Compliance - Last updated: 30 April 2026

DPDP Act 2023 Compliance Checklist for Rented Laptop Fleets

Published by Techvity IT Solutions

The 60-second answer

Under the Digital Personal Data Protection (DPDP) Act 2023, your organisation is the Data Fiduciary for employee and customer data processed on rented laptops; the rental vendor is a Data Processor under Section 8. You need a written DPA, security safeguards on every device, a breach-response runbook, a NIST SP 800-88 wipe at return and a grievance redressal mechanism. Penalties run up to INR 250 crore per the Schedule.

Why this matters in 2026

The DPDP Act 2023 was notified on 11 August 2023 by MeitY; the Data Protection Board of India is being constituted and the Rules are under finalisation. India saw 129 reported personal data breaches in CY 2024 per industry trackers, and a single misplaced or unwiped laptop is one of the most common incident types. Indian B2B IT leaders renting fleets above 25 units cannot delegate compliance to "the vendor" - the duty sits on the Fiduciary.

IDC India estimates the corporate endpoint base at over 30 million units in 2025, of which a material share is rented or leased. Every one of those rentals is a Data Processor relationship under Section 8.

The 11-point checklist

  1. Sign a Data Processing Agreement (DPA) with the rental vendor
     Per Section 8(1), the contract must specify purpose, security safeguards and end-of-engagement data destruction. Include vendor obligations to assist with Data Principal rights requests.

  2. Document the purpose and lawful ground (Sections 4-6)
     Map every category of personal data processed on the rented laptops to its purpose: payroll, customer support, sales CRM, etc. Where consent under Section 6 is the basis, capture it in writing or recorded form.

  3. Implement a device-level security baseline
     Enforce full-disk encryption (BitLocker/FileVault), endpoint detection, password policy, and screen-lock idle-time limits. Section 8(5) requires reasonable security safeguards.

  4. Enrol every laptop in MDM with remote-wipe capability
     Microsoft Intune, Jamf or similar must be installed at provisioning. Confirm in contract that the vendor preserves your MDM enrolment from issue through return.

  5. Maintain an asset register with Data Principal mapping
     Record each laptop's serial number, assigned employee, business unit, types of personal data processed and deployment date, so that a Data Principal request can be actioned at the device level.

  6. Define the breach response runbook
     Time-boxed steps for containment, forensics, Board notification (DPDP Section 8(6)) and Data Principal notification, plus CERT-In intimation within 6 hours per the 2022 Directions.

  7. Train end-users on Data Principal rights
     Sections 11-14 grant rights to access, correction, erasure and grievance redressal. Field staff must know how to escalate a request from a Data Principal whose data is processed on a rented laptop.

  8. Set up a grievance redressal mechanism
     Section 13 requires a published, working grievance redressal process - typically a published email, response SLAs and an escalation path to the Board. Add this to your privacy notice.

  9. Validate cross-border data transfer status
     Section 16 allows transfer except to countries notified by the Central Government as restricted. If the rental vendor uses cloud back-ends outside India, document the legal basis.

  10. Trigger a NIST SP 800-88 wipe at de-provisioning
      On every laptop return - end of contract, swap-out, employee separation - require a Purge-level wipe and a vendor-issued wipe certificate retained for 5 years for audit.

  11. Annual review and Significant Data Fiduciary check
      Section 10 may classify your organisation as a Significant Data Fiduciary, triggering DPO appointment, Data Protection Impact Assessment (DPIA) and independent audits. Re-assess annually.

Data Principal rights you must support (Sections 11-14)

Whether the laptop is rented or owned, the Data Principal retains the same rights. Build the operational muscle to deliver each of the following on a rented fleet:

  • Right to information (Section 11): a clear summary of personal data being processed
  • Right to correction and erasure (Section 12): ability to fix or delete records on demand
  • Right of grievance redressal (Section 13): a working channel and SLA
  • Right to nominate (Section 14): appoint another individual to exercise rights in case of death/incapacity

Consent under Section 8 - the essentials

Section 6 of the DPDP Act 2023 requires consent that is "free, specific, informed, unconditional and unambiguous", with a clear affirmative action. Section 8 of the Act lays out Fiduciary duties tied to that consent: limiting processing to the stated purpose, ensuring accuracy, deploying reasonable security safeguards, breach intimation, retention only as long as necessary, and engaging Processors (including rental vendors) only under contract.

Practical implication for rented fleets: your end-user consent flows must reference the device used for processing, and your vendor contract must trace back to those purposes. Verbal acceptance is not consent.

Breach notification: what the runbook should say

Two clocks tick at once

CERT-In Cybersecurity Directions 2022: qualifying cyber incidents must be reported within 6 hours of noticing them.

DPDP Act 2023 Section 8(6): the Data Fiduciary must intimate the Data Protection Board and each affected Data Principal of a personal data breach. The exact timeline will be specified in DPDP Rules - assume same-day in your runbook.

Vendor obligations to write into your contract

  Vendor obligation                                  | Why it matters under the DPDP Act
  ---------------------------------------------------|----------------------------------------------------------------------
  Background-checked technicians for on-site repair  | Mitigates insider data exposure during physical handling
  NIST SP 800-88 Purge wipe with certificate         | Discharges the Section 8(7) data destruction obligation
  Tamper-evident packaging during transit            | Demonstrates reasonable security safeguards in transport
  Sub-processor disclosure list                      | Section 8(2) allows engaging Processors only with the Fiduciary's authorisation
  Audit rights and ISO/IEC 27001 attestation         | Independent assurance of vendor controls
  Same-day breach notification commitment            | Enables your downstream Section 8(6) timely notification

The data wipe certificate - what it must contain

Minimum fields
  • Device serial number and asset tag
  • Make, model, storage type and capacity
  • Wipe method (NIST SP 800-88 Clear / Purge / Destroy)
  • Tool used and version (e.g. Blancco, KillDisk)
  • Verification result and operator name
  • Date, location and witness signature
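The three operational pieces above (the asset register with Data Principal mapping from checklist item 5, the two notification clocks from the breach runbook in item 6, and the minimum wipe-certificate fields from item 10) are easier to see as one small tool. The following is an added example, not Techvity's code or any template from the page: it looks up a lost laptop in a constructed register, reports which data categories (and so which Data Principals) are in scope, computes the CERT-In 6-hour deadline and the runbook's same-day DPDP deadline (taken here as 23:59 IST, an assumption), and checks a returned device's wipe certificate against the minimum fields before the de-provisioning ticket can close. Register rows, field key names and timestamps are all constructed sample data.

```python
"""Device-level DPDP triage for a rented fleet.  Added example, not Techvity's
code; register entries, certificate field names and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))
CERT_IN_WINDOW = timedelta(hours=6)      # CERT-In Directions 2022: 6 hours from noticing
# Minimum certificate fields listed on the page; the key names are assumptions.
WIPE_CERT_FIELDS = frozenset({
    "serial", "asset_tag", "make_model", "storage", "method", "tool",
    "tool_version", "verification", "operator", "date", "location", "witness",
})
ACCEPTED_METHODS = {"Purge", "Destroy"}  # contract requires Purge-level or better


@dataclass(frozen=True)
class Asset:
    serial: str
    employee: str
    business_unit: str
    data_categories: frozenset
    deployed: str


# Constructed register: one row per rented laptop (checklist item 5).
REGISTER = (
    Asset("SN-0001", "emp-1042", "Payroll", frozenset({"employee-payroll"}), "2025-06-01"),
    Asset("SN-0002", "emp-2210", "Support", frozenset({"customer-contact", "ticket-history"}), "2025-07-15"),
    Asset("SN-0003", "emp-3301", "Sales", frozenset({"customer-contact", "crm-notes"}), "2025-09-02"),
)


def find_asset(register, serial: str) -> Optional[Asset]:
    return next((a for a in register if a.serial == serial), None)


def devices_processing(register, category: str) -> list:
    """Serials of every laptop whose register row lists the category, so an
    access or erasure request can be actioned device by device."""
    return sorted(a.serial for a in register if category in a.data_categories)


def notification_deadlines(detected_iso: str) -> dict:
    """Both runbook clocks as ISO-8601 strings in IST.  CERT-In is a fixed
    6 hours; the DPDP Board / Data Principal deadline is the runbook's
    same-day assumption, taken here as 23:59 IST on the day of detection."""
    detected = datetime.fromisoformat(detected_iso)
    if detected.tzinfo is None:
        raise ValueError("detection time must carry a UTC offset")
    d = detected.astimezone(IST)
    return {
        "cert_in": (d + CERT_IN_WINDOW).isoformat(),
        "dpdp_board": d.replace(hour=23, minute=59, second=0, microsecond=0).isoformat(),
    }


def triage_lost_device(register, serial: str, detected_iso: str) -> dict:
    """What the incident lead needs first: whose laptop it was, which data
    categories are in scope, and when each notification falls due."""
    asset = find_asset(register, serial)
    if asset is None:
        raise KeyError(f"{serial} not in asset register")
    return {
        "serial": asset.serial,
        "employee": asset.employee,
        "business_unit": asset.business_unit,
        "data_categories": sorted(asset.data_categories),
        "deadlines": notification_deadlines(detected_iso),
    }


def validate_wipe_certificate(register, cert: dict) -> list:
    """Problems that should block closing a de-provisioning ticket; an empty
    list means the certificate can go into the 5-year audit file."""
    problems = [f"missing field: {f}" for f in sorted(WIPE_CERT_FIELDS - set(cert))]
    if cert.get("method") not in ACCEPTED_METHODS:
        problems.append(f"method {cert.get('method')!r} is below Purge")
    if cert.get("verification") != "pass":
        problems.append("verification did not pass")
    if "serial" in cert and find_asset(register, cert["serial"]) is None:
        problems.append(f"serial {cert['serial']} not in asset register")
    return problems


if __name__ == "__main__":
    print(triage_lost_device(REGISTER, "SN-0002", "2026-04-30T09:30:00+05:30"))
    cert = {f: "x" for f in WIPE_CERT_FIELDS}          # constructed certificate
    cert.update(serial="SN-0002", method="Purge", verification="pass")
    print(validate_wipe_certificate(REGISTER, cert))   # [] when acceptable
```

Two details are deliberate: the detection time must carry an offset, because a naive timestamp from a laptop in another time zone silently shifts the 6-hour clock; and the CERT-In deadline can roll past midnight while the same-day DPDP deadline does not, which is why both are computed rather than one derived from the other.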

Penalties: what is at stake

The Schedule to the DPDP Act 2023 caps penalties at:

  • Up to INR 250 crore for failure to take reasonable security safeguards leading to a personal data breach
  • Up to INR 200 crore for failure to notify the Board or affected Data Principals
  • Up to INR 150 crore for breach of additional obligations of a Significant Data Fiduciary
  • Up to INR 50 crore for breach of any other duty
  • Up to INR 10,000 on a Data Principal for filing false complaints

Penalties are imposed by the Data Protection Board following an inquiry; appeal lies to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29.

Talk to a vendor that signs the DPA

Get our standard DPA + wipe-certificate template

Techvity issues a NIST 800-88 Purge wipe certificate on every returned laptop and signs DPDP Act-aligned Data Processing Agreements with our enterprise clients. Indicative pricing on request.

Frequently asked questions

Does the DPDP Act 2023 apply to rented laptops in India?

Yes. The DPDP Act 2023 applies whenever digital personal data is processed in India, irrespective of the device's ownership. If your employees process customer or employee personal data on rented laptops, your organisation is the Data Fiduciary and the rental vendor is typically a Data Processor under Section 8(1). Both carry obligations.

What is the role of the rental vendor under the DPDP Act?

The rental vendor is a Data Processor that handles devices on which personal data is stored. Under Section 8 of the DPDP Act 2023, the Data Fiduciary (your organisation) must enter a written contract with the Processor specifying purpose, security safeguards and post-engagement data destruction. A reputable vendor will sign a Data Processing Agreement and issue a wipe certificate on de-provisioning.

What is a data wipe certificate and is it mandatory?

A data wipe certificate is a vendor-issued attestation - typically aligned to NIST SP 800-88 Rev 1 - confirming that personal data has been irretrievably destroyed from a returned laptop. It is not explicitly named in the DPDP Act, but it is the standard evidence used to discharge Section 8(7) obligations on data erasure after the purpose is served. Treat it as mandatory in your vendor contracts.

What are the breach notification timelines under the DPDP Act?

Section 8(6) requires the Data Fiduciary to intimate the Data Protection Board of India and each affected Data Principal in case of a personal data breach. The exact timeline will be set in the DPDP Rules notified by MeitY; CERT-In's six-hour timeline under Section 70B(6) of the IT Act 2000 already applies to cybersecurity incidents. Plan for both - assume same-day notification.

Can a Data Principal demand erasure of data on a rented laptop?

Yes. Under Section 12(3), a Data Principal has the right to erasure of personal data once the purpose is no longer served or consent is withdrawn. Your IT operations must be able to locate, isolate and wipe specific records on a rented laptop within a reasonable time, and your vendor must support this through MDM-based remote wipe and forensic deletion procedures.

What penalties apply for DPDP Act non-compliance?

The Schedule to the DPDP Act 2023 sets graded penalties: up to INR 250 crore for failure to take reasonable security safeguards leading to a breach; up to INR 200 crore for failing to notify the Board or the Data Principal of a breach; up to INR 50 crore for breach of duties of a Significant Data Fiduciary. These penalties are imposed by the Data Protection Board.

Do small businesses get any exemption under the DPDP Act?

Section 17(3) allows the Central Government to exempt certain Data Fiduciaries (including startups) from specified obligations such as data retention notices and impact assessments, based on volume and nature of data processed. The exemption is not blanket - core duties around purpose limitation, security and breach notification remain.

How does the DPDP Act interact with the IT Act and CERT-In rules?

The DPDP Act does not displace the IT Act 2000 or CERT-In's 2022 Cybersecurity Directions; it sits alongside them. CERT-In requires six-hour reporting of qualifying cyber incidents and 180-day log retention; the DPDP Act adds personal-data-specific obligations. Compliance teams should run a single mapped framework that covers both.

Sources: Digital Personal Data Protection Act 2023 (MeitY); Information Technology Act 2000 Section 70B; CERT-In Directions of 28 April 2022; NIST SP 800-88 Rev 1; ISO/IEC 27001:2022. Call our enterprise desk at +91 80733 80811.