checkDPDP

Industry guide · #8 most exposed · High risk

DPDP Act for Government & PSU in India

Government portals, PSU customer platforms, e-governance applications, public-utility apps and state-level citizen services are Data Fiduciaries under the Act. Section 17 provides limited exemptions for specific government functions, but the default position is full coverage, including likely Significant Data Fiduciary (SDF) status for any platform touching tens of millions of citizens.

Penalty exposure cap

₹250 cr

Section 8 security failures hit ₹250 cr; SDF duty failures ₹150 cr. Public-sector breaches also draw parliamentary and CAG scrutiny on top of the Board.

Realistic effort

200–500 hrs (10–24 weeks)

CISO + DPO + Department privacy lead + auditor

Annual budget

₹10–50 lakh / yr (typically procurement-funded)

Tooling + DPO retainer + audit

Sector regulators

MeitY · CERT-In · CAG (audit)

Stack on top of DPDP — comply with both

Why this industry

How DPDP hits Government & PSU differently

Volume alone (hundreds of millions of citizens) triggers SDF criteria. Many platforms touch Aadhaar-linked data, sensitive caste / minority status, and welfare scheme eligibility. The Section 17 exemption is narrower than people assume — only specific notified functions qualify.

What you must do

Specific DPDP obligations for this sector

Section 17

Confirm Section 17 exemption applicability

Notified functions only. Default assumption: not exempt unless gazetted.

Section 10

DPO appointment + audit + DPIA (likely SDF)

Any citizen-facing platform at scale should plan as SDF — DPO, audit, DPIA mandatory.

Section 6

Granular consent for non-statutory data sharing

Sharing between departments requires consent or a specific notification; mass MoUs without consent are exposed.

Section 16

India residency for citizen data

Public-sector data on Indian citizens defaults to India-resident processing.

Rules · breach notification

Breach notification with citizen-impact assessment

72-hour Board notification + CERT-In 6-hour notification + parliamentary disclosure pathway.

What to ship

Minimum control set + realistic time to land each

Effort estimates assume an in-house engineer + an external CMP/DPO partner where indicated. Cumulative time gets you to a defensible posture; full SDF maturity adds 1–2 quarters on top.

  1. DPO appointment per platform

    4–8 weeks (procurement)

  2. Section 17 mapping exercise (legal + dept)

    2–4 weeks legal

  3. DPIA for every citizen-facing service

    2 weeks per service

  4. Independent audit per Section 10

    6–10 weeks (empanelled auditor)

  5. India residency for cloud / DC

    1–2 quarter migration if not already in place

  6. Consent notice + grievance officer per service

    1 week per service

  7. Vendor inventory + DPA chase for every integrator

    4–8 weeks

What goes wrong

Real-world enforcement scenarios

Citizen data shared between departments without notification

Section 6 + Section 5 — mid-band fine + media scrutiny.

Welfare-scheme database leak

Section 8(5) ₹250 cr cap + parliamentary inquiry + CAG audit. Highest-visibility breach.

Close these first

The three highest-impact gaps for this sector

  1. No mapping of which services are exempt vs in-scope

    Legal + dept workshop to produce the Section 17 register.

  2. No DPO for citizen-facing platforms

    Procurement-funded DPO role per major platform.

  3. Inter-department data sharing without consent / notification

    Build the consent/notification register before the next sharing MoU is signed.


Government / PSU · FAQ

Sector-specific questions, answered

Are all government platforms exempt under Section 17?

No. Only specific notified functions are exempt. Default assumption: full DPDP coverage unless gazetted otherwise.

Is Aadhaar-linked data subject to DPDP?

Yes, in addition to the Aadhaar Act and UIDAI regulations. DPDP layers on top of them; it does not replace them.

Who is the DPO for a state government portal?

A senior officer designated by the department, with a reporting line to the secretary. Must be India-resident and accountable to citizens for grievance redressal.