DPDP Rules, 2025 are now in effect. See where your business stands, in 3–5 minutes.Find out — free →

DPDPA by Industry

Different sectors face different DPDPA risks. Choose your industry for tailored guidance, specific risk areas, and a free readiness assessment.

This page is for businesses that know DPDPA matters but need to understand where the risk actually sits in their own sector. The law is the same. The operational mess is different.

Same law. Different data flows. Different fixes.

Start here · Free · No email

Not sure what personal data you hold?

Map it in ~3 minutes across 276 business types, then come back for the full assessment.

Personal Data Discovery
Next step · Free · Preview without email

Need a DPDPA-ready privacy notice?

Generate a tailored Notice Pack — full notice, mini-notices, consent text and a rights block — from a few plain questions.

Notice Generator
IndustryMain personal data typesHighest DPDPA riskFirst fixAssessment
Recruitment AgenciesCVs, candidate profiles, Aadhaar/PAN, background documentsCV databases without consent or deletion policyAdd consent at submission; define retention periodsStart →
CA FirmsPAN, Aadhaar, payroll records, bank details, tax filingsBroad staff access to sensitive client documentsRole-based access controls and DPAs with cloud vendorsStart →
Training InstitutesStudent names, contacts, minor data, placement recordsProcessing minors' data without verifiable parental consentImplement parental consent mechanism for under-18 studentsStart →
D2C BrandsCheckout details, marketing lists, behavioural and loyalty dataBundled marketing consent at checkoutSeparate marketing consent from purchase processingStart →
Clinics & Diagnostic LabsPrescriptions, lab reports, diagnostic images, patient and family contactsSharing reports over WhatsApp without verifying the recipientVerify recipient identity before sharing; control WhatsApp/email sharingStart →
Schools & CollegesChildren's data, parent records, admission/ID docs, marks, photos, transport and CCTVMinors' data and public student photos without parental consentDocument parent/guardian consent and a photo-consent + removal processStart →
Law Firms & Legal ConsultantsClient KYC, PAN/Aadhaar, contracts, affidavits, evidence files, court and sensitive recordsSensitive case files unrestricted and ex-staff/intern access lingeringClassify sensitive matters; move to matter-based, need-based accessStart →
Real Estate Brokers & Property FirmsBuyer/tenant KYC, PAN/Aadhaar, income/loan docs, rent & sale agreements, property papersKYC and leads forwarded through WhatsApp broker groupsSecure KYC intake; share leads only with instruction or documented purposeStart →
Hotels, Hospitality & TravelGuest IDs, passport/visa copies, booking records, itineraries, C-Form data, CCTV and access logsPassport copies over WhatsApp and indefinite guest-record retentionSecure ID/passport intake; set retention & deletion rules for guest records and CCTVStart →
Pharmacies & Online PharmaciesPrescriptions, medicine history, doctor details, delivery addresses, health indicatorsPrescription images on WhatsApp and medicine-history used without consentSecure prescription intake; limit delivery/vendor access; consent for refill messagingStart →
Fintech, NBFC & Digital PaymentsKYC, PAN/Aadhaar, bank statements, bureau data, UPI, repayment history, collection notesBank/bureau data via WhatsApp/DSAs and profiling on bundled consentSecure KYC intake; traceable consent; role-based, monitored agent accessStart →
Gyms, Salons & SpasMembership data, fitness/body measurements, health declarations, consultation notes, customer photosCustomer photos used without consent and health/body data without access controlPhoto consent + removal process; restrict health-data access; control staff phonesStart →

Recruitment & Staffing Agencies

CV databases, candidate consent, ATS, and cross-border placements

Most recruitment agencies store candidate data with no formal deletion process

Common Risk Areas

Candidate data without consent
CV sharing without disclosure
Indefinite data retention
Unvetted ATS vendors

CA Firms & Accounting Practices

PAN, Aadhaar, payroll, client records, and cloud storage

CA firms process some of the most sensitive personal data in India

Common Risk Areas

Unencrypted Aadhaar copies
Broad staff access to client files
No retention policy
Unvetted cloud vendors

Training Institutes & Coaching Centres

Student and parent data, admissions forms, minors, placement records

Most training institutes have no formal privacy notice for admissions

Common Risk Areas

No minor consent mechanism
Marketing pixels on forms
Placement data misuse
No data rights process

D2C Brands & E-commerce Businesses

Marketing consent, analytics tools, WhatsApp campaigns, loyalty data

Most D2C checkout flows bundle marketing consent with purchase terms

Common Risk Areas

Bundled checkout consent
Undisclosed tracking pixels
No unsubscribe mechanism
Indefinite inactive data

Clinics & Diagnostic Labs

Prescriptions, lab reports, WhatsApp sharing, home collection, and patient records

Most clinics and labs share reports over WhatsApp without verifying the recipient

Common Risk Areas

WhatsApp report sharing
Family sharing without verification
Shared logins / ex-staff access
Indefinite patient-record retention

Schools & Colleges

Children's data, parent consent, school apps, CCTV, attendance, transport and student photos

Most schools publish student photos and results without separate parental consent

Common Risk Areas

Minors without parent consent
Student photos posted publicly
CCTV / biometric / GPS monitoring
Indefinite student-record retention

Law Firms & Legal Consultants

Client KYC, case files, evidence, junior/intern access, court & vendor sharing, closed matters

Most firms confuse client confidentiality with DPDPA readiness — they are not the same

Common Risk Areas

Sensitive files stored with regular matters
Ex-staff / intern access lingering
Evidence shared over WhatsApp/email
Indefinite closed-matter retention

Real Estate Brokers & Property Firms

Buyer/tenant KYC, PAN/Aadhaar, agreements, WhatsApp lead sharing, broker networks, loan partners

Most firms keep old buyer/tenant databases indefinitely for future deals

Common Risk Areas

PAN/Aadhaar shared over WhatsApp
Leads in co-broker WhatsApp groups
Ex-staff / old broker access
Indefinite old-lead retention

Hotels, Hospitality & Travel

Guest IDs, passport copies, booking records, OTA sharing, WhatsApp confirmations, travel documents, CCTV

Hotels and travel agencies often keep ID and passport copies long after checkout

Common Risk Areas

Passport copies over WhatsApp/email
OTA & travel-vendor sharing
Ex-staff / shared PMS logins
Indefinite guest-record retention

Pharmacies & Online Pharmacies

Prescriptions, medicine history, health indicators, WhatsApp orders, refill reminders, delivery partners

Medicine history can reveal health conditions even without a diagnosis field

Common Risk Areas

Prescription images over WhatsApp
Medicine-history reveals health data
Delivery-staff over-access
Indefinite prescription retention

Fintech, NBFC & Digital Payments

KYC, PAN/Aadhaar, bank & bureau data, UPI, credit profiling, DSAs, collection agents, vendor platforms

Fintech data moves across a large partner and agent ecosystem — the biggest practical risk

Common Risk Areas

Bank/bureau data over WhatsApp/DSAs
Profiling with bundled consent
Agents exporting customer lists
Indefinite KYC & rejected-lead retention

Gyms, Salons & Spas

Membership data, health/body measurements, consultation notes, customer photos, WhatsApp campaigns, staff phones

Before-after photos and health/body data are high-impact, even though it isn't a clinic

Common Risk Areas

Customer photos used without consent
Health/body data in WhatsApp/staff notes
Staff personal phones & shared logins
Indefinite photo & record retention

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.