DPDP Rules 2025 are now in effect. How ready is your business? Most Indian companies don't know yet.Find out in 10 minutes — free →
SaralPrivacy emblem

DPDPA by Industry

Different sectors face different DPDPA risks. Choose your industry for tailored guidance, specific risk areas, and a free readiness assessment.

This page is for businesses that know DPDPA matters but need to understand where the risk actually sits in their own sector. The law is the same. The operational mess is different.

Same law. Different data flows. Different fixes.

IndustryMain personal data typesHighest DPDPA riskFirst fixAssessment
Recruitment AgenciesCVs, candidate profiles, Aadhaar/PAN, background documentsCV databases without consent or deletion policyAdd consent at submission; define retention periodsStart →
CA FirmsPAN, Aadhaar, payroll records, bank details, tax filingsBroad staff access to sensitive client documentsRole-based access controls and DPAs with cloud vendorsStart →
Training InstitutesStudent names, contacts, minor data, placement recordsProcessing minors' data without verifiable parental consentImplement parental consent mechanism for under-18 studentsStart →
D2C BrandsCheckout details, marketing lists, behavioural and loyalty dataBundled marketing consent at checkoutSeparate marketing consent from purchase processingStart →

Recruitment & Staffing Agencies

CV databases, candidate consent, ATS, and cross-border placements

Most recruitment agencies store candidate data with no formal deletion process

Common Risk Areas

Candidate data without consent
CV sharing without disclosure
Indefinite data retention
Unvetted ATS vendors
Free Assessment →View Full Guide →

CA Firms & Accounting Practices

PAN, Aadhaar, payroll, client records, and cloud storage

CA firms process some of the most sensitive personal data in India

Common Risk Areas

Unencrypted Aadhaar copies
Broad staff access to client files
No retention policy
Unvetted cloud vendors
Free Assessment →View Full Guide →

Training Institutes & Coaching Centres

Student and parent data, admissions forms, minors, placement records

Most training institutes have no formal privacy notice for admissions

Common Risk Areas

No minor consent mechanism
Marketing pixels on forms
Placement data misuse
No data rights process
Free Assessment →View Full Guide →

D2C Brands & E-commerce Businesses

Marketing consent, analytics tools, WhatsApp campaigns, loyalty data

Most D2C checkout flows bundle marketing consent with purchase terms

Common Risk Areas

Bundled checkout consent
Undisclosed tracking pixels
No unsubscribe mechanism
Indefinite inactive data
Free Assessment →View Full Guide →

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.