The impact of Digital Personal Data Protection Rules, 2025, on industrial products and the construction sector

The new Digital Personal Data Protection Rules, 2025 (DPDP), have restructured data storage rules for multiple industries, including industrial products and construction (IP&C). Under this rule, any IP&C company that stores personal data in digital systems is, in effect, now in the data business and will be treated as a data fiduciary, according to the Ministry of Electronics and Information Technology.

The DPDP Rules, 2025, introduce obligations that come into force in May 2027, creating new expectations for how organisations collect, use, secure, and delete personal data.

Phasing in a new regulatory paradigm

While the sector has seen significant technology adoption over the past few years, the DPDP framework is driving a shift in the culture of data management and transparency, with its impact being felt at every level of operations.

Under the new rules, consent must be specific and properly documented, breaches must be reported without delay, and personal data must be erased once its purpose is fulfilled. Significant data fiduciaries will face annual audits and risk assessments, while consent managers must retain proof of permissions for at least seven years or longer if required. Additionally, the Data Protection Board must complete inquiries within six months with no extensions, making compliance more measurable and time-bound.

Data handling touchpoints of the IP&C sector

Personal data within IP&C organisations is spread across multiple systems and workflows, despite the sector traditionally not being viewed as data-intensive.

Key touchpoints include Human Resource Management Systems (HRMS) containing employee and contractor records such as payroll, training, health and insurance data; closed-circuit television footage, biometric attendance logs, access registers and visitor records from factories and project sites. It also includes vendor and subcontractor information, including PAN details, bank information, contact numbers and KYC documents.

Customer portals are used for annual maintenance contract (AMC) tickets, warranty support and remote diagnostics, and they store personal details of customer engineers. Industrial Internet of Things dashboards link machine identifiers with operators, timestamps and site information. Additionally, digital processes support government-linked schemes where the company may act as a data processor.

The big question: How will the change present itself on the ground?

The impact will not be limited to IT teams or legal departments. DPDP obligations will translate into operational changes across plants and projects.

Surveillance and site systems: Under Rule 6, CCTV feeds, biometric attendance data, and digital registers are classified as personal data. These systems now require encryption, access restrictions and one-year retention of access logs. A stolen hard drive, leaked attendance sheet or compromised DVR becomes a reportable breach under Rule 7, requiring notification to affected individuals and the Board.

HR and labour management: Under Rule 3, every worker must receive a clear privacy notice explaining what data is collected and for what purpose. Under Rule 14, workers must be able to view and correct their information, raise grievances, and assign nominees. This requires rethinking onboarding forms, site gate passes, training logs, medical reports, and labour rosters.

The sector must also define responsibility between principal employers and subcontractors. Contracts must specify who the data fiduciary is, who the processor is, who handles rights requests, and who is liable in the event of a breach.

Regulated personal data: Vendor and subcontractor contact information, often stored in shared folders or spreadsheets, is now regulated personal data. Organisations must issue notices explaining the purpose, define retention periods, and enable access or correction requests.

Digital platforms: Original equipment manufacturers offering connected services, such as remote equipment monitoring, diagnostic dashboards or predictive maintenance, may cross thresholds that classify them as significant data fiduciaries.

If so, annual data protection impact assessments (DPIAs), audits and oversight of automated systems that influence workers and technicians become mandatory.

No open-ended data storage: The industry has historically stored data indefinitely, often without clearly defined retention rules. Under Rule 8, data must be erased after its purpose is complete unless another law requires longer storage.

Organisations must distinguish between personal data and technical project data and accurately track retention timelines. Additionally, companies must notify individuals 48 hours before data deletion. This requires systems that can flag, review, and execute these obligations without manual effort.

Cross-border data transfers: Rule 15 allows cross-border transfers unless specifically restricted. Multinational companies using global HRMS platforms, centralised Enterprise Resource Planning systems or overseas support centres must map which personal data leaves India, under which workflows and to which jurisdictions.

Construction site practices: The biggest challenge will arise at project sites, where practices such as using paper registers, sharing computers, transferring files via USB and using WhatsApp lists are standard. Such approaches are difficult to justify under DPDP, which assumes structured access controls and auditable systems.

Change in contracts: Standard Engineering, Procurement and Construction contracts will need to reflect defined roles, breach timelines, audit provisions, cross-border positions and deletion commitments. Commercial discussions will encompass data responsibilities, technical delivery and pricing.

Conclusion

With the DPDP Rules, 2025, personal data management becomes a frontline responsibility for IP&C companies. Compliance will require process redesign, better digital infrastructure, and new contractual frameworks. Organisations that begin early and treat data governance as an operational discipline will be better prepared to meet regulatory expectations and maintain trust across their workforce, partners, and customers.

(The authors are Partners, Deloitte India. Views are personal.)