What is a DPDP Act 2023-compliant video surveillance platform in India?

A DPDP Act 2023-compliant video surveillance platform is one engineered to meet India's Digital Personal Data Protection Act, 2023, which treats identifiable camera footage, face templates and number plates as personal data. Compliance requires a documented lawful purpose, purpose-limited retention with automatic deletion, in-country data residency, role-based access with tamper-evident audit logs, privacy masking and redaction of uninvolved individuals, and the ability to action data-principal rights such as access and erasure. As a Data Fiduciary, the operator must demonstrate these safeguards on demand. VMukti's STQC-certified Cloud VMS and one-time-ownership EMS provide India-resident storage, configurable retention, role-based audit trails, AI-driven video redaction and privacy masking, and ArcisGPT forensic search that locates and exports only relevant footage — helping Indian enterprises, smart cities and government bodies operate cameras lawfully under the DPDP Act.


Why the DPDP Act applies to CCTV

India's Digital Personal Data Protection Act, 2023 (DPDP Act) governs the processing of "digital personal data" relating to an identifiable individual. Video surveillance squarely falls within scope because recorded footage routinely captures faces, vehicle number plates, biometric face templates and behaviour that can identify a person. The organisation operating the cameras is a Data Fiduciary and is accountable for how that footage is collected, stored, shared and deleted. Unlike the EU's GDPR, the DPDP Act is India-specific, applies to processing within India (and to processing abroad that offers goods or services to people in India), and is backed by penalties that can reach hundreds of crores for significant failures.

Core obligations a compliant VMS must support

  • Lawful purpose and notice. Footage must be tied to a specific, documented purpose (security, safety, incident investigation). The platform should make purpose, controllers and retention transparent.
  • Purpose limitation and retention limits. The Act requires data to be erased once the purpose is served. A compliant VMS enforces configurable, automatic retention schedules rather than indefinite storage.
  • Data residency. Operators are expected to keep footage within India unless transfers are permitted. In-country, STQC-tested storage materially reduces cross-border risk.
  • Security safeguards. Reasonable security measures, role-based access control, encryption and tamper-evident audit logging are needed to evidence who viewed or exported footage.
  • Data-principal rights. Individuals can request access to, and erasure of, their personal data; the platform must be able to locate and act on a specific person's footage.
  • Privacy by design. Redaction and privacy masking of bystanders, and minimisation of who can see raw identities, demonstrate proportionality.

How VMukti maps to the DPDP Act

VMukti's Cloud VMS + EMS + ICCC stack is STQC-certified (MeitY) and stores footage on India-resident infrastructure, directly supporting the residency and security expectations. Configurable retention policies automatically purge footage once its purpose expires, satisfying retention-limitation duties. Role-based access with audit trails records every view and export, providing the accountability evidence a Data Fiduciary must produce. AI-driven video redaction and privacy masking (one of VMukti's 26+ AI models) blur uninvolved individuals before footage is shared, and ArcisGPT generative-AI video search lets teams locate exactly the clips relevant to a data-principal request — supporting access and erasure rights without trawling raw archives. NDAA-889-aligned, hardware-agnostic onboarding of 1,000+ ONVIF cameras keeps the deployment auditable and free of restricted components.

Practical compliance checklist

1. Document the lawful purpose for each camera zone and publish a notice.
2. Set automatic retention windows per zone; avoid indefinite recording.
3. Keep primary storage in India and restrict exports.
4. Enforce role-based access and review audit logs regularly.
5. Apply redaction/privacy masking before any external sharing.
6. Define a workflow for data-principal access and erasure requests.

DPDP compliance is ultimately the operator's responsibility, but a platform built with residency, retention, audit logging, redaction and forensic search makes it achievable rather than aspirational.

Last reviewed: 2026-06-29