Imagine hiring a chartered accountant to file your tax returns. You give them access to your income statements, bank records, and investment proofs — everything they need for that specific job. Now imagine they decide to hold onto all of it indefinitely, share your financial history with a third party, and use your spending patterns to offer you insurance products you never asked about. You would rightfully call that a breach of trust. The DPDPA 2023 applies exactly this logic to every entity that collects personal data in India, through three foundational principles that sit at the heart of the law.
The first is Purpose Specification — data can only be collected for a clearly stated reason, and used only for that reason. The second is Data Minimisation — only the data genuinely required for that stated purpose should be collected, nothing more. The third is Retention Restriction — once the purpose is fulfilled (or the individual withdraws consent), the data must be erased, unless a specific law requires it to be kept for a defined period. It cannot be held “just in case” or quietly repurposed. Together, these three principles fundamentally challenge the default behaviour of most digital businesses today, which has been to collect as much as possible, store it indefinitely, and figure out the use later.

For Indian businesses that have built data lakes and personalisation engines on broad, undifferentiated collection, this requires a serious rethink. The question is no longer “what data can we get?” but “what data do we actually need, for what specific purpose, and how long do we genuinely need it?” That is a harder question to answer, but it is also a more honest one. Companies that build their data practices around these three principles will not just be compliant — they will likely end up with cleaner, more useful data and stronger user trust in the long run.