DPDP 2023 Compliance for Builders: The ₹250 Crore Liability Explained
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 (DPDPA) is India's first comprehensive data privacy law, passed by Parliament in August 2023. The implementing Rules were notified on November 13, 2025, making the full compliance framework effective.
The Act governs how organisations collect, store, process, and share personal data — defined as any data that can directly or indirectly identify a living individual. For a real estate developer, this covers virtually every data point you hold about homebuyers: their names, PAN, Aadhaar, bank account details, mobile numbers, email addresses, income disclosures, and loan information.
The Act creates two primary roles. The Data Fiduciary is the entity that determines why and how personal data is processed — that is you, the developer. The Data Processor processes data on behalf of the Fiduciary — platforms like ReraDesk, your CRM vendor, or your escrow bank's software system.
Does DPDP apply to real estate developers?
Yes — unambiguously. The Act covers any entity that processes digital personal data of Indian residents, regardless of industry. Real estate developers collect some of the most sensitive personal data in the economy:
- Identity data: Full name, PAN, Aadhaar (last 4 digits), passport, voter ID — collected for KYC under PMLA 2002
- Financial data: Bank account numbers, income range, home loan sanction letters, EMI schedules — collected for AoS execution and home loan NOC
- Contact data: Mobile number, email, residential address, WhatsApp — used for progress updates and OC handover
- Marketing data: Site visit dates, broker attribution, campaign click IDs — used for sales attribution
- Nominee and co-applicant data: Spouse or co-buyer personal details — collected during booking
Every homebuyer whose data you hold is a Data Principal under the Act. They have legally enforceable rights against you — including the right to access their data, correct it, withdraw consent, and demand erasure.
The penalty structure
The DPDPA introduces a tiered penalty structure administered by the Data Protection Board of India (DPBI). Penalties are civil, not criminal — but the amounts are serious:
| Violation | Maximum penalty |
|---|---|
| Failure to implement reasonable security safeguards — leading to data breach | ₹250 Crore |
| Failure to notify DPBI of breach within 72 hours | ₹200 Crore |
| Processing children's data without parental consent / age verification | ₹200 Crore |
| Failure to fulfil Data Principal rights requests (access, correction, erasure) | ₹50 Crore |
| Failure to register as Significant Data Fiduciary (if applicable) | ₹50 Crore |
| Minor violations / procedural non-compliance | ₹10,000 – ₹10 Crore |
These are per-incident penalties. A developer who suffers a breach affecting 500 homebuyers and fails to notify within 72 hours faces two separate grounds of penalty — potentially ₹450 Crore in combined exposure.
Your five core obligations as a Data Fiduciary
1. Collect data only with valid consent
You cannot process a homebuyer's personal data unless you have a valid legal basis. For most of the data you collect, that basis is either contractual necessity (data needed to execute the AoS) or explicit consent (data for marketing communications). The Act requires consent to be:
- Free — not bundled as a non-negotiable condition of the booking
- Specific — tied to a clearly stated purpose
- Informed — the buyer must understand what they are consenting to
- Unambiguous — active opt-in, not pre-ticked boxes
- Withdrawable — the buyer can withdraw consent at any time
In practice, this means every homebuyer interaction must be preceded by a clear data notice, and marketing communications require explicit opt-in. Verbal assurances do not meet the standard — you need a timestamped, auditable consent record.
2. Publish a clear privacy notice
You must provide every Data Principal with a notice that explains: what data you collect, why you collect it, how long you retain it, who you share it with, and how they can exercise their rights. The notice must be in plain language — not legal boilerplate. If you deal with homebuyers in languages other than English, the notice should be available in their preferred language.
3. Implement security safeguards
The Act requires "reasonable security safeguards" — a standard that DPBI will interpret in context. At minimum, for a real estate developer this means:
- Encrypted storage for all homebuyer personal data (AES-256 at rest, TLS 1.3 in transit)
- Access controls — only authorised personnel can view buyer PAN, bank details, Aadhaar
- Data minimisation — do not collect data you do not need
- Vendor contracts — all platforms you share data with must have Data Processing Agreements (DPAs)
- Incident response plan — a documented procedure for what to do if data is compromised
4. Respond to Data Principal rights requests
Homebuyers have the right to: access a summary of their data, correct inaccurate data, nominate a person to exercise rights on their behalf, raise grievances with your Data Protection Officer, and withdraw consent and request erasure of data you are not legally required to retain.
You must respond to access and correction requests within 30 days. You must have a designated Data Protection Officer (or contact) who can be reached easily. Ignoring rights requests is itself a violation.
5. Notify DPBI within 72 hours of a breach
This is the most operationally demanding obligation. If you suffer a personal data breach — whether through a cyberattack, an accidental email to the wrong recipient, or a CRM export that ends up in the wrong hands — you must notify the Data Protection Board of India within 72 hours of discovery. You must also notify affected Data Principals (homebuyers) in a manner specified in the Rules.
Where DPDP and RERA intersect
RERA and DPDP create overlapping obligations around the same homebuyer data. This is not accidental — RERA mandated disclosure and transparency; DPDP now mandates how that disclosed data must be protected. The intersection creates practical implications:
| Data type | RERA obligation | DPDP obligation |
|---|---|---|
| Buyer PAN and Aadhaar | Collect for KYC (PMLA) | Encrypt, limit access, retain only as long as legally required |
| Bank account details | Required for AoS and refund processing | Cannot share with third parties without consent; must delete after legal retention period |
| Marketing contact details | Not required by RERA — discretionary | Requires explicit consent; must honour withdrawal |
| Site visit and broker attribution | Not required by RERA | Legitimate interest basis permissible — but must be disclosed in privacy notice |
| Progress update communications | Required by RERA §11 | Contractual necessity basis — consent not strictly required, but data handling must still be secure |
The practical challenge: RERA forces you to collect and use homebuyer data extensively. DPDP now requires that every use of that data is lawful, secure, and documented. Builders who assumed RERA compliance covered their data obligations are now exposed on a second front.
Practical compliance steps for builders
1. Conduct a data mapping exercise. List every category of personal data you hold, where it is stored, who has access to it, how long you keep it, and which vendors you share it with. This is the foundation of every other compliance step.
2. Implement a consent collection mechanism. For every new booking, collect written or digital consent before processing marketing data. Use a simple two-page consent form covering: identity data (contractual necessity), financial data (contractual necessity), marketing communications (explicit consent), and site analytics (explicit consent).
3. Appoint or designate a Data Protection Officer. This does not need to be a full-time role. Your CA, legal counsel, or a senior employee can be designated. Publish their contact details on your RERA project page and website.
4. Review and sign DPAs with all vendors. Every vendor who processes homebuyer data on your behalf — your CRM, your CA's software, your escrow bank's platform — must have a Data Processing Agreement in place. Without it, you remain liable for their handling of your buyers' data.
5. Build a breach response playbook. Document what happens in the first 72 hours after a suspected breach is discovered: who is notified, who makes the DPBI notification, what information is included in the notification, and how affected homebuyers are contacted.
6. Set up a data retention and deletion schedule. Map each data category to its legal retention requirement. KYC data under PMLA must be retained for 5 years post-relationship; GST-related records for 7 years; marketing opt-in data until consent is withdrawn. Everything else should be deleted on schedule.
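The retention schedule in step 6 interacts with the erasure right from obligation 4: a buyer can demand erasure only of data you are not legally required to retain, so the deletion logic must know each category's retention period before it acts on a request. The following is an added illustration, not the guide's own tooling or any vendor's code; it uses the three retention periods the guide states (KYC 5 years and GST records 7 years from the end of the relationship, marketing data until consent is withdrawn), and the buyer IDs, dates and category names are constructed sample values.

```python
"""Added example: a retention-aware erasure decision per data category.
Retention periods are those stated in the guide; all records below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Years of retention counted from the end of the buyer relationship.
# None means the data is kept only while consent is active (marketing opt-in).
RETENTION_YEARS = {
    "kyc": 5,           # PMLA retention, per the guide
    "gst_records": 7,   # GST-related records, per the guide
    "marketing": None,  # until consent is withdrawn
}


@dataclass
class Record:
    buyer_id: str
    category: str
    relationship_end: Optional[date]  # None while the relationship is still live
    consent_active: bool = True


def _add_years(d: date, n: int) -> date:
    """Shift a date by n years, falling back to 28 Feb for a 29 Feb start."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def retention_deadline(rec: Record) -> Optional[date]:
    """Date after which the record may be deleted, or None if not yet determinable."""
    years = RETENTION_YEARS.get(rec.category)
    if years is None or rec.relationship_end is None:
        return None
    return _add_years(rec.relationship_end, years)


def erasure_decision(rec: Record, today: date, erasure_requested: bool) -> str:
    """'delete'  - schedule has run out or consent is withdrawn
       'hold'    - erasure was requested but the legal retention period is still running
       'keep'    - nothing requires deletion yet"""
    if rec.category not in RETENTION_YEARS:
        # An unmapped category is a data-mapping gap (step 1); refuse rather than guess.
        raise ValueError(f"unmapped data category {rec.category!r}")
    if RETENTION_YEARS[rec.category] is None:
        return "delete" if (not rec.consent_active or erasure_requested) else "keep"
    deadline = retention_deadline(rec)
    if deadline is not None and today >= deadline:
        return "delete"
    return "hold" if erasure_requested else "keep"


def run_schedule(records, today: date, erasure_requests) -> list:
    """Apply the schedule to every record; returns (buyer_id, category, decision)."""
    return [
        (r.buyer_id, r.category, erasure_decision(r, today, r.buyer_id in erasure_requests))
        for r in records
    ]


def demo():
    today = date(2025, 12, 1)  # constructed "run date"
    records = [
        Record("HB-0001", "kyc", date(2019, 6, 30)),             # 5 years elapsed
        Record("HB-0002", "kyc", date(2023, 3, 15)),             # still inside 5 years
        Record("HB-0002", "marketing", None, consent_active=False),
        Record("HB-0003", "gst_records", None),                  # relationship live
    ]
    return run_schedule(records, today, erasure_requests={"HB-0002"})


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point the example makes is the `hold` outcome: HB-0002 asked for erasure, their marketing data goes straight to the deletion queue, but their KYC record stays until 2028 because PMLA retention overrides the request. Logging that outcome, with the reason, is what lets you answer the buyer within the 30-day window without either over-deleting or ignoring the request.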
How ReraDesk addresses DPDP for builders
ReraDesk is designed as a Data Processor, not a Data Fiduciary. We process homebuyer data only on your instruction and under a Data Processing Agreement. The platform includes built-in DPDP compliance tooling:
- Consent Vault: Generate per-buyer consent URLs, track consent status (active / withdrawn / pending), and handle withdrawal requests that trigger erasure queuing.
- Data Map: Pre-built data mapping across six categories (Identity, Contact, Financial, Site Visit, Preferences, Marketing) with legal basis and retention periods for each.
- Notice Generator: Generate a DPDPA §7 compliant consent notice in plain language for each project, customised with your RERA number and DPO contact.
- Breach Simulator: Walk through the 6-step 72-hour breach response protocol to train your team and test your incident response before a real incident occurs.
- SHA-256 audit trail: Every data access and processing event is timestamped and immutable — admissible under §65B IT Act 2000 for DPBI investigations.
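Two of the guide's requirements meet in one data structure: obligation 1 says a consent record must be timestamped and auditable, and the audit-trail bullet above says every access and processing event should be timestamped and immutable. The following is an added illustration of how a SHA-256 hash chain gives a plain append-only log that tamper evidence; it is not ReraDesk's implementation and makes no claim about how the Consent Vault or audit trail are built. The buyer ID, actors and timestamps are constructed sample values.

```python
"""Added example: a consent/access ledger where each entry's SHA-256 covers the
previous entry's hash, so editing or reordering any past entry breaks the chain."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # constructed sentinel "previous hash" for the first entry


def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps({"prev": prev_hash, **entry}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(ledger: list, buyer_id: str, purpose: str, action: str,
                 actor: str, at: Optional[str] = None) -> dict:
    """Record a consent or access event and link it to the previous entry."""
    entry = {
        "buyer_id": buyer_id,
        "purpose": purpose,   # e.g. "marketing", "kyc"
        "action": action,     # "granted", "withdrawn", "accessed"
        "actor": actor,       # who performed the action
        "at": at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry["hash"] = _digest(prev, entry)
    ledger.append(entry)
    return entry


def verify_chain(ledger: list):
    """Recompute every link. Returns (True, -1) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _digest(prev, body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def consent_status(ledger: list, buyer_id: str, purpose: str) -> str:
    """Latest granted/withdrawn event wins; no event at all means 'pending'."""
    status = "pending"
    for e in ledger:
        if e["buyer_id"] == buyer_id and e["purpose"] == purpose:
            if e["action"] == "granted":
                status = "active"
            elif e["action"] == "withdrawn":
                status = "withdrawn"
    return status


def demo():
    ledger = []
    append_event(ledger, "HB-0001", "marketing", "granted", "booking-desk", "2025-11-20T09:15:00+00:00")
    append_event(ledger, "HB-0001", "kyc", "accessed", "finance-team", "2025-11-21T11:02:00+00:00")
    append_event(ledger, "HB-0001", "marketing", "withdrawn", "buyer-portal", "2025-12-02T17:40:00+00:00")
    ok_before = verify_chain(ledger)[0]
    status = consent_status(ledger, "HB-0001", "marketing")

    # Simulate someone quietly rewriting history to undo the withdrawal.
    tampered = [dict(e) for e in ledger]
    tampered[2]["action"] = "granted"
    ok_after, bad_index = verify_chain(tampered)
    return ok_before, status, ok_after, bad_index


if __name__ == "__main__":
    print(demo())  # (True, 'withdrawn', False, 2)
```

A hash chain alone only proves that the log you are looking at is internally consistent; an attacker who can rewrite the whole file can recompute every hash. In practice the latest hash is periodically copied somewhere the application cannot overwrite (a write-once store, a separate log system, or a signed timestamp), so that the copy anchors the chain. The consent status function also shows why the record has to be event-based rather than a single flag: a withdrawal on 2 December must be provable against a marketing message sent on 3 December.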
What to do in the next 90 days
| Timeline | Action | Priority |
|---|---|---|
| Immediately | Conduct data mapping — list all personal data categories and current storage | Critical |
| Within 30 days | Designate a DPO and publish contact details | Critical |
| Within 30 days | Review and update booking forms to include DPDPA-compliant consent notice | Critical |
| Within 45 days | Sign DPAs with all vendors holding homebuyer data | High |
| Within 60 days | Build breach response playbook and test it with your team | High |
| Within 90 days | Implement digital consent collection system for all new bookings | High |
| Ongoing | Respond to Data Principal rights requests within 30 days | Mandatory |
This guide is based on the DPDPA 2023 and DPDP Rules 2025 as notified. DPBI enforcement guidelines may be issued subsequently and could modify compliance requirements. This is not legal advice. Consult a qualified data privacy counsel for advice specific to your organisation and project portfolio.