DPDP Rules 2025 for MedTech: What Medical Device and Health-Tech Companies Must Do to Stay CompliantĀ
If your medical device collects,Ā storesĀ or transmits patient data, India's data protection framework now places clear obligations on organizations that collect or process personal data, including many medical device and digital health companies. The government notified the Digital Personal Data Protection Rules, 2025 on 14 November 2025, providing the operational framework for implementing the DPDP Act, 2023. For MedTech and health-tech companies, this is the moment to treat data privacy as a core compliance task, not an afterthought.Ā
WhatĀ actually changedĀ in November 2025
The DPDP Act passed in 2023, but it needed rules to become operational. Those rules arrived through gazetteĀ notificationĀ G.S.R. 846(E). They set out how personal data must be collected, secured,Ā retainedĀ andĀ deletedĀ and theyĀ establishĀ phased implementation timelines for different provisions. Some provisions, such as those covering the Data Protection Board of India, appliedĀ immediately. Others, including consent manager obligations, follow over the next year. The practical message is simple: the clock has started.Ā
The roles you need to understand
The law works around two terms. A Data Principal is the individual the data belongs to, such as a patient. A Data Fiduciary is theĀ organizationĀ that decides how and why that data is processed. In healthcare, the hospital, clinic, deviceĀ makerĀ or software provider is usually the Data Fiduciary. If you build a connected device, a diagnosticĀ appĀ or a remote monitoring platform, you areĀ likely aĀ DataĀ FiduciaryĀ and you carry the duties that come with it.
Core obligations for medical device and SaMD companies
Consent and notice: you must give a clear, itemizedĀ notice explaining what data you collect and whyĀ andĀ obtain valid consent for the specified purposes unless another lawful ground under the ActĀ applies.Ā
Breach reporting:Ā Personal data breaches must be reported to the Data Protection Board andĀ affectedĀ individualsĀ in accordance withĀ the timelines and procedures specified in the Rules.Ā
Retention and erasure: keep personal health data only as long as the purpose requires, thenĀ deleteĀ it.Ā
Children's data: processing a child's data needs verifiable parental consent, though the Fourth Schedule exempts certain healthcare activities needed to provide health services.
If you are a Significant Data Fiduciary
Companies that handle large volumes of sensitive data can be classified as Significant Data Fiduciaries. They face stricter duties: appointing a Data Protection Officer, running annual Data Protection Impact Assessments, completingĀ auditsĀ and carrying out tighter due diligence.Ā Ā OrganizationsĀ processing large volumes of personal data or meeting other criteria notified by the Government may beĀ designatedĀ as Significant Data Fiduciaries.Ā SoĀ plan for it early. Non-compliance is expensive, with penalties reaching up to Rs 250 crore forĀ failing to maintainĀ reasonable security safeguards.
How DPDP compares to GDPR
If you already sell in Europe, some of this will feel familiar. Under the EU GDPR, health data is special-category data under Article 9 and needs explicit consent. The DPDP Act does not create a separate sensitive-data class, but itĀ does not separately classify sensitive personal data in the way GDPR does, althoughĀ organizationsĀ processing health information should generally apply enhanced governance and security controls because of the potential impact on individualsĀ through breach duties and SDF classification. TheĀ big differenceĀ is that DPDP leans heavily on consent as the basis for processing. Building consent-first systems now helps you satisfy both regimes.
How DPDP Fits into Medical Device Compliance
The DPDP Act 2023Ā doesn'tĀ replace existing medtechĀ regulations,Ā it adds a parallel compliance layer. Connected devices and digital health platforms in India now sit under two regimes at once: product/safety regulation via the Medical Device Rules, 2017 (enforced by CDSCO), and data protection via the DPDP Act and Rules, 2025. A device can be fully CDSCOĀ approved and still fall short on DPDP if consent,Ā breachĀ notification, or retention practicesĀ aren'tĀ in order,Ā soĀ compliance teams need to manage both tracks together.Ā
In practice, this means:Ā
Data fiduciary status:Ā Companies thatĀ determineĀ the purpose and means of processing personal data through wearables, remote monitoring solutions, or diagnostic applications may qualify asĀ Data FiduciariesĀ under the DPDP Act. Depending on the deployment model, hospitals, clinics, and other stakeholders may also have independent obligations.Ā
Privacy by Design: Privacy and security controls, including dataĀ minimization,Ā appropriate encryption, access controls and whereĀ feasible, on-device processing, should be incorporated throughout the productĀ life-cycleĀ rather than added after deployment.Ā
Consent andĀ breachĀ workflows: Consent capture, withdrawal, and breach-notification timelines must be engineered into the device/app itself, alongside CDSCO documentation.Ā
Standards convergence: While not mandatory under the DPDP Act,Ā organizationsĀ are increasingly adopting standards such as ISO/IEC 27701 (Privacy Information Management) and ISO/IEC 42001 (AI Management Systems), alongside ISO 13485, to strengthen governance for AI-enabled and connected medical devices.
With the DPDP framework now in force and phased compliance timelines extending to May 2027, MedTech companies should integrate DPDP obligations into their existing CDSCO and Medical Device Rules compliance activities rather than treating them as separateĀ programs.Ā
What to do nextĀ
Start with a comprehensive data inventoryĀ to understand what personal data is collected, where it is stored, how it flows across your systems, who can access it, how long it isĀ retained, and how it is securelyĀ deleted. Then align your consent, retention,Ā breachĀ response, and deletion processes with the applicable regulations.Ā
NexorTestĀ helps medicalĀ deviceĀ and SaMD teams connect these privacy requirements to their wider regulatory and cybersecurity strategy, so compliance is built into the product rather than bolted on later.
Sources: DPDP Rules, 2025 NotifiedĀ Electronics And Information Technology NotificationĀ

















