DPDPA by Industry
Different sectors face different DPDPA risks. Choose your industry for tailored guidance, specific risk areas, and a free readiness assessment.
This page is for businesses that know DPDPA matters but need to understand where the risk actually sits in their own sector. The law is the same. The operational mess is different.
Same law. Different data flows. Different fixes.
| Industry | Main personal data types | Highest DPDPA risk | First fix | Assessment |
|---|---|---|---|---|
| Recruitment Agencies | CVs, candidate profiles, Aadhaar/PAN, background documents | CV databases without consent or deletion policy | Add consent at submission; define retention periods | Start → |
| CA Firms | PAN, Aadhaar, payroll records, bank details, tax filings | Broad staff access to sensitive client documents | Role-based access controls and DPAs with cloud vendors | Start → |
| Training Institutes | Student names, contacts, minor data, placement records | Processing minors' data without verifiable parental consent | Implement parental consent mechanism for under-18 students | Start → |
| D2C Brands | Checkout details, marketing lists, behavioural and loyalty data | Bundled marketing consent at checkout | Separate marketing consent from purchase processing | Start → |
Recruitment & Staffing Agencies
CV databases, candidate consent, ATS, and cross-border placements
“Most recruitment agencies store candidate data with no formal deletion process”
Common Risk Areas
CA Firms & Accounting Practices
PAN, Aadhaar, payroll, client records, and cloud storage
“CA firms process some of the most sensitive personal data in India”
Common Risk Areas
Training Institutes & Coaching Centres
Student and parent data, admissions forms, minors, placement records
“Most training institutes have no formal privacy notice for admissions”
Common Risk Areas
D2C Brands & E-commerce Businesses
Marketing consent, analytics tools, WhatsApp campaigns, loyalty data
“Most D2C checkout flows bundle marketing consent with purchase terms”
Common Risk Areas
Last reviewed: March 2026
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.