Consent, Purpose Limitation, and Database Design Under DPDPA

Purpose limitation has to reach the database layer

The DPDP Act requires personal data processing to be tied to lawful purposes, including consent or certain legitimate uses. For a product team, this means the privacy notice and consent flow should not live in isolation from the database design.

If a system collects a phone number for account verification, teams should know where that number is stored, which services read it, whether it appears in logs, whether it is exported to analytics, and when it should be deleted or masked. That map is the bridge between legal language and operational control.

Design records around purpose

A useful data model does not need to expose legal complexity to every engineer. It does need enough metadata for teams to avoid accidental overuse of personal data.

• Attach business purpose and retention category to sensitive fields or datasets.
• Separate required product fields from optional marketing, analytics, and enrichment fields.
• Avoid copying personal data into logs, debug tables, and temporary exports unless there is a defined need.
• Keep evidence of consent source, notice version, and withdrawal state where relevant.
• Review downstream transformations so derived datasets do not escape governance.

Netrik as a purpose-drift check

Netrik scans can help teams compare expected personal data locations against actual findings. If personal data appears in a table or bucket with no declared purpose, that is a governance signal. The response might be deletion, masking, access restriction, or updating the processing register.

This gives privacy and engineering teams a common artifact: not a vague assurance that data is controlled, but a list of concrete locations and decisions.