Global Guides • 6 mins
India Market Access: The DPDP 2023 Guide for London Healthtech Companies
A definitive guide for London-based privacy leads bridging the GDPR-to-DPDP delta to unblock Indian enterprise healthtech deals and achieve compliance before the 2027 deadline.
Last updated:
Why DPDP 2023 Reaches Your London Headquarters
Your London-based healthtech company processes patient records, telemedicine flows, and diagnostics data. If those flows involve offering goods or services to Data Principals within India, the Digital Personal Data Protection Act, 2023 applies to you. Section 3(b) of the Act establishes this extraterritorial scope clearly. It does not matter that your servers sit in the UK or that you lack a physical Indian subsidiary. Furthermore, under Section 3(a), the Act applies whether personal data is collected originally in digital form or in non-digital form and digitized subsequently. The only exceptions to this scope, per Section 3(c), are personal data processed by an individual for personal or domestic purposes, or data that the Data Principal (or someone under a legal obligation) has made publicly available. For B2B or B2C enterprise healthtech, these exemptions rarely provide cover. If your platform targets Data Principals in India, your privacy program must adapt immediately. Indian enterprise procurement teams know this and now mandate strict DPDP posture checks during vendor security reviews.
Mapping The GDPR To DPDP Delta For Healthtech
Your UK GDPR program provides a strong foundation, but a one-program-many-regimes approach requires understanding the specific GDPR-to-DPDP delta. Both regulatory regimes require data minimization, purpose limitation, and robust vendor oversight. However, DPDP diverges sharply in execution. Under Section 4(1), processing must be for a "lawful purpose" - defined in Section 4(2) as any purpose not expressly forbidden by law - and relies primarily on consent or specific "certain legitimate uses." The broad UK GDPR concept of "legitimate interests" does not exist in India's framework. Instead of a balancing test, you must establish explicit, unconditional consent unless a strict statutory use applies. Furthermore, DPDP 2023 applies uniformly to all digital personal data without any separate classifications for health records. Instead of treating health data as a special category, your volume and the risk associated with processing diagnostics or patient data matter for Significant Data Fiduciary designation. Your global suite might claim India coverage, but superficial mapping fails under regulatory scrutiny.
The Compliance Gaps That Block Indian Deals
Several operational gaps routinely block Indian enterprise deals. First is the cross-border transfer mechanism. Under Section 16(1) of the Act, transfers outside India are generally permitted unless the Central Government restricts transfer to a notified negative list of countries. You must shift your cross-border strategy; DPDP relies entirely on this negative list approach rather than requiring proactive country-level approvals. However, you must also pay close attention to Section 16(2). The DPDP Act explicitly states that it does not override any other Indian law providing a higher degree of protection or restriction on data transfers. If Indian sectoral regulations mandate localization for specific patient records, Section 16 will not exempt you from those stricter rules. Second is breach intimation. The DPDP Rules, 2025 mandate that you notify affected Data Principals without delay, while submitting a detailed report to the Data Protection Board within 72 hours. Finally, consent mechanics require itemised notices in multiple languages under the Rules, 2025. Your current English-only UK cookie banner will not suffice.
A 90 Day India Ready Action Plan
Privacy leads can close these gaps in 90 days without hiring external Indian counsel by following a phased approach. 1. Map your telemedicine and hospital integration data flows specifically for Indian Data Principals, noting exactly where data is collected digitally or digitized subsequently. 2. Update your consent gateways to present the itemised, multi-lingual notices required by the DPDP Rules, 2025. 3. Revise your incident response playbooks to include the 72-hour Data Protection Board notification workflow and direct intimation to Data Principals without delay. 4. Evaluate your data volume and risk profile to determine if your healthtech operations trigger Significant Data Fiduciary obligations. If designated, you must appoint a resident Data Protection Officer in India and conduct independent data audits. 5. Audit your data ingestion for publicly available data. While Section 3(c) exempts data made public by the user, improperly scraping data without verifying its lawful public status remains a major compliance risk.
Procurement Proofing Your Security Reviews
Indian hospital networks and enterprise buyers now demand concrete evidence on demand during security reviews. A credible privacy solution must generate verifiable artifacts quickly. Buyers will ask for your consent record ledger, demonstrating exactly when and how a Data Principal agreed to processing. They will scrutinize your vendor oversight framework to ensure your sub-processors comply with DPDP data deletion mandates, as the primary Data Fiduciary remains fully liable for a processor's actions under the Act. You must also present a compliant grievance redressal mechanism with documented response times. Relying on generic global privacy policies will flag your platform as a compliance risk and stall your procurement cycles before you even reach the pricing discussion.
The Cost Of Waiting For The Deadline
You have exactly 311 days remaining until the DPDP hard compliance deadline of 13 May 2027. Treating this solely as a future legal problem risks current revenue. Indian enterprise healthtech deals take months to negotiate, and a late-stage privacy objection can derail a major hospital integration. Waiting forces your sales team to answer "no" or "partially compliant" to standard DPDP compliance questionnaires from Indian buyers. Retrofitting itemised consent and 72-hour breach workflows at the last minute requires hundreds of expensive engineering hours and pulls product teams away from core roadmap features. Building these capabilities now ensures seamless market access and protects your deal pipeline.
Identify Your Compliance Gaps Today
Scan your India-facing healthtech stack and get a gap report before your next enterprise deal review. Visit freescan.complydp.com to identify your exact GDPR-to-DPDP deltas today.
Sources
- Section 3: Application of Act
- Section 4: Lawful Processing and Consent
- Section 16: Cross-Border Transfers
Frequently asked questions
Does the DPDP Act apply to UK companies without an Indian office?
Yes. Under Section 3(b) of the DPDP Act, 2023, the law applies to processing outside India if it is connected to offering goods or services to Data Principals within India. Your physical location does not exempt you. Furthermore, Section 3(a) applies to data collected digitally or digitized subsequently.
Can we rely on our UK GDPR program for Indian compliance?
No, a direct copy will fail during enterprise security reviews. While principles like data minimization overlap, the GDPR-to-DPDP delta includes strict itemised consent rules, a completely different cross-border transfer mechanism, and the absence of 'legitimate interests' as a lawful basis under Section 4.
Are health records treated differently under DPDP?
No. The DPDP Act, 2023 treats all digital personal data uniformly without any separate classifications. However, processing high volumes of high-risk health data may lead to classification as a Significant Data Fiduciary, triggering stricter compliance obligations like appointing a resident Data Protection Officer in India.
How does DPDP handle cross-border data transfers to the UK?
Under Section 16(1), transfers outside India are permitted by default unless the Central Government restricts specific countries via a notified negative list. It does not require prior country-level approvals. However, Section 16(2) ensures that any stricter Indian sectoral localization laws still apply and must be adhered to.
What is the DPDP breach notification timeline?
The DPDP Rules, 2025 require you to intimate affected Data Principals without delay. You must also submit a detailed breach report to the Data Protection Board within 72 hours, which marks a significant operational departure from standard UK GDPR incident workflows.
ComplyDP