
DPDP Act 2023 and Workflow Automation: What Indian Businesses Must Know Before Automating

DPDP Act penalties reach ₹250 crore. Zapier processes data in the US, Make in the EU. n8n self-hosted keeps data on Indian servers. What SMBs must do before automating customer PII.

6 May 2026 9 min read
[Image: DPDP Act workflow automation compliance visual showing consent, privacy notice, data residency and access controls]

India's Digital Personal Data Protection Act 2023 carries penalties of up to ₹250 crore for a single data breach caused by inadequate security safeguards. Most Indian SMBs running automations on Zapier or Make are routing customer names, phone numbers, and financial records through US and EU servers without a clear compliance plan. That doesn't automatically make you liable. But it does mean you need to understand what the DPDP Act actually requires, what it doesn't, and how to choose automation tools that match your data sensitivity level.

Key Takeaways
  • The DPDP Act 2023 applies to any business processing digital personal data of Indian residents - including customer names, emails, phone numbers, and financial records run through automation workflows.
  • Cross-border data transfer is NOT automatically prohibited. The law allows transfers to all countries except those explicitly blocked by the Central Government.
  • Penalties reach ₹250 crore for data breaches caused by failure to implement security safeguards. (Ministry of Electronics and IT, 2023)
  • For high-sensitivity data (Aadhaar, health records, payroll), n8n self-hosted on an Indian server is the only automation path that keeps all processing within India.

What does the DPDP Act actually cover?

The Digital Personal Data Protection Act 2023 was passed in August 2023 and applies to any entity processing "digital personal data" of Indian residents, whether the processor is based in India or abroad (Ministry of Electronics and IT, 2023). The penalty scale ranges from ₹50 crore for minor notification failures up to ₹250 crore for data breaches caused by inadequate security safeguards.

Personal data under the Act means any data that can identify an individual. That includes customer names, email addresses, phone numbers, Aadhaar numbers, PAN numbers, financial records, health data, and biometric data. It does not include business-level identifiers. A customer's GSTIN is business data, not personal data. An employee's salary? Personal data. Your Razorpay transaction amount? Depends on whether it's linked to an individual.

As a Data Fiduciary (the business collecting and using data), your core obligations are straightforward. You must obtain informed consent before collecting data. You must tell users what you'll do with their data and for how long. You must maintain security safeguards. You must designate a grievance officer who can handle user complaints. And you must notify users and the Data Protection Board if a breach occurs.

The "Significant Data Fiduciary" category applies to businesses processing data at large scale or handling especially sensitive data. Those businesses face additional obligations including data protection impact assessments and third-party audits. Rules defining the exact thresholds are still being finalised as of 2025-2026.

[Chart: maximum penalty by violation type. Inadequate security safeguards: ₹250 Cr; Non-fulfilment of obligations: ₹150 Cr; Failure to notify a breach: ₹200 Cr. Source: Digital Personal Data Protection Act, 2023 - Ministry of Electronics and IT]
Maximum penalty amounts under DPDP Act 2023 by violation type. Source: Ministry of Electronics and IT, Digital Personal Data Protection Act 2023.

How do automation tools handle your data?

When a customer fills a form on your website and that submission triggers a Make scenario, the customer's name and phone number travel from your server to Make's EU data centers (Frankfurt or Ireland), get processed there, and are then sent onward to WhatsApp or your CRM. The same flow applies to Zapier, except the processing happens on AWS servers in US-East-1 (Zapier, 2024; Make, 2024). Your customer's personal data leaves India the moment the trigger fires.

Here is how the major automation platforms handle data residency for Indian businesses.

  • Zapier: Processes workflow data on AWS us-east-1 (US) servers. No India data residency option.
  • Make: Processes data in EU (Frankfurt and Ireland data centers). No India option.
  • n8n Cloud: Processes data in EU. No India residency option on the managed plan.
  • n8n Self-hosted: You control everything. Deploy on an Indian server and data never leaves India.
  • Zoho (Indian accounts): India data centers available in Mumbai. Zoho Flow processes in India for accounts on the India data center.
  • Google Workspace: EU and US by default. India data residency is available for Workspace for Education accounts but not standard business accounts.

[UNIQUE INSIGHT] Cross-border data transfer is not automatically prohibited under the DPDP Act. The law permits transfers to all countries except those specifically blocked by the Central Government via notification. No country has been blocked yet, and the blocked-country list is not yet published as of 2026. The real compliance risk is not where the data goes. It is whether you have valid consent, adequate security measures, and a processing agreement with your automation platform. Businesses treating "data left India" as an automatic violation are misreading the Act.

DPDP risk matrix: which automations need what level of care?

Not every automation carries the same compliance weight. A GST filing reminder that contains only a GSTIN number involves no personal data. A payroll automation that processes PAN numbers, bank account details, and salary figures is a high-risk flow requiring careful tool selection. The table below maps common Indian SMB automations to their DPDP risk level and tool recommendation.

| Automation type | Data involved | DPDP risk | Recommended tool |
|---|---|---|---|
| Lead form to WhatsApp | Name, phone | Medium | Make or Zapier with consent capture |
| Invoice generation | Name, address, PAN, financial records | High | Zoho Books (India servers) or n8n self-hosted |
| Payroll automation | Salary, PAN, bank details | Very High | Zoho Payroll (India) or on-premise only |
| Customer support logs | Conversations, complaints | Medium | Zoho Desk (India) or self-hosted |
| Health or medical data | Diagnosis, prescriptions | Very High | On-premise only; avoid cloud automation entirely |
| GST filing reminders | GSTIN, turnover | Low | Any platform; GSTIN is business data, not personal |
| Aadhaar-linked data | Aadhaar number, biometrics | Prohibited in cloud | n8n self-hosted on India VPS only |

The risk tiers here are practical, not legal opinions. "Medium" means the data is personal but not so sensitive that a breach causes severe harm. "Very High" means a breach is reportable, potentially catastrophic for the individual, and likely to attract regulatory scrutiny. Aadhaar-linked data sits in its own category because Aadhaar handling is governed by the Aadhaar Act 2016 in addition to DPDP, and routing Aadhaar numbers through foreign servers creates compounded legal exposure.

What SMBs actually need to do: six practical steps

The DPDP Act's implementing rules are still being finalised as of 2026, but the core obligations in the Act itself are already in force (Ministry of Electronics and IT, 2023). Waiting for complete rules before acting is a reasonable strategy for complex questions. For the basics below, you don't need to wait.

Step 1: Map your data flows

List every automation you currently run. For each one, identify what personal data it touches and which platform processes it. A simple spreadsheet works. Column headers: automation name, trigger, personal data fields involved, tool used, tool's data location, consent obtained (yes or no). This map is your baseline. Without it, you can't assess risk or respond to a regulator's question.

Step 2: Add consent capture before every data collection point

Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous. Before collecting a customer's name, email, or phone number in any form, you must tell them what the data will be used for and get a clear opt-in. A pre-ticked checkbox is not valid consent. Add a consent checkbox with a one-line purpose statement to every lead form, booking form, and contact form on your website and landing pages.

Step 3: Create a privacy notice

You need a one-page document that explains: what data you collect, why you collect it, how long you keep it, who you share it with (including automation platforms), and how a user can request correction or erasure. This does not need to be written by a lawyer for a small business. It needs to be accurate and accessible. Link it from your website footer and from every consent checkpoint.

Step 4: Designate a grievance officer

The DPDP Act requires every Data Fiduciary to have a point of contact for user complaints about their data. For a small business, this can be the founder. Publish the grievance officer's name and contact email on your privacy notice. The requirement is real even for businesses with three employees. A published contact who responds within a reasonable timeframe is what the law asks for.

Step 5: Choose automation tools by data sensitivity tier

Use the risk matrix above as a guide. For low and medium-risk automations (lead capture, support ticket creation, GST reminders), Make and Zapier are reasonable choices with proper consent in place. For high and very-high-risk automations (invoicing with PAN data, payroll, health records), route data through Zoho's India servers or n8n self-hosted on an Indian VPS. This is not about distrust of foreign platforms. It is about matching data sensitivity to processing location.

Step 6: Establish a data retention policy

How long is your Google Sheet storing customer phone numbers from last year's lead campaign? The DPDP Act requires that personal data be deleted once its purpose is fulfilled. Set a clear retention window: 12 months for lead data, 7 years for financial records (Income Tax requirement), 3 years for general customer correspondence. Build automated deletion or archival into your workflows. A quarterly audit of open Google Sheets with customer data is a good starting habit.
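As an added example (not code from the article, and not from n8n, Zapier, Make or Zoho), the Python script below turns the Step 1 data-flow map into a small audit that applies the risk matrix above, the Step 2 consent rule (an explicit opt-in with a purpose statement, never a pre-ticked box), the Step 5 rule that high-risk flows stay on Indian-hosted processing, and the Step 6 retention windows. The field labels, tool keys, region codes, audit date and the four inventory rows are constructed for illustration.

```python
"""Constructed DPDP automation audit; not code from the article or any platform."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Field -> practical risk tier, following the article's risk matrix.
# The field names are this example's own labels, not terms from the Act.
FIELD_TIER = {
    "gstin": "low", "turnover": "low",              # business data, not personal data
    "name": "medium", "phone": "medium", "email": "medium", "complaint_text": "medium",
    "address": "high", "pan": "high", "financial_record": "high",
    "salary": "very_high", "bank_account": "very_high",
    "diagnosis": "very_high", "prescription": "very_high",
    "aadhaar": "prohibited_in_cloud", "biometric": "prohibited_in_cloud",
}
TIER_RANK = {"low": 0, "medium": 1, "high": 2, "very_high": 3, "prohibited_in_cloud": 4}

# Processing region per platform, per the article's residency list (keys are constructed).
TOOL_REGION = {
    "zapier": "US", "make": "EU", "n8n_cloud": "EU",
    "n8n_selfhosted_mumbai": "IN", "zoho_india": "IN", "on_premise": "IN",
}

# Step 6 retention windows in days, by record category.
RETENTION_DAYS = {"lead": 365, "financial": 7 * 365, "correspondence": 3 * 365}


@dataclass
class Automation:
    """One row of the Step 1 data-flow spreadsheet."""
    name: str
    trigger: str
    fields: list[str]        # data fields the flow touches (keys of FIELD_TIER)
    tool: str                # key of TOOL_REGION
    record_category: str     # key of RETENTION_DAYS
    consent_explicit: bool   # user actively ticked the opt-in; pre-ticked counts as False
    consent_purpose: str     # one-line purpose statement shown next to the checkbox
    oldest_record: date      # oldest record this flow's store still holds


def risk_tier(fields: list[str]) -> str:
    """Highest tier among the fields; 'low' means no personal data is involved."""
    return max((FIELD_TIER[f] for f in fields), key=TIER_RANK.__getitem__, default="low")


def audit(auto: Automation, today: date) -> list[str]:
    """Return findings for one flow; an empty list means it passes these checks."""
    tier = risk_tier(auto.fields)
    personal = TIER_RANK[tier] >= TIER_RANK["medium"]
    findings = []

    # Step 2: consent must be an explicit opt-in with a stated purpose.
    if personal and not (auto.consent_explicit and auto.consent_purpose.strip()):
        findings.append("consent: no explicit opt-in with a purpose statement")

    # Step 5: high, very-high and Aadhaar-linked flows stay on Indian-hosted processing.
    region = TOOL_REGION[auto.tool]
    if TIER_RANK[tier] >= TIER_RANK["high"] and region != "IN":
        findings.append(f"residency: {tier} data processed in {region} via {auto.tool}")

    # Step 6: personal data past its retention window must be deleted or archived.
    limit = timedelta(days=RETENTION_DAYS[auto.record_category])
    if personal and today - auto.oldest_record > limit:
        findings.append(f"retention: records older than {limit.days} days still held")
    return findings


def audit_inventory(inventory: list[Automation], today: date) -> dict[str, list[str]]:
    """Run the audit over the whole data-flow map."""
    return {auto.name: audit(auto, today) for auto in inventory}


# Constructed sample inventory; the flows and dates are invented for this example.
TODAY = date(2026, 5, 6)
INVENTORY = [
    Automation("Lead form to WhatsApp", "website form submit", ["name", "phone"], "make",
               "lead", True, "Send you a quote on WhatsApp", date(2025, 11, 1)),
    Automation("Payroll sheet sync", "monthly schedule", ["name", "pan", "salary", "bank_account"],
               "zapier", "financial", True, "Process your monthly salary", date(2021, 4, 1)),
    Automation("GST filing reminder", "monthly schedule", ["gstin", "turnover"], "zapier",
               "correspondence", False, "", date(2022, 1, 1)),
    Automation("Old campaign leads", "sheet row added", ["name", "email"], "make",
               "lead", False, "", date(2024, 9, 15)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{name}: {findings or 'OK'}")
```

Running the script flags the payroll flow for residency (very-high data on a US-hosted tool), flags the old campaign leads for both missing consent and expired retention, and passes the GST reminder because GSTIN and turnover are business data rather than personal data. The consent and retention checks are skipped for flows with no personal data, which mirrors the article's point that a GSTIN-only automation carries no DPDP weight.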

Is n8n self-hosted the compliance path for sensitive data?

For automations involving financial records, health data, or Aadhaar-linked information, n8n self-hosted on an Indian server is the only tool that gives you full data sovereignty. All workflow processing happens on your server, at a location you choose. A Mumbai VPS on AWS ap-south-1 or DigitalOcean BLR1 (Bangalore) keeps every byte of customer data within India's borders, regardless of what the DPDP rules ultimately say about cross-border transfers.

The cost is practical. A VPS suitable for running n8n and handling most SMB automation workloads costs ₹500-2,000 per month. The n8n software itself is free and open-source (n8n.io, 2026). At that price point, you're running unlimited workflow executions with no per-task charges, on infrastructure you fully control.

Server options for Indian businesses considering self-hosted n8n:

  • AWS ap-south-1 (Mumbai): Most reliable option, higher cost (₹1,500-3,500/month for a production-grade instance)
  • DigitalOcean BLR1 (Bangalore): Good balance of cost and reliability (₹800-1,500/month)
  • Hetzner (EU): Very affordable but EU-hosted; good GDPR compliance story, not an India residency solution
  • Local Indian VPS providers: Hostinger India, E2E Networks; lowest cost but verify uptime SLAs before using for production

[PERSONAL EXPERIENCE] For Indian CA firms and healthcare providers automating client or patient data, self-hosted n8n is the only automation tool we recommend. The data control argument is clean and unambiguous. When a client asks "where does my patient's data go during this automation?", the answer is "your server in Mumbai" rather than "a data center in Frankfurt." That answer is much easier to stand behind.

What the DPDP Act does NOT require

The Act has been widely misread in business circles, often in ways that create unnecessary fear about standard automation practices. The DPDP Act does not prohibit sending customer data through Zapier or Make (Ministry of Electronics and IT, 2023). What it requires is that you have consent, a legitimate purpose, and security safeguards.

Here is what the Act does not require, stated plainly:

  • No mandatory data localisation: There is no requirement to store or process all personal data within India. The government may introduce localisation requirements for specific categories later, but no such requirement exists in the Act as passed.
  • No blanket prohibition on foreign automation tools: Using Zapier, Make, or any other foreign-hosted platform is not illegal. You need a Data Processing Agreement with these platforms and valid consent from your users.
  • No applicability to personal or domestic use: If you process data for purely personal or household purposes, the Act does not apply.
  • No applicability to anonymised data: Once data is genuinely anonymised and cannot be re-identified, it falls outside the Act's scope.
  • No applicability to data processed for legal proceedings or national security: These carve-outs are explicit in the Act.

The practical implication: a small business running lead nurture automations through Make, with proper consent checkboxes on its forms and a signed Data Processing Agreement with Make, is in a much better compliance position than a business with data stored on Indian servers but no consent mechanism at all. Location matters less than process.

FAQ: DPDP Act and automation compliance for Indian SMBs

Is it illegal to use Zapier or Make for customer data under the DPDP Act?

No. Using Zapier or Make to process Indian customer data is not automatically illegal under the DPDP Act 2023. Cross-border data transfers are permitted except to countries specifically blocked by the Central Government (Ministry of Electronics and IT, 2023). What the law requires is valid consent before data collection, a stated purpose, and adequate security safeguards. A consent checkbox on your form and a Data Processing Agreement with your automation platform are the two most important compliance steps.

What is the penalty for a DPDP Act violation for a small business?

Penalties scale by violation type. Minor procedural failures (such as not notifying a breach promptly) carry penalties up to ₹200 crore. Failure to maintain adequate security safeguards that results in a data breach can reach ₹250 crore. Non-fulfilment of general obligations goes up to ₹150 crore (Ministry of Electronics and IT, 2023). The Data Protection Board determines actual penalty amounts based on severity, impact, and whether the business took remediation steps.

Do I need a lawyer to comply with the DPDP Act for my automation workflows?

For most small businesses, a lawyer is not needed for the basic compliance steps: adding consent checkboxes to forms, writing a plain-language privacy notice, designating a grievance officer, and signing platform Data Processing Agreements. Legal advice becomes worthwhile if you process health data, financial records at scale, or Aadhaar-linked information, or if you are categorised as a Significant Data Fiduciary. Start with the practical steps in this post. Bring in legal counsel for your specific data handling edge cases.

Where to go from here

The DPDP Act 2023 is not a reason to stop automating your business. It is a reason to automate thoughtfully. The businesses most at risk are not those using Make or Zapier. They are businesses collecting customer data through forms with no consent mechanism, storing it indefinitely in Google Sheets, and running it through workflows without knowing what happens to it at each step.

Start with the data mapping exercise. It takes two hours and tells you exactly where your risk sits. Then add consent capture to every collection point. Then match your most sensitive data flows to the right tools using the risk matrix above. That sequence covers the practical bulk of DPDP compliance for most Indian SMBs.

If you want help auditing your current automation stack for DPDP compliance considerations, or want to build new automations on n8n self-hosted with proper data handling from the start, our workflow automation service covers both assessment and implementation. You can also read our full comparison of n8n vs Make for Indian SMBs or our guide to workflow automation tools available in India to continue building your tool selection framework.

What should you verify before using this Compliance guide?

Before acting on dpdp act 2023 and workflow automation, verify the current rules or platform behavior with the n8n Docs. The practical answer depends on your business model, state, turnover, documents, software stack, and whether the decision affects tax, customer data, paid media spend, or a production workflow.

Use this article as a working checklist, then confirm API limits, authentication, webhook payloads, retries, error handling, and hosting requirements. In our audits, most expensive mistakes do not come from ignoring the whole process. They come from one stale assumption, one mismatched address, one missing event, or one automation path that nobody tested after launch.

| Checkpoint | Why it matters | Where to confirm |
|---|---|---|
| Current rule or platform status | Limits, forms, policies, and APIs can change after a blog update. | n8n Docs |
| Your exact business case | A local shop, freelancer, D2C store, agency, and SaaS team rarely need the same next step. | Documents, invoices, campaign data, analytics setup, or workflow logs |
| Implementation evidence | The safest workflow decision is backed by proof, not memory or screenshots from an old setup. | Portal acknowledgement, dashboard export, invoice sample, test lead, or error log |

How do we apply this in real business work?

We start with the smallest decision that can be verified. For compliance work, that means matching PAN, address, bank, invoices, and portal status before filing. For websites, marketing, analytics, and automation, it means testing the real user path from first click to final record. The boring checks catch the costly failures.

A useful rule: if a claim changes money, tax, reporting, or customer communication, keep evidence for it. Save the acknowledgement, export the report, test the form, and note the date you verified the source. That gives you a clean trail when a client, officer, platform, or internal team asks why the setup was done that way.

When should you get expert review?

Get expert review when the next action can create tax exposure, lost reporting data, ad waste, broken customer communication, or production downtime. A simple self-check is enough for low-risk learning. A filed return, new registration, tracking migration, paid campaign restructure, or live automation deserves a second set of eyes before it affects customers or records.

How often should this be rechecked?

Recheck the decision whenever your turnover, state, product mix, campaign budget, website stack, analytics property, or workflow ownership changes. Also recheck it after major portal updates, platform policy changes, annual filing deadlines, and vendor migrations. The guide is useful today only if the facts behind it still match your business.

What is the fastest safe way to decide?

Write the decision in one sentence, list the proof needed for that sentence, and verify only those items first. This keeps the work focused. If the proof confirms the decision, proceed. If one item is unclear, pause and resolve that point before changing filings, campaigns, tracking, website code, or automation logic.

What can go wrong if you skip verification?

The usual failure is not dramatic at first. It looks like a rejected application, a wrong tax invoice, a missing conversion, a duplicate lead, a broken report, or a workflow that silently stops. Those small failures become expensive when nobody notices them until month-end reporting, filing day, or a customer escalation.

What evidence should you keep after making the change?

Keep enough evidence to reconstruct the decision later. For a compliance topic, that usually means the application reference number, registration certificate, invoice sample, return acknowledgement, payment challan, notice reply, or source link checked on the day of filing. For a website, campaign, analytics setup, or automation, keep the before-and-after screenshot, test submission, dashboard export, webhook log, and the exact setting that changed.

This matters because most business fixes are revisited months later, when nobody remembers the original reason. A short evidence trail makes audits faster, handovers cleaner, and vendor conversations more precise. It also keeps the advice in this guide tied to your real operating context instead of becoming a generic checklist that gets copied without review.

  • Date checked: record when the official source, dashboard, or portal screen was reviewed.
  • Business context: note the entity, state, product, campaign, property, or workflow affected.
  • Proof of action: save the acknowledgement, report export, test result, or live URL.
  • Owner: assign one person to re-check the item when rules, tools, or business volume change.
Verification workflow (use this loop before changing money, tax, reporting, or customer communication): 1. Check source, 2. Match records, 3. Test action, 4. Save proof.
Repeat this check whenever rules, platform settings, business volume, or ownership changes.

Which next step should you take after reading this?

Turn the article into one action list. Mark what is already true, what needs proof, and what needs expert review. If you want to go deeper, compare this guide with Workflow Automation, and Business Registration. Then update the decision only after the official source and your own records agree.

Frequently asked questions

Is it illegal to use Zapier or Make for customer data under DPDP Act?

Not automatically. The DPDP Act 2023 does not prohibit cross-border data transfers outright — transfers are allowed except to countries explicitly blocked by the Central Government. Using Zapier or Make becomes a compliance risk when you lack valid consent from data subjects, don't have a privacy notice, or process sensitive categories like Aadhaar-linked data or health records through these platforms.

What is the penalty for DPDP Act violation for a small business?

The DPDP Act 2023 sets penalties on a tiered scale: up to ₹50 crore for failing to notify a data breach, up to ₹150 crore for not fulfilling obligations to Data Principals, and up to ₹250 crore for failure to implement adequate security safeguards that result in a breach. The government has not yet published enforcement guidelines for small businesses specifically, but the Act applies to all entities processing digital personal data of Indian residents.

Do I need a lawyer to comply with DPDP Act for my automation workflows?

Not necessarily. Most SMB compliance steps are practical, not legal: add an explicit consent checkbox to all lead forms, write a one-page privacy notice (purpose, retention period, erasure process), designate a grievance officer (the founder is fine for small businesses), and choose automation tools appropriate for your data sensitivity. For businesses processing sensitive data at scale — health records, financial data, Aadhaar-linked information — a one-hour legal review is worth the cost.
