If you're in an industry like banking, insurance, or healthcare, you're probably sitting on years of customer data that feeds your analytics, risk models, and business strategy.
The DPDP Act appears to make this much harder going forward: process personal data only with consent (or under one of the Act's listed legitimate uses), only for a specified purpose, and erase it once that purpose is served.
Read that literally and it sounds like you need to stop using data for research and analytics purposes.
Fortunately, Section 17(2)(b) of the DPDP Act creates an exemption from most of the Act's requirements when processing personal data for "research, archiving or statistical purposes."
But the exemption comes with two mandatory conditions:
- No individual decision-making can be made on the basis of this data
- You must follow prescribed standards laid out in the DPDP Rules, 2025
This piece breaks down both conditions: what they permit and what they don't.
No individual decision-making
Without this hard boundary the research exemption would be an easy consent-avoidance loophole: an organisation could label any processing as "research", extract individual-level insights, and use them to target offers at specific customers without ever collecting consent.
Let's go through some examples to understand this hard boundary.
Banking Sector:
- Not individual decision making: You're analyzing five years of transaction data from 10 lakh customers to understand spending patterns across different demographics. You discover that customers aged 25–35 in metro cities have 40% higher digital payment adoption. You use this insight to decide your overall digital strategy.
- Individual decision making — not permitted without consent: You're analyzing five years of transaction data for a specific customer and tailoring a specific loan offer that you will market to them via cold calls, emails and SMS.
Insurance Sector:
- Not individual decision making: You're studying claims data to understand how air pollution levels correlate with respiratory health issues across different cities. You publish research showing higher claim frequencies in cities with poor air quality.
- Individual decision making — not permitted without consent: You are studying a customer's claims data and using it to increase their premium from the next payment cycle.
Healthcare Sector:
- Not individual decision making: You're analyzing patient records from the past decade to study the effectiveness of a particular diabetes treatment protocol. Your findings show that certain patient groups respond better to specific interventions. You publish this (after anonymizing the data) in a medical journal.
- Individual decision making — not permitted without consent: You are analyzing a patient's records from the past decade. You are using these findings to recommend a new type of drug or medical treatment to the patient.
The Standards You Must Follow Under the DPDP Rules
The DPDP Rules, 2025 (Rule 16, read with the Second Schedule) lay out six standards that must be met to rely on this exemption:
1. Processing Must Be Lawful
"Lawful processing" here means the research purpose must exist before processing starts; it cannot be invented afterwards to justify data you were already using.
In practice that means documented research objectives, a defined methodology, and a clear separation between the research rationale and any commercial objective. Write a research charter that sets out the scientific goals before processing begins, and keep research teams and their outputs organisationally separate from decision-making and operational functions. If the "research" conveniently produces outputs that feed directly into targeting specific customers ("my research told me to push this home loan offer to these customers"), it is not research; it is consent avoidance.
2. Limit Data to What's Necessary
Before processing starts, the research design needs a specific, justified scope:
- Do you need ten years of transaction history, or would two years answer the same question?
- Do you need exact addresses, or would city-level data do?
- Can you exclude sensitive fields (health conditions, religious identifiers) that do not contribute to the research objective?
Every additional field you include is a field you must secure, justify and eventually delete, so a tighter research scope also reduces your compliance burden.
3. Ensure Data Accuracy
The law is effectively mandating good research practice: validate data quality before analysis, handle missing or corrupted records appropriately, and don't massage the data to fit preconceived conclusions.
This means you need data quality checks before the research pipeline starts. If your source data has known gaps or inconsistencies (and most historical datasets do), your research design must account for that. Document the gaps. Document how you're handling them. This is both good science and good compliance.
4. Retention Limits
Once your research is complete and you've extracted the insights, the underlying personal data must be deleted (unless another law requires you to retain it).
This means your research design needs to specify retention timelines up front.
"We might need this later" is not a retention justification.
5. Security Safeguards
Research data is still personal data and cannot be handled loosely.
A breach of your research database harms data principals exactly as much as a breach of your production systems. Implement the same safeguards: encryption, access controls, audit logs of processing activities, secure deletion practices, documented retention policies, and an incident response plan for breaches.
Ideally, research data should not live on the same systems as customer-facing operations. Without that separation, research findings drift into operational systems and operational decisions start being justified as "research-based".
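The minimisation (standard 2), retention (standard 4) and audit-logging (standard 5) points above can be enforced in the pipeline that builds the research copy rather than left to policy. The following is an added illustration written for this article, not code from the article, the Rules or any regulator: it builds a research extract from constructed raw customer records, keeps only the fields a hypothetical research charter justified, generalises exact age and address to an age band and a city, replaces the customer identifier with a keyed pseudonym, fixes the retention date at creation time, and writes an audit log that contains no personal data. The field names, the 24-month window, the 180-day retention period and the HMAC key are all assumptions made for the example.

```python
"""Research extract builder: data minimisation, pseudonymisation, retention
and audit logging in one place. Added illustration; the field names, the
24-month window, the retention period and the key are constructed assumptions."""
from __future__ import annotations

import hashlib
import hmac
from datetime import date, datetime, timedelta, timezone

# Fields the (hypothetical) research charter justified. Nothing else is copied.
ALLOWED_FIELDS = {"pseudonym", "txn_date", "amount", "channel", "age_band", "city"}

# Keyed pseudonymisation. The key is held by the operational side only, so the
# research copy cannot be linked back to a customer by anyone who lacks it.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def pseudonymise(customer_id: str) -> str:
    """Stable, keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars)."""
    return hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band, e.g. 31 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def minimise(raw: dict, window_start: date) -> dict | None:
    """Return the research view of one raw record, or None if it is out of scope.

    Drops the exact address (keeps city), the exact age (keeps a band) and every
    field the charter did not justify (here: health_flag, religion)."""
    txn_date = date.fromisoformat(raw["txn_date"])
    if txn_date < window_start:
        return None  # outside the justified time window
    out = {
        "pseudonym": pseudonymise(raw["customer_id"]),
        "txn_date": txn_date.isoformat(),
        "amount": raw["amount"],
        "channel": raw["channel"],
        "age_band": age_band(raw["age"]),
        "city": raw["address"]["city"],
    }
    assert set(out) == ALLOWED_FIELDS  # fails loudly if a field is added later
    return out


class ResearchDataset:
    """A research copy whose retention date is fixed when it is created."""

    def __init__(self, purpose: str, retain_until: date) -> None:
        self.purpose = purpose
        self.retain_until = retain_until
        self.records: list[dict] = []
        self.audit_log: list[dict] = []
        self._log("created", purpose=purpose, retain_until=retain_until.isoformat())

    def _log(self, event: str, **details) -> None:
        # Audit entries describe the processing; they never contain personal data.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details})

    def ingest(self, raw_records: list[dict], window_start: date) -> int:
        kept = 0
        for raw in raw_records:
            view = minimise(raw, window_start)
            if view is not None:
                self.records.append(view)
                kept += 1
        self._log("ingest", received=len(raw_records), kept=kept, window_start=window_start.isoformat())
        return kept

    def enforce_retention(self, today: date) -> int:
        """Erase the personal data once the retention date has passed; keep the log."""
        if today <= self.retain_until or not self.records:
            return 0
        erased = len(self.records)
        self.records.clear()  # stand-in for the storage layer's secure deletion
        self._log("erased", records=erased, reason="retention period expired")
        return erased


# Constructed sample input; no real customers.
RAW_RECORDS = [
    {"customer_id": "C1001", "txn_date": "2025-03-02", "amount": 1200, "channel": "UPI",
     "age": 31, "address": {"street": "12 MG Road", "city": "Bengaluru"},
     "health_flag": "diabetic", "religion": "X"},
    {"customer_id": "C1001", "txn_date": "2022-11-20", "amount": 300, "channel": "card",
     "age": 31, "address": {"street": "12 MG Road", "city": "Bengaluru"},
     "health_flag": "diabetic", "religion": "X"},
    {"customer_id": "C2002", "txn_date": "2024-08-15", "amount": 5000, "channel": "netbanking",
     "age": 58, "address": {"street": "7 Park St", "city": "Kolkata"},
     "health_flag": None, "religion": "Y"},
]


def build_demo(today: date = date(2025, 6, 1)) -> ResearchDataset:
    """Build the research copy: 24-month window, 180-day retention (assumed values)."""
    ds = ResearchDataset("digital adoption by age band and city", retain_until=today + timedelta(days=180))
    ds.ingest(RAW_RECORDS, window_start=today - timedelta(days=730))
    return ds


if __name__ == "__main__":
    ds = build_demo()
    print(ds.records)
    print(ds.enforce_retention(date(2026, 1, 1)), "records erased")
    print(ds.audit_log)
```

Two design points matter more than the code. The research team never holds PSEUDONYM_KEY (in practice it would sit in the operational side's KMS or HSM), so the research copy cannot be re-linked to a customer from within the research environment. And the retention date is a constructor argument, not something decided later, so a dataset cannot exist without one; the erase step here just clears a list, and a real pipeline would call the storage layer's secure deletion while keeping the audit log.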
6. Ensure Data Principal Rights
Data principals didn't give consent for this processing — that's the whole point of the exception. But that doesn't mean they lose visibility.
You don't need consent for research processing, but you must still be able to tell a data principal that their data is being used for research when they exercise their rights under the Act.
They should be able to understand what research their data is used in, and raise concerns or complaints. You need a process for handling queries specifically about research processing, for example as part of your standard grievance redressal flow.
FAQs
Q: Is historical data collection for analytics and research illegal under the DPDP Act?
A: Not necessarily. You can continue storing and processing such data under the research exemption as long as it does not drive individual decisions (personalised pricing, targeted offers); those need consent-based processing. Analytics that inform general business strategy can continue, provided you meet the prescribed standards.
Q: Can organisations act on urgent findings like fraud patterns from research data under the DPDP Act?
A: You can absolutely act on such findings at a systemic level (like implementing fraud controls).
For individual action (blocking a specific account, contacting a specific patient), you need proper consent-based processing or another legal basis (like emergencies).
Q: How long can organisations retain research and archival data under the DPDP Act?
A: As long as necessary for the purpose, or as long as another law requires. Once the research is complete, delete the personal data (keep the required processing logs for one year; anonymised findings are no longer personal data and can be kept indefinitely).
Q: Does the DPDP Act's research exception apply to AI/ML model training?
A: No one is certain yet. Training a model to learn population-level patterns could qualify as research, but once that model is used to make individual decisions (credit scoring, hiring, pricing), that is operational processing requiring consent. Separate the research/training phase from operational deployment, and document where the line sits.
Looking Ahead: What to Expect
The DPDP Act is new, and the Data Protection Board of India (DPB) hasn't issued detailed guidance yet. Over time, we can expect:
- Clearer definitions of what exactly counts as "legitimate research" vs. disguised marketing
- Sector-specific guidance: sectoral regulators in healthcare, pharmaceuticals and financial services already impose their own research and archiving requirements, and further guardrails may follow
- Case law — early enforcement actions will help clarify boundaries
- Best practice frameworks — industry bodies will likely develop voluntary standards
For now, the smart approach is conservative: if you're unsure whether something qualifies as research, seek legal advice. If you're on the fence about whether you need consent, err on the side of getting it.