DPDP Act 2023 · India
India's privacy law reaches the front gate.
DPDP-ready visitor records.
Every Indian school, college, and university is a Data Fiduciary under the DPDP Act, and anyone under 18 is a child whose data needs verifiable parental consent. LogBook360 builds qualifying consent, purpose limitation, retention, and erasure into the check-in itself.
Penalties reach INR 250 crore per breach, and the Rules 2025 compliance clock is already running.
DPDP Consent & Rights
Parent · R. Sharma · 08:40
Child pickup visit · Consent notice · Hindi · accepted
Vendor · A. Khan · 09:15
Canteen delivery · Purpose-limited · gate only
Guest speaker · 10:05
Annual day event · Consent logged · withdrawable
Erasure request #221 · 12:30
Past visit record · Auto-purged · evidence kept
Informed, specific, withdrawable consent · §6
Where DPDP meets the gate
Four duties every campus Data Fiduciary owns
The Act is consent-first and children-strict. Visitor registers full of personal data, collected without notice, are exactly what it targets.
Duty
Consent that actually qualifies
The DPDP Act requires informed, specific, withdrawable consent with clear notice. A generic checkbox or admission-form clause does not qualify. LogBook360 captures consent at check-in, per purpose, in the visitor's language.
Duty
Children's data, under 18
India sets the child threshold at 18, and the Rules permit tracking in schools only for educational activity and child safety. Visitor management sits squarely in the safety lane; the records prove it.
Duty
Security safeguards and breach readiness
Data Fiduciaries must implement reasonable security safeguards and report breaches fast. Encrypted records, access controls, and exportable incident evidence keep the 72-hour window achievable.
Duty
Data principal rights, operational
Access, correction, and erasure requests stop being a scramble when every visitor record is searchable, exportable, and covered by retention rules with auto-purge.
Act mapping
DPDP requirements. LogBook360 controls.
§5-6
Requirement
Notice and qualifying consent
LogBook360 control
Purpose-specific consent at check-in with clear notice, multilingual, and withdrawable at any time
§8
Requirement
Data Fiduciary obligations
LogBook360 control
Security safeguards, accuracy, and accountability for every visitor record the institution holds
§9
Requirement
Children's personal data
LogBook360 control
Verifiable parental-consent flows; processing limited to educational activity and child safety
§11
Requirement
Right to access
LogBook360 control
A data principal's complete visit history served from one searchable log
§12-13
Requirement
Correction and erasure
LogBook360 control
Erasure workflows plus configurable retention with auto-purge, evidenced for the Board
§8(6) + Rules
Requirement
Breach intimation
LogBook360 control
Exportable, timestamped incident evidence to meet Data Protection Board reporting timelines
Rules 2025
Requirement
Retention and erasure schedules
LogBook360 control
Retention policies set per record class; deletion is automatic and logged
§16
Requirement
Cross-border conditions
LogBook360 control
Deployment options that keep visitor data within approved jurisdictions
Non-compliance risk
The penalty schedule is written in crores
The Data Protection Board assesses penalties per the Act's schedule, and schools sit in the strictest lane because they hold children's data.
Data Protection Board
Security safeguards failure
Up to INR 250 crore
The highest tier in the penalty schedule applies to failures of reasonable security safeguards
Breach not notified
Up to INR 200 crore
Failing to intimate the Board and affected data principals of a personal data breach
Children's data obligations
Up to INR 200 crore
Processing children's data without verifiable parental consent or beyond permitted purposes
Enforcement timeline
Rules notified
November 2025
The DPDP Rules 2025 made the Act operational with phased timelines
Core obligations
~18 months from notification
Consent, safeguards, breach reporting, and retention duties phase in; institutions are preparing now
Data Protection Board
Operational
Complaint-driven enforcement with published decisions
Institutional fallout
Parent trust
Admissions impact
Schools hold children's data; privacy incidents draw immediate parent and press scrutiny
Board and trustee exposure
Governance findings
Penalties land on the institution; explanations land on its management
EdTech and vendor contracts
Flow-down obligations
Institutions must hold their processors, including visitor systems, to DPDP standards
Implementation
DPDP-ready visitor records in 4-5 weeks
1
Map personal-data flows
1 week
Catalog where visitor, parent, and contractor data is collected across campuses, and which records touch children's data.
2
Deploy LogBook360
1-2 weeks
Configure consent notices and languages, purpose limitation, retention schedules, and erasure workflows.
3
Train front-office staff
1 week
Reception teams learn consent capture and rights-request handling; training is documented.
4
DPO review and sign-off
1 week
Your Data Protection Officer reviews the consent log, rights workflows, and breach-evidence export.
Be DPDP-ready before the enforcement clock runs out
We'll walk your DPO and management through consent capture, children's-data handling, retention, and the breach-evidence export, across every campus you run.
