India's DPDP Act 2023: An NRI Data Buyer's Brief
India's Digital Personal Data Protection Act 2023 (DPDP) is India's first comprehensive personal-data law — broadly modelled on EU GDPR but adapted for Indian regulatory realities. For NRI data buyers based outside India, the practical question is: when does DPDP apply to my use of NRI data, and what does compliance look like? The short answer is "usually it doesn't, but check the edge cases."
What DPDP covers
DPDP applies to processing of personal data:
- Within India, regardless of where the controller is located; or
- Outside India, where the processing is in connection with offering goods or services to data principals (data subjects) located within India.
Why DPDP usually does not apply to NRI marketing
NRIs are by definition Non-Resident Indians — Indian nationals or persons of Indian origin who live outside India. The data subjects of NRI marketing campaigns are physically located in the UK, UAE, USA, or other foreign countries — not within India. As a result, DPDP's territorial scope usually does not extend to a non-Indian controller marketing to NRIs.
The two principal exceptions:
- You operate within India. If your business is registered in India or processes the dataset on Indian infrastructure (Indian-based servers, Indian sub-processors), DPDP applies to that processing.
- You market to India-resident parties. If you use the NRI dataset to market goods or services to India-resident relatives (e.g., emailing the NRI's parents in India), that processing falls within DPDP scope.
What DPDP requires when it does apply
The substantive requirements track EU GDPR closely:
- Lawful basis (consent or legitimate use) for processing personal data.
- Notice to data principals at the point of collection.
- Data principal rights — access, correction, erasure, grievance redressal.
- Reasonable security safeguards.
- Data breach notification to the Data Protection Board of India.
- Significant Data Fiduciary obligations for high-volume processors (DPO appointment, DPIA, audit).
Penalties
DPDP penalties run up to ₹250 crore (~$30M USD) for serious breaches such as:
- Failure to take reasonable security safeguards (up to ₹250 crore).
- Failure to notify a personal-data breach (up to ₹200 crore).
- Failure to fulfill obligations as a Significant Data Fiduciary (up to ₹150 crore).
- Breach of additional obligations relating to processing of children's personal data (up to ₹200 crore).
Enforcement reality in 2026
DPDP enforcement against foreign controllers is nascent. The Data Protection Board of India is still building enforcement capacity, and cross-border enforcement is technically difficult. That said:
- Enforcement against India-based businesses is already active.
- Foreign controllers with significant India connections (Indian subsidiaries, Indian sub-processors, India-resident customers) face real exposure.
- The medium-term direction is clearly toward more assertive enforcement, including cross-border cooperation under MLAT-style arrangements.
What this means for NRI marketers in practice
- If you are a UK / UAE / USA-based controller marketing to UK / UAE / USA-resident NRIs from non-India infrastructure, DPDP usually does not apply to your processing.
- If you have any India-side processing — Indian sub-processor, Indian server, Indian employee handling the data — DPDP applies to that processing.
- If your business operates in India (registered Indian entity), DPDP applies regardless of where the data subjects are located.
- If you market to India-resident parties (e.g., relatives of NRIs), the India-side processing is in scope.
- Document your DPDP-applicability analysis as part of your compliance file. The analysis is more important than the conclusion.
Common mistakes
- Assuming DPDP doesn't apply just because the data subject is an NRI. Check your processing infrastructure too.
- Ignoring the children's-data provisions. DPDP has strict rules around processing personal data of minors (under 18) — relevant for India-connected EdTech and family-services NRI marketing.
- Skipping documentation. Even if DPDP doesn't apply, your written analysis is what protects you in an enforcement inquiry.