DPDP 2023 for Pharmacies: What Retailers Must Know
The Digital Personal Data Protection Act 2023 affects every pharmacy collecting customer data. Consent requirements, penalties, and what to change now.
Your pharmacy already has a data problem. The DPDP Act just made it a legal one.
Every pharmacy in India collects personal data. This is not a controversial statement, and it is not a new development. You have been collecting it for years: customer phone numbers scribbled in billing registers, prescription records filed in drawers or logged in your POS system, purchase histories tied to loyalty programs, WhatsApp numbers gathered for order-ready notifications. The data was always there. What changed on 11 August 2023 is that Parliament decided this data now has a legal framework around it, and that framework comes with consequences that most pharmacy owners have not yet begun to think about.
The Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent and is now law. The rules under the Act are being finalized by MeitY (Ministry of Electronics and Information Technology), and the Data Protection Board of India has been constituted to enforce it. When enforcement begins in earnest, every pharmacy in the country that collects customer data — which is every pharmacy in the country — will need to demonstrate compliance. The penalties for non-compliance range from ₹10,000 for minor procedural failures up to ₹250 crore for serious violations. That upper bound is designed for large corporations, but even the lower tiers of penalties are enough to threaten the solvency of an independent pharmacy doing ₹5-10 lakh a month.
This is not a distant, abstract regulatory concern. This is a specific set of obligations that applies to your shop, your data, and your current practices.
What the DPDP Act actually says (the parts that matter for pharmacies)
The Act is built around a few core concepts that map directly onto how pharmacies operate.
Data Principal is the person whose data you are collecting — your customer. Data Fiduciary is the entity collecting and processing that data — your pharmacy. The Act places obligations on the fiduciary (you) to protect the rights of the principal (your customer). This is the fundamental relationship the entire law is organized around.
Consent is the mechanism by which data collection becomes lawful. Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous. Each of those words is doing real legal work. "Free" means the customer cannot be penalized for refusing consent. "Specific" means you need consent for each distinct purpose. "Informed" means the customer must know what data you are collecting and why. "Unconditional" means you cannot bundle consent with other conditions (like refusing to sell medicines unless the customer shares their phone number). "Unambiguous" means silence or pre-ticked boxes do not count — the customer must take an affirmative action to grant consent.
Purpose limitation means you can only use data for the specific purpose for which consent was given. If a customer gave you their phone number for prescription notifications, you cannot use that number for promotional SMS campaigns about your Diwali discount scheme without obtaining separate consent for marketing communications.
Data retention means you cannot keep personal data indefinitely. Once the purpose for which data was collected has been fulfilled, or the customer withdraws consent, you must delete the data. The days of maintaining customer databases going back ten years because you never bothered to clean them are over. (Or more precisely: those days are numbered, and the number is whatever timeline MeitY sets in the final rules.)
The seven types of personal data your pharmacy is probably collecting right now
Most pharmacy owners, when asked what personal data they collect, will say "just phone numbers for billing." This significantly underestimates the actual data footprint of a typical pharmacy. Here is what a standard pharmacy operation actually collects and stores:
- Customer phone numbers — used for billing, loyalty programs, order notifications, and (often without explicit consent) promotional messages
- Prescription records — which contain the customer's name, the prescribing doctor's name, the diagnosis (implicit in the prescription), and the medication details
- Purchase history — what each customer bought, when, how often, and at what price, often linked to a phone number or loyalty ID
- Aadhaar or ID details — collected for Schedule H1 drug sales registers as required by the Drugs and Cosmetics Act
- Delivery addresses — for home delivery services, increasingly common in urban pharmacies
- WhatsApp contact information — used for sending prescription photos, order confirmations, and marketing messages
- Payment details — UPI IDs, sometimes partial card numbers, stored in billing or POS systems
Some of this data collection is legally mandated (Schedule H1 registers require customer identification), and the DPDP Act does provide exceptions for data processing required by law. But the majority of the data pharmacies collect goes well beyond what is legally required, and that surplus data is squarely within the Act's scope.
A note on health data
Prescription records and purchase histories for medicines constitute health data, which is among the most sensitive categories of personal information. While the DPDP Act does not create a separate category for health data in the way the EU's GDPR does, MeitY has indicated that the rules may impose additional obligations for sensitive personal data. Even without specific rules, health data breaches attract the most severe enforcement attention in every jurisdiction that has implemented data protection law. A pharmacy leaking prescription records is a fundamentally different news story than a grocery store leaking purchase histories, and the Data Protection Board will treat it accordingly.
What changes pharmacies must make now
The practical changes fall into four categories: consent collection, data handling, customer rights, and documentation. None of these are optional once enforcement begins.
Consent collection
Every pharmacy needs a clear, simple consent mechanism for data collection. This does not need to be complicated, but it does need to exist and it does need to be documented.
- At the billing counter: When collecting a phone number, the customer must be informed why you need it and what you will use it for. A simple printed notice at the counter stating the purpose of data collection is a minimum starting point.
- For WhatsApp/SMS marketing: You need separate, explicit opt-in consent for promotional messages. The customer agreeing to receive order notifications is not consent to receive marketing. These are distinct purposes requiring distinct consent.
- For loyalty programs: The terms of your loyalty program must clearly state what data is collected, how it is used, and how customers can opt out.
- Digital consent records: Verbal consent is difficult to prove. A digital record of consent — even something as simple as a timestamped entry in your billing system showing the customer opted in — is dramatically stronger evidence than "we asked them and they said yes."
**Pro tip:** Create a simple one-page consent form (in your local language and English) that covers data collection for billing, notifications, and marketing as three separate checkboxes. Keep signed copies or digital records. This single document addresses the majority of your consent obligations for walk-in customers.
Data handling and storage
How you store and manage customer data matters as much as how you collect it.
- Access controls: Not every employee needs access to the full customer database. Your billing staff needs phone numbers. Your pharmacist needs prescription records. Your delivery person needs addresses. The DPDP Act expects you to implement reasonable security safeguards, and role-based access is the most basic version of this.
- Data minimization: Only collect what you actually need. If you do not run a delivery service, do not collect addresses. If you do not send SMS promotions, do not collect phone numbers for that purpose. Every piece of unnecessary data is unnecessary liability.
- Retention limits: Establish a policy for how long you retain customer data. For regulatory records (like Schedule H1 registers), follow the retention periods mandated by the Drugs and Cosmetics Act. For everything else, retain only as long as there is an active customer relationship or a legitimate business need.
- Secure storage: Paper records in unlocked drawers do not constitute reasonable security safeguards. Customer data — whether digital or physical — must be stored securely, with access limited to authorized personnel.
Customer rights
The DPDP Act grants data principals (your customers) specific rights that you must be prepared to honor:
- Right to access: Customers can ask what data you hold about them. You must be able to answer this question.
- Right to correction: Customers can request corrections to inaccurate data. You must have a process for this.
- Right to erasure: Customers can request deletion of their data (subject to legal retention requirements). You must be able to delete customer records when requested and document that deletion.
- Right to grievance redressal: You must provide a mechanism for customers to raise data-related complaints. This can be as simple as a designated contact person, but it must exist.
Documentation and audit trails
This is where most pharmacies will struggle, because documentation is the gap between "we do the right thing" and "we can prove we do the right thing." The Data Protection Board will not take your word for it. They will want to see:
- Records of consent obtained (when, from whom, for what purpose)
- Data access logs (who accessed what data and when)
- Data deletion records (proof that erasure requests were fulfilled)
- Security incident records (if a breach occurred, what happened and what you did about it)
- Staff training records (evidence that employees understand data handling obligations)
The penalty framework is designed to scale, and that is what makes it dangerous
The DPDP Act structures penalties in a way that distinguishes between degrees of non-compliance:
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards | ₹250 crore |
| Failure to notify the Board and affected persons of a data breach | ₹200 crore |
| Non-compliance with obligations regarding children's data | ₹200 crore |
| Failure to comply with Data Protection Board directions | ₹50 crore |
| Breach of any other provision | ₹50 crore |
| Failure by data principal to comply with provisions | ₹10,000 |
These upper limits are clearly calibrated for major corporations and technology companies. A pharmacy will not face a ₹250 crore penalty. But the "breach of any other provision" category at ₹50 crore gives the Data Protection Board enormous discretion to impose penalties that are proportionate to the business but still substantial. For an independent pharmacy, even a ₹1 lakh penalty — a tiny fraction of the statutory maximum — represents two to three months of profit. And penalties compound: each instance of non-compliance is a separate violation. If you have 500 customer records collected without proper consent, that is potentially 500 separate violations, not one.
The Board has not yet issued detailed enforcement guidelines, and the initial approach will likely focus on awareness and warnings rather than maximum penalties. But waiting for enforcement to begin before starting compliance work is the regulatory equivalent of waiting for the fire to start before buying a fire extinguisher. The time to prepare is when there is no urgency, because once the urgency arrives, the preparation window has closed.
How digital inventory and pharmacy management systems help with DPDP compliance
Most of the DPDP Act's requirements for small businesses map directly onto capabilities that modern pharmacy management software already provides. The gap is not that the technology does not exist — it is that most pharmacies are still running on a combination of paper registers, basic billing software, and WhatsApp, none of which produce the documentation trail that the DPDP Act demands.
Consent management becomes dramatically simpler when your billing system can record a consent flag against each customer record with a timestamp. Instead of maintaining separate paper consent forms, the consent is captured at the point of data collection — when the customer first gives their phone number or signs up for notifications. ShelfLifePro for Pharmacies includes digital customer records with consent tracking built into the workflow, so the documentation happens as a natural byproduct of the billing process rather than as a separate compliance exercise.
Access logs and audit trails are a standard feature of any decent digital system but are physically impossible to maintain with paper records. When a staff member looks up a customer's purchase history, the system logs who accessed what and when. When a customer's data is modified or deleted, the system records it. This audit trail is exactly what the Data Protection Board will expect to see during any compliance review, and it requires zero additional effort from your staff because the system generates it automatically.
Data retention and deletion are straightforward in a digital system and nightmarish in a paper-based one. When a customer requests data erasure, you can delete their record and the system logs the deletion. Try doing that with five years of handwritten registers — you would need to physically locate and redact every mention of that customer across hundreds of pages, and you would almost certainly miss some.
Customer data access requests can be fulfilled in minutes when customer records are digital, searchable, and organized. A customer asks "what data do you have about me?" and you can generate a report immediately. With paper records, this same request could take your staff hours to answer, if they can answer it at all.
**Pro tip:** The cheapest way to comply with the DPDP Act is not to hire a compliance consultant. It is to run your pharmacy on a digital system that produces compliance-ready documentation as a side effect of normal operations. The consultant costs ₹50,000 and gives you a report. The system costs a fraction of that monthly and gives you ongoing compliance.
The WhatsApp marketing problem (and it is a bigger problem than you think)
A significant number of Indian pharmacies use WhatsApp as a primary communication channel — for order notifications, prescription sharing, promotional messages, and general customer engagement. Under the DPDP Act, every one of these uses requires specific consent, and promotional messages require separate opt-in consent distinct from transactional notifications.
The common practice of adding all customer phone numbers to a WhatsApp broadcast list for promotional messages is, under the DPDP Act, a violation of purpose limitation and consent requirements. If the customer gave you their number for billing purposes, using it for marketing is unauthorized processing of personal data. The fix is straightforward but requires discipline:
- Maintain separate lists for transactional messages (order ready, prescription reminder) and promotional messages (offers, new products, seasonal campaigns)
- Only add customers to the promotional list with explicit opt-in consent
- Provide a clear opt-out mechanism for every promotional message
- Document the consent for each customer on the promotional list
This is genuinely inconvenient for pharmacies that have built their marketing around WhatsApp broadcast lists. But the alternative — continuing to send unsolicited promotional messages after the DPDP Act is enforced — carries penalty risk that far exceeds the marketing value of those messages.
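The separate transactional and promotional lists, per-purpose opt-in and opt-out described in the WhatsApp section above, together with the timestamped consent flags, access logs and logged erasures that the digital-system section describes, as an added Python illustration. This is not ShelfLifePro's code or the article's; the phone numbers, staff roles and the `legal_hold` flag (standing in for a record that a statutory register still requires) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# The three separate consents from the article's one-page form; each is granted on its own.
PURPOSES = ("billing", "notifications", "marketing")

@dataclass
class Customer:
    phone: str
    consents: dict = field(default_factory=dict)  # purpose -> opt-in timestamp (ISO 8601, UTC)
    legal_hold: bool = False  # assumed flag: record still needed under a legal retention rule

class PharmacyRecords:
    def __init__(self) -> None:
        self.customers: dict = {}
        self.audit: list = []  # append-only: (time, actor, action, phone, detail)

    def _log(self, actor: str, action: str, phone: str, detail: str = "") -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, phone, detail))

    def record_consent(self, actor: str, phone: str, purpose: str) -> None:
        # Consent is specific: one purpose per entry, never an implied bundle.
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        cust = self.customers.setdefault(phone, Customer(phone))
        cust.consents[purpose] = datetime.now(timezone.utc).isoformat()
        self._log(actor, "consent_granted", phone, purpose)

    def withdraw_consent(self, actor: str, phone: str, purpose: str) -> None:
        cust = self.customers.get(phone)
        if cust and cust.consents.pop(purpose, None):
            self._log(actor, "consent_withdrawn", phone, purpose)

    def may_send(self, phone: str, purpose: str) -> bool:
        # Purpose limitation: a number collected for billing is not a marketing number.
        cust = self.customers.get(phone)
        return bool(cust and purpose in cust.consents)

    def promotional_list(self) -> list:
        # The broadcast list is built from marketing opt-ins only, never from the billing register.
        return sorted(p for p, c in self.customers.items() if "marketing" in c.consents)

    def lookup(self, actor: str, phone: str) -> Optional[Customer]:
        self._log(actor, "access", phone)  # who looked at which record, and when
        return self.customers.get(phone)

    def erase(self, actor: str, phone: str) -> bool:
        # Erasure request: honoured unless a legal retention requirement applies; logged either way.
        cust = self.customers.get(phone)
        if cust is None or cust.legal_hold:
            reason = "not found" if cust is None else "legal retention requirement"
            self._log(actor, "erasure_refused", phone, reason)
            return False
        del self.customers[phone]
        self._log(actor, "erasure", phone, "deleted")
        return True
```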
A practical DPDP compliance checklist for pharmacies
Here is what you can do this month to move from "completely unprepared" to "reasonably positioned":
- Audit your data — List every type of personal data you collect, where it is stored, who has access, and what it is used for. This is your starting point.
- Create a consent mechanism — Design a simple consent form or digital consent capture for new customers. Start collecting documented consent immediately for all new data collection.
- Separate transactional and marketing consent — If you use WhatsApp or SMS for both notifications and promotions, create separate opt-in processes for each.
- Implement access controls — Ensure that customer data access is limited to staff who need it for their specific role.
- Establish a data retention policy — Define how long you keep different types of customer data. Delete data that has no current business purpose or legal retention requirement.
- Designate a grievance contact — Identify one person in your pharmacy who handles customer data requests and complaints. This does not need to be a full-time role, but the responsibility must be assigned.
- Move to a digital system with audit trails — If you are still managing customer data through paper registers and basic billing software, this is the single highest-impact change you can make for DPDP compliance. A system like ShelfLifePro gives you consent records, access logs, data management, and the documentation trail that the Act demands, without adding compliance work to your daily routine.
- Train your staff — Every person who handles customer data (which is essentially every person in your pharmacy) needs to understand the basics: what consent means, what customers can request, and how to handle data properly.
Compliance cost goes up every month you wait
The DPDP Act is law. The Data Protection Board exists. The rules are being finalized. Enforcement will begin — the only variable is the date.
There is a window right now — call it twelve to eighteen months — where you can build compliant practices into your pharmacy's operations gradually, test them, and have them running before anyone shows up to check. Retrofitting compliance under time pressure, after the first enforcement actions make the news, costs an order of magnitude more than doing it now.
Pharmacy sits at the intersection of data sensitivity and regulatory attention: health records, prescription data, customer medical histories. The Data Protection Board will get to healthcare retail. The pharmacies with digital audit trails in place will produce their records and move on. The ones without will find out what the penalty framework feels like.
ShelfLifePro helps Indian pharmacies maintain DPDP-compliant digital records with built-in consent tracking, access logs, and audit trails — alongside batch-level expiry management and Schedule H compliance. [Start your free trial today](/get-started/) and get your pharmacy future-ready before enforcement begins.