An AI system runs on data, and a meaningful share of that data is personal. So, the natural question in front of all enterprises adopting AI today should be how will the DPDPA impact AI?
The DPDP Act does not single out AI as a special category. Instead, it applies its existing consent, purpose limitation and accountability principles to any system that processes personal data, artificial intelligence included. However, the reach is broader when you first map your AI stack against the Act.
For those building or buying AI across sectors, from fintech underwriting models to healthcare diagnostics to retail personalisation engines, DPDPA changes how training data is sourced, how consent is documented and how cross-border AI tools are used.
Although, we expect more clarity around AI governance from the DPDPA in the future, this blog walks through where the Act touches AI adoption and what your team needs in place before enforcement fully lands.
Do AI systems fall inside DPDPA’s scope?
Section 3(c) of the DPDPA defines personal data broadly, covering any information relating to an identifiable individual. Nothing exempts data because it feeds a model rather than a database.
Training data is personal data too
If your AI model is trained on customer records, transaction histories or user behaviour logs, that training dataset is subject to the same consent and purpose limitation rules as any other processing activity.
This includes structured datasets used for supervised learning such as credit scoring inputs or claims history, unstructured data like chat transcripts and support tickets used for natural language models, and behavioural signals such as clickstream or app usage data feeding recommendation engines.
Automated decision-making draws extra scrutiny
Where AI outputs influence decisions about a person, such as loan approval or eligibility screening, the Data Protection Board can examine whether adequate safeguards existed against harm from that processing.
Consent architecture needs to change for AI use cases
DPDPA rejects the “legitimate interest” basis that GDPR allows. Processing needs consent that is free, specific, informed and unambiguous, or a narrow legitimate use exemption.
What this means for model training
Consent notices written for a single purpose, such as service delivery, do not automatically cover secondary use for model training.
Practical steps include separating purpose clauses so consent for AI training is distinct from consent for the primary service, building consent withdrawal into the pipeline so a withdrawn consent stops that data point from being used in future training runs, and documenting lawful basis per dataset rather than per organisation.
The erasure and retraining tension
Once personal data has shaped a trained model, removing a specific data point without retraining is technically difficult. Organisations should plan for this at the design stage using techniques like differential privacy or federated learning, rather than treating erasure requests as an afterthought.
Significant Data Fiduciary status brings AI-specific obligations
Classification as a Significant Data Fiduciary (SDF) under Section 10 is government-notified based on factors like data volume and risk, not something an organisation can self-declare or opt out of.
Rule 13 due diligence for algorithmic systems
SDFs must exercise due diligence to confirm that the algorithmic software they use does not pose a risk to the rights of Data Principals.
This applies to AI used for storing, processing, transmitting or modifying personal data, and typically requires a Data Protection Impact Assessment specific to each AI use case, independent audits of algorithmic decision-making processes, and technical documentation covering model architecture, data lineage and decision logic.
This obligation sits on top of the general processing rules, so an SDF’s AI governance burden is materially higher than a standard data fiduciary’s.
Cross-border AI tools carry a distinct compliance risk
Section 17 permits cross-border data transfers unless the government has specifically restricted a destination country, which is a lighter model than GDPR’s adequacy framework. That flexibility does not remove the risk from everyday enterprise AI tool use.
The generative AI copilot problem
Every query sent to a cloud-based AI assistant can transmit personal or proprietary data to servers outside India. Employees pasting customer details or internal documents into public AI tools create exposure the organisation may not even be tracking.
Building an enterprise AI usage policy
A workable policy typically covers using approved, enterprise-tier AI products with data residency guarantees over free public versions, prohibiting submission of customer or employee personal data into external AI tools without an explicit documented basis, deploying data loss prevention controls that flag sensitive data before it leaves the network, and training employees on what DPDPA classifies as personal data.
What MeitY’s AI governance guidelines signal
The India AI Governance Guidelines released in November 2025 confirmed the government’s intent to regulate AI through existing law, DPDPA included, rather than a standalone AI statute. DPDPA obligations on consent, purpose limitation and data minimisation will continue to shape how AI systems are built and audited.
Conclusion
DPDPA does not ask organisations to slow AI adoption. It asks for traceability: knowing what personal data trains your models, under what consent, and where that data travels once an AI tool is in the loop. Enterprises that build this traceability now, rather than retrofitting it before the May 2027 enforcement deadline, will move faster once the Data Protection Board starts examining AI-driven processing.
At CyberNX, our DPDPA Consultation practice works with technology and AI teams to map training data against consent records, build SDF-ready governance documentation and design enterprise AI usage policies that hold up to audit. If your organisation is deploying AI systems that touch personal data, talk to our team about a readiness assessment before your next model goes into production.
How will the DPDPA Impact AI FAQs
Does DPDPA apply to AI models trained outside India using Indian user data?
Yes. DPDPA applies based on whether the data belongs to individuals in India, not where the processing or training occurs, provided the goods or services are offered to people in India.
Do organisations need separate consent for AI training versus regular service delivery?
In most cases yes, since DPDPA’s purpose limitation principle requires consent to be specific to each stated purpose.
Is anonymised data exempt from DPDPA when used for AI training?
Data that is genuinely and irreversibly anonymised falls outside the Act’s scope. Pseudonymised data that can be re-identified generally does not qualify.



