DPDP 2023, for clinic owners who don't read law.
If you run a clinic in India and store patient data on a computer, this law applies. Here is the one-page version.
The 5 things you must do
Tell patients what data you collect and why. A printed notice at the front desk plus a consent line on intake forms is the floor.
Get explicit consent before sharing data with anyone — labs, insurance, even the doctor’s WhatsApp group. “Implied consent” is not a thing under DPDP.
Let patients access, correct, and delete their data on request. Including old paper records you’ve digitised.
Appoint someone — anyone, with a name and a phone number — as your Data Protection point of contact. The administrator is fine.
Be able to detect breaches. If patient data leaks, you have 72 hours to notify the regulator. Not 72 working days. 72 hours.
The 3 things you can ignore (for now)
Significant Data Fiduciary classification. Applies to platforms, not individual clinics. Unless you operate across multiple hospitals at scale, this is not your problem yet.
Cross-border localisation rules. Currently in flux. If your software vendor stores data in India (ask them — see below), you are covered.
DPDP-specific certifications. None exist as of May 2026. Save your money.
The one question to ask any vendor
Where do you store our patient data, geographically?
If the answer is “the US” or “we’ll get back to you” — that’s a procurement red flag. If the answer is “in India, in [named region]” — you’re fine.
Our answer
All Lucoze patient data lives in Indian data centres. Nothing crosses the border. Backups stay in India. We pay ~38% more for it than US hosting would cost. Why we made that call.
This is not legal advice. It’s what we’d want our own families’ clinic to do.