Data Privacy & Governance

Sectoral Data Compliance

What additional data compliance obligations apply to healthcare and healthtech companies?

Healthcare companies handle some of the most sensitive personal data. In addition to the DPDP Act, healthtech and healthcare companies must comply with clinical trial data requirements under the Drugs and Cosmetics Act and the New Drugs and Clinical Trial Rules, telemedicine regulations (Telemedicine Practice Guidelines, 2020), electronic health record standards, and medical device data regulations. If operating in the EU, health data is a special category under the GDPR requiring explicit consent or another specific legal basis. Patient consent, data minimisation, secure storage, and restricted access are critical. We advise healthtech companies on building compliance frameworks that cover both general data protection and sector-specific health data obligations.

What data rules apply to education and edtech platforms?

Edtech platforms process data of students, often including children under 18. Under the DPDP Act, processing children’s data requires verifiable parental consent, and certain processing activities (such as tracking, behavioural monitoring, and targeted advertising directed at children) are restricted. The GDPR imposes similar restrictions and sets the age of digital consent at 16 (or lower in some member states). Edtech platforms must also address student data privacy in their terms with educational institutions, comply with advertising and marketing restrictions when engaging with minors, and ensure that data is not used for purposes beyond what is necessary for the educational service. We advise edtech companies on structuring their data practices to comply with children’s data requirements.

What data compliance does a fintech or payments company need?

Fintech companies face overlapping data obligations. The DPDP Act applies to all personal data processing. The RBI’s data localisation directive requires payment system data to be stored in India. The RBI’s digital lending guidelines restrict the collection and use of borrower data. PCI DSS compliance is required for entities handling card data. The Account Aggregator framework has its own consent and data sharing architecture. CERT-In requires reporting of cybersecurity incidents within six hours. Anti-money laundering rules under PMLA require retention of customer records for specified periods. We advise fintech companies on building a unified compliance framework that addresses all of these overlapping requirements.

What data rules apply to gaming companies?

Gaming companies process player data including account information, gameplay data, payment data, and often behavioural and location data. Under the DPDP Act, consent is required for data collection. If the game is accessible to children, parental consent and restrictions on data processing apply. The IT Rules impose obligations on online gaming intermediaries, including user verification and content moderation. State-level gaming regulations may impose additional requirements. If the game involves virtual digital assets, NFTs, or in-game currency, additional tax and regulatory obligations arise. If the game is available globally, the GDPR and other international frameworks may apply. We advise gaming companies on data compliance across these overlapping regulatory requirements.

My company operates in hospitality. What data compliance do I need?

Hospitality businesses collect guest data including identity documents, contact information, payment data, loyalty programme data, and in some cases, biometric data for check-in. The DPDP Act applies to all personal data collected from guests. Foreign guest data may trigger GDPR obligations if you serve EU nationals. Payment data must comply with PCI DSS. CCTV and surveillance footage constitutes personal data and requires appropriate notices and retention policies. Loyalty programmes involve profiling and marketing, which require clear consent. The Foreign Registration Act requires hotels to report foreign guest data to the FRRO, which creates a legal obligation to collect certain data but does not exempt that data from data protection requirements. We help hospitality businesses build data compliance programmes that balance operational needs with regulatory obligations.