Ask most business owners what data their company holds, and the answer comes quickly: customer accounts, email lists, purchase records, maybe employee payroll files. All of it digital, all of it in systems. The DPDP Act applies to digital data, so the scope is clear. The compliance team knows what to look at.

This is a comfortable picture. It is also incomplete — and the gap between it and reality is where some of the most significant DPDP Act exposure sits.

What the Act Actually Says

The Digital Personal Data Protection Act, 2023 covers digital personal data — personal data in digital form. That much is widely understood. What is less appreciated is the second half of the definition: the Act also applies to personal data that was originally collected in non-digital form and has subsequently been digitised.

The Act does not care where the data journey began. It cares where it ends up. The moment personal data moves into digital form — regardless of how it was originally collected — the full framework applies.

"The Act does not care where the data journey began. It cares where it ends up." — Shashank Sharma

The Data You May Have Forgotten You Hold

Consider what this means in practice. A bank branch collects a paper KYC form from a new customer. The form is scanned and uploaded to the bank's document management system. That scanned image — and every field extracted from it — is now digital personal data under the DPDP Act.

A hospital receives a handwritten prescription from a patient. The prescription details are entered by a pharmacist into the hospital's electronic health record system. That entry is digital personal data. So is the scanned copy of the original prescription.

A company collects a physical employment application from a walk-in candidate. The HR team photographs it, attaches it to the candidate's profile in their recruitment software, and manually enters the key details into the system. All of it — the photo, the typed-in data — is now in scope.

An event organiser collects attendee registrations on paper at the venue. At the end of the day, a staff member enters the names, phone numbers, and email addresses into a spreadsheet. That spreadsheet is personal data under the DPDP Act, subject to consent requirements, retention limits, and all other obligations the Act imposes.

Why This Creates Real Exposure

The compliance programmes most businesses have built — where they exist at all — are typically oriented around digital collection points: website forms, app onboarding screens, checkout flows. These are the visible, designed touchpoints where consent can most easily be obtained and recorded.

Offline-to-digital data flows are different. They are often informal, distributed across departments, and handled by people who are not thinking about data protection at all. The receptionist who photographs a visitor's business card and saves it to a contacts app. The sales executive who photographs a signed term sheet and uploads it to the shared drive. The accounts team that scans and files supplier invoices containing individual contact details. None of these are technology decisions. They are daily habits — and each of them creates digital personal data within the meaning of the Act.

The Consent Question No One Has Asked

The more uncomfortable issue is consent. When a customer filled in a paper form three years ago, was the purpose of collecting that data adequately explained? Was it made clear that the data would be digitised, retained indefinitely, and potentially shared with third-party systems? Was consent to all of that obtained in a manner that would satisfy the DPDP Act's standard — free, specific, informed, unconditional, and unambiguous?

For most businesses, the honest answer is no. Legacy data collected before the DPDP Act came into force presents a genuine question about whether that data can continue to be processed — and on what basis. The Act does not provide an amnesty for pre-existing data. It requires that data processing be lawful, and consent is the primary basis for that lawfulness.

Where To Start

A meaningful DPDP Act compliance programme cannot begin and end with a review of your digital systems. It needs to include a deliberate audit of how personal data enters your organisation in physical form and where it goes once it does.

That means mapping the offline-to-digital conversion points across the business: HR onboarding, customer intake processes, visitor management, paper-based contracts, physically collected feedback, in-person event registrations. It means asking, for each of those flows, whether adequate consent was obtained at the point of collection, and whether the purpose for which the data was collected has been properly communicated.

It also means establishing a policy for legacy data — deciding, on a defensible basis, which historical data you have sufficient consent to retain, which data should be deleted, and how future physical collection processes will be designed to meet the Act's standards from the point of collection onward.

The businesses that conduct this audit now will find the exercise manageable. Those that wait until they receive a complaint or inquiry from the Data Protection Board will find it considerably less so.