DPDPA by Industry
Different sectors face different DPDPA risks. Choose your industry for tailored guidance, specific risk areas, and a free readiness assessment.
This page is for businesses that know DPDPA matters but need to understand where the risk actually sits in their own sector. The law is the same. The operational mess is different.
Same law. Different data flows. Different fixes.
Not sure what personal data you hold?
Map it in ~3 minutes across 276 business types, then come back for the full assessment.
Need a DPDPA-ready privacy notice?
Generate a tailored Notice Pack — full notice, mini-notices, consent text and a rights block — from a few plain questions.
| Industry | Main personal data types | Highest DPDPA risk | First fix | Assessment |
|---|---|---|---|---|
| Recruitment Agencies | CVs, candidate profiles, Aadhaar/PAN, background documents | CV databases without consent or deletion policy | Add consent at submission; define retention periods | Start → |
| CA Firms | PAN, Aadhaar, payroll records, bank details, tax filings | Broad staff access to sensitive client documents | Role-based access controls and DPAs with cloud vendors | Start → |
| Training Institutes | Student names, contacts, minor data, placement records | Processing minors' data without verifiable parental consent | Implement parental consent mechanism for under-18 students | Start → |
| D2C Brands | Checkout details, marketing lists, behavioural and loyalty data | Bundled marketing consent at checkout | Separate marketing consent from purchase processing | Start → |
| Clinics & Diagnostic Labs | Prescriptions, lab reports, diagnostic images, patient and family contacts | Sharing reports over WhatsApp without verifying the recipient | Verify recipient identity before sharing; control WhatsApp/email sharing | Start → |
| Schools & Colleges | Children's data, parent records, admission/ID docs, marks, photos, transport and CCTV | Minors' data and public student photos without parental consent | Document parent/guardian consent and a photo-consent + removal process | Start → |
| Law Firms & Legal Consultants | Client KYC, PAN/Aadhaar, contracts, affidavits, evidence files, court and sensitive records | Sensitive case files unrestricted and ex-staff/intern access lingering | Classify sensitive matters; move to matter-based, need-based access | Start → |
| Real Estate Brokers & Property Firms | Buyer/tenant KYC, PAN/Aadhaar, income/loan docs, rent & sale agreements, property papers | KYC and leads forwarded through WhatsApp broker groups | Secure KYC intake; share leads only with instruction or documented purpose | Start → |
| Hotels, Hospitality & Travel | Guest IDs, passport/visa copies, booking records, itineraries, C-Form data, CCTV and access logs | Passport copies over WhatsApp and indefinite guest-record retention | Secure ID/passport intake; set retention & deletion rules for guest records and CCTV | Start → |
| Pharmacies & Online Pharmacies | Prescriptions, medicine history, doctor details, delivery addresses, health indicators | Prescription images on WhatsApp and medicine-history used without consent | Secure prescription intake; limit delivery/vendor access; consent for refill messaging | Start → |
| Fintech, NBFC & Digital Payments | KYC, PAN/Aadhaar, bank statements, bureau data, UPI, repayment history, collection notes | Bank/bureau data via WhatsApp/DSAs and profiling on bundled consent | Secure KYC intake; traceable consent; role-based, monitored agent access | Start → |
| Gyms, Salons & Spas | Membership data, fitness/body measurements, health declarations, consultation notes, customer photos | Customer photos used without consent and health/body data without access control | Photo consent + removal process; restrict health-data access; control staff phones | Start → |
Recruitment & Staffing Agencies
CV databases, candidate consent, ATS, and cross-border placements
“Most recruitment agencies store candidate data with no formal deletion process”
Common Risk Areas
CA Firms & Accounting Practices
PAN, Aadhaar, payroll, client records, and cloud storage
“CA firms process some of the most sensitive personal data in India”
Common Risk Areas
Training Institutes & Coaching Centres
Student and parent data, admissions forms, minors, placement records
“Most training institutes have no formal privacy notice for admissions”
Common Risk Areas
D2C Brands & E-commerce Businesses
Marketing consent, analytics tools, WhatsApp campaigns, loyalty data
“Most D2C checkout flows bundle marketing consent with purchase terms”
Common Risk Areas
Clinics & Diagnostic Labs
Prescriptions, lab reports, WhatsApp sharing, home collection, and patient records
“Most clinics and labs share reports over WhatsApp without verifying the recipient”
Common Risk Areas
Schools & Colleges
Children's data, parent consent, school apps, CCTV, attendance, transport and student photos
“Most schools publish student photos and results without separate parental consent”
Common Risk Areas
Law Firms & Legal Consultants
Client KYC, case files, evidence, junior/intern access, court & vendor sharing, closed matters
“Most firms confuse client confidentiality with DPDPA readiness — they are not the same”
Common Risk Areas
Real Estate Brokers & Property Firms
Buyer/tenant KYC, PAN/Aadhaar, agreements, WhatsApp lead sharing, broker networks, loan partners
“Most firms keep old buyer/tenant databases indefinitely for future deals”
Common Risk Areas
Hotels, Hospitality & Travel
Guest IDs, passport copies, booking records, OTA sharing, WhatsApp confirmations, travel documents, CCTV
“Hotels and travel agencies often keep ID and passport copies long after checkout”
Common Risk Areas
Pharmacies & Online Pharmacies
Prescriptions, medicine history, health indicators, WhatsApp orders, refill reminders, delivery partners
“Medicine history can reveal health conditions even without a diagnosis field”
Common Risk Areas
Fintech, NBFC & Digital Payments
KYC, PAN/Aadhaar, bank & bureau data, UPI, credit profiling, DSAs, collection agents, vendor platforms
“Fintech data moves across a large partner and agent ecosystem — the biggest practical risk”
Common Risk Areas
Gyms, Salons & Spas
Membership data, health/body measurements, consultation notes, customer photos, WhatsApp campaigns, staff phones
“Before-after photos and health/body data are high-impact, even though it isn't a clinic”
Common Risk Areas
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.