DPDP Act 2023: What PG Operators Need to Know

RentFlow Team · 20 March 2026 · 7 min read

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law. Passed by Parliament in August 2023, it establishes rules for how organisations collect, store, process, and share personal data of individuals in India.

If you run a PG, hostel, or co-living space, this law applies to you. Every time you collect a resident's name, phone number, Aadhaar number, or payment details, you are processing personal data — and the DPDP Act governs how you must handle it.

Key Terms You Need to Know

  • Data Principal: The individual whose data is being collected (your residents, staff, visitors).
  • Data Fiduciary: The entity that determines why and how data is collected (that's you — the PG operator).
  • Data Processor: An entity that processes data on behalf of the fiduciary (e.g., RentFlow, your payment gateway).
  • Consent: Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous. Pre-ticked checkboxes don't count.

What PG Operators Must Do

1. Obtain Clear Consent

Before collecting any personal data from a resident — name, phone, Aadhaar, photos — you must clearly explain what data you're collecting and why. The consent must be voluntary. You cannot refuse accommodation solely because a resident refuses optional data collection.

2. Use Data Only for Stated Purposes

If you collect a resident's phone number for rent reminders, you cannot use it for marketing third-party services without separate consent. Data must be used only for the purpose stated at the time of collection.

3. Keep Data Secure

You have a legal obligation to implement "reasonable security safeguards" to protect personal data. Paper registers in unlocked drawers don't meet this standard. Digital systems with encryption, access controls, and audit trails do.

4. Honour Data Rights

Residents have the right to:

  • Access their personal data (ask what you've stored about them)
  • Correct inaccurate data
  • Request deletion of their data (with certain exceptions)
  • File a grievance if they believe their data rights are being violated

5. Appoint a Grievance Officer

The DPDP Act requires every Data Fiduciary to designate a person who can address data-related grievances from Data Principals. This person's contact details should be accessible to your residents.

6. Report Data Breaches

If personal data is compromised — whether through a hack, a lost device, or an employee sharing data without authorisation — you must notify the Data Protection Board of India. The notification timeline is expected to be within 72 hours once rules are finalised.

Penalties for Non-Compliance

The DPDP Act prescribes significant penalties:

  • Failure to take security safeguards: up to ₹250 crore
  • Failure to notify data breaches: up to ₹200 crore
  • Non-compliance with obligations regarding children's data: up to ₹200 crore

While enforcement is expected to begin gradually, the direction is clear: data protection compliance is not optional.

How RentFlow Helps You Comply

RentFlow is designed with DPDP compliance built in:

  • Encrypted storage: All resident data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.3).
  • Access controls: Role-based permissions ensure only authorised staff can access resident data.
  • Audit trails: Every data access and modification is logged with timestamps and user identity.
  • Data export: Residents can request their data, and you can export it in a structured format.
  • Data deletion: When a resident moves out and requests deletion, you can remove their data with a clear audit trail.
  • Aadhaar security: If you verify resident identity via Aadhaar, RentFlow stores only an irreversible hash — the original number is never retained.

What You Should Do Today

  1. Audit your data collection: List every piece of personal data you collect from residents. Ask: do I need this? Do residents know I'm collecting it?
  2. Create a privacy notice: A simple document explaining what data you collect, why, and how residents can exercise their rights.
  3. Secure your records: Move from paper to digital. If you're already digital, review your access controls.
  4. Designate a grievance officer: This can be you, a manager, or any responsible person in your organisation.
  5. Review your software: Ensure the platforms you use (including property management tools) are DPDP-compliant.

Data protection compliance isn't a one-time project — it's an ongoing practice. But with the right tools and awareness, it's entirely manageable. RentFlow is here to help you get there.
