What is the deadline for DPDP Act enforcement in India?

Hard enforcement for the Digital Personal Data Protection (DPDP) Act begins on May 13, 2027. The transition window is currently active.

What are the penalties under the DPDP Act?

Penalties range from ₹50 Crores for general violations to ₹250 Crores for failure to take reasonable security safeguards.

How much does DPDP compliance cost?

Market rates for comprehensive DPDP compliance range from ₹3-7 Lakhs for SMEs to ₹15+ Lakhs for enterprises. This includes awareness training, data audit, DPA deep-dive sessions, consent manager setup, and ongoing DPO support.

Does DPDP apply to small businesses?

Yes. The DPDP Act makes no distinction based on turnover. Even if you have 100 customers, if you collect digital personal data, you are a Data Fiduciary and must comply.

What is included in a DPDP compliance workshop?

A DPDP readiness workshop typically includes: understanding the DPDP Act, mapping your tech stack, reviewing data processor agreements, checking consent flows, and creating a clear action plan.

advanced faq•4 min read

CCTV Cameras & DPDP Compliance: What Indian Businesses Need

Understand if your CCTV cameras need DPDP compliance. Learn about consent, data retention, and security measures under India's DPDP Act. Get cost insights.

MBS

Meridian Bridge Strategy11 May 2026

Does the silent gaze of your CCTV cameras now require a privacy policy? For Indian businesses, the answer is increasingly yes. Installing security cameras in an office, retail space, or factory inevitably captures images and, at times, sounds of individuals – employees, customers, visitors. This visual data, especially if identifiable, squarely falls under the ambit of 'personal data' as defined by India's Digital Personal Data Protection Act, 2023 (DPDP Act). Failing to acknowledge this can turn a simple security measure into a significant compliance liability.

Quick answer

Yes, your CCTV cameras likely need DPDP compliance. Any CCTV system that captures images or sounds of identifiable individuals processes 'personal data' under the DPDP Act. This means businesses (Data Fiduciaries) must implement measures for consent, data minimisation, secure storage, and clear policies to avoid penalties.

Why CCTV Data Falls Under DPDP

The DPDP Act defines personal data broadly as any data about an individual who is identifiable by or in relation to such data. CCTV footage, by its very nature, captures visual and sometimes audio information that can identify people – their faces, movements, and often their presence at a specific time and location.

Even if the primary purpose is security, the incidental collection of personal data triggers DPDP obligations. This applies whether the footage is live-monitored, recorded, or used for analytical purposes like footfall tracking or queue management.

💡 Key Insight: The DPDP Act does not differentiate based on the intention behind data collection, but on whether personal data is collected. If your CCTV system captures identifiable individuals, it falls under DPDP.

Key Compliance Requirements for CCTV Systems

Bringing your CCTV operations into DPDP compliance requires a multi-faceted approach, moving beyond just technical setup to address legal and ethical data handling.

Notice & Consent Mechanisms

Data Fiduciaries must provide clear and prominent notice about CCTV surveillance. This usually means visible signage at entry points and within surveillance zones, informing individuals that they are being recorded, the purpose of collection, and who to contact for DPDP-related requests. While explicit consent for general surveillance might be impractical, the Act allows for processing under 'legitimate uses' for employment or public interest. However, clear notice remains paramount.

Data Minimisation & Retention

The DPDP Act mandates data minimisation, meaning you should only collect data that is necessary for the stated purpose. For CCTV, this implies reviewing camera placements to avoid capturing unnecessary areas. Data retention policies are also critical: footage should only be stored for as long as genuinely required for its purpose (e.g., security incident investigation), and then securely deleted.

Security Measures

CCTV footage, especially if sensitive, must be protected against unauthorised access, disclosure, alteration, or destruction. This involves secure storage (encrypted servers), access controls (only authorised personnel can view footage), and robust cybersecurity practices to prevent breaches.

✅ Pro Tip: Implement a clear 'CCTV Policy' outlining purposes, retention periods, access controls, and a process for Data Principal requests. This demonstrates accountability and aids employee training.

Typical cost range

The cost of making your CCTV systems DPDP compliant isn't primarily about the cameras themselves, but the data management, policy, and technical infrastructure surrounding them. For most Indian businesses, this falls within the range below:

Category	Estimated Cost Range (₹)	Key Components
Policy & Legal Review	₹50,000 - ₹2 Lakh	CCTV policy drafting, legal opinion on legitimate uses, privacy notices.
Technical & IT Infrastructure	₹1 Lakh - ₹5 Lakh	Upgrading storage, access controls, encryption, network security for CCTV footage.
Data Mapping & Impact Assessment	₹75,000 - ₹3 Lakh	Identifying all cameras, data flows, assessing risks, creating a DPIA if needed.
Training & Awareness	₹25,000 - ₹1 Lakh	Training security, IT, and HR staff on CCTV data handling and DPDP responsibilities.

What drives the cost

Several factors will significantly influence your total DPDP compliance budget for CCTV systems:

Number & Type of Cameras: More cameras, especially those with advanced analytics (facial recognition, behavioral analysis), increase complexity and data volume.
Existing Infrastructure: Older, analogue CCTV systems may require substantial upgrades to digital, secure, and networked solutions. Modern IP camera systems are easier to adapt.
Data Retention Period: Longer retention periods demand more storage and more robust, scalable security solutions, increasing costs.
Integration with Other Systems: If CCTV data is integrated with HR systems (e.g., for attendance) or marketing (e.g., footfall analytics), the data mapping and security requirements become more intricate.
Third-Party Vendors: Reliance on external security agencies or cloud storage for footage requires rigorous vendor due diligence and DPDP-compliant data processing agreements.

Consequences of Non-Compliance

Ignoring DPDP compliance for CCTV is not just a theoretical risk. The Data Protection Board of India (DPBI) can impose significant financial penalties. For breaches related to fulfilling obligations of Data Fiduciaries (like implementing reasonable security safeguards), penalties can go up to ₹250 Crore per instance. Non-compliance also carries severe reputational damage, eroding trust among employees, customers, and partners.

⚠️ Warning: An unsecure CCTV system can lead to a data breach. Such incidents can incur heavy fines under the DPDP Act and severely damage your brand reputation. For more details, see DPDP Penalty Structure.

Next step

Don't let your security system become a liability. Understanding the nuances of DPDP compliance for CCTV is crucial. Our DPDP Workshop offers a focused, practical approach to assessing your current systems, identifying gaps, and building a robust compliance roadmap tailored to your business operations.

Check Your DPDP Cost

Use the free calculator first. Then decide if your team needs the DPDP Readiness Workshop.

Check My DPDP Cost

Book a Workshop Call →