The DPDP Act: What It Means for India’s Enterprises
- Manish Yadav
- 3 days ago

Overview and Impact
The Digital Personal Data Protection (DPDP) Act, 2023 is set to reshape how Indian enterprises collect, process, and share data.
With enforcement likely in 2025, every enterprise must re-evaluate its data practices, especially where personal or derived data is used for verification, enrichment, or analytics.
While the Act aims to strengthen privacy and accountability, many current industry practices sit in a grey zone, particularly those involving API-based data access and public portal scraping (UAN, RC, PAN lookups).
Grey Area and Compliance Challenges
Many current industry practices sit in a compliance grey zone, particularly those involving API-based data access and public portal scraping (UAN, RC, PAN lookups).
Enterprises must assess whether implied consent, public data sources, or derived data analytics meet DPDP's explicit consent and purpose limitation requirements. What was standard practice may now require significant reconfiguration.
Sector-Wise Data Risk Hotspots
| Sector | Common Use Cases | Typical Vendors/Methods | Potential Compliance Risks |
| --- | --- | --- | --- |
| BFSI | KYC, loan eligibility, credit scoring using PAN/GST/UAN APIs | API aggregators, digital KYC providers, fintech onboarding tools | Implied consent and public data scraping could breach DPDP’s explicit consent and purpose-limitation clauses |
| Manufacturing | Workforce verification, vendor checks, IoT-based worker tracking | Workforce platforms, ERP vendors, IoT data services | IoT or surveillance data tied to individuals needs consent and data retention control |
| CPG & Retail | Loyalty programs, influencer tracking, CRM enrichment | Martech, data brokers, loyalty analytics tools | Third-party sharing without user consent or retention control violates DPDP |
| Telecom | Subscriber verification, usage analytics, LBS | Network API partners, analytics vendors | Telcos are “data fiduciaries” and liable if partners mishandle data |
| Healthcare | Patient onboarding, telehealth, insurance linkage | Health data platforms, IoT device data | Health data is “sensitive personal data” — anonymization alone doesn’t ensure compliance |
| Digital Businesses (E-com, SaaS, OTT, EdTech) | Behavioural analytics, login mapping, ad targeting | AdTech, analytics, CX tools | Profiling, data mapping, and remarketing without consent may attract penalties |