DPDP Act compliance and AI tools
7 min read · Reference · Updated May 12, 2026 · Not legal advice
India's Digital Personal Data Protection Act (DPDP Act, 2023) puts real obligations on every company that processes digital personal data within India, and on processing outside India that is connected to offering goods or services to people in India. The Act doesn't single out AI tools, but every clause that governs "processing" and "disclosure" of personal data applies the moment an employee pastes that data into ChatGPT, Claude, Gemini, or any other third-party service.
This article is a plain-English orientation, not legal advice. Get qualified Indian counsel before relying on it for compliance decisions.
Why AI tool usage falls under the DPDP Act
The Act applies to any "digital personal data" processed for any "lawful purpose". The moment an employee pastes a customer phone number, email, Aadhaar reference, PAN, or financial detail into an AI tool, you are:
- Processing personal data (transmission + the model's subsequent operations are both processing).
- Disclosing it to a third party (the AI provider) and any sub-processors they use. Where the provider processes the data on your behalf it is your Data Processor, and you remain responsible for that processing regardless of what the contract says (Section 8(1)).
- Transferring it outside India when the provider processes the prompt on infrastructure outside India, wherever that company happens to be incorporated.
All three trigger DPDP duties - and the consent the data principal originally gave you almost certainly didn't list "may be pasted into ChatGPT to draft your support reply".
The five duties that bite hardest
1. Purpose limitation (Sections 4 and 6)
Data may be processed only for a lawful purpose the principal consented to, and that consent is limited to the personal data necessary for the specified purpose. Pasting customer data into an AI tool to summarise a ticket is a new purpose that wasn't consented to. The fix isn't adding "we may share with AI tools" to your privacy policy - that's rarely meaningful consent. The fix is removing the personal data before it reaches the AI tool.
2. Notice and the right to access (Sections 5 and 11)
Principals must be told what personal data is collected and why, and may ask for the identities of every Data Fiduciary and Data Processor their data has been shared with. If you don't know which AI tools your employees are using (Shadow AI), you can't answer that question - and a Data Principal request asking "has my data gone to OpenAI?" becomes very awkward.
3. Reasonable security safeguards (Section 8(5))
A Data Fiduciary must protect personal data in its possession or control, including data processed on its behalf by a Data Processor, by taking "reasonable security safeguards" to prevent a personal data breach. The Act leaves the term open, and the rules made under it describe safeguards in terms of technical measures (encryption or masking, access control, logging and monitoring of access), not just policies. A documented AI DLP control maps directly to this clause.
4. Breach notification (Section 8(6))
Personal data breaches must be reported to the Data Protection Board and to each affected principal, and the Act itself sets no harm or materiality threshold below which notification can be skipped. An unredacted customer list ending up in an external AI tool is a notifiable breach. Detection-and-redaction logs are how you show what did and did not leave - and how you scope an incident if one did.
5. Penalties (Section 33 and the Schedule)
The Schedule sets the penalty for failing to take reasonable security safeguards at up to ₹250 crore, the highest tier in the Act. A leak caused by an employee pasting an unredacted customer export into an AI tool is about the clearest "reasonable security would have prevented this" case the Board could see.
What "reasonable security safeguards" looks like for AI
A defensible AI governance posture under the DPDP Act usually includes:
- Inventory. You know which AI tools your employees use. Shadow AI is a known unknown - fix it.
- In-flight redaction. Personal data is removed from prompts before they reach a third-party AI service. Of the five, this is the control that actually prevents the disclosure rather than documenting it afterwards.
- Audit log. Per-employee, per-tool log of which categories of data were detected and redacted, and how many. Log categories and counts, not the redacted values themselves, or the log becomes a second copy of the personal data you just removed. Critical for Data Principal requests and incident scoping.
- Policy + training. Written acceptable-use policy, with documented training. The Board looks at the policy + the technical control together.
- Data residency awareness. If you're transferring personal data outside India, you should know what's in the payload before it leaves.
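As an added illustration of the redaction and audit-log items above (example code written for this article, not NexusNest's or any vendor's implementation), the Python below shows the shape of such a control: detector patterns for four identifier categories common in Indian customer data (Aadhaar with its Verhoeff check digit validated, PAN, Indian mobile number, e-mail), replacement with category tokens before the prompt leaves, and an audit record that stores categories, counts and keyed hashes of the identifiers rather than the values. The category set, the sample ticket and the audit key are assumptions constructed for the example.

```python
"""Hypothetical in-flight redaction with a category-only audit record, written
for this article; not NexusNest's or any vendor's code. Assumes four identifier
categories, an org-held audit key and a constructed sample ticket."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Verhoeff tables. Aadhaar's 12th digit is a Verhoeff check digit, so checking
# it rejects arbitrary 12-digit strings (order IDs, invoice numbers) that a
# pattern match alone would redact as Aadhaar.
_D = [[0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
      [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
      [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
      [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
      [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0]]
_P = [[0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
      [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
      [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
      [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8]]


def verhoeff_valid(digits: str) -> bool:
    """True if the digit string (check digit last) passes the Verhoeff check."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


# Digit look-arounds stop the 10-digit phone pattern firing inside a longer
# number. Order matters: the longer numeric pattern runs first, and a replaced
# token contains no digits, so later patterns cannot re-match it.
_PATTERNS = {
    "AADHAAR": re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)"),
    # PAN: 5 letters, 4 digits, 1 letter; the 4th letter is the holder-type code.
    "PAN": re.compile(r"\b[A-Z]{3}[ABCFGHLJPT][A-Z]\d{4}[A-Z]\b"),
    # Indian mobile: optional +91 or 0 prefix, then 10 digits starting 6-9.
    "PHONE": re.compile(r"(?<![\d+])(?:\+91[ -]?|0)?[6-9]\d{4}[ -]?\d{5}(?!\d)"),
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def normalise(category: str, raw: str) -> str:
    """Canonical form of a matched value, so one identifier hashes one way."""
    if category == "PHONE":
        return re.sub(r"\D", "", raw)[-10:]
    if category == "AADHAAR":
        return re.sub(r"\D", "", raw)
    return raw.strip().upper() if category == "PAN" else raw.strip().lower()


def identifier_handle(audit_key: bytes, category: str, value: str) -> str:
    """Keyed hash of a normalised identifier: lets the log answer 'did this
    principal's PAN leave?' without the log itself storing the PAN."""
    msg = f"{category}:{normalise(category, value)}".encode()
    return hmac.new(audit_key, msg, hashlib.sha256).hexdigest()[:16]


def redact(prompt: str, *, employee: str, tool: str, audit_key: bytes):
    """Return (redacted prompt, audit record). The record holds categories,
    counts and keyed handles only, never the matched text."""
    counts: dict[str, int] = {}
    handles: list[dict] = []
    out = prompt
    for category, pattern in _PATTERNS.items():
        def repl(m, category=category):
            raw = m.group(0)
            if category == "AADHAAR" and not verhoeff_valid(re.sub(r"\D", "", raw)):
                return raw  # 12 digits but not an Aadhaar number: leave it alone
            counts[category] = counts.get(category, 0) + 1
            handles.append({"category": category,
                            "handle": identifier_handle(audit_key, category, raw)})
            return f"[{category}_{counts[category]}]"
        out = pattern.sub(repl, out)
    record = {"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "employee": employee, "tool": tool,
              "categories": counts, "identifiers": handles}
    return out, record


def record_mentions(record: dict, audit_key: bytes, category: str, value: str) -> bool:
    """Incident scoping: did this record redact this principal's identifier?"""
    h = identifier_handle(audit_key, category, value)
    return any(x["handle"] == h for x in record["identifiers"])


# Constructed sample ticket (all identifiers synthetic; the Aadhaar-shaped
# number carries a valid Verhoeff digit, the order ref does not).
SAMPLE_PROMPT = ("Summarise this ticket: Rahul (rahul.k@example.com, +91 98765 43210) "
                 "says his KYC failed. Aadhaar 2345 6789 0124, PAN ABCPE1234F. "
                 "Order ref 234567890123 is unrelated.")

if __name__ == "__main__":
    text, rec = redact(SAMPLE_PROMPT, employee="emp-0042", tool="chatgpt",
                       audit_key=b"demo-audit-key")
    print(text)
    print(rec)
```

Three design points carry over to any real deployment. The Verhoeff check is what keeps the order reference in the sample untouched while the Aadhaar-shaped number is redacted; without it every 12-digit number in a support ticket would be masked. The keyed handle means a Data Principal request ("did my PAN ever go to this tool?") can be answered from the log with an HMAC lookup, while the audit key is held apart from the log so the log on its own reveals nothing. And pattern matching only covers structured identifiers: the customer's name in the sample passes through, which is why production redaction layers add name and free-text detection on top of patterns like these.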
What DPDP does not require
- Banning AI tools. The Act doesn't care what tool you use, only what data flows into it.
- Self-hosted everything. Cloud-hosted AI is fine as long as the personal data going to it is minimised (which redaction handles) and any provider that does process personal data on your behalf is engaged under a valid contract as a Data Processor (Section 8(2)).
- Indian-only data residency for all data. The Act allows cross-border transfers except to countries the Central Government restricts by notification (Section 16); what it does not allow is handing off accountability along with the data.
The short version
If a regulator ever asks how your company complies with the DPDP Act for AI tool usage, "we have a policy that asks employees not to" isn't enough. "We have a technical control that redacts personal data before it reaches the AI, and an audit log per employee" is.
Building DPDP-ready AI governance? NexusNest is built India-first - DPDP category detection, INR billing, and an audit trail that maps to the Act's reporting needs. See how it works →
Sources
- MeitY - Digital Personal Data Protection Act, 2023 (official page)
- DPDP Act 2023 - full text (PDF)
- Government of India - e-Gazette publication (search "DPDP")
- IAPP - overview of the DPDP Act
This article paraphrases the Act for an operator audience and is not legal advice. Section numbers reference the 2023 Act as published; subordinate rules and Board guidance may add detail or revise specifics over time.