What the DPDP Act means for your DNA data
India's Digital Personal Data Protection Act treats genetic information as sensitive personal data. The detail of how that protection works in practice is still being filled in - and it matters for anyone considering a consumer DNA test.
Genetic data is, in many ways, the most permanent form of personal information you generate. It cannot be revoked, it identifies you uniquely, and a fragment shared by a relative implicates you too. The DPDP Act, passed in 2023, recognises genetic data as a category requiring heightened consent and stricter handling.
What the Act says
Companies that collect genetic data must obtain clear, informed consent before processing it. They must store it securely, limit retention to what is necessary, and honour deletion requests. The fines for non-compliance are substantial enough to change behaviour, particularly for smaller direct-to-consumer testing companies.
Where the gaps remain
The bigger questions are still being clarified through implementation rules. What happens when a relative's test reveals information about you? How does deletion work when raw data has already been shared with research partners? Does anonymisation actually anonymise in the genetic context? These are live questions, and the answers will shape what 'taking a DNA test in India' means over the next five years.
What readers should do
Before testing, read the company's data policy specifically. Look for where data is stored, who has access, the retention period, what happens to your sample after analysis, and how the deletion process works. Companies serious about Indian compliance will surface these clearly. The ones that bury them in legal boilerplate are usually the ones to avoid.