DPDPA medtech privacy compliance India analysis

India’s medical devices sector has become an important pillar of the healthcare ecosystem. Traditionally, medical devices were understood as physical products used for diagnosis, monitoring, or treatment. Today, however, the medtech ecosystem extends far beyond hardware. It includes telemedicine platforms, AI-enabled diagnostic tools, wearable health devices, remote monitoring systems, and software embedded into medical equipment.

In India, the medical devices sector is regulated by the Central Drugs Standard Control Organisation (CDSCO) under the Drugs and Cosmetics Act, 1940 (the Act) and the Medical Device Rules, 2017. Unlike many jurisdictions where pharmaceuticals and medical devices are regulated separately, India classifies medical devices as “drugs” under Section 3(b) of the Act.

The sector is also witnessing rapid growth. India’s medtech market is expected to reach nearly USD 12 billion by 2030.[1] At the same time, the nature of medical devices is changing rapidly. Earlier, devices such as ECG machines were standalone systems located within hospitals or clinics. Today, the same functions are performed through connected wearables such as smartwatches and remote monitoring devices. These systems continuously collect, process, and transmit health data across applications, cloud servers, software providers, hospitals, and device manufacturers.

This transformation has made medtech a significant processor of personal data, particularly sensitive health-related data. Under the Digital Personal Data Protection Act, 2023 (DPDPA), “personal data”[2] means any data through which a living individual can be identified. Digitised healthcare systems allow caregivers to analyse and share patient data more efficiently. This reduces cost, but it also generates voluminous amounts of personal data. The increased connectivity also increases risk: connected devices, hospital networks, legacy systems, and third-party software integrations create multiple points of vulnerability for cyberattacks and unauthorised access to patient information, as noted in a report published by Philips.[3]

The issue becomes even more important considering India’s dependence on imported medical devices, which currently account for nearly 70–80 per cent of the sector. Many devices transmit data across jurisdictions or rely on foreign software infrastructure, creating additional compliance and cybersecurity considerations. Under Section 16 of the DPDPA,[4] personal data may be transferred outside India subject to any orders (general or special) of the Central Government.[5] The medtech industry needs to be cognisant of any restrictions or legal conditions imposed by the Central Government under this provision.

DPDPA and the medtech sector

The DPDPA introduces a new layer of compliance obligations for the med-tech ecosystem. The law provides for financial penalties of up to INR 250 crores for certain contraventions. Given the volume and sensitivity of health data processed by med-tech entities, compliance will become a major operational requirement.

One of the key obligations under the DPDPA is notice and consent management.[6] Medtech entities processing patient information must ensure that valid consent mechanisms exist before personal data is processed or shared. In cases where device manufacturers or software providers do not directly collect patient information, formal data processing agreements with hospitals and healthcare providers become important. These agreements should clearly address issues such as cross-border data transfers, grievance redressal, retention timelines, and management of data principal rights.

Another major requirement relates to reasonable security safeguards.[7] Since medical devices are increasingly connected to networks, manufacturers and operators must implement strong technical protections within devices and software systems. Encryption, masking, tokenisation, secure authentication systems, access controls, backup mechanisms, and logging systems are becoming essential.[8] In many cases, cybersecurity and privacy compliance are now overlapping obligations.

The DPDPA also increases the importance of Data Protection Impact Assessments (DPIAs).[9] DPIAs help organisations assess the necessity, proportionality, and risks involved in personal data processing activities. Since medtech devices routinely process sensitive health information, a DPIA can play an important role in identifying privacy risks arising from connected devices, cloud integrations, AI tools, and cross-border transfers of patient information.

Perhaps the most important concept for the medtech industry is Privacy by Design (PbD). The medtech ecosystem is composed of both tangible and intangible products, and adherence to PbD principles will help these entities ensure compliance with the DPDPA.

PbD is built around seven foundational principles:[10]

1. proactive not reactive,

2. privacy as the default setting,

3. privacy embedded into design,

4. full functionality without unnecessary trade-offs,

5. end-to-end security,

6. visibility and transparency,

7. respect for user privacy.

These principles are particularly relevant in healthcare technology because devices continuously process highly sensitive information. For example, a wearable heart-monitoring device may analyse ECG data locally on the device and only transmit summarised alerts or insights to the cloud, instead of continuously transferring raw identifiable health information. Embedding privacy into the product itself can significantly reduce privacy risks.
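The wearable example above, together with the safeguards listed earlier (masking, tokenisation, logging), can be made concrete in code. The following is an added illustration, not code from the article or from any product the author describes: a simulated on-device analysis loop that computes heart rate from RR intervals locally, transmits only a summarised finding under a keyed pseudonym, keeps raw samples and the real identifier on the device, and masks the identifier in local logs. The device key, the clinical thresholds and the sample data are constructed assumptions for demonstration only.

```python
import hmac
import hashlib
import json
import statistics

# Assumption for this example: a device-held key used to pseudonymise the patient
# identifier before anything leaves the device. On a real device this would live in
# secure storage, never in source code.
DEVICE_PSEUDONYMISATION_KEY = b"example-device-key-not-for-production"

# Illustrative thresholds only; not clinical guidance.
BRADYCARDIA_BPM = 50
TACHYCARDIA_BPM = 120


def tokenise_patient_id(patient_id: str, key: bytes = DEVICE_PSEUDONYMISATION_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) for a patient identifier.

    The cloud side can correlate windows from the same subject, but without the
    device key it cannot reverse the token or link it to the real identifier.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_patient_id(patient_id: str) -> str:
    """Mask an identifier for on-device logs: keep only the last three characters."""
    if len(patient_id) <= 3:
        return "*" * len(patient_id)
    return "*" * (len(patient_id) - 3) + patient_id[-3:]


def heart_rate_from_rr(rr_intervals_ms) -> float:
    """Mean heart rate in bpm from RR intervals in milliseconds (computed locally)."""
    if not rr_intervals_ms:
        raise ValueError("no RR intervals in window")
    return 60000.0 / statistics.mean(rr_intervals_ms)


def summarise_window(patient_id: str, rr_intervals_ms, window_end: str) -> dict:
    """Analyse one window on the device and build the minimal payload to transmit.

    Only a pseudonym, the window timestamp (ISO-8601 string) and derived findings
    are included; raw samples and the real identifier are deliberately omitted.
    """
    bpm = round(heart_rate_from_rr(rr_intervals_ms))
    if bpm < BRADYCARDIA_BPM:
        finding = "bradycardia"
    elif bpm > TACHYCARDIA_BPM:
        finding = "tachycardia"
    else:
        finding = "normal"
    return {
        "subject_token": tokenise_patient_id(patient_id),
        "window_end": window_end,
        "mean_bpm": bpm,
        "finding": finding,
        "sample_count": len(rr_intervals_ms),
    }


def alerts_for_upload(patient_id: str, windows) -> list:
    """Return only the windows that warrant an alert, ready for upload.

    `windows` is a list of (rr_intervals_ms, window_end) pairs. Normal windows
    never leave the device; alerts are logged with a masked identifier.
    """
    out = []
    for rr, ts in windows:
        summary = summarise_window(patient_id, rr, ts)
        if summary["finding"] != "normal":
            out.append(summary)
            print(f"alert for subject {mask_patient_id(patient_id)}: "
                  f"{summary['finding']} at {summary['mean_bpm']} bpm")
    return out


if __name__ == "__main__":
    # Constructed sample: three windows of RR intervals (ms) for one subject.
    patient = "PAT-000123"
    windows = [
        ([800, 820, 790, 810], "2026-01-01T00:00:10+00:00"),  # ~75 bpm, normal
        ([450, 440, 460, 455], "2026-01-01T00:00:20+00:00"),  # ~133 bpm, tachycardia
        ([1300, 1250, 1280], "2026-01-01T00:00:30+00:00"),    # ~47 bpm, bradycardia
    ]
    print(json.dumps(alerts_for_upload(patient, windows), indent=2))
```

The design point is that minimisation is enforced by construction: the upload payload is built from derived values only, so a change elsewhere in the code cannot accidentally leak raw ECG samples without touching `summarise_window`, and the HMAC pseudonym keeps re-identification dependent on a key that never leaves the device.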

As per the Central Government Notification dated 14 November 2025, the DPDPA is in force. Data fiduciaries will need to achieve compliance with the DPDPA by 14 May 2027.[11] The term data fiduciary[12] means those entities which decide the means and purposes of processing of personal data. It includes medtech product manufacturers, hospitals, software providers, health-tech platforms, cloud operators, etc.

Voluntary standards and best practices

Apart from statutory compliance, there are also voluntary standards that can strengthen privacy and cybersecurity governance within the sector.

1. One such standard is IS/ISO[13] 27701:2025, which relates to Privacy Information Management Systems (PIMS). The standard helps organisations establish and maintain structured privacy governance frameworks and is relevant for both device manufacturers and healthcare institutions.

2. Another important standard is ISO 42001:2023 relating to Artificial Intelligence Management Systems. As AI tools become increasingly integrated into diagnostics, imaging, remote monitoring, and clinical decision-making, structured governance of AI systems is becoming increasingly important.

Conclusion

The medtech industry is no longer limited to standalone medical equipment. It has evolved into a connected digital ecosystem where devices, software, cloud infrastructure, and patient data constantly interact with one another.

With the enforcement of the DPDPA, the sector will now need to view privacy compliance as a core operational requirement rather than merely a legal obligation. Manufacturers, hospitals, software providers, and platform operators will all need to reassess how health data is collected, transferred, stored, and secured.

As healthcare becomes increasingly data-driven, privacy, cybersecurity, and product design will become central to the future of the medtech industry in India.


*Tech Lawyer, Senior Manager, Legal and Regulatory Affairs, K&S Digiprotect Services Pvt. Ltd. Author can be reached at: adv.amanvarma@gmail.com.

1. Suresh Subramanian, “India’s MedTech Transformation: Paving the Path to Global Leadership” EY India Report (26-11-2024), available at <https://www.ey.com/en_in/insights/health/india-s-medtech-transformation-paving-the-path-to-global-leadership>.

2. DPDPA, 2023, S. 2(t) “Definitions”.

3. Philips whitepaper, “Cyberattacks — A Threat to Patient Safety”, available at <https://www.documents.philips.com/assets/20250401/c1e7bc3723844132b0b8b2b20138a080.pdf>.

4. DPDPA, S. 16 “Cross border transfer of personal data”.

5. DPDP Rules, 2025, R. 15 “Transfer of personal data outside the territory of India”.

6. DPDPA, Ss. 5 “Notice” and 6 “Consent”.

7. DPDPA, S. 8(5) “General obligations of data fiduciaries”.

8. DPDP Rules, 2025, R. 6 “Reasonable security safeguards”.

9. DPDPA, S. 10 “Obligations of significant data fiduciaries”.

10. These principles were developed in the early 1990s by Ann Cavoukian, former Information and Privacy Commissioner of Ontario, available at <https://share.google/ZAB2kbsdGMDlxi4X8>, last accessed 12-5-2026.

11. Press Release, DPDP Rules, 2025 Notified A Citizen-Centric Framework for Privacy Protection and Responsible Data Use (17-11-2025), available at <https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655&reg=3&lang=2>.

12. DPDPA, S. 2(i) “Definitions”.

13. Indian Standard/International Organization for Standardization.
