The DPDP Act is the most important law most travel agencies have not read. It changes what you can collect, how long you can keep it, and what you have to do when it leaks. The fines are real — up to 250 crore rupees per breach.
What the law actually says
- Collect only the data you need to serve the booking. Passport scans, dates of birth, and dietary preferences fall under sensitive categories.
- Get clear consent. Not buried in a 14-page T&C, but a specific yes for each purpose — booking, marketing, analytics.
- Keep data only as long as legally required. Bookings: typically seven years for tax. Marketing data: until consent is withdrawn.
- Honour deletion requests within a reasonable window — 30 days is the working benchmark.
- Notify affected customers and the Data Protection Board within 72 hours of a breach.
The ten-step compliance checklist
1. Map every place customer data lives. Spreadsheets, DMs, inboxes, the lot.
2. Pick one system of record. Migrate everything else into it on a schedule.
3. Update the consent flow on every form, including WhatsApp opt-ins.
4. Add a data-deletion process that a single team member can run.
5. Encrypt passport scans at rest. Field-level encryption, not just disk.
6. Set retention rules for each data category, with automated cleanup.
7. Appoint a Grievance Officer. The law requires it for any meaningful business.
8. Publish a privacy policy in plain Hindi or English. Lawyers will rewrite it. Insist on a plain-language summary at the top.
9. Train your front line. The receptionist who handles passport copies needs to know the rules.
10. Run an annual review. The first year is the hardest; year two is upkeep.
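Steps 3, 4 and 6 above are the ones a system of record has to enforce mechanically rather than by policy: collection gated on purpose-specific consent, a deletion request that one person can run, and per-category retention with a scheduled cleanup. The following is an added illustration, not code from the original article or from any particular booking platform. The data categories, the retention periods (seven years for bookings as the article states; a one-year analytics window is an assumption) and every customer record are constructed for the example.

```python
"""Added example (not part of the original article): a minimal customer-data
store that (1) refuses to collect data without consent for that purpose,
(2) purges expired and consent-withdrawn records on a schedule, and
(3) honours a deletion request while keeping booking records that are still
inside their legal/tax hold. All values and records below are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Retention per data category, in days. None means "no fixed period": the
# record lives only while consent for that purpose stands.
RETENTION_DAYS = {
    "booking": 7 * 365,  # tax hold, as the checklist states
    "marketing": None,   # purged when consent is withdrawn
    "analytics": 365,    # assumed one-year window for this example
}


@dataclass
class Record:
    customer_id: str
    category: str   # one of the keys in RETENTION_DAYS
    created: date
    payload: dict


@dataclass
class DataStore:
    records: list = field(default_factory=list)
    consents: dict = field(default_factory=dict)           # (customer_id, purpose) -> bool
    deletion_requests: dict = field(default_factory=dict)  # customer_id -> date received

    def record_consent(self, customer_id, purpose, granted):
        self.consents[(customer_id, purpose)] = granted

    def has_consent(self, customer_id, purpose):
        return self.consents.get((customer_id, purpose), False)

    def store(self, record):
        # Booking data is needed to perform the booking itself; everything
        # else requires an explicit yes for that specific purpose.
        if record.category != "booking" and not self.has_consent(record.customer_id, record.category):
            raise PermissionError(f"no consent for purpose {record.category!r}")
        self.records.append(record)

    def request_deletion(self, customer_id, received):
        self.deletion_requests[customer_id] = received

    def overdue_deletions(self, today, window_days=30):
        # Requests older than the working benchmark that are still open.
        return [c for c, d in self.deletion_requests.items() if (today - d).days > window_days]

    def cleanup(self, today):
        """Scheduled job. Drops records past retention, records whose purpose
        consent is gone, and records of customers who asked for deletion,
        except booking records still under legal hold. Returns count removed."""
        keep = []
        for r in self.records:
            limit = RETENTION_DAYS.get(r.category)
            expired = limit is not None and (today - r.created).days > limit
            consent_gone = r.category != "booking" and not self.has_consent(r.customer_id, r.category)
            under_hold = r.category == "booking" and not expired
            requested = r.customer_id in self.deletion_requests
            if expired or consent_gone or (requested and not under_hold):
                continue
            keep.append(r)
        removed = len(self.records) - len(keep)
        self.records = keep
        # Close a request once nothing outside legal hold remains for that customer.
        for c in list(self.deletion_requests):
            if not any(r.customer_id == c and r.category != "booking" for r in self.records):
                del self.deletion_requests[c]
        return removed


def demo():
    """Runs the three controls against constructed records and returns the outcomes."""
    store = DataStore()
    today = date(2025, 6, 1)
    result = {}
    try:  # step 3: collection without purpose consent is refused
        store.store(Record("C2", "marketing", date(2025, 1, 1), {"email": "c2@example.com"}))
        result["rejected_without_consent"] = False
    except PermissionError:
        result["rejected_without_consent"] = True
    store.record_consent("C1", "marketing", True)
    store.store(Record("C1", "booking", date(2024, 1, 10), {"pnr": "CONSTRUCTED-1"}))
    store.store(Record("C1", "marketing", date(2024, 1, 10), {"email": "c1@example.com"}))
    store.store(Record("C2", "booking", date(2017, 1, 1), {"pnr": "CONSTRUCTED-2"}))  # past 7 years
    store.request_deletion("C1", date(2025, 4, 1))  # step 4: one call, one team member
    result["overdue_before_cleanup"] = store.overdue_deletions(today)
    result["removed"] = store.cleanup(today)  # step 6: scheduled purge
    result["remaining"] = [(r.customer_id, r.category) for r in store.records]
    result["open_requests"] = sorted(store.deletion_requests)
    return result


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the interaction between steps 4 and 6: a deletion request removes the marketing record immediately, but the customer's booking record survives because the tax hold outranks the request; the stale booking from 2017 goes regardless because its retention period has lapsed. Passport scans would sit in the payload encrypted at the field level (step 5), which this example does not implement.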
We are not lawyers and this is not legal advice. But the spirit of the law is straightforward: collect less, store less, be honest, fix breaches fast.