In 2026, data is no longer just an asset; it is a legal responsibility. With the full enforcement of India’s Digital Personal Data Protection Act (DPDPA), the landscape of market research has shifted from “collect all you can” to “collect only what is consented to.”
For organisations conducting surveys in India, compliance is no longer optional; it is a prerequisite for trust and operational continuity. In this guide, we explore how to navigate the DPDPA using QuestionPro’s India-first compliance suite.
1. The Power of the “Notice of Purpose”
Under Section 5 of the DPDPA, every survey must be preceded by a clear, itemised notice. You can no longer bury data usage terms in a 20-page “Terms and Conditions” document.
Using QuestionPro’s personalised headers, researchers can present a standalone notice that details:
- The specific categories of personal data being collected.
- The explicit purpose of the research.
- How respondents can exercise their rights to withdraw or delete their data.
- Contact details for your Grievance Redressal Officer.
2. Implementing Affirmative Consent
The era of pre-ticked boxes and “implied consent” is officially over. The DPDPA mandates that consent must be free, specific, informed, unconditional, and unambiguous.
QuestionPro allows you to build “Affirmative Action” workflows. This means respondents must manually check a box or click a specific “I Agree” button after reviewing the notice.
Furthermore, the platform maintains a verifiable log of consent, providing you with an audit trail that includes timestamps and the exact version of the notice the respondent agreed to.
3. Sovereign Data: The India Data Centre
A major pillar of the 2026 regulatory environment is data residency. While the DPDPA allows some cross-border transfers, many highly regulated industries like BFSI, healthcare, and government sectors now mandate that personal data stay within Indian borders.
To address this, QuestionPro launched a dedicated India Data Centre. This ensures that all respondent data, from collection to analysis, resides physically on servers in India. This localised hosting eliminates cross-border legal friction and provides the “sovereignty” that internal audit teams now demand.
4. Enabling “Right to Erasure” and Data Portability
The DPDPA empowers Indian citizens (data principals) with the right to access, correct, and erase their data. If a respondent completes your survey but later decides they want their information removed, your system must be able to comply “within a reasonable time”.
QuestionPro’s automated data subject rights (DSR) portal allows respondents to submit requests for data deletion or correction directly. This reduces the manual burden on your Data Protection Officer (DPO) and ensures you remain compliant with Section 12 of the Act.
5. Protecting the “Digital Child”
The DPDPA is particularly strict regarding users under 18. Processing a child’s data requires verifiable parental consent and prohibits any tracking or behavioural monitoring that could be detrimental to their well-being.
When conducting youth-focused research, use QuestionPro’s age-gating and parental verification workflows. These tools ensure that you are not just checking a box but actively verifying the guardian’s authority before any personal data is processed.
DPDPA Compliance Checklist for 2026
| Requirement | Traditional Survey Setup | DPDPA-Compliant Setup |
| Data Hosting | Global/AWS US-East | Local India Data Centre |
| Consent Type | Pre-ticked / Bundled | Affirmative / Granular |
| Privacy Notice | Link in Footer | Standalone Itemized Header |
| Language | English Only | Multilingual (22 Scheduled Languages) |
| Data Erasure | Manual/Email Request | Automated DSR Portal |
Is your research strategy ready for the 2026 audit?
Book a demo with QuestionPro’s Indian team
Frequently Asked Questions (FAQs)
Answer: To conduct DPDPA-compliant surveys, you must provide a clear “Notice of Purpose” before collection, obtain explicit (non-bundled) consent, and ensure data is stored securely. Using a platform like QuestionPro that offers local India data residency and automated consent logging is essential for meeting the 2026 legal standards.
Answer: Non-compliance with the DPDPA can lead to significant financial penalties, with fines reaching up to ₹250 crore for failing to take “reasonable security safeguards” to prevent data breaches. For research involving children, fines can go up to ₹200 crore for non-fulfillment of protective obligations.
Answer: While the Act allows cross-border transfers to certain notified jurisdictions, many Indian enterprises and government bodies now require local data residency as a primary security measure. Using an India-based data centre, like the one offered by QuestionPro, ensures you meet both the legal minimum and the higher security standards of the BFSI and public sectors.
Answer: The “Right to Erasure” means you must delete a respondent’s personal data once the purpose is fulfilled or consent is withdrawn. Modern survey platforms provide “Data Subject Rights” portals where respondents can independently request the deletion of their records, which then triggers an automated purge across your database and any third-party processors.
Ensuring DPDPA compliance isn’t just about avoiding fines; it’s about building a foundation of trust with the Indian public. By respecting privacy today, you ensure the integrity of your insights tomorrow.
