checkDPDP

Industry guide · #3 most exposed · Critical risk

DPDP Act for Healthtech & Pharma in India

Hospitals, diagnostic chains, healthtech apps, pharma manufacturers, telemedicine platforms and insurance-tech process health PII — the single most sensitive personal-data category recognised under the Act. DPDP overlaps with the Ayushman Bharat Digital Mission rules and the Clinical Establishments Act, creating a stacked compliance burden that is heavier than any other sector except BFSI.

Penalty exposure cap

₹250 cr

Section 8 security failures land at ₹250 cr; a children-on-paediatric-platform leak adds Section 9 ₹200 cr on top. Insurance-tech additionally inherits IRDAI obligations.

Realistic effort

140–320 hrs (8–18 weeks)

DPO + Medical Records lead + InfoSec + Legal

Annual budget

₹6–25 lakh / yr for tooling, DPO, audit

Tooling + DPO retainer + audit

Sector regulators

MoH&FW (via ABDM/NHA) · IRDAI (insurance-tech) · CDSCO (pharma) · CERT-In

Stack on top of DPDP — comply with both

Why this industry

How DPDP hits Healthtech & Pharma differently

Health data combines extreme sensitivity (Section 33(2) aggravating factor) with high-volume processing (lab reports, prescriptions, claims). A breach is irreversible (you cannot reissue someone’s medical history the way you can a card). MeitY has explicitly signalled healthcare as a priority Significant Data Fiduciary class.

What you must do

Specific DPDP obligations for this sector

Section 5 + Section 6

Granular consent per purpose (treatment vs research vs marketing)

A single "I agree" at hospital admission does not cover research or third-party sharing. Each purpose needs its own captured consent.

Section 9

Parental consent for paediatric records

Under-18 patients trigger verifiable parental consent and prohibit behavioural tracking — applies to paediatric apps, child health records, school health screenings.

Section 16 + ABDM policy

India residency for ABDM-linked records

ABDM mandates India residency for health records — DPDP is permissive but ABDM is not. Default to India.

Rules · breach notification

72-hour breach notification

Stacks on top of any CERT-In, ABDM and insurance regulator notification windows. Single playbook handles all.

Section 8(7)

Retention limited to medical necessity

Indefinite retention "for research" is not defensible — define a retention schedule by record type (lab, imaging, billing).

What to ship

Minimum control set + realistic time to land each

Effort estimates assume an in-house engineer + an external CMP/DPO partner where indicated. Cumulative time gets you to a defensible posture; full SDF maturity adds 1–2 quarters on top.

  1. Granular consent banner with research / marketing categories
     1 day · Banner builder

  2. Paediatric age-gate + parental consent handshake
     1–2 weeks engineering

  3. Itemised privacy notice covering treatment + research + sharing
     2 days · Notice template

  4. ABDM-aligned consent manager integration (if you store ABHA-linked records)
     2–4 weeks

  5. Vendor inventory + DPAs for labs, imaging, telemedicine providers
     3–4 weeks

  6. Retention schedule per record type
     1 week clinical + legal

  7. Section 8 security audit (HIPAA-adjacent controls usually cover most of it)
     4 weeks external auditor

What goes wrong

Real-world enforcement scenarios

Lab results email leak (wrong recipient on a bulk send)

Section 5 + Section 8(5) — the gravity factor is high because the data is health data. A mid-band penalty is likely; the reputational impact is higher than the fine.

Telemedicine app records consultations without per-session consent

Section 6 violation — withdrawal and deletion requests will flood in. Build the consent log first.

Paediatric platform tracks under-18 behaviour for "engagement"

Section 9 prohibition — outright ban, ₹200 cr band. No mitigation; remove the tracking.

Close these first

The three highest-impact gaps for this sector

  1. No purpose-specific consent (treatment vs research vs marketing collapsed into one)
     Split consent capture per purpose at the point of collection — front-of-house redesign.

  2. No defined retention schedule by record type
     Clinical + legal workshop to fix retention windows — a one-week project.

  3. Paediatric records collected without parental verification
     Build the age-gate + parental handshake before any new product launch.
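The three gaps above (per-purpose consent, a retention schedule by record type, and a parental-consent gate for under-18 records) all reduce to the same small piece of engineering: an append-only consent ledger that is queried per purpose before any processing, plus a retention check keyed on record type. The following Python is an added illustration of that design and is not checkDPDP's code nor part of this guide; the purpose names, the 18-year threshold, the patient identifiers and the retention windows in days are assumptions chosen for the example, not values taken from the Act, the Rules or ABDM.

```python
"""Per-purpose consent ledger with a paediatric parental-consent gate and a
per-record-type retention check. Added example; the purposes, ages, IDs and
retention windows below are constructed assumptions, not regulatory values."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Purposes a health platform would capture separately (assumed set).
PURPOSES = {"treatment", "research", "marketing"}
ADULT_AGE = 18  # the guide's "under-18" threshold for Section 9 handling

# Assumed retention windows per record type, in days. A real schedule is the
# output of the clinical + legal workshop the guide describes.
RETENTION_DAYS = {"lab": 365 * 3, "imaging": 365 * 5, "billing": 365 * 8}


@dataclass
class Consent:
    purpose: str
    given_on: date
    given_by: str                       # "self" or "parent"
    withdrawn_on: Optional[date] = None  # withdrawal is recorded, never deleted


@dataclass
class Patient:
    patient_id: str
    birth_date: date
    consents: list = field(default_factory=list)

    def age_on(self, on: date) -> int:
        years = on.year - self.birth_date.year
        if (on.month, on.day) < (self.birth_date.month, self.birth_date.day):
            years -= 1
        return years

    def is_minor_on(self, on: date) -> bool:
        return self.age_on(on) < ADULT_AGE


class ConsentLedger:
    """Append-only log: a withdrawal is a new event on the existing record,
    so the full history needed for a Section 6 audit survives."""

    def __init__(self) -> None:
        self.patients: dict = {}

    def register(self, patient: Patient) -> None:
        self.patients[patient.patient_id] = patient

    def grant(self, patient_id: str, purpose: str, on: date, given_by: str = "self") -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        patient = self.patients[patient_id]
        # Paediatric gate: a minor's consent must come from a verified parent.
        if patient.is_minor_on(on) and given_by != "parent":
            raise PermissionError("minor: verifiable parental consent required")
        patient.consents.append(Consent(purpose, on, given_by))

    def withdraw(self, patient_id: str, purpose: str, on: date) -> None:
        for c in self.patients[patient_id].consents:
            if c.purpose == purpose and c.withdrawn_on is None:
                c.withdrawn_on = on

    def is_permitted(self, patient_id: str, purpose: str, on: date) -> bool:
        """True only if a separate, still-active consent exists for this purpose;
        consent for treatment never implies research or marketing."""
        patient = self.patients[patient_id]
        # Behavioural tracking / targeted advertising of minors is prohibited
        # outright, so no captured consent can authorise it.
        if purpose == "marketing" and patient.is_minor_on(on):
            return False
        return any(
            c.purpose == purpose and c.given_on <= on
            and (c.withdrawn_on is None or c.withdrawn_on > on)
            for c in patient.consents
        )


def retention_expired(record_type: str, created_on: date, today: date) -> bool:
    """Flag a record that has outlived its per-type window (Section 8(7) style)."""
    return today > created_on + timedelta(days=RETENTION_DAYS[record_type])


def demo() -> dict:
    """Exercise the ledger on constructed patients and return the decisions."""
    ledger = ConsentLedger()
    ledger.register(Patient("adult-1", date(1980, 5, 1)))   # constructed
    ledger.register(Patient("child-1", date(2015, 5, 1)))   # constructed, age 9-10
    today = date(2025, 6, 1)

    ledger.grant("adult-1", "treatment", date(2025, 1, 10))
    ledger.grant("adult-1", "research", date(2025, 1, 10))
    ledger.withdraw("adult-1", "research", date(2025, 3, 1))

    try:
        ledger.grant("child-1", "treatment", date(2025, 1, 10))  # self-consent by a minor
        child_self_rejected = False
    except PermissionError:
        child_self_rejected = True
    ledger.grant("child-1", "treatment", date(2025, 1, 10), given_by="parent")
    ledger.grant("child-1", "marketing", date(2025, 1, 10), given_by="parent")

    return {
        "adult_treatment": ledger.is_permitted("adult-1", "treatment", today),
        "adult_research_after_withdrawal": ledger.is_permitted("adult-1", "research", today),
        "adult_marketing_never_asked": ledger.is_permitted("adult-1", "marketing", today),
        "child_self_consent_rejected": child_self_rejected,
        "child_treatment_with_parent": ledger.is_permitted("child-1", "treatment", today),
        "child_marketing_blocked": ledger.is_permitted("child-1", "marketing", today),
        "old_lab_report_expired": retention_expired("lab", date(2021, 1, 1), today),
        "recent_imaging_retained": not retention_expired("imaging", date(2024, 1, 1), today),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the design is that every processing path asks `is_permitted(patient, purpose, date)` rather than checking a single admission-time flag, and that the answer can be reconstructed for any past date from the log alone, which is what a withdrawal or deletion request, or a regulator, will ask for.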


Healthtech / Pharma · FAQ

Sector-specific questions, answered

How does DPDP interact with ABDM?

ABDM is the dominant framework for ABHA-linked records — DPDP is the general Act. Where they overlap, the stricter rule applies (usually ABDM).

Are diagnostic labs Significant Data Fiduciaries?

National chains processing tens of millions of patients should plan as if designated. Smaller single-city labs are possible but unlikely first-wave designations.

Do I need a DPO for a hospital?

Mandatory if designated SDF, recommended for any hospital with 50K+ records. The IT Act 43A reasonable security obligation also implies you need an accountable contact.