This report examines what that means for market research agencies and the brands that commission research in India, the liability every leader is carrying right now, and why QuestionPro is the only research platform purpose-built for this new reality.
India's market research industry and the brands that commission research have both operated for decades under a framework of implied consent, indefinite data retention, and flexible data sharing. That era is over. The Digital Personal Data Protection Act, 2023 (DPDPA), is not a consultation paper or a draft framework. It is the law of the land, signed by the President of India on August 11, 2023, with implementation rules notified in November 2025 and full enforcement of core obligations locked in for May 13, 2027.
For research agency leaders, this is not a compliance team problem to be delegated. For brand leaders, this is not a procurement team problem to ignore. This is an existential risk sitting on the desk of every CEO in this industry, on both sides of the research relationship. The Act imposes penalties of up to ₹250 crore per instance of violation. It gives the Data Protection Board quasi-judicial powers equivalent to a civil court. It grants every survey respondent the legal right to demand deletion of their data, the right to know who you shared it with, and the right to complain directly to a regulatory body if you fail them.
Critically, the Act holds the data fiduciary personally responsible for the compliance of every platform and vendor it uses. For a research agency, that means your survey platform. For a brand commissioning research, that means your agency. The liability travels the entire supply chain.
The belief that DPDPA compliance is a future concern, whether you are a research agency or a brand. The Act is in force now. The board is constituted now. Respondents can file complaints now. Agencies that wait for the May 2027 deadline risk becoming the Board's earliest enforcement examples. Brands that continue commissioning research through non-compliant agencies are absorbing that liability into their own supply chains right now.
This report does three things. It explains precisely what DPDPA demands from both market research agencies and brands, in plain language that cuts through legal complexity. It maps the gap between what most organisations currently do and what the law now requires. And it makes an evidence-based case for why QuestionPro is the only research platform that has built DPDPA compliance into its architecture at the depth this law demands, for agencies and brands alike.
This is not about which platform has a privacy policy page. This is about which platform can prove consent was obtained, execute deletion on demand, manage parental consent for youth research, confine data to Indian servers, and produce an audit trail that will satisfy the Data Protection Board. Right now, only one platform can do all of that. That platform is QuestionPro.
DPDPA 2023 rests on a nine-judge Supreme Court ruling from 2017, Justice K.S. Puttaswamy v. Union of India, which unanimously declared the right to privacy a fundamental right under Article 21 of the Constitution.
That ruling established that informational self-determination, the right of every Indian citizen to control what is collected and known about them, is a constitutional guarantee. DPDPA is the statutory embodiment of that guarantee.
What this means for research agencies and brands alike is profound: you are not merely dealing with a data regulation. You are dealing with a constitutional right.
Violating DPDPA is not a technicality. It is an infringement of a fundamental right that the highest court in India has placed alongside the right to life.
Section 3 of the Digital Personal Data Protection Act (DPDPA) is intentionally broad in scope. The law applies to any organisation that processes digital personal data within India, regardless of whether the organisation itself is based in India or abroad. In addition, it extends to organisations located outside India if they process personal data in connection with offering goods or services to individuals in India.
This extraterritorial scope means that companies cannot avoid compliance simply by hosting data or operating their platforms outside the country. If the data belongs to Indian residents and the processing is linked to services, products, or interactions with Indian users, the Act applies.
Importantly, the DPDPA does not provide exemptions based on company size, sector, or operational scale. A small research agency, a SaaS platform, a multinational enterprise, and a startup collecting survey responses are all equally within scope if they process digital personal data. There is also no carve-out for market research, analytics, or consumer insight activities, even when the data is collected for statistical or research purposes.
For example, if a global consumer brand conducts a customer satisfaction survey targeting Indian consumers, the brand itself becomes a data fiduciary under the Act. At the same time, any research agency, survey platform, analytics vendor, or panel provider involved in collecting or processing that data may also fall within the regulatory framework. Compliance responsibility therefore becomes shared across the entire data processing chain, not just the organisation that directly interacts with the respondent.
In practice, this means that both the brand commissioning the research and the platform executing it must ensure lawful consent, purpose limitation, secure storage, and clear mechanisms for withdrawal and data erasure. The geographic location of servers, vendors, or research partners does not remove this obligation when Indian personal data is involved.
| Term | Legal Definition | What It Means for Agencies and Brands |
|---|---|---|
| Data Principal | The individual whose data is being processed | Every survey respondent, panellist, interviewee, and focus group participant. Both the agency and the commissioning brand owe obligations to this person. |
| Data Fiduciary | The organisation that decides why and how personal data is processed | The research agency is a data fiduciary for all data it collects. The brand is also a data fiduciary for any respondent data it receives, uses, or stores. Both carry independent liability. |
| Data Processor | A third party processing data on behalf of the Fiduciary under contract | The survey platform is the agency's data processor. The agency can become the brand's data processor if contracted to handle data on the brand's behalf. The chain of liability runs through all of them. |
| Personal Data | Any data about an individual who is identifiable from it | Names, emails, phones, ages, opinions, survey responses, IP addresses, voice recordings, videos, and demographics. Every data point in every research project run by or for your organisation. |
| Personal Data Breach | Any unauthorised access, disclosure, sharing, loss or destruction of personal data | A leaked respondent database. An agency emailing raw data to the wrong brand contact. A brand's analytics team accidentally exposing a research dataset. All breaches require mandatory notification. |
Section 4 of the DPDPA permits processing personal data on exactly two grounds. Not six grounds like the GDPR. Two. This eliminates the flexible 'legitimate interests' basis that many organisations have relied upon, and it is the single most commercially disruptive aspect of the Act for both research agencies and the brands they serve.
Consent is the default and primary ground. Under Section 6(1), valid consent must be simultaneously freely given, specific to a defined purpose, informed through a prior notice, unconditional, and unambiguous, and established by a clear affirmative action. Silence, pre-ticked boxes, or passive participation in a survey does not constitute consent under this Act.
The consent must also be withdrawable at any time, with a mechanism as easy to use as the consent itself. The burden of proving that consent was validly obtained falls entirely on the data fiduciary.
Research agencies use consent language such as 'By completing this survey, you agree to our terms and conditions.' Brands accept datasets without asking how consent was obtained. Under DPDPA, this entire chain is non-compliant.
Consent for survey participation is not consent for data storage. Consent for storage is not consent for sharing with the commissioning brand. Consent for sharing is not consent for the brand's own analytics and targeting.
Each is a separate, required consent item. The entire industry's current approach is non-compliant on day one.
Section 7 defines nine narrow scenarios where processing can occur without consent, including processing required by law, medical emergencies, and public safety. Commercial market research does not qualify.
Research commissioned by a brand to inform product decisions, targeting strategies, or brand positioning fails this test entirely.
Both agencies and brands must treat consent as the only operative ground for commercial research activity.
Section 8 of the DPDPA imposes obligations on every data fiduciary without distinction.
A research agency is a data fiduciary. A brand that receives and uses research data is also a data fiduciary. Both are independently obligated. Both face the same penalty schedule. The obligations below apply to both audiences unless specifically noted.
| Obligation | What the Law Requires | Agency Exposure | Brand Exposure |
|---|---|---|---|
| Purpose Limitation | Process data only for the purpose for which consent was given | Using survey data for unapproved purposes or selling it to data brokers. Up to ₹50 crores. | Using research data for retargeting, lookalike audiences, or product decisions beyond the consented scope. |
| Data Minimisation | Collect only what is genuinely necessary for the stated purpose | Over-collecting demographics without specific necessity is non-compliant from day one. | Requesting respondent data fields that serve the brand's analytics rather than the stated research purpose. |
| Storage Limitation | Delete data when purpose is fulfilled or consent is withdrawn | Indefinite panel retention. The dormancy clause triggers mandatory deletion for inactive panellists. | Retaining research datasets and raw respondent data after the project purpose has been fulfilled. |
| Reasonable Security | Implement appropriate technical and organisational safeguards | A breach from inadequate security attracts up to ₹250 crore. | A breach of a research dataset held by the brand attracts the same penalty. The agency's security is not the brand's shield. |
| Breach Notification | Immediately notify the Board and all affected respondents of any breach | Failure to notify the board carries a penalty of up to ₹200 crores. Every hour of delay compounds exposure. | The brand must notify the board and respondents if a dataset it holds is breached, regardless of where the data originated. |
| Processor Contracts | Every platform and vendor must be under a valid Data Processing Agreement | Using a survey platform without a DPDPA-compliant DPA makes the agency solely liable. | Commissioning research from an agency without a DPDPA-compliant contract makes the brand solely liable for the agency's processing. |
Section 9 mandates verifiable parental or guardian consent for any data processing involving individuals under 18.
It absolutely prohibits tracking, behavioural monitoring, and targeted advertising directed at children. This provision affects both agencies running youth research and brands commissioning it.
Youth tracking studies, school-based surveys, Gen Z consumer panels, and EdTech platform studies. Every one of these research categories, as currently designed, is non-compliant with Section 9. The research agency bears the obligation to implement verified parental consent. The brand bears the obligation not to commission, receive, or use data that was not collected under that standard. Both face penalties of up to ₹200 crore per instance. If you are commissioning youth research today, you need to ask your agency whether they have a Section 9-compliant workflow. If they cannot answer that question, you have your answer.
DPDPA Chapter 3 transforms survey respondents from passive data subjects into legally empowered individuals with enforceable rights.
These rights run against every organisation that processes their data, including both the research agency that collected it and the brand that received it.
Right to Access: Any respondent can ask any data fiduciary what data it holds about them and who it was shared with. If a brand received respondent data from an agency, the respondent can ask the brand directly. You need records of every data receipt.
Right to Erasure: Any respondent can demand deletion from any party that holds their data. A brand holding a research dataset must be able to delete an identified individual from that dataset on request and prove it was done.
Right to Correction: A respondent who believes their data is inaccurate can demand correction from any fiduciary that holds it.
Right to Grievance Redressal: Every respondent must have readily available means to raise complaints against every fiduciary in the chain. Brands are not protected from complaints by the fact that an agency originally collected the data.
| Violation | Maximum Penalty | Risk Level |
|---|---|---|
| Failure to maintain reasonable security safeguards (Section 8(5)) | ₹250 crore | Critical |
| Failure to notify the Board or respondents of a data breach (Section 8(6)) | ₹200 crore | Critical |
| Breach of children's data obligations (Section 9) | ₹200 crore | Critical |
| Breach of Significant Data Fiduciary obligations: DPO, DPIA, Audit (Section 10) | ₹150 crore | High |
| Breach of any other DPDPA provision | ₹50 crore | Significant |
Beyond financial penalties, Section 37 grants the central government the power to direct the blocking of a data fiduciary's platform after repeated violations. For a research agency, that means your survey tool and panel portal. For a brand, that could mean your customer data platform or marketing technology stack if it holds research data. Not a fine. An operational shutdown.
Market research is not adjacent to the data economy. It is the data economy in its most concentrated form.
Every project exists for the explicit purpose of collecting personal opinions, behaviours, and identities from individuals and converting them into commercial intelligence. That is precisely what DPDPA was designed to regulate.
There is no commercial sector more directly impacted by this legislation than the research industry and the brands it serves.
And yet both research agencies and brands have been slower than almost any other sector to engage with DPDPA's implications. While financial services firms and technology platforms have invested heavily in compliance infrastructure, most research agencies are still operating on 2019-era privacy practices, and most brands have not begun auditing the research supply chains they depend on. The law has moved. Neither industry has. That gap is now a liability held jointly.
The single most operationally disruptive requirement of DPDPA for research agencies is the consent standard. Section 6 demands that consent be granular, purposive, documented, and withdrawable.
What virtually every Indian research agency currently uses is the exact opposite: a single omnibus consent clause embedded in survey introductory text, covering all possible purposes, irrevocable by design, and undocumented in any auditable form.
This is a complete architectural failure. Your current consent mechanism is invalid under DPDPA.
Respondents who completed your surveys under that consent have, in law, not consented to the purposes for which you processed their data. Your entire existing panel may need to be treated as data collected without valid consent.
Every respondent record in your current database was collected under consent mechanisms that do not meet DPDPA's standard. The Act requires you to issue fresh privacy notices and give respondents a genuine, easy opportunity to re-consent or opt out. Respondents who cannot be reached, or who choose not to re-consent, must be deleted. For agencies with panels of hundreds of thousands of respondents, this is a fundamental data asset revaluation.
The indefinite retention of panel member profiles is the most pervasive and legally dangerous practice in the Indian research industry.
Under DPDPA Section 8(7), this is illegal from May 2027. Section 8(8) introduces the dormancy clause: if a data principal has not engaged with the data fiduciary for a prescribed period, the retention is deemed to have expired, and deletion is mandatory. Not archived. Not moved to cold storage. Deleted.
For agencies whose panel databases are a core business asset, this provision is a direct threat to the financial value of that asset.
Every day it sits in non-compliant storage, it is a liability, not an asset. The only way to convert it back into a legitimate business resource is to rebuild it on a DPDPA-compliant foundation.
Every brand that commissions market research in India is sitting on a supply chain liability it has not yet quantified. When your agency collects survey responses, you are the downstream recipient of personal data collected on your behalf.
Under DPDPA Section 8(1), if you instruct the agency to collect data and use it for your commercial purposes, you may be the data fiduciary for that collection, not merely a client. The distinction matters enormously.
If you are the data fiduciary for data your agency collected, then every obligation in the Act runs against you. The validity of the consent. The security of the storage. The breach notification timeline. The respondent's right to erasure from your systems.
These are not your agency's problems to solve on your behalf. They are your problems, and your agency is your data processor, which means your failures are your liability regardless of what your agency did or did not do.
Every brand commissioning research in India must now ask its agencies the following questions before the next project brief: Does your consent mechanism meet DPDPA Section 6 standards? Can you produce a consent audit trail for any respondent? Do you have a DPDPA-compliant data processing agreement to offer us? Do you have an India data residency option? Do you have a verified deletion workflow? If any agency cannot answer yes to all five, your brand is absorbing their compliance failure as your own liability.
When an agency delivers a research dataset to a brand, personal data has been shared with a third party. Section 11 gives respondents the right to know exactly who received their data. Section 5 requires that this sharing be disclosed in the privacy notice at the point of consent.
If the agency's consent notice does not name the brand or the brand category as a recipient, every dataset delivery is a breach. Both parties are exposed.
Brands that incorporate research data into CRM systems, targeting platforms, or analytics infrastructure are creating a second, independent processing activity that may require its own consent basis. The original research consent does not automatically cover downstream brand analytics use.
Section 10 empowers the central government to designate organisations as significant data fiduciaries based on data volume and sensitivity. Large research agencies processing millions of Indian respondents are candidates.
So are brands that hold substantial consumer research databases. SDF designation requires an India-resident data protection officer, annual data protection impact assessments, and independent annual audits submitted to the board.
The designation can arrive with little warning.
Large research agencies with multi-million respondent panels and brands with extensive consumer research databases are both realistic candidates for Significant Data Fiduciary designation. SDF designation is not a recognition. It is a burden requiring immediate investment in DPO appointment, annual DPIAs, and independent audit submissions to the Data Protection Board. Agencies and brands that have not assessed this risk will have no defensible position when the designation arrives.
Most Indian market research agencies have not begun meaningful DPDPA compliance transformation. Most brands have not audited the research supply chains they depend on.
The following tables map current practice against DPDPA requirements. They are not comfortable reading for either audience.
| Compliance Area | What Most Agencies Do Today | What DPDPA Requires |
|---|---|---|
| Consent | Single omnibus consent clause; no purpose specificity; no withdrawal mechanism; no audit log | Purpose-specific granular consent; immutable audit trail; withdrawal as easy as consent; burden of proof on agency |
| Panel Retention | Indefinite retention; no deletion triggers; dormant panellists kept for sampling value; no re-consent protocols | Time-bound retention; mandatory deletion on dormancy; fresh notice for legacy data |
| Rights Fulfilment | No self-service portal; manual and inconsistent handling; no defined timelines; no deletion verification | Readily available access, correction and erasure mechanism; prescribed timelines; verified deletion workflows |
| Breach Response | No documented incident response plan; breaches handled informally; no Board notification protocol | Immediate mandatory notification to the board and all affected respondents; documented protocol; forensic audit trail |
| Processor Governance | Survey platforms used without data processing agreements; no security assessment; no sub-processor visibility | Valid written DPA with every processor; security standards contractually defined; sub-processor list disclosed |
| Compliance Area | What Most Brands Do Today | What DPDPA Requires |
|---|---|---|
| Vendor Due Diligence | Research agencies selected on quality and price; no DPDPA compliance assessment | Agencies must be assessed for DPDPA compliance before engagement; non-compliant agencies create brand liability |
| Research Contracts | Focused on deliverables; no data protection obligations; no processor designation clauses | Every research engagement requires a DPDPA-compliant Data Processing Agreement naming the brand's data protection obligations and the agency's processor duties |
| Dataset Retention | Research datasets held indefinitely in analytics platforms, data lakes, and BI tools long after project completion | Research datasets containing identifiable respondent data must have defined retention periods aligned to the original consent and must be deleted when those periods expire |
| Downstream Data Use | Research data informally repurposed for CRM enrichment, audience building, targeting and campaign planning | Downstream use of research data beyond the originally consented purpose requires either a new consent basis or a new consent collection from respondents |
| Respondent Rights | No mechanism for respondents to exercise rights against the brand for research data received from agencies | Brands that hold research data must maintain a mechanism for respondents to exercise access, erasure, and correction rights against them directly |
The uncomfortable truth is that no amount of policy writing, training, or good intentions closes these gaps. Both agencies and brands require infrastructure, specifically a research platform capable of supporting granular consent collection, automated deletion, rights request management, audit trail generation, and compliant data processing agreement execution. The platforms most widely used in India were not built to provide any of that.
Section 8(1) of the DPDPA states that a data fiduciary is responsible for the compliance of its data processors. For research agencies, the survey platform is a data processor. For a brand, the research agency is a data processor.
The compliance of every link in the chain is the legal responsibility of the link above it. Choosing a non-compliant survey platform is the agency's decision to absorb all risk. Choosing a non-compliant agency is the brand's decision to absorb the same risk.
The only way to break this chain of absorbed liability is to ensure that the foundational platform of the research supply chain is built for DPDPA compliance. That platform is QuestionPro.
QuestionPro is the only comprehensive market research platform that has architected DPDPA compliance as a native, India-specific capability across its entire product suite. Every feature described below exists today, is deployable immediately, and was designed specifically for the DPDPA standard that every agency and brand must meet by May 2027.
QuestionPro's consent management framework is the most complete implementation of DPDPA Section 6 available in any research platform. Where other platforms offer a single consent toggle or a link to a privacy policy page, QuestionPro provides a fully featured consent architecture designed from the ground up for DPDPA's requirements.
Survey designers embed separate, individually selectable consent items for each processing purpose: survey participation, panel recruitment, data sharing with the commissioning brand, follow-up research invitations, and any other project-specific purpose. Each item stands alone and is stored independently. No bundling. This means brands can demonstrate that the data they received was consented to at the exact level of specificity the Act requires. No other research platform operating in India provides this today.
DPDPA Section 5 requires a privacy notice to accompany or precede every consent request. QuestionPro's built-in notice builder generates compliant notices including the data fiduciary's identity, all processing purposes, data categories collected, retention periods, third-party recipients, including the commissioning brand, and the respondent's rights exercise instructions, all served before a single checkbox appears. Every other platform treats this as an afterthought.
Every consent event is timestamped, tagged with collection method metadata, and stored in an immutable audit log. When the Board's investigators ask for evidence that a specific respondent consented to a specific purpose on a specific date, QuestionPro generates that record in seconds. Brands receiving data collected through QuestionPro receive this provenance record. Brands receiving data from any other platform receive no such record. This is the only platform that can answer that question definitively.
Section 6(4) requires consent withdrawal to be as easy as consent itself. QuestionPro's self-service withdrawal portal triggers an automated deletion workflow cascading across the respondent's survey responses, panel profile, and all connected databases. The deletion is logged, timestamped, and verifiable. On every other platform, deletion is a manual process, meaning it is unreliable, slow, and undocumented.
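One way to model the per-purpose consent items, the timestamped audit trail and the withdrawal event described above is an append-only, hash-chained ledger. This is an added example, not QuestionPro's code and not part of the original report; the class, field names, purpose labels and respondent IDs are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" value used by the first entry


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one ledger entry."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class ConsentLedger:
    """Append-only log of consent events, one event per respondent per purpose.

    Each entry embeds the hash of the previous entry, so editing or removing
    any past entry breaks the chain. The ledger is only tamper-evident if the
    latest hash is also kept somewhere the ledger's operator cannot rewrite.
    Respondents are stored as pseudonymous IDs (assumption) so that erasing a
    respondent's survey data does not require rewriting the log.
    """

    def __init__(self):
        self.entries = []

    def record(self, respondent_id, purpose, action, notice_version, method, at=None):
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        body = {
            "seq": len(self.entries),
            "respondent": respondent_id,
            "purpose": purpose,                # one purpose per entry, never bundled
            "action": action,
            "notice_version": notice_version,  # which privacy notice was shown
            "method": method,                  # collection method metadata
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first broken entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def may_process(self, respondent_id, purpose):
        """True only if the latest event for this exact purpose is a grant."""
        allowed = False
        for entry in self.entries:
            if entry["respondent"] == respondent_id and entry["purpose"] == purpose:
                allowed = entry["action"] == "grant"
        return allowed

    def evidence(self, respondent_id, purpose):
        """All events for one respondent and purpose, in order, for an audit."""
        return [e for e in self.entries
                if e["respondent"] == respondent_id and e["purpose"] == purpose]


def demo():
    """Constructed sample: two separate grants, then one withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger.record("resp-001", "survey_participation", "grant",
                  "notice-v1", "checkbox", t0)
    ledger.record("resp-001", "share_with_commissioning_brand", "grant",
                  "notice-v1", "checkbox", t0)
    ledger.record("resp-001", "share_with_commissioning_brand", "withdraw",
                  "notice-v1", "self_service_portal", t0 + timedelta(days=30))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print("chain intact:", ledger.verify() is None)
    for purpose in ("survey_participation", "share_with_commissioning_brand",
                    "panel_recruitment"):
        print(purpose, "->", ledger.may_process("resp-001", purpose))
```

A purpose that was never granted, such as `panel_recruitment` in the sample, is refused by default, and a deletion workflow would be driven by the `withdraw` events rather than by editing earlier entries.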
Section 16 of the DPDPA and Rule 13(4) of the DPDP Rules establish the framework for mandatory data localisation. The Central Government has not yet issued restriction notifications, but the power exists and will be exercised. Agencies processing Indian respondent data on international servers are operating on borrowed time. Brands that specify research platforms for agency use should be specifying platforms with India residency options before those notifications arrive, not after.
QuestionPro offers India-based data residency as a configurable option. Data collected from Indian respondents can be stored exclusively on servers physically located in India. No other major research platform makes this available as a deployable option today.
The rights under DPDPA Sections 11 to 14 are enforceable against both agencies and brands. One per cent of a 100,000-person panel exercising their right to access in a single month is 1,000 requests simultaneously directed at every organisation in the data supply chain. The only viable solution is automation. QuestionPro is the only research platform with a respondent rights management module built to DPDPA's specifications.
Respondents submit access requests through a self-service portal. QuestionPro automatically compiles all data held about that individual across every survey, panel profile update, and consent record, then generates a structured, readable report with SLA-monitored timelines. Agencies using QuestionPro can produce this report for any respondent. Brands whose agencies use QuestionPro can evidence the data provenance they received. No other platform offers this.
Erasure requests trigger QuestionPro's automated deletion protocol. Identified data is removed from active surveys, panel profiles, and analytics databases. The deletion is logged with a verification record that proves compliance with the standard the board's investigators expect.
If your agency's current platform cannot produce a deletion verification record, your brand cannot prove to the board that a respondent's erasure request was fulfilled.
QuestionPro's integrated grievance module provides response time tracking, SLA monitoring, and escalation workflows.
Section 13 requires grievance mechanisms to be readily available. Other platforms have no grievance infrastructure. For brands, an agency without a functioning grievance mechanism is a direct supply chain liability.
QuestionPro's InsightHub panel management platform is the only panel solution in the Indian market with DPDPA's storage limitation and dormancy provisions built into its data lifecycle architecture.
Automated Retention Tracking: Every panellist's profile is tagged with consent dates and configured retention periods. When periods expire, deletion workflows trigger automatically. No panellist is retained beyond their consent period.
Dormancy-Triggered Deletion: Panellists who have not engaged for a configurable dormancy period are flagged for re-consent outreach or automatic removal, directly operationalising Section 8(8) of DPDPA. No other panel platform has this capability.
Parental Consent Workflows for Youth Research: For panels including respondents under 18, QuestionPro provides verifiable parental consent collection, age verification, and guardian authentication workflows. This is the only platform that makes Section 9-compliant youth research operationally possible. Without it, both the agency running youth research and the brand commissioning it are non-compliant.
Segmented Consent Scoping: Panellists can consent to specific research categories and opt out of others, enabling purpose-limited panel management that no other platform supports.
Section 8(2) requires every data processor to be engaged under a valid contract with data protection obligations. QuestionPro is the only major research platform that provides a DPDPA-compliant data processing agreement as a standard contract document for Indian clients.
For agencies, this DPA resolves the most immediate Section 8(2) exposure on day one of migration. For brands, an agency on QuestionPro is an agency that can show them a DPDPA DPA. An agency on any other platform cannot.
The research platforms most widely used in India today offer only GDPR-based DPAs. GDPR compliance is not DPDPA compliance. An agency operating under a GDPR DPA carries the entire DPDPA liability alone. A brand that believes its agency's GDPR DPA provides DPDPA protection is dangerously mistaken.
Section 8(6) requires immediate notification to the Data Protection Board and all affected respondents in the event of a personal data breach. The DPDP Rules are expected to align with CERT-In's existing 6-hour reporting requirement.
For a research agency or a brand that discovers a breach on a Friday evening, that is not a Monday morning problem.
QuestionPro provides real-time anomaly detection, incident response playbooks, and templated breach notifications formatted for both board submission and respondent communication.
Every other platform leaves breach response entirely to the agency, meaning an informal, uncoordinated, undocumented response that will not satisfy board investigators.
| DPDPA Requirement | QuestionPro | Platform A | Platform B | Risk Without QuestionPro |
|---|---|---|---|---|
| Granular purpose-specific consent | ✔ Native | Partial | None | All data is collected without valid consent. The agency and brand are both exposed. |
| Immutable consent audit trail | ✔ Full log | None | None | Cannot prove consent to the board. Maximum penalty exposure for both parties. |
| One-click withdrawal and auto-deletion | ✔ Automated | Manual | Manual | Withdrawal requests are fulfilled slowly and inconsistently. Direct board complaint risk. |
| India data residency option | ✔ Available | None | None | Forced infrastructure migration emergency when localisation notifications are issued. |
| Parental consent for under-18 research | ✔ Built-in | None | None | All youth research is non-compliant. ₹200 crore penalty exposure for the agency and commissioning brand. |
| Automated deletion verification record | ✔ Verified log | Manual | Manual | Cannot prove erasure completed. Every unfulfilled request is an open liability for the entire supply chain. |
| DPDPA-compliant Data Processing Agreement | ✔ Standard DPA | GDPR only | GDPR only | The agency carries full DPDPA processor liability. Brand has no contractual DPDPA protection from its agency. |
| Dormancy-triggered panel deletion | ✔ Automated | None | None | The entire panel database becomes an illegal retention liability from May 2027 onwards. |
The board will act, and it will act early.
The Data Protection Board of India is not a passive registry. It is a body with quasi-judicial powers equivalent to a civil court under the Code of Civil Procedure, 1908. It can receive complaints from respondents, act on government references, and launch investigations on its own initiative. It can summon witnesses, compel document production, inspect premises, issue interim orders during active investigations, and impose penalties reaching ₹250 crores.
Regulators worldwide establish credibility through early, high-profile enforcement actions. The first enforcement cases under DPDPA will be chosen for their deterrent value. They will involve organisations large enough to matter, violations clear enough to be unchallengeable, and penalties severe enough to generate headlines. Research agencies handling large panels under invalid consent mechanisms, and the brands that have been commissioning research through them, are precisely the kind of enforcement candidates that establish regulatory intent.
The agencies that wait for enforcement to begin are volunteering to be the board's early examples. The brands that continue commissioning non-compliant research are sitting in the same dock. The penalties from those first cases will be public. They will be large. They will end careers and reshape businesses. Organisations that demonstrate good-faith compliance effort before enforcement begins have, at minimum, the mitigation conduct that Section 33(2)(e) instructs the Board to consider in reducing penalties. Organisations that cannot demonstrate any such effort have no mitigating argument whatsoever.
Research agency leaders who believe DPDPA is an internal compliance matter are missing the commercial dimension. Global brands, financial services firms, healthcare companies, and technology platforms operating in India all face their own DPDPA obligations. They are already, or will shortly be, auditing their supply chains for compliance risk. A research agency that is a demonstrable liability through inadequate consent mechanisms, insecure data handling, or non-compliant panel practices will be removed from approved vendor lists.
Conversely, a research agency that can produce a QuestionPro DPA, demonstrate a DPDPA-compliant consent audit trail, and evidence a functioning respondent rights portal becomes a compliance asset in a client's supply chain. That is a commercially decisive differentiation available exclusively through QuestionPro.
Brand procurement and marketing teams that have not yet incorporated DPDPA compliance into their research agency evaluation criteria are creating measurable legal exposure for their organisations.
Under DPDPA Section 8(1), a brand that instructs an agency to collect personal data on its behalf, where that agency uses a non-compliant platform, cannot claim the agency's failure as a defence. The brand bears co-responsibility.
The brands that revise their agency briefing processes now, that require a QuestionPro DPA as a condition of engagement, and that specify DPDPA-compliant consent architecture in project briefs are the brands that will navigate this regulatory environment without incident.
The brands that continue issuing research briefs without DPDPA compliance requirements are building liability with every project.
There is a further dimension that operates independently of regulatory enforcement. Indian consumers are becoming increasingly aware of their data rights.
When respondents discover that the agency which surveyed them and the brand on whose behalf the survey was run have held their data indefinitely, shared it without disclosure, and have no deletion mechanism, the reputational damage is not contained to a board complaint. It becomes a social media incident, a media story, and a brand crisis simultaneously for the agency and for every brand whose research was conducted through that agency.
The research industry's foundational asset is the trust of respondents. DPDPA compliance, operationalised through QuestionPro, is an investment in the trust infrastructure that the industry's commercial model depends upon, both for agencies and for the brands that rely on research quality to make their commercial decisions.
Core DPDPA obligations come into full force on May 13, 2027. That is approximately fifteen months from the date of this publication. Re-consenting a large panel, redesigning survey consent architecture, executing DPAs with all vendors, building a respondent rights portal, training staff, and documenting breach protocols are collectively a twelve-to-eighteen-month programme of work. For brands, auditing every research agency in their approved list and restructuring all research contracting for DPDPA compliance is an equally substantial undertaking. There is no comfortable starting runway remaining for either audience.
| Phase | Timeline | Agency Actions | Brand Actions |
|---|---|---|---|
| Immediate | Now | Appoint a DPDPA compliance lead. Commission data mapping audit. Inventory all platforms and vendors. Assess SDF designation risk. | Identify all research agencies in the approved vendor list. Initiate the DPDPA compliance questionnaire to all active research partners. Assess brand-side SDF designation risk. |
| Foundation | Q2 2026 | Migrate to QuestionPro. Execute the DPDPA DPA on day one. Redesign all consent templates. Draft DPDPA-compliant privacy notices for all active programmes. | Require a DPDPA-compliant DPA from all research agencies. Add DPDPA consent specification to all research briefs. Specify QuestionPro as the required or preferred research platform. |
| Operationalise | Q3 2026 | Launch the respondent rights portal. Implement a breach response plan. Begin the re-consent programme for legacy panellists. Activate dormancy tracking. | Audit retention of research datasets held internally. Establish a deletion schedule for legacy research data. Implement a respondent rights request mechanism for brand-held data. |
| Validate | Q4 2026 | Internal compliance audit. Train all client-facing and research design staff. Embed the DPDPA review into the project intake. Prepare a DPIA if SDF designation is anticipated. | Validate that all research agency contracts include DPDPA-compliant DPAs. Train procurement and marketing teams on DPDPA research requirements. Audit downstream data use practices. |
| Enforce | May 2027+ | Full DPDPA compliance. Annual DPIA for SDFs. Continuous consent monitoring. Regulatory updates via QuestionPro India Privacy Team. | Full DPDPA compliance on research commissioning. Annual review of all research agency contracts. Monitor board enforcement actions for supply chain implications. |
For agencies, migrating to QuestionPro delivers five immediate, tangible compliance outcomes that no other migration path provides. For brands, specifying QuestionPro as the required platform for their research engagements delivers the same five outcomes across their entire research supply chain simultaneously.
1. A DPDPA-compliant Data Processing Agreement is executed on day one, resolving the most immediate Section 8(2) exposure for both the agency and the brand.
2. The immutable consent audit trail begins generating from the first survey deployed, creating a provenance record that both the agency and the brand can rely on.
3. The respondent rights portal is live from deployment, satisfying Section 13 immediately for the agency and creating a data provenance record the brand can evidence.
4. Dormancy tracking activates across the panel database, converting an indefinite illegal retention liability into a managed, compliant data lifecycle.
5. India data residency can be activated immediately, ensuring both the agency and the brand are prepared for localisation notifications rather than scrambling when they arrive.
QuestionPro maintains a dedicated India Privacy Team monitoring DPDP Rules notifications, board circulars, and regulatory guidance on an ongoing basis. Platform compliance is updated continuously as regulatory clarity develops. Agencies on QuestionPro do not need separate regulatory monitoring infrastructure. Brands that specify QuestionPro inherit that monitoring capability across their research supply chain. Every other platform leaves that burden entirely to the organisation.
The agencies that achieve verifiable DPDPA compliance earliest will find that compliance is not just a legal obligation but a commercial differentiator. As brand procurement teams incorporate DPDPA compliance requirements into agency briefings and RFPs, which will happen in financial services, healthcare, and technology sectors before mid-2026, the agencies that can evidence compliance will win mandates that non-compliant competitors cannot access.
The ability to tell a client, 'Our survey platform has India data residency; our panellists have provided DPDPA-valid consent we can prove; our youth research runs a verified parental consent workflow; and our vendor contracts include a DPDPA DPA,' is a proposition that closes business. Only QuestionPro gives an agency the infrastructure to make that statement truthfully.
The brands that move first to require DPDPA-compliant research platforms from their agencies will not merely avoid regulatory exposure. They will gain a research supply chain that produces data with verified consent provenance, that can respond to respondent rights requests in a legally defensible timeframe, and that reduces the brand's independent liability exposure with every project.
Brands that specify QuestionPro as their required or preferred research platform are not adding a constraint to their research operations. They are building a compliance infrastructure that protects them across every research engagement, with every agency, in every category. That infrastructure is available now. The brands that wait for enforcement before requiring it will find that their agencies are scrambling to catch up at the moment the brand's own supply chain is being scrutinised by the board.
There is a counterintuitive benefit to rigorous consent practices that both agencies and brands should understand. When respondents know exactly what they are consenting to, give consent deliberately and with full information, and have confidence that their data will be deleted on request, their engagement quality changes. Response depth increases. Completion rates improve. The quality of open-ended responses rises. Respondents who trust the process produce better research. QuestionPro's transparent consent architecture is simultaneously a compliance requirement and a research quality investment.
The advantage available to early movers narrows every month. The agencies that migrate to QuestionPro in Q2 2026 will enter the May 2027 enforcement date with twelve months of compliance maturity, a fully re-consented panel, documented audit trails, a practised breach response protocol, and trained staff. The brands that specify QuestionPro in Q2 2026 will enter enforcement with a research supply chain that is already auditable and defensible.
The agencies that delay until late 2026 will enter enforcement under deadline pressure, with an untested system and no demonstrated compliance track record to offer the board as mitigation. The brands that delay will find their research supply chains are their weakest DPDPA link at the exact moment regulators are looking for early enforcement examples.
The Digital Personal Data Protection Act, 2023, has changed the rules of Indian market research permanently and completely. The question is not whether your agency or your brand will operate under DPDPA. You will. The question is whether you will operate under it as a prepared, compliant, credible organisation or as a reactive one managing a compliance crisis.
Every survey your agency runs today uses a consent mechanism that will not pass DPDPA scrutiny. Every panellist in your database was recruited without the consent standard the Act requires. Every research dataset your brand holds was delivered under an agency contract that does not meet the processor obligations DPDPA imposes. Every time identifiable respondent data is shared without documented disclosure in the original consent notice, a right held under constitutional law is being breached.
The infrastructure to fix all of this exists. It is QuestionPro. It is the only research platform with granular, documented, withdrawable consent management. The only platform with Indian data residency. The only platform with automated deletion verification. The only platform with parental consent workflows for youth research. The only platform offering a DPDPA-compliant Data Processing Agreement as a standard contract. The only platform with dormancy-triggered panel deletion built into the data lifecycle.
The first ₹250 crore penalty issued by the Data Protection Board to a market research agency or a brand will make headlines across every business publication in India. It will trigger immediate supply chain audits across the entire industry. It will reshape how research is commissioned, conducted, and delivered overnight. The organisations that are not already on QuestionPro at that moment will not have six months to prepare a response. They will have six days.
The compliance window is open. It will not stay open. Research leaders and brand marketing leaders who treat this document as a reason to begin a procurement process are already behind the agencies and brands who treated the November 2025 DPDP Rules notification as their starting gun.
The next move is yours.
To speak with QuestionPro's India Privacy and Compliance Team: www.questionpro.com/in
| Section | Subject | Agency Implication | Brand Implication |
|---|---|---|---|
| S.3 | Scope | Applies to all digital personal data processing by agencies in India or serving Indian respondents. | Applies to all brands processing data about Indian consumers, including via commissioned research. |
| S.4 | Grounds | Consent is the only viable processing ground for commercial research. | Consent obtained by the agency is not automatically valid for the brand's downstream data use. |
| S.5 | Notice | A compliant privacy notice must name all processing purposes and all recipients, including the commissioning brand. | If the agency's consent notice does not name the brand, every dataset delivery is a breach. |
| S.6 | Consent Standard | Freely given, specific, informed, unconditional, unambiguous, withdrawable. Burden of proof on the agency. | The brand cannot rely on consent obtained by the agency unless it meets the full Section 6 standard. |
| S.8 | Obligations | Purpose limitation, minimisation, security, breach notification, grievance mechanism, processor contracts. | All the same obligations apply to the brand for every research dataset it receives and processes. |
| S.9 | Children | Verifiable parental consent is required. No tracking or profiling of under-18s. Up to ₹200 crores. | Brands commissioning youth research are co-liable for non-compliant data collection by their agency. |
| S.10 | SDF | India-resident DPO, annual DPIA, independent audit. Designation risk for large panel operators. | Brands with large consumer research databases face the same designation risk as research agencies. |
| S.11-14 | Rights | Access, correction, erasure, grievance, nomination. Legally enforceable against the agency. | All four rights are enforceable directly against the brand for any research data it holds. |
| S.16 | Cross-Border | Map all international data flows now. The India residency option is required before restriction notifications. | Brands that specify international research platforms face forced localisation migration when restrictions are issued. |
| S.33 | Penalties | Up to ₹250 crores for security failures. Up to ₹200 crores for breach non-notification and children's violations. | The same penalty schedule applies to brands as data fiduciaries for research data they hold or direct. |
| S.37 | Blocking | Repeated violations can result in platform blocking. An operational shutdown, not just a fine. | A brand whose research supply chain generates repeated violations could face blocking of its own data platforms. |
August 11, 2023: DPDPA receives presidential assent. The Act is the law of the land.
November 13, 2025: DPDP Rules 2025 notified. Data Protection Board provisions in force. The enforcement apparatus is live.
November 13, 2026: Consent manager provisions operative. Centralised consent management becomes mandatory infrastructure.
May 13, 2027: Core DPDPA obligations fully enforceable. Sections 3 through 17 come into full force. There are no extensions.
Data Fiduciary: The organisation that determines why and how personal data is processed. This is your agency. This is also your brand.
Data Principal: The individual whose data is being processed. This is your respondent.
Data Processor: A third party processing data on the fiduciary's behalf under contract. This is your survey platform. Your agency can also be your brand's data processor.
Significant Data Fiduciary (SDF): A government-designated fiduciary facing enhanced obligations, including DPO, DPIA, and independent audit.
DPIA: Data Protection Impact Assessment. Mandatory annually for significant data fiduciaries.
DPO: Data Protection Officer. Mandatory for Significant Data Fiduciaries. Must be resident in India.
DPA: Data Processing Agreement. Mandatory contract between every data fiduciary and every data processor.
Personal Data Breach: Any unauthorised access, disclosure, loss or destruction of personal data. Mandatory notification to the board and affected respondents.
This document is based on the Digital Personal Data Protection Act, 2023 (No. 22 of 2023) and the DPDP Rules 2025. It is intended for informational purposes and does not constitute legal advice. Research agencies and brands should seek qualified DPDPA legal counsel for their specific circumstances.