DPDP and AIF Operations: Investor Data Compliance Guide 2026

DPDP and SEBI intersect in AIF operations because investor data flows through every fund workflow. This blog explains DPDP-aligned onboarding, role-based access, retention, vendor controls and breach readiness without disrupting day-to-day execution.

DPDP and AIF rules meet in fund operations because AIF managers handle investor personal data while running SEBI-regulated workflows. In practice, teams operate a dual compliance stack: SEBI for fund mechanics and DPDP for privacy and security.

SEBI governs fund formation, fundraising, investments, reporting and governance. DPDP governs how digital personal data is collected and used, stored and shared, protected through reasonable security safeguards, reported when breached and deleted once its purpose is served, subject to legally required retention. DPDP applies to private organisations and, in specified contexts, to government processing of digital personal data.

DPDP is operational through the DPDP Rules, 2025, with an 18-month phased compliance period. In parallel, SEBI’s cybersecurity and cyber resilience framework raises expectations for security controls and governance.

DPDP scope and principles

Who it applies to:

  • Any organisation processing digital personal data of individuals in India
  • Indian and foreign entities offering goods or services in India, even if processing happens outside India
  • Fund and fund vendor ecosystems, including managers, administrators, RTAs, KYC providers, CRMs and data rooms and other vendors that touch investor data

It does not apply to processing for purely personal or domestic purposes. For AIFs, scope matters because processing is vendor-mediated, and a vendor's location does not remove DPDP exposure if the data principal is in India or the service is offered into India.

The principles that shape fund workflows:

  • Consent and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Security safeguards
  • Accountability

In a fund context, these principles become practical design decisions: what you collect, where you store it, who can access it, how long you keep it and how you respond when something goes wrong.

DPDP requirements for investor onboarding

Onboarding is where personal data is most concentrated in an AIF. A typical KYC pack includes identity and address documents, PAN, banking coordinates, UBO details for institutions and tax declarations. The key point is that this data is high-impact and is widely shared during onboarding across internal teams and vendors.

Personal data in onboarding is broader than KYC PDFs. It also includes identifiers like name, phone and email, banking details, tax and account data and in many contexts online identifiers and system logs linked to a person.

DPDP pushes onboarding away from buried, catch-all clauses and toward clear, purpose-specific communication. The Rules emphasise a separate consent notice that is clear and states the specific purpose.

A DPDP-aligned consent notice should be separate and in plain language, covering:

  • What data is collected and the specific purpose for collection and use
  • Who it is shared with, such as KYC providers, fund administrators, RTAs, auditors and advisors, where applicable
  • Retention approach, framed as purpose-based retention plus legally required retention
  • Rights, grievance handling and consent withdrawal, with a visible contact point for queries

Consent should be free, specific, informed and revocable and should not rely on dark patterns or pre-ticked boxes. Consent withdrawal must be workable, with a clear channel and SOP. Where retention is required for legal or regulatory reasons, the notice should clarify what stops and what must continue.

Children’s data is uncommon in AIF onboarding, but if any child’s personal data is processed, DPDP requires verifiable parental consent and additional safeguards.

DPDP controls after onboarding

After onboarding, personal data continues to flow through capital calls, distributions, investor statements, tax documentation, audits and routine communications.

Purpose limitation and role-based access

Use data only for the purpose stated in the consent notice and restrict access by role. This reduces casual reuse and limits internal exposure.

Data minimisation and accuracy

Minimise collection and reuse so you are not moving data you do not need. Maintain accuracy of core investor master data, including contact details, authorised signatories and bank updates, so statements and notices do not go to the wrong place.

Retention and deletion with an evidence trail

Delete personal data once the purpose for which it was collected is served, unless retention is required by law or regulation. Implement a retention schedule based on applicable legal and SEBI requirements and internal policy, with an evidence trail showing what was retained, what was deleted, when and why.
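The retention rule above has two moving parts: the purpose end (purpose served or consent withdrawn, whichever is earlier) and any statutory hold that keeps a record alive past that point. The following is an added example, not code from this page or from Taghash, showing how a fund operations team could make that decision per record and write each decision into a hash-chained evidence trail so that later edits to the trail are detectable. The record categories and the hold periods in RETENTION_SCHEDULE are illustrative assumptions, not actual SEBI or DPDP retention periods; take the real periods from your own retention schedule.

```python
"""Retention decision per record with a tamper-evident evidence trail.

Added example, not code from the page or from Taghash. The categories and
retention periods are placeholders (assumptions), not statutory figures.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date

# ASSUMPTION: illustrative hold periods in years after the purpose ends.
# None means no statutory hold, so the record is deleted once the purpose ends.
RETENTION_SCHEDULE: dict[str, int | None] = {
    "kyc_pack": 5,
    "capital_call_notice": 8,
    "marketing_preference": None,
}


@dataclass
class Record:
    record_id: str
    category: str
    data_principal: str
    purpose_served_on: date | None = None    # None = purpose still live
    consent_withdrawn_on: date | None = None  # withdrawal also ends the purpose


@dataclass
class EvidenceTrail:
    """Append-only decision log; each entry commits to the previous entry's hash."""
    entries: list[dict] = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {**event, "prev_hash": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or re-ordered."""
        prev = "0" * 64
        for e in self.entries:
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or self._digest(unhashed) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def decide(record: Record, as_of: date, trail: EvidenceTrail) -> str:
    """Return DELETE, RETAIN_LEGAL or RETAIN_PURPOSE and log the reasoning."""
    if record.category not in RETENTION_SCHEDULE:
        raise ValueError(f"no retention rule for category {record.category!r}")
    hold_years = RETENTION_SCHEDULE[record.category]
    ends = [d for d in (record.purpose_served_on, record.consent_withdrawn_on) if d]
    purpose_end = min(ends) if ends else None

    if purpose_end is None:
        decision, reason, hold_until = "RETAIN_PURPOSE", "purpose still live", None
    elif hold_years is None:
        decision, reason, hold_until = "DELETE", "purpose ended; no statutory hold", purpose_end
    else:
        hold_until = add_years(purpose_end, hold_years)
        if as_of < hold_until:
            decision, reason = "RETAIN_LEGAL", f"{hold_years}-year hold runs until {hold_until}"
        else:
            decision, reason = "DELETE", "purpose ended and statutory hold expired"

    trail.append({
        "record_id": record.record_id, "category": record.category,
        "data_principal": record.data_principal, "as_of": as_of.isoformat(),
        "decision": decision, "reason": reason,
        "hold_until": hold_until.isoformat() if hold_until else None,
    })
    return decision


def run_demo(as_of: date = date(2024, 6, 1)) -> tuple[dict[str, str], EvidenceTrail]:
    # Constructed sample records, not real investor data.
    records = [
        Record("R1", "kyc_pack", "LP-A", purpose_served_on=date(2020, 1, 15)),
        Record("R2", "kyc_pack", "LP-B", purpose_served_on=date(2018, 1, 15)),
        Record("R3", "marketing_preference", "LP-C", consent_withdrawn_on=date(2024, 3, 1)),
        Record("R4", "capital_call_notice", "LP-D"),
    ]
    trail = EvidenceTrail()
    decisions = {r.record_id: decide(r, as_of, trail) for r in records}
    return decisions, trail


if __name__ == "__main__":
    decisions, trail = run_demo()
    print(decisions, "trail intact:", trail.verify())
```

R1 shows the case the consent notice must explain: the onboarding purpose ended years ago, but the record stays under a hold, so the answer to an erasure request is "retained under statutory hold until this date", not silence. R3 shows a withdrawal that does lead to deletion because nothing requires the record to be kept. The chained hashes do not stop a privileged insider from rewriting the whole log, but they make any partial edit visible to an auditor who recomputes the chain.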

Rights requests and timelines

DPDP gives data principals rights such as access, correction and updating and erasure or removal in certain situations, along with grievance redressal and consent withdrawal.

Two operational requirements matter:

  • Data fiduciaries must respond to rights requests within a maximum of 90 days
  • Individuals can nominate someone else to exercise their rights

Fund operations should run a simple intake, verification and response workflow that meets the 90-day outer limit, including requests that come through authorised signatories or nominated persons.

Where DPDP meets SEBI in daily workflows

SEBI’s February 2026 circular on reporting the value of AIF units to depositories requires NAV reporting per ISIN through RTAs with a defined timeline. The operational deadline is to upload the latest available NAV for each ISIN in the depository system before 1 May 2026 or within 30 days from the valuation date, whichever is later.

This creates a repeatable data flow across the manager, RTA, depository systems and internal teams. When a workflow becomes repeatable, privacy and security controls cannot be informal. Role-based access, audit trails and controlled sharing become part of the operating system.

Breach response under DPDP

Incidents in funds are often ordinary but serious, for example, a statement sent to the wrong investor, a compromised mailbox, an exposed shared folder or a vendor incident.

A DPDP-ready response should:

  • Inform affected individuals without delay in plain language
  • Include what happened, possible impact, steps taken and contact details for help
  • Notify the Data Protection Board of India without delay and furnish detailed information within 72 hours or within a longer period if permitted
  • Preserve evidence, contain exposure and document actions end-to-end

SEBI’s cyber resilience framework sets expectations for security controls and governance. DPDP adds privacy, breach notification and accountability on top, so the incident playbook should cover both.

Penalties and why this matters

Non-compliance can lead to significant monetary penalties. The government explainer highlights penalties up to ₹250 crore for failures relating to reasonable security safeguards, with other penalty categories such as up to ₹200 crore for breach notification failures and child-related violations and up to ₹50 crore for other violations. Penalty quantum depends on the nature of the violation, scale of impact and facts around negligence and repetition.

AIF operations are third-party dependent. Investor data touches KYC providers, fund administrators, RTAs, auditors and advisors, and common tools such as CRMs, data rooms, cloud storage and email systems. DPDP pushes vendor management from trust-based to contract- and control-based.

Vendor contracts and SOPs should define:

  • Data scope and purpose
  • Expected reasonable security safeguards
  • Incident escalation and cooperation, including timelines and evidence sharing
  • Retention and disposal at termination
  • Logs and audit evidence that the vendor must provide

Legacy vendor arrangements often fail here because they were designed for convenience, not accountability.

DPDP also introduces Consent Managers and the government explainer notes that they must be companies based in India. Even if most AIF managers do not use a Consent Manager immediately, this signals the direction of travel toward more standardised consent management and clearer consent records over time.

Significant Data Fiduciary readiness and AI workflows

DPDP introduces Significant Data Fiduciaries with higher obligations, such as independent audits and impact assessments, with designation criteria expected to be clarified. Larger managers should prepare early because the compliance load can change once classified.

The government explainer also links SDF expectations to stricter checks when using new or sensitive technologies. For funds, that matters as teams adopt AI-assisted workflows for onboarding automation, screening, analytics, profiling or investor servicing.

Practical next steps for AIF teams

Keep it recurring:

  • Map data flows from onboarding to exit, including every vendor touchpoint
  • Standardise separate consent notices, grievance handling and the visible contact point process
  • Design consent capture and withdrawal workflows across systems, not only in documents
  • Implement role-based access and controlled sharing for investor reporting and sensitive documents
  • Define retention schedules with evidence trails for retention and deletion
  • Refresh vendor contracts with DPDP-aligned processor clauses and incident cooperation
  • Run one breach drill so the 72-hour Board reporting expectation is realistic
  • Map overlaps between DPDP, KYC and AML obligations, SEBI recordkeeping and SEBI cyber resilience controls

Closing

As AIF operations become more institutional, managers who treat investor personal data as a core asset rather than paperwork will build stronger LP confidence. In 2026, good operations combine SEBI-compliant fund mechanics with DPDP-disciplined data handling, running together as one seamless system.


About Taghash

Taghash provides an end-to-end platform for venture funds, private equity, fund of funds and other alternative investment funds. Over the last seven years, we have served as the tech arm for top VCs, helping them manage operations across deal flow, portfolio, fund and LP management. 

We also offer a services layer to support execution across data management, legal and compliance, fund administration coordination, trustee and custodian interfacing and valuations and advisory.

Trusted by leading fund managers like Blume Ventures, Kalaari Capital and A91 Partners, we enable our clients to achieve greater success.