The Privacy Era

Confidentiality Is Not Compliance. You Now Need Both.

An NDA protects your secrets. The Digital Personal Data Protection Act protects other people’s. When the information you share is personal data, a confidentiality clause is the floor, not the ceiling.

When the information you disclose is someone else’s personal data, secrecy alone no longer discharges your duty. The DPDPA converts confidentiality from a private bargain into a statutory obligation.

2023: The Digital Personal Data Protection Act, India’s first cross-sectoral privacy law
Nov 25: DPDP Rules notified, with obligations being brought into force in phases
DPA: The Data Processing Agreement, the NDA’s indispensable companion

Confidentiality protects your secrets. The DPDPA protects everyone else’s.

For decades, the NDA was the complete answer to the question “how do we share sensitive information safely?” That era has ended. The moment the information you disclose includes personal data (customer records, employee details, health information, behavioural data), a private promise of secrecy is no longer enough.

The Digital Personal Data Protection Act, 2023, with its Rules notified in November 2025 and obligations being brought into force in phases, converts confidentiality from a bilateral bargain into a statutory duty owed to the individual whose data it is. An NDA is now the floor of your obligations, never the ceiling.

The Six Gaps

Where the NDA stops and the DPDPA begins.

Each gap below is something a confidentiality clause was never designed to address, and which the DPDPA now requires. This is why an NDA alone leaves you exposed.

Consent & Lawful Basis

An NDA says nothing about whether the data subject ever consented to their personal data being shared. The DPDPA makes notice and consent (or another lawful ground) a precondition, a duty no confidentiality clause can satisfy.

Purpose Limitation

An NDA limits use to a defined commercial purpose. The DPDPA additionally requires that personal data be processed only for the specified, lawful purpose for which consent was given, a separate, statutory constraint.

Breach Notification

A traditional NDA is silent on what happens after a leak. The DPDPA framework contemplates notification obligations to the Data Protection Board and affected individuals, obligations that must be written into the agreement.

Erasure & Retention

NDAs speak of return or destruction on demand. The DPDPA introduces data-retention and erasure duties tied to the purpose and the data principal’s rights, a different trigger and a different standard.

Cross-Border Transfer

An NDA does not address where personal data may lawfully travel. The DPDPA regulates transfer of personal data outside India, a dimension every cross-border confidentiality arrangement must now account for.

Fiduciary & Processor Roles

The DPDPA assigns specific duties to Data Fiduciaries and Data Processors. An NDA that treats both parties as mere “disclosing” and “receiving” parties misses the statutory roles that now govern liability.

The Indispensable Companion

The NDA and the Data Processing Agreement, two instruments, one architecture.

The NDA

Protects your proprietary and confidential information: trade secrets, strategy, pricing, know-how. A private bargain between two parties, enforced through contract law.

Governs: secrecy, permitted use, return and destruction, remedies for breach.

The Data Processing Agreement

Protects the individual’s personal data, governing how a processor handles it on a fiduciary’s behalf. A statutory necessity under the DPDPA, owed beyond the two contracting parties.

Governs: lawful processing, purpose limitation, security, breach notification, erasure, transfer.

Where personal data moves between parties, you need both, drafted to work together, not in contradiction. We design the confidentiality and data-protection architecture as a single coherent system, so that secrecy and compliance reinforce rather than undercut each other.

Engage AMLEGALS

When the secret is someone’s personal data, an NDA is only half the answer.

Our team aligns your confidentiality agreements with the Digital Personal Data Protection Act and its Rules, so your contracts protect your secrets and discharge your statutory duties at once.