) based on factors such as the volume and sensitivity of data processed, potential risk to national security, and impact on sovereignty. SDFs carry enhanced obligations, including appointment of a Data Protection Officer (DPO) based in India, periodic Data Protection Impact Assessments (DPIAs), and audits by independent data auditors. Large MNCs processing high volumes of Indian user data should prepare for possible SDF designation.
Understanding Key Definitions: Clarity Before Collection
A critical pre-collection step is mapping your data practices against the DPDP Act’s core definitions. Mischaracterisation at this stage cascades into non-compliance downstream.
| Term | Definition under DPDP Act, 2023 |
|---|---|
| Personal Data | Any data about an identifiable individual; broader than ‘sensitive’ categories and includes names, contact details, device IDs, browsing history, etc. |
| Data Principal | The individual to whom the personal data relates. Includes minors (through guardians). Indian citizens are Data Principals when their data is collected. |
| Data Fiduciary | Entity determining the purpose and means of processing. Bears primary statutory obligations. |
| Consent Manager | An entity registered with the Data Protection Board enabling Data Principals to give, manage, review, and withdraw consent through an accessible platform. |
| Processing | Wholly or partly automated operations on personal data, including collection, recording, storage, retrieval, use, sharing, transmission, and erasure. |
| Deemed Consent | Consent inferred by law in specific situations (e.g., voluntary provision of data, state functions, employment, emergencies), distinct from express consent. |
The Pre-Collection Checklist for MNCs
The following checklist is organised thematically, mirroring the lifecycle of data collection preparedness. Each item should be signed off by the relevant internal stakeholder before data collection commences or continues.
PART A: Legal Basis & Consent Architecture
- Determine the legal basis for processing: Identify whether you rely on express consent, deemed consent, or a notified exemption. Do not assume that a privacy policy is sufficient; the DPDP Act requires a separate, specific consent notice.
- Design a compliant consent notice: Notices must be itemised, in plain language, and must specify (i) the personal data sought, (ii) the purpose of processing, (iii) the Data Fiduciary’s identity, and (iv) the manner in which the Data Principal may withdraw consent.
- Enable language accessibility: Consent notices must be available in the scheduled languages of the Indian Constitution upon request. For large-scale consumer platforms, proactively provide localised notices in major Indian languages (Hindi, Tamil, Telugu, Bengali, etc.).
- Ensure consent is freely given, specific, informed, and unambiguous: Pre-ticked boxes, bundled consents, or consent tied to service eligibility (where not strictly necessary) will not meet the standard. Map each data collection point to a distinct consent signal.
- Configure withdrawal mechanism: The withdrawal of consent must be as easy as giving it. Audit every consent-grant flow and build a parity withdrawal flow. Document the withdrawal pathway in your privacy notice.
- Register with or integrate a Consent Manager (if applicable): For organisations relying on Consent Manager infrastructure, ensure the Consent Manager is registered with the Data Protection Board (once operationalised) and that integration is technically complete and auditable.
PART B: Data Minimisation & Purpose Limitation
- Map every data element to a disclosed purpose: Run a data inventory audit. Every field collected must correspond to a purpose explicitly stated in your consent notice. Surplus collection, even if technically convenient, is non-compliant.
- Apply data minimisation principles: Collect only what is necessary for the stated purpose. This applies to both the categories of data and volume. Reassess legacy data collection practices that predate the DPDP Act.
- Prohibit repurposing without fresh consent: Build technical and contractual controls to prevent downstream use of data for purposes not originally consented to. This includes intra-group data sharing, cross-product profiling, and sale of insights to third parties.
- Identify and flag sensitive personal data: While the DPDP Act does not use the ‘sensitive personal data’ label of the earlier IT Rules framework, certain categories (health data, financial data, biometric data, data of children) attract elevated obligations and scrutiny. Flag these categories for enhanced governance.
PART C: Children’s Data & Parental Consent
- Determine if your platform is accessible to minors: Under the DPDP Act, minors are persons below 18 years of age. If your platform, product, or service is likely to be accessed by individuals under 18, specific obligations are triggered.
- Implement verifiable parental consent mechanisms: Before processing a minor’s personal data, verifiable consent of a parent or guardian is mandatory. Design age-verification and parental consent flows in accordance with standards to be prescribed by the rules.
- Prohibit behavioural tracking and targeted advertising to children: MNCs must not engage in tracking, behavioural monitoring, or targeted advertising directed at children. This includes profiling for the purposes of algorithmically serving ads or content to users identified as minors.
- Obtain Central Government approval for processing children’s data (if required): Processing of children’s personal data may require prior approval of the Central Government for certain categories of Data Fiduciaries, as may be specified. Monitor notifications carefully.
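The consent-signal, purpose-limitation and children's-data controls in Parts A to C above can be enforced in code rather than left to policy. The following Python is an added illustration, not code from the paper or from any product: it models one consent record per collection point, checks the notice for the four required items, refuses surplus collection, repurposing and barred processing of minors' data, and returns the fields due for erasure on withdrawal. The field and purpose names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Purposes the Act bars for users identified as minors (Part C).
MINOR_BARRED_PURPOSES = {"targeted_advertising", "behavioural_tracking"}

@dataclass
class ConsentRecord:          # one consent signal per collection point (Part A)
    principal_id: str
    fiduciary: str            # notice item (iii): identity of the Data Fiduciary
    data_sought: dict[str, str]   # items (i)/(ii): field -> disclosed purpose
    withdrawal_method: str    # item (iv): how consent can be withdrawn
    is_minor: bool = False
    pre_ticked: bool = False  # a pre-ticked box is not affirmative consent
    withdrawn_at: datetime | None = None

def notice_defects(rec: ConsentRecord) -> list[str]:
    """Ways the notice falls short of the four required items or valid consent."""
    checks = [
        (not rec.fiduciary, "fiduciary identity missing"),
        (not rec.data_sought, "no personal data / purpose itemised"),
        (any(not p for p in rec.data_sought.values()), "field listed without a purpose"),
        (not rec.withdrawal_method, "withdrawal method missing"),
        (rec.pre_ticked, "pre-ticked box is not affirmative consent"),
    ]
    return [msg for bad, msg in checks if bad]

def may_process(rec: ConsentRecord, data_field: str, purpose: str) -> tuple[bool, str]:
    """Gate one processing operation against the consent actually given (Part B)."""
    if notice_defects(rec):
        return False, "consent notice invalid"
    if rec.withdrawn_at is not None:
        return False, "consent withdrawn"
    if data_field not in rec.data_sought:
        return False, f"{data_field}: surplus collection, not in notice"
    if rec.data_sought[data_field] != purpose:
        return False, f"{data_field}: repurposing needs fresh consent"
    if rec.is_minor and purpose in MINOR_BARRED_PURPOSES:
        return False, f"{purpose}: barred for minors"
    return True, "ok"

def withdraw(rec: ConsentRecord) -> list[str]:
    """Record withdrawal; returns the fields now due for erasure (Part E)."""
    rec.withdrawn_at = datetime.now(timezone.utc)
    return sorted(rec.data_sought)

# Constructed sample record, not taken from any real deployment.
SAMPLE = ConsentRecord(
    principal_id="dp-0001", fiduciary="Example Corp",
    data_sought={"email": "account_login", "browsing_history": "personalisation"},
    withdrawal_method="Settings > Privacy > Withdraw consent",
)
```

Calling `may_process(SAMPLE, "browsing_history", "targeted_advertising")` is refused as repurposing, which is the technical control Part B asks for against cross-product profiling and insight sales.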
PART D: Cross-Border Data Transfer Controls
- Identify all jurisdictions receiving Indian user data: Map every international data transfer, including to cloud service providers, analytics platforms, group entities, and third-party vendors, to understand the geographic footprint of Indian personal data.
- Monitor Central Government transfer notifications: The DPDP Act empowers the Central Government to restrict transfer of personal data to specified countries by notification. Unlike GDPR’s adequacy regime, India’s framework is a negative list approach. Review and operationalise any transfer restrictions as and when notified.
- Include DPDP Act obligations in data processing agreements: All contracts with Data Processors receiving Indian personal data must include mandatory data processing terms compliant with the DPDP Act. Update standard contractual clauses and vendor agreements accordingly.
- Assess your cloud infrastructure for Indian data residency requirements: While the DPDP Act does not currently mandate data localisation as broadly as earlier proposals, sector-specific rules (RBI, IRDAI, SEBI) may impose localisation. Verify applicable sectoral obligations.
PART E: Data Principal Rights Infrastructure
- Build a Data Principal rights portal or mechanism: Data Principals have the right to access information about their data, correction and erasure of inaccurate/unnecessary data, and the right to nominate a person to exercise rights on their behalf. Build a functional, response-tracked mechanism.
- Set and document response timelines: The Act requires Data Fiduciaries to respond to Data Principal requests within prescribed timelines (to be specified in Rules). Establish internal SLAs, escalation paths, and logging protocols now, in anticipation of rules.
- Honour erasure requests appropriately: Implement processes for erasure of personal data upon consent withdrawal or satisfaction of the processing purpose. This must include erasure by Data Processors and sub-processors; ensure contractual pass-through.
- Configure grievance redressal mechanism: MNCs must establish a grievance officer, publish their contact details, and ensure Data Principals can lodge complaints that are addressed within the prescribed period. This is a front-end obligation visible to users.
PART F: Organisational & Governance Readiness
- Appoint a Data Protection Officer (DPO) – mandatory for SDFs: SDFs must appoint a DPO based in India, who shall be the point of contact for Data Principals and the Data Protection Board. Even non-SDFs should consider DPO equivalents for governance purposes.
- Conduct a Data Protection Impact Assessment (DPIA): While DPIAs are mandated for SDFs, any MNC engaging in large-scale, high-risk processing of Indian data should proactively conduct a DPIA before launch. This demonstrates accountability and supports legal defensibility.
- Implement data breach detection and notification protocols: The DPDP Act requires Data Fiduciaries to notify the Data Protection Board and affected Data Principals of any personal data breach in the prescribed manner and form. Ensure your SIEM infrastructure, incident response playbooks, and legal notification workflows are aligned.
- Review and update employee data practices: Employment-related personal data also falls under the DPDP Act’s ambit. Review HR data practices, including background verification, monitoring, and payroll data processing, for compliance.
- Conduct privacy training for key personnel: Employees involved in product development, marketing, data engineering, and legal must be trained on the DPDP Act’s requirements. Ignorance is not a defence, and enforcement risk is real.
- Document everything: Maintain records of consent signals, processing activities, DPIA outcomes, breach logs, and Data Principal requests. Accountability under the DPDP Act is evidenced through documentation. Build a compliance record that can withstand regulatory scrutiny.
Exemptions: Know When the Checklist Shifts
The DPDP Act carves out specific exemptions where some or all of its provisions do not apply. MNCs should not, however, treat exemptions as a default exit from compliance. Exemptions must be carefully scoped and documented.
- State instrumentalities and notified research/statistical/archival purposes may attract reduced obligations, but commercial MNCs will rarely qualify.
- Processing for national security, public order, or prevention of offences may be exempt by Central Government notification, and MNCs should not assume this applies to them.
- Start-ups and smaller entities may receive threshold-based relaxations as prescribed, but global MNCs with large Indian user bases are unlikely to qualify for these relaxations.
- Manual processing of personal data (non-automated) falls outside the Act’s scope, but most MNC data operations are automated and therefore within scope.
The prudent approach is to design full DPDP Act compliance into your data architecture and then document any exemption that you legitimately rely upon, rather than designing for exemption and risking mis-characterisation.
Penalty Framework: The Cost of Non-Compliance
The DPDP Act establishes a tiered penalty regime adjudicated by the Data Protection Board of India (DPBI). Key penalty thresholds include:
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards causing data breach | INR 250 Crores |
| Failure to notify the Board and Data Principals of a breach | INR 200 Crores |
| Non-compliance with obligations relating to children’s data | INR 200 Crores |
| Non-compliance with Significant Data Fiduciary obligations | INR 150 Crores |
| Breach of Data Principal rights obligations or duties | INR 10,000 (per individual); aggregated risk can be substantial |
Penalties are cumulative and can be assessed per contravention. For MNCs processing data of tens of millions of Indian users, even a modest per-incident penalty multiplied across a large data set produces an existential compliance risk. The DPBI’s powers to issue directives, require erasure, and block data flows add operational stakes beyond monetary penalties.
Intersection with Other Laws: The Compliance Matrix
The DPDP Act does not operate in isolation. MNCs must navigate a complex intersection of laws:
- Information Technology Act, 2000 and IT (Reasonable Security Practices) Rules, 2011 continue to apply pending repeal provisions under the DPDP Act. Data breach and security obligations under IT Rules remain in effect.
- Reserve Bank of India (RBI) Guidelines: for fintech, banking, and payment sector entities, RBI’s data localisation and storage norms for payment data are distinct and mandatory requirements.
- SEBI, IRDAI, and TRAI Regulations for capital markets, insurance, and telecom sectors have independent data-related regulations that may impose obligations beyond the DPDP Act.
- Consumer Protection (E-Commerce) Rules, 2020 impose additional transparency and grievance obligations on e-commerce entities collecting Indian consumer data.
- GDPR / UK GDPR: MNCs subject to European data protection law must ensure that Indian compliance measures do not create conflicts with GDPR obligations, particularly in cross-border transfer contexts.
Legal counsel should prepare a jurisdiction-specific compliance matrix identifying applicable laws, divergences, and an integrated compliance pathway.
Practical Recommendations for MNC Legal & Compliance Teams
- Form a cross-functional DPDP Act task force comprising legal, IT, product, HR, and finance; compliance is not a legal team obligation alone.
- Commission a DPDP Act gap assessment against your current data practices, mapped to the checklist items in this paper. Prioritise high-risk gaps.
- Update all privacy notices, consent flows, cookie banners, and data sharing disclosures to align with DPDP Act standards before rules are finalised; retrofitting after rules are issued will be resource-intensive.
- Negotiate DPDP Act-compliant data processing addenda with all Indian vendors, third parties, and group entities that receive Indian personal data.
- Monitor the Data Protection Board’s constitution, rule notifications, and guidance. The regulatory landscape will evolve rapidly once the DPBI is operational.
- Engage proactively with the MeitY consultation process on draft rules; MNCs with significant Indian presence have a legitimate stake in shaping implementable regulations.
- Do not wait for the rules to be finalised. The obligations under the principal Act are enforceable now. Design for compliance against the Act and refine for rules when they arrive.
Conclusion: Compliance as a Competitive Differentiator
For Multinational Corporations, the DPDP Act is not merely a compliance burden but an opportunity to differentiate on trust. Indian users are increasingly data-aware, and regulators globally are watching how platforms govern user data in high-growth markets. MNCs that invest in DPDP Act compliance today will build institutional credibility with Indian regulators, demonstrate accountability to boards and investors, and build genuine user trust, all of which are long-term competitive advantages.