Any operation performed on digital personal data including collection, storage, use, sharing, or erasure.
Processing means any wholly or partly automated operation performed on digital personal data. This includes collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction. Under DPDPA, virtually anything you do with personal data constitutes processing and requires a lawful basis.
Every interaction with personal data — from reading it in a dashboard to storing it in a backup — is "processing" under DPDPA. This broad definition means compliance obligations apply to your entire data lifecycle.
When a Noida SaaS company collects user signups, stores them in PostgreSQL, analyses usage patterns, shares anonymised metrics with investors, and eventually deletes inactive accounts — each of these steps is a separate processing activity requiring documentation in the RoPA.
Many believe "processing" only means active computation or analysis. Simply storing data in a backup, even if never accessed, constitutes processing under DPDPA.
DPDPA Shield automates Data Inventory & RoPA. See how →