This Article examines the impact of the Digital Personal Data Protection Act, 2023 (“DPDP Act/Act”) on pharmaceutical companies in so far as the collection, processing, storage and sharing of personal and sensitive health data is concerned. While the Act strengthens a patient’s privacy and data protection, it also poses operational, legal and financial challenges, especially for multinational players handling cross-border data transfers and legacy data systems.

INTRODUCTION

On 13th November, 2025, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025 (“Rules”). The Rules impose strict regulations regarding how organizations should collect, store, process, transfer and safeguard the personal data of individuals. The implementation of these Rules has directly impacted several healthcare stakeholders, including hospitals, pharmaceutical companies and digital health platforms, since the core activities of pharmaceutical companies are data intensive and involve handling sensitive patient data.

The Act has introduced certain legal and strategic implications to ensure that the personal data of patients remains safeguarded while also recognizing the need to process and use such data for lawful purposes.[1] With the passing of the DPDP Act, pharmaceutical companies will be required to exercise additional care, especially during investigations, to ensure the integrity and confidentiality of personal data.

LOSS FACED BY PHARMACEUTICAL COMPANIES DUE TO DATA BREACHES

In the case of pharmaceutical companies, the patient whose personal health/trial data is being used is the ‘Data Principal’, and the drug manufacturer, hospital or pharmaceutical company responsible for processing the data, under most circumstances, operates as a ‘Data Fiduciary’. According to the IBM 2021 Cost of a Data Breach Report, the pharmaceutical industry suffered a huge loss amounting to over $5 million due to breach of data, ranking third highest among all industries. There has been a significant rise in the number of data breaches impacting several big pharmaceutical companies in recent years. The breach of patient records has led to several consequences, including identity theft, financial fraud and, in some cases, physical harm to patients where medical information has fallen into the wrong hands. Therefore, it is imperative that pharmaceutical companies prioritize data privacy and implement measures to safeguard sensitive information.[2]


IMPLICATIONS OF DATA PRIVACY BREACHES ON PHARMACEUTICAL COMPANIES

  • Financial Losses- Data privacy breaches can result in revenue losses due to operational disruptions and significant legal expenditure.
  • Legal Liabilities- The patients, healthcare providers and regulatory bodies may initiate legal proceedings against the pharmaceutical companies if such companies fail to protect the sensitive data received.
  • Reputational damage- Breaches of data protection obligations can compromise the goodwill of a company and may adversely affect its relationships across the healthcare ecosystem.

KEY CHALLENGES FOR PHARMACEUTICAL COMPANIES UNDER DPDP ACT

Under Section 6(4) of the DPDP Act, the Data Principal has the right to withdraw their consent with respect to processing of their personal data at any time. Once the Data Principal withdraws their consent, the Data Fiduciary is under an obligation to stop processing their data unless they are otherwise lawfully permitted to do so. Granting this right to the Data Principal can be very challenging for the healthcare industry, since medical history serves as an important tool for providing quality medical care. For example, where a doctor requires access to the prior medical history of a patient in order to prescribe appropriate medication, withdrawal of consent for processing such medical history may significantly impair the ability of the doctor to provide optimal treatment.


Section 8(7) of the DPDP Act requires a Data Fiduciary to erase the personal data if the Data Principal withdraws consent or where it is determined that the purpose for which such data was processed is no longer being served. For example, a patient may withdraw consent to disclose medical records to a particular doctor, while continued retention of those records remains essential for sharing with other treating doctors in the future.[3]

FRAMEWORK FOR PROTECTION OF PERSONAL DATA

The protection of personal and sensitive data in the pharmaceutical sector may be supported through the following practices:

  • Data Minimization- Companies may limit the collection and retention of personal data to what is necessary for legitimate business purposes. The practice of data minimization reduces the volume of personal data processed and retained, thereby lowering the risk of unauthorized access, accidental disclosure or misuse.
  • Access Controls- Robust role-based access controls may be implemented including multi-factor authentication and periodic access reviews. Additionally, regular audits shall be conducted to ensure that only authorized personnel can access the personal data.
  • Encryption- Personal data, both in transit and at rest, shall be encrypted using current industry-standard algorithms and protocols in order to reduce the risk of unauthorized access and data breaches.
  • Secure data storage- Personal data shall be stored only in secure, encrypted databases or reputable DPDP compliant cloud environments that enforce strict access controls, logging and monitoring with appropriately designed backup and recovery mechanisms.
  • Employee training- Personnel of the Company may receive structured and periodic training on data privacy and security best practices, including secure handling of personal data and identifying and reporting any possible breach, fostering a culture of awareness regarding privacy.
  • Third Party Risk Management- Pharmaceutical companies shall conduct due diligence exercises and carefully monitor third-party vendors and partners accessing personal data ensuring that such third parties are bound by strict contractual, technical and organizational data‑protection and security requirements and are periodically assessed for compliance.
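The consent-withdrawal and erasure obligations discussed above (Sections 6(4) and 8(7)) and the data minimization, access control and audit practices listed here can be enforced together in one access layer that sits in front of patient records. The following Python model is an added illustration, not code from the Act, the Rules or any of the sources cited on this page; the role-to-purpose mapping, the purpose-to-field mapping, the patient identifier and the record contents are all constructed for the example. It binds every access to a stated purpose, returns only the fields that purpose needs, refuses processing once consent for that purpose is withdrawn, erases fields that no remaining consented purpose requires (so that withdrawing consent for one purpose does not destroy data still needed for another), and logs every decision for later audit.

```python
"""Consent-gated, purpose-limited access layer for patient records (illustrative)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(Exception):
    """The actor's role is not permitted to process data for the requested purpose."""


class ConsentWithdrawn(Exception):
    """No active consent exists for this purpose (withdrawn or never granted)."""


# Constructed mapping: which purposes each role may process data for (role-based access control).
ROLE_PURPOSES = {
    "treating_doctor": {"treatment"},
    "trial_investigator": {"clinical_trial"},
}

# Constructed mapping: the minimum record fields each purpose needs (data minimization).
PURPOSE_FIELDS = {
    "treatment": {"history", "allergies"},
    "clinical_trial": {"trial_results", "allergies"},
}


@dataclass
class Consent:
    purposes: set                              # purposes the Data Principal consented to
    withdrawn: set = field(default_factory=set)

    def active(self):
        return self.purposes - self.withdrawn


class RecordStore:
    def __init__(self):
        self._records = {}   # patient_id -> {field: value}
        self._consents = {}  # patient_id -> Consent
        self.audit = []      # append-only log of every access and erasure decision

    def _log(self, actor, patient_id, purpose, outcome):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "patient": patient_id,
            "purpose": purpose, "outcome": outcome,
        })

    def register(self, patient_id, fields, purposes):
        """Store a record, keeping only fields that some consented purpose actually needs."""
        needed = set().union(*(PURPOSE_FIELDS[p] for p in purposes))
        self._records[patient_id] = {k: v for k, v in fields.items() if k in needed}
        self._consents[patient_id] = Consent(set(purposes))

    def access(self, actor, role, patient_id, purpose):
        """Return the purpose-limited view of a record, or raise if role or consent forbids it."""
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self._log(actor, patient_id, purpose, "denied:role")
            raise AccessDenied(f"{role} may not process data for {purpose}")
        if purpose not in self._consents[patient_id].active():
            self._log(actor, patient_id, purpose, "denied:consent")
            raise ConsentWithdrawn(f"no active consent for {purpose}")
        record = self._records[patient_id]
        view = {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}
        self._log(actor, patient_id, purpose, "granted")
        return view

    def withdraw(self, patient_id, purpose):
        """Record a consent withdrawal and erase fields no remaining purpose needs."""
        consent = self._consents[patient_id]
        consent.withdrawn.add(purpose)
        still_needed = set().union(*(PURPOSE_FIELDS[p] for p in consent.active()))
        record = self._records[patient_id]
        erased = sorted(k for k in record if k not in still_needed)
        for k in erased:
            del record[k]
        self._log("system", patient_id, purpose, f"withdrawn;erased={erased}")
        return erased

    def stored_fields(self, patient_id):
        return sorted(self._records[patient_id])


def build_demo_store():
    """Constructed sample: one patient consenting to treatment and a clinical trial."""
    store = RecordStore()
    store.register(
        "P-0001",  # constructed identifier
        {"history": "hypertension", "allergies": "penicillin",
         "trial_results": "cohort B, week 12", "phone": "+91-00000-00000"},
        purposes={"treatment", "clinical_trial"},
    )
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.access("dr_rao", "treating_doctor", "P-0001", "treatment"))
    print(s.withdraw("P-0001", "clinical_trial"), s.stored_fields("P-0001"))
```

The `phone` field is dropped at registration because no consented purpose needs it, and withdrawing consent for the clinical trial erases only `trial_results`, leaving the treatment history intact for other treating doctors; the audit list can be reviewed or exported for the periodic access reviews mentioned above.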


CONCLUSION

Data privacy is both a legal and an ethical commitment within the pharmaceutical industry, and a stringent healthcare safety and privacy setup is a matter of utmost priority. It is crucial to preserve confidentiality and ensure data privacy in medical records, since healthcare information is directly linked to public confidence. Keeping in view the recent cyber-attacks on healthcare organizations such as AIIMS and ICMR, it has become necessary that the security and regulation of healthcare personal data within India is strengthened, and the DPDP Act ensures that this takes place by giving patients broader rights and increasing compliance obligations on Data Fiduciaries.

[1] Sahil Kanuga and Sara Sundaram, “Reshaping investigations in the pharma industry: Ensuring compliance under the DPDP Act”, Express Pharma, https://www.expresspharma.in/reshaping-investigations-in-the-pharma-industry-ensuring-compliance-under-the-dpdp-act/ (accessed 19th December, 2025).

[2] “Data Privacy Challenges and Solutions for Pharmaceutical Companies”, Privacy Pillar, https://privacypillar.com/data-privacy-for-pharmaceutical-industry/ (accessed 19th December, 2025).

[3] AMLEGALS, “Data Privacy”, AMLEGALS STRATEGIC LAWYERING, https://amlegals.com/impact-of-the-digital-personal-data-protection-act-2023-on-the-healthcare-industry/ (accessed 22nd December, 2025).
