DPDP Compliance: Pharmacies & Medical Stores India

Indian pharmacies & medical stores need DPDP compliance. Learn exact requirements, costs, and a step-by-step approach from Sushant Pasamarty.

Sushant Pasumarty

DPDP Compliance for Pharmacies & Medical Stores: Quick Answer

Yes, the Digital Personal Data Protection (DPDP) Act, 2023, absolutely applies to pharmacies and medical stores in India. If your business collects, stores, or processes any personal data – from customer names and contact details to prescription histories and payment information – you are a Data Fiduciary under DPDP.

This means you have legal obligations to protect this data, obtain proper consent, and manage data principal (customer) rights. Failure to comply can result in significant penalties, including fines up to ₹250 Crores.

What DPDP Means Right Now for Pharmacies

The DPDP Act is enacted, and while the exact enforcement date for all provisions is pending, it is expected in 2024. The government has clearly signalled its intent for robust data protection. Pharmacies and medical stores, handling sensitive health-related data, are likely to be under particular scrutiny.

💡 Key Insight: The 'personal data' collected by pharmacies includes customer names, addresses, phone numbers, email IDs, payment details, and crucially, prescription information, which often reveals health conditions. This health data is considered sensitive and requires higher protection.

What Pharmacies & Medical Stores Actually Need to Do for DPDP Compliance

Sushant Pasamarty, founder of Meridian Bridge Strategy, outlines the essential steps for pharmacies:

  1. Identify and Map All Personal Data: Understand every piece of personal data you collect, why you collect it, where it's stored, and who has access to it. This includes patient records, sales data, employee data, and vendor information.
  2. Review and Update Consent Mechanisms: Ensure that you are obtaining clear, specific, and unambiguous consent from customers for every purpose their data is used. Existing data may require fresh consent if it doesn't meet DPDP standards.
  3. Implement Robust Data Security: Protect personal data from breaches, unauthorized access, and misuse. This involves technical and organisational measures, including access controls, encryption, and regular security audits.
  4. Establish a Grievance Redressal Mechanism: Appoint a Data Protection Officer (DPO) or an equivalent contact point for data principals to exercise their rights (e.g., right to access, correction, or erasure of their data).
  5. Update Vendor Contracts (Data Processor Agreements): If you use third-party software, cloud storage, or delivery services that process customer data, ensure your contracts (Data Processing Agreements or DPAs) reflect DPDP requirements.

What DPDP Compliance Costs for Pharmacies & Medical Stores

The cost of DPDP compliance for a pharmacy or medical store depends on its size, complexity of operations, and current data handling practices. Meridian Bridge Strategy offers structured services to meet these needs, led by Sushant Pasamarty, who has extensive experience in identity verification, cybersecurity, and regulatory due diligence.

| Tier | What it includes | Price Range | Duration |
| --- | --- | --- | --- |
| Data Mapping | Map every personal data flow: who collects it, where it goes, which vendors touch it | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Gap Analysis (consent, DPAs, grievance, breach, deletion) | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Data Mapping + Gap Analysis + Prioritized Recommendations with a 90-day roadmap | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation Support + DPO Training + Final Readiness Opinion | ₹7L – ₹12L | 3-6 months |

For a small medical store with straightforward data flows, a Data Mapping or DPDP Readiness Audit might be a sufficient starting point, costing between ₹1.5L and ₹6L. This helps identify immediate risks and compliance gaps. Larger pharmacies or chains with multiple branches, complex IT systems, or extensive customer loyalty programs will likely benefit from a comprehensive DPDP Workshop or Full DPDP Consulting, ranging from ₹5L to ₹12L, to ensure end-to-end readiness and ongoing support.

✅ Pro Tip: The pricing reflects the depth of analysis, documentation, and expert guidance provided. A higher investment often means more detailed gap identification, a clearer implementation roadmap, and direct support for complex scenarios.

When to Start Your DPDP Compliance Journey

The time to start is now. While specific enforcement dates for all rules are awaited, proactive compliance mitigates risks and builds customer trust. Delaying could lead to rushed implementations, overlooked vulnerabilities, and potential penalties once the Act is fully enforced.

Next Step for Pharmacies & Medical Stores

Understanding your specific DPDP compliance costs and requirements is the first step. Sushant Pasamarty and the MBS team can guide you. Use our free online calculator on dpdpworkshop.com to get an initial estimate of your compliance costs. For a deeper dive, consider a DPDP Readiness Audit or our 1-Day DPDP Workshop to identify and address your unique gaps.

Frequently Asked Questions

Does DPDP apply to small local medical stores?

Yes, if a medical store collects any personal data of its customers or employees, it is considered a Data Fiduciary and must comply with the DPDP Act, regardless of its size. The volume or sensitivity of data handled might influence the complexity of compliance, but not the applicability.

What kind of 'sensitive' health data do pharmacies collect under DPDP?

Pharmacies frequently collect prescription details, which often reveal specific medical conditions, medications being taken, and other health-related information. This type of data falls under 'sensitive personal data', which requires stricter handling and consent under data protection principles.

Do pharmacies need to get fresh consent from existing customers for DPDP?

If the consent previously obtained from existing customers does not meet the explicit, specific, and unambiguous standards required by DPDP, then fresh consent may be necessary. Sushant Pasamarty recommends an audit to determine if your existing consent mechanisms are compliant or require updates.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.