Data>Nuance
All insights
CommentaryLegal framework

Sensitive personal data: SPDI rules and the DPDP framework

How older SPDI terminology and the DPDP Act should be distinguished in current privacy assessments.

Data>Nuance

Indian businesses may encounter the term sensitive personal data in existing policies and contracts drafted under the SPDI Rules. The DPDP Act uses a different structure and should not be presented as if it contains the same classification terminology.

Why the distinction matters

Legacy documents may still inform contractual and security review, while an implementation programme for the DPDP Act must be mapped to its own requirements and any applicable rules.

Before reusing legacy wording, review the processing purpose, safeguards, notice language and current regulatory basis. Accurate labelling is essential for a credible privacy programme.

This publication is general information and is not legal advice for a specific organisation or matter.

Continue reading

Notice and consent

Consent records under the DPDP Act

A practical guide to building consent records under the DPDP Act for product, legal, marketing and compliance teams in India.

Read insight

Notice and consent

Legitimate uses under the DPDP Act for business teams

A practical guide for Indian business teams deciding when a DPDP Act legitimate use may apply and how to record the decision responsibly.

Read insight

Start with context

Book a focused DPDP Act consultation.

Bring an upcoming launch, notice review, data mapping question, incident readiness issue or implementation deadline. We will help identify the right next step.

Book consultation Submit a brief