When is Personal Data Said to be Digital Under the DPDP Act
The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant milestone in India’s evolving data protection landscape. As businesses, governments, and individuals increasingly rely on technology, understanding what constitutes “digital personal data” becomes crucial. One of the foundational concepts under the Act is the classification of personal data as “digital,” because the law applies specifically to such data.
But when exactly is personal data considered digital under the DPDP Act? The answer is broader than it may initially seem. This blog explores the concept in depth, breaking down the legal definition, its implications, and practical examples to help you fully understand its scope.
Get a callback
Understanding Personal Data Under the DPDP Act
Before diving into what makes personal data “digital,” it’s important to understand what personal data itself means.
Under the DPDP Act, personal data refers to any information that relates to an identified or identifiable individual. This could include:
- Names
- Phone numbers
- Email addresses
- Aadhaar numbers
- Financial information
- Location data
- Online identifiers
If a piece of information can directly or indirectly identify a person, it qualifies as personal data.
What Is “Digital Personal Data”?
The DPDP Act specifically governs digital personal data, and it defines this concept in two key ways:
- Data Collected in Digital Form
Any personal data that is collected directly through digital means is considered digital personal data.
Examples:
- Filling out a form on a website
- Submitting information through a mobile app
- Registering on an e-commerce platform
- Signing up for a newsletter online
- Uploading documents via an online portal
In all these cases, the data originates in digital format, making it clearly subject to the Act.
- Data Collected Offline but Later Digitized
The scope of the DPDP Act extends beyond purely digital interactions. It also includes personal data that is initially collected in physical form but later converted into digital format.
Examples:
- Paper forms entered into a database
- Physical customer records scanned and stored in cloud storage
- Handwritten survey responses digitized into spreadsheets
- Printed applications uploaded into internal systems
Once such data is digitized, it becomes digital personal data and falls under the Act’s purview.
What Is Not Covered?
The DPDP Act does not apply to personal data that remains entirely in non-digital (physical) form.
Examples:
- Paper files stored in physical cabinets
- Handwritten notes never digitized
- Printed registers that are not converted into electronic format
As long as the data stays offline and is not digitized, it is outside the scope of the Act.
However, this exclusion is conditional. The moment such data is digitized—even partially—it becomes subject to the law.
Why This Distinction Matters
The distinction between digital and non-digital personal data is not just technical—it has real legal and operational implications.
- Compliance Requirements
Organizations handling digital personal data must comply with obligations such as:
- Obtaining user consent
- Ensuring data security
- Limiting data usage to specified purposes
- Allowing users to access and correct their data
If data is not digital, these obligations do not apply under the DPDP Act.
- Data Lifecycle Management
The Act emphasizes responsible handling of data throughout its lifecycle:
- Collection
- Storage
- Processing
- Sharing
- Deletion
Once data enters the digital ecosystem, every stage must comply with regulatory requirements.
- Increased Accountability
Digitized data is easier to process, transfer, and analyze—but also easier to misuse. By covering both originally digital and digitized data, the Act ensures:
- Broader accountability
- Reduced loopholes
- Better protection for individuals
Applicability Beyond India
The DPDP Act has extraterritorial applicability, meaning it applies even outside India in certain cases.
When Does It Apply Globally?
The Act applies to digital personal data processed outside India if:
- The data relates to individuals in India, and
- The processing is connected to offering goods or services to such individuals
Example:
A foreign e-commerce company collecting data from Indian users through its website must comply with the DPDP Act—even if its servers are located abroad.
Key Characteristics of Digital Personal Data
To summarize, personal data is considered digital under the DPDP Act if it meets any of the following conditions:
Exists in Digital Form
- Created, stored, or processed electronically
Digitized After Collection
- Initially collected offline but later converted into digital format
Stored in Digital Systems
- Databases, cloud platforms, servers, or software systems
Used for Digital Processing
- Analytics, AI processing, automated decision-making, etc.
Practical Scenarios
Let’s look at some real-world scenarios to clarify how this works:
Scenario 1: Hospital Records
A hospital collects patient information on paper forms and later enters it into a hospital management system.
This becomes digital personal data once entered into the system.
Scenario 2: School Admission Forms
A school collects physical admission forms and stores them in filing cabinets without digitizing them.
This remains non-digital and is not covered by the Act.
Scenario 3: Retail Store Loyalty Program
A store collects customer details on paper but uploads them into a CRM system.
The data becomes digital personal data and is subject to the Act.
Scenario 4: Mobile App Registration
A user signs up using a mobile app and provides personal details.
This is digital personal data from the start.
Challenges for Organizations
The broad definition of digital personal data creates several challenges:
- Data Mapping
Organizations must identify:
- What data they collect
- How it is stored
- Whether it is digitized
- Legacy Records
Many organizations have decades of paper records that are being digitized.
Once digitized, these records fall under compliance requirements.
- Hybrid Systems
Some organizations operate both physical and digital systems.
They must ensure that any data crossing into digital systems is handled lawfully.
- Vendor and Third-Party Risks
Data processed by vendors (e.g., cloud providers, analytics firms) must also comply.
Best Practices for Compliance
To align with the DPDP Act, organizations should:
Audit Data Sources
Identify whether data is:
- Born digital
- Digitized later
Implement Consent Mechanisms
Ensure users clearly consent to data collection and usage.
Secure Digital Data
Use:
- Encryption
- Access controls
- Regular security audits
Maintain Data Minimization
Collect only necessary data.
Track Digitization Activities
Maintain logs of when and how physical data is digitized.
Conclusion
Under the DPDP Act, 2023, personal data is considered “digital” not only when it is collected through digital channels but also when it is converted into digital form after being collected offline. This dual approach significantly broadens the scope of the law, ensuring that individuals’ data remains protected regardless of how it enters the digital ecosystem.
The key takeaway is simple: if personal data exists in digital form at any point, it is likely subject to the DPDP Act.
For organizations, this means greater responsibility—but also an opportunity to build trust through responsible data practices. For individuals, it provides stronger safeguards in an increasingly digital world.
Frequently Asked Questions (FAQs)
Q1. What is digital personal data under the DPDP Act?
A1. Digital personal data refers to personal information that is either collected digitally or collected offline and later digitized.
Q2. Does the DPDP Act apply to paper records?
A2. No, the Act does not apply to purely physical records unless they are converted into digital form.
Q3. If I scan documents, do they become digital personal data?
A3. Yes, once documents are scanned or digitized, they are considered digital personal data.
Q4. Is email data covered under the DPDP Act?
A4. Yes, emails containing personal information are considered digital personal data.
Q5. What about data collected through mobile apps?
A5. Data collected through mobile apps is digital personal data from the outset and is fully covered by the Act.
Q6. Does the Act apply to foreign companies?
A6. Yes, if they process data related to individuals in India and offer goods or services to them.
Q7. Are spreadsheets and databases covered?
A7. Yes, any personal data stored in spreadsheets, databases, or cloud systems is considered digital.
Q8. What happens if offline data is later digitized?
A8. Once digitized, the data becomes subject to the DPDP Act and must comply with its requirements.
Q9. Is CCTV footage considered digital personal data?
A9. Yes, if it can identify individuals and is stored digitally, it is covered under the Act.
Q10. Why is the distinction between digital and non-digital data important?
A10. Because the DPDP Act applies only to digital personal data, determining compliance obligations depends on this classification.