DPDP Act 2023 Readiness for Rented IT Fleets

A working playbook for Indian companies that rent corporate laptops: how the Digital Personal Data Protection (DPDP) Act 2023 changes vendor due-diligence, what to put in your Data Processing Agreement, and the operational controls Techvity applies between every rental cycle.

Background: what the DPDP Act 2023 actually does

The Digital Personal Data Protection Act, 2023 was enacted by Parliament in August 2023 and notified by the Ministry of Electronics and Information Technology (MeitY). It is India's first comprehensive personal-data law and applies to the processing of digital personal data within India, as well as to processing outside India where it relates to the offering of goods or services to Data Principals in India. The law creates two principal roles — Data Fiduciary (the entity that determines purpose and means of processing) and Data Processor (the entity that processes on behalf of a Fiduciary) — and an oversight body, the Data Protection Board of India.

For a typical Indian enterprise that rents 200 corporate laptops, this means: your company is the Data Fiduciary in respect of any personal data those laptops touch (employee email, HR records, customer data your sales team works with). Your rental vendor — Techvity, in this case — becomes a Data Processor at the moment a returned device arrives at its warehouse with that personal data still resident.

Where rented IT intersects with the Act

The four main intersection points are:

  1. Notice and consent at issuance. If you provision a rented device to an employee, your existing employment notice already covers most processing under the "legitimate use" basis in Section 7 of the Act. No re-papering is usually needed.
  2. Storage limitation during the rental. The Act requires data to be erased once the purpose is no longer being served and no legal retention applies. That obligation flows down to the device when an employee leaves or the rental is returned.
  3. Processor controls at return. The vendor must process data only on your documented instructions, apply reasonable technical and organisational measures, and assist with breach response. This is where the Data Processing Agreement (DPA) does the heavy lifting.
  4. Erasure and evidence. A defensible end-of-life process requires both the act of sanitisation and a documentary record. Without the certificate, an audit cannot verify that the Act's erasure obligation was met.

What your DPA should say

Treat the DPA as the Data Fiduciary's "documented instruction" under the Act. The clauses that matter most for IT rental are:

  • Purpose limitation. The vendor processes returned-device data only for the purpose of intake reconciliation and sanitisation, never for analytics, training, or onward use.
  • Sanitisation standard. Name the standard explicitly — "NIST SP 800-88 Rev 1, Clear / Purge / Destroy as appropriate to the media" — and require a per-device certificate.
  • Breach notification. 24-hour notification from vendor to customer on any suspected incident affecting customer data. The customer remains the entity obligated to notify the Data Protection Board.
  • Sub-processors. A flat list of sub-processors with a right of objection, especially for logistics partners and e-waste recyclers.
  • Audit rights. One on-site audit per year on reasonable notice; a documented SOC- or ISO-style assurance report accepted in lieu, when available.
  • Geographic scope. No cross-border transfer of customer data without written instruction; sanitisation occurs at the named Indian facility.
  • Retention. Sanitisation evidence retained for at least 7 years; raw customer data not retained beyond intake.

The Techvity operational pipeline

Every device that leaves a customer environment via end-of-rental return, AMC retirement, or buyback flows through the same controlled pipeline:

  1. Sealed pickup with a chain-of-custody manifest signed at customer premises.
  2. Insured transit to the Bangalore facility for fleets above a value threshold; sealed bags for intra-city returns.
  3. Intake check-in against serial number, model, and customer asset tag.
  4. Sanitisation via NIST-aligned method (cryptographic erase, ATA Secure Erase, multi-pass overwrite, or physical destruction).
  5. Re-verification sample on a fixed percentage of the batch.
  6. Certificate issuance per device plus a consolidated CSV.
  7. Records retained for 7 years in an access-controlled archive.
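Steps 3 to 7 above are the part of the pipeline a customer's auditor actually tests: does every serial on the return manifest reconcile against the intake scan, was the sanitisation category chosen per media type, which units were re-verified, and can the consolidated record be shown not to have been edited after the fact. The script below is an added example written for this page, not Techvity's own tooling or SOP. The asset register and intake scan are constructed sample data, the media-type to NIST 800-88 technique mapping is this example's assumption (a real SOP would take it from the drive's actual interface and self-encrypting status), the certificate id format is invented, and the hash-chaining of records is a design choice for making the consolidated CSV tamper-evident, not something the page states the vendor does.

```python
"""Intake reconciliation, sanitisation method selection, verification sampling
and a tamper-evident consolidated certificate CSV for returned rental devices.
Added example only; not Techvity's tooling. All asset data below is constructed."""
import csv
import hashlib
import io
import json
import math

# NIST SP 800-88 Rev 1 category and technique chosen per media type.
# This mapping is the example's assumption, not any vendor's documented SOP.
SANITISATION_BY_MEDIA = {
    "hdd":     ("Purge", "ATA Secure Erase"),
    "ssd_sed": ("Purge", "cryptographic erase"),
    "ssd":     ("Purge", "ATA SANITIZE block erase"),
    "failed":  ("Destroy", "physical destruction"),
}

# Constructed customer asset register (what the Fiduciary says it shipped back).
ASSET_REGISTER = [
    {"serial": "SN-0001", "model": "Laptop-A", "asset_tag": "CUST-101", "media": "ssd_sed"},
    {"serial": "SN-0002", "model": "Laptop-A", "asset_tag": "CUST-102", "media": "ssd"},
    {"serial": "SN-0003", "model": "Laptop-B", "asset_tag": "CUST-103", "media": "hdd"},
    {"serial": "SN-0004", "model": "Laptop-B", "asset_tag": "CUST-104", "media": "failed"},
]
# Constructed intake scan at the facility: SN-0004 never arrived, SN-0099 is a stray.
INTAKE_SCAN = ["SN-0001", "SN-0002", "SN-0003", "SN-0099"]


def reconcile_intake(register, scanned):
    """Step 3: check-in against serial, model and asset tag. Anything that does not
    match in both directions is an exception that blocks certificate issuance."""
    expected = {d["serial"]: d for d in register}
    scanned_set = set(scanned)
    matched = [expected[s] for s in scanned if s in expected]
    missing = sorted(set(expected) - scanned_set)      # on the manifest, not received
    unexpected = sorted(scanned_set - set(expected))   # received, not on the register
    return {"matched": matched, "missing": missing, "unexpected": unexpected}


def select_method(media):
    """Step 4: pick the NIST 800-88 category and technique. Unknown media is escalated
    to Destroy rather than guessed, so a mis-typed drive never gets only a Clear."""
    return SANITISATION_BY_MEDIA.get(media, ("Destroy", "physical destruction"))


def verification_sample(serials, percent, batch_id):
    """Step 5: a fixed-percentage sample chosen by hashing serial with the batch id, so
    an auditor can recompute which units were re-verified and the operator cannot
    steer the selection towards units known to be clean."""
    k = max(1, math.ceil(len(serials) * percent / 100)) if serials else 0
    ranked = sorted(serials, key=lambda s: hashlib.sha256(f"{batch_id}:{s}".encode()).hexdigest())
    return set(ranked[:k])


def build_certificates(batch_id, devices, verified, issued_at):
    """Step 6: one record per device, hash-chained so that editing any earlier row
    breaks verification of the consolidated file. Certificate id format is invented."""
    records, prev_hash = [], "0" * 64
    for i, d in enumerate(devices, start=1):
        category, technique = select_method(d["media"])
        rec = {
            "certificate_id": f"{batch_id}-{i:04d}",
            "serial": d["serial"], "model": d["model"], "asset_tag": d["asset_tag"],
            "nist_category": category, "technique": technique,
            "re_verified": "yes" if d["serial"] in verified else "no",
            "issued_at": issued_at, "prev_hash": prev_hash,
        }
        rec["record_hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        prev_hash = rec["record_hash"]
        records.append(rec)
    return records


def verify_chain(records):
    """Archive check (step 7): recompute every hash and link; False on any tampering."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body["prev_hash"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True


def consolidated_csv(records):
    """Render the consolidated CSV that accompanies the per-device certificates."""
    if not records:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(records[0].keys()))
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def run_batch(batch_id, register=ASSET_REGISTER, scanned=INTAKE_SCAN, sample_pct=25,
              issued_at="2024-01-15T10:00:00+05:30"):
    """Run steps 3 to 6 for one return batch and return the exceptions and certificates."""
    recon = reconcile_intake(register, scanned)
    sample = verification_sample([d["serial"] for d in recon["matched"]], sample_pct, batch_id)
    return recon, build_certificates(batch_id, recon["matched"], sample, issued_at)


if __name__ == "__main__":
    recon, certs = run_batch("BATCH-2024-001")
    print("missing:", recon["missing"], "unexpected:", recon["unexpected"])
    print(consolidated_csv(certs))
    print("chain intact:", verify_chain(certs))
```

Two points a reviewer of the evidence pack should look for are visible here: the missing and unexpected lists are exceptions that must be closed before a certificate is issued for the batch, not footnotes, and the chain verification is what lets a 7-year-old CSV still prove that no row was quietly re-labelled from Destroy to Clear after the fact.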

Working with the Data Protection Board

The Data Protection Board is the regulator established under the Act with powers to inquire, direct, and impose financial penalties. Penalties can reach up to ₹250 crore for certain breaches, including failure to take reasonable security safeguards. The practical implication for rented IT: you cannot point to your vendor and say "they had it." You remain the Data Fiduciary and need to demonstrate that you put reasonable contractual and technical controls in place. Techvity's evidence pack — DPA, sanitisation SOP, per-device certificates, audit log — is designed to be that demonstration.

Practical next steps for a 200-seat fleet

  1. Map your fleet: which roles, which data categories, which retention rules.
  2. Sign the DPA before the next batch of devices ships back. Use the clauses above as a checklist.
  3. Run one tabletop drill per year that includes vendor breach notification within the 24-hour window.
  4. Archive sanitisation certificates in your GRC tool against the original PO and asset register.
  5. Re-verify alignment annually. The DPDP rules and the Board's practice will evolve as enforcement matures.

Frequently asked questions

Does the DPDP Act 2023 apply to laptops rented from a vendor?

Yes, indirectly. The DPDP Act regulates personal data, not hardware. But if a rented laptop holds personal data of Indian residents (employee or customer), the renting company is the Data Fiduciary and the rental vendor — when handling returned devices — is a Data Processor. Both have statutory duties under the Act.

What clauses should a DPA with a laptop rental vendor contain?

Purpose limitation, data minimisation, the named NIST 800-88 sanitisation standard, breach notification timelines, sub-processor list, audit rights, and a deletion certificate obligation. The DPA should also restate that personal data cannot be transferred outside India without an explicit instruction from the Data Fiduciary.

What is Techvity's role under the DPDP Act?

Techvity acts as a Data Processor in respect of any personal data resident on customer-rented devices. We process such data only on documented instructions from the customer (Data Fiduciary), apply technical and organisational measures aligned to NIST 800-88, and issue a Certificate of Data Destruction at the end of the engagement.

Who notifies the Data Protection Board in case of a breach?

Notification to the Board and to affected Data Principals is the statutory obligation of the Data Fiduciary (the customer). Techvity, as Processor, is contractually required to notify the customer of any incident affecting their data within the agreed window — typically 24 hours of detection — so the customer can meet its onward notification duties.

Are there special rules for children's or employees' data?

The Act treats children's personal data with elevated protection (verifiable parental consent, no behavioural tracking). Employee data has a lawful basis under "legitimate use" for employment purposes, but standard purpose limitation, accuracy, and erasure obligations still apply. Rented devices used for HR functions therefore inherit the same controls.

How does Techvity evidence end-of-life data destruction?

Each device returned at end-of-rental flows through our chain-of-custody pipeline: receipt log, NIST 800-88 sanitisation (Clear, Purge, or Destroy as appropriate to the media), and a per-device Certificate of Data Destruction PDF plus consolidated CSV for fleet-level audit. Records are retained for 7 years.

References

  • Digital Personal Data Protection Act, 2023 — Government of India, Ministry of Electronics and Information Technology (MeitY).
  • NIST Special Publication 800-88 Rev 1 — Guidelines for Media Sanitization.
  • ISO/IEC 27001:2022 — Information Security Management Systems.