
DPDP Rules 2025 for MedTech: What Medical Device and Health-Tech Companies Must Do to Stay Compliant
If your medical device collects, stores or transmits patient data, India’s data protection framework now places clear obligations on organizations that collect or process personal data, including many medical device and digital health companies. The government notified the Digital Personal Data Protection Rules, 2025 on 14 November 2025, providing the operational framework for implementing the DPDP Act, 2023. For MedTech and health-tech companies, this is the moment to treat data privacy as a core compliance task, not an afterthought.
What actually changed in November 2025
The DPDP Act passed in 2023, but it needed rules to become operational. Those rules arrived through gazette notification G.S.R. 846(E). They set out how personal data must be collected, secured, retained and deleted and they establish phased implementation timelines for different provisions. Some provisions, such as those covering the Data Protection Board of India, applied immediately. Others, including consent manager obligations, follow over the next year. The practical message is simple: the clock has started.
The roles you need to understand
The law works around two terms. A Data Principal is the individual the data belongs to, such as a patient. A Data Fiduciary is the organization that decides how and why that data is processed. In healthcare, the hospital, clinic, device maker or software provider is usually the Data Fiduciary. If you build a connected device, a diagnostic app or a remote monitoring platform, you are likely a Data Fiduciary and you carry the duties that come with it.
Core obligations for medical device and SaMD companies
- Consent and notice: you must give a clear, itemized notice explaining what data you collect and why and obtain valid consent for the specified purposes unless another lawful ground under the Act applies.
- Breach reporting: Personal data breaches must be reported to the Data Protection Board and affected individuals in accordance with the timelines and procedures specified in the Rules.
- Retention and erasure: keep personal health data only as long as the purpose requires, then delete it.
- Children’s data: processing a child’s data needs verifiable parental consent, though the Fourth Schedule exempts certain healthcare activities needed to provide health services.
If you are a Significant Data Fiduciary
Companies that handle large volumes of sensitive data can be classified as Significant Data Fiduciaries. They face stricter duties: appointing a Data Protection Officer, running annual Data Protection Impact Assessments, completing audits and carrying out tighter due diligence. Organizations processing large volumes of personal data or meeting other criteria notified by the Government may be designated as Significant Data Fiduciaries. So plan for it early. Non-compliance is expensive, with penalties reaching up to Rs 250 crore for failing to maintain reasonable security safeguards.
How DPDP compares to GDPR
If you already sell in Europe, some of this will feel familiar. Under the EU GDPR, health data is special-category data under Article 9 and needs explicit consent. The DPDP Act does not create a separate sensitive-data class, but it does not separately classify sensitive personal data in the way GDPR does, although organizations processing health information should generally apply enhanced governance and security controls because of the potential impact on individuals through breach duties and SDF classification. The big difference is that DPDP leans heavily on consent as the basis for processing. Building consent-first systems now helps you satisfy both regimes.
How DPDP Fits into Medical Device Compliance
The DPDP Act 2023 doesn’t replace existing medtech regulations, it adds a parallel compliance layer. Connected devices and digital health platforms in India now sit under two regimes at once: product/safety regulation via the Medical Device Rules, 2017 (enforced by CDSCO), and data protection via the DPDP Act and Rules, 2025. A device can be fully CDSCO approved and still fall short on DPDP if consent, breach notification, or retention practices aren’t in order, so compliance teams need to manage both tracks together.
In practice, this means:
- Data fiduciary status: Companies that determine the purpose and means of processing personal data through wearables, remote monitoring solutions, or diagnostic applications may qualify as Data Fiduciaries under the DPDP Act. Depending on the deployment model, hospitals, clinics, and other stakeholders may also have independent obligations.
- Privacy by design: Privacy and security controls, including data minimization, appropriate encryption, access controls and where feasible, on-device processing, should be incorporated throughout the product life–cycle rather than added after deployment.
- Consent and breach workflows: Consent capture, withdrawal, and breach-notification timelines must be engineered into the device/app itself, alongside CDSCO documentation.
- Standards convergence: While not mandatory under the DPDP Act, organizations are increasingly adopting standards such as ISO/IEC 27701 (Privacy Information Management) and ISO/IEC 42001 (AI Management Systems), alongside ISO 13485, to strengthen governance for AI-enabled and connected medical devices.
With the DPDP framework now in force and phased compliance timelines extending to May 2027, MedTech companies should integrate DPDP obligations into their existing CDSCO and Medical Device Rules compliance activities rather than treating them as separate programs.
What to do next
Start with a comprehensive data inventory to understand what personal data is collected, where it is stored, how it flows across your systems, who can access it, how long it is retained, and how it is securely deleted. Then align your consent, retention, breach response, and deletion processes with the applicable regulations.
NexorTest helps medical device and SaMD teams connect these privacy requirements to their wider regulatory and cybersecurity strategy, so compliance is built into the product rather than bolted on later.
Meet Our Regulatory Expert
Dr. Pabbisetty PBS Kumar
Chief Compliance Officer at NexorTest Technologies


