
DPDPA Rule 16: Exemption for Research, Archiving, and Statistical Processing
DPDPA Rule 16 offers a narrow exemption for research, archiving, and statistical processing. Master the necessity test and Second Schedule requirements.
Written by
Priyanka Choudhury
Date
Read time
5 min

In the world of compliance, “exemption” is the most dangerous word in the dictionary. It sounds like a free pass. It usually operates like a trap.
DPDPA Rule 16 creates a targeted carve-out from the Act when personal data is processed for research, archiving, or statistical purposes. But this is not a blanket waiver for anything your data science team decides to call “research.”
The exemption applies only if the processing is strictly necessary for those purposes and is carried out in accordance with the standards set out in the Second Schedule. If both conditions are not met, the Act applies in full.
What Rule 16 Says
Rule 16 states that the provisions of the Act do not apply to the processing of personal data that is necessary for research, archiving, or statistical purposes, provided the processing is conducted in line with the standards specified in the Second Schedule.
This is a conditional exemption. It attaches to specific processing that meets a rigid necessity test and complies with defined standards. Calling a project “research” does not make it exempt. Proving it does.
Scope and Applicability
- Covered purposes: research, archiving, and statistical activities.
- Covered processing: only the processing that is necessary to achieve one of the covered purposes.
- Condition precedent: adherence to the standards in the Second Schedule.
Think of this as a processing-level shield. It protects only the defined activity that qualifies. It does not exempt an organization or a dataset across the board. The moment the data is used for something else, the shield drops.
The Necessity Test
Rule 16 ties the DPDPA research exemption to processing that is necessary for the covered purposes. In practice, necessity is not a philosophical debate. It has a plain, operational meaning: use only the personal data and operations required to achieve the stated research, archiving, or statistical objective.
Implications:
- If an operation is helpful but not required, it falls outside the exemption.
- If you collect, combine, or disclose more data than the purpose requires, the excess is not exempt.
- If the purpose can be met with fewer attributes or a smaller cohort, reduce scope accordingly.
Document the rationale. Write down exactly why each category of data and each operation is needed for the defined purpose. Without a clear line of sight from purpose to processing, your footing for the exemption is entirely theoretical.

The Second Schedule Standards
The exemption applies only if the processing is carried on in accordance with the standards specified in the Second Schedule. Those standards are not optional guidelines. They are binding conditions for using the exemption.
Operational takeaways:
- Treat the Second Schedule as a hard control framework to be implemented, tested, and evidenced.
- Map each standard to concrete measures, assign owners, and record how compliance is achieved in practice.
- Keep current evidence. If controls degrade or drift, the basis for the exemption erodes with them.
Because the text of the standards is not reproduced here, teams should retrieve the Second Schedule, interpret each requirement carefully, and translate it into repeatable processes and technical safeguards. A policy document is not a safeguard.
Boundaries of the Exemption
- Mixed purposes: If the same data is processed for a non-qualifying purpose, that separate processing is not exempt. Maintain strict purpose separation.
- Lifecycle changes: If a project evolves beyond research, archiving, or statistical use, the exemption ceases for the new scope. Reassess before expanding.
- Third parties: Sharing data with another party for qualifying purposes must also meet the necessity test and the Second Schedule standards. Build that into contracts and oversight.
The exemption is narrow. Do not assume it follows the data everywhere. It follows the precise, qualifying use.
What Changes in Practice
To use Rule 16 confidently, you cannot rely on ad-hoc decisions. You must build a distinct path for qualifying projects with clear entry criteria, controls, and evidence.
Key steps:
- Define the purpose. Write a concise statement that the activity is research, archiving, or statistical, with objectives and expected outputs.
- Assess necessity. Identify the minimum data elements and processing operations required. Record the justification.
- Map to the Second Schedule. List each applicable standard and detail how your controls meet it. Note any compensating measures where needed.
- Segregate processing. Use dedicated environments, datasets, or access profiles so that non-qualifying uses do not commingle with exempt processing.
- Govern third parties. If external partners are involved, ensure contracts and onboarding require adherence to the Second Schedule standards and the necessity test.
- Evidence and audit. Keep project documentation, approvals, data inventories, and control test results. Be prepared to show that the exemption criteria are met throughout the project.
- Periodic review. Reconfirm that the purpose and necessity still hold. If the scope shifts, decide whether to continue under Rule 16 or transition to full compliance with the Act.
Decision Gates Before Claiming the Exemption
Before claiming the DPDP research exemption, run the processing through these gates:
- Purpose gate: Is the activity squarely within research, archiving, or statistical purposes?
- Necessity gate: Is each data element and operation necessary for that purpose?
- Standards gate: Are the Second Schedule standards implemented for this processing and verifiable?
- Proof gate: Can you produce clear documentation that demonstrates the above without delay?
A single “no” means you should not rely on Rule 16 for that processing. That is not compliance. That is a gamble.

Controls That Help Demonstrate Eligibility
While the exact standards sit in the Second Schedule, the following control types generally help show necessity and disciplined execution:
- Access control tied to the project purpose, with time-bound roles.
- Data scoping procedures that restrict collection and use to defined attributes.
- Change management that requires review when scope, purpose, or datasets change.
- Project-level records that link purpose, data elements, and processing steps.
- Partner due diligence and contractual clauses that bind external parties to the same standards.
Use these controls to create a reliable trail. If you cannot show how and where the standards apply, your claim to the exemption is exposed.
When the Exemption Does Not Fit
If your processing:
- Serves a purpose outside research, archiving, or statistical aims.
- Uses personal data beyond what is needed for the qualifying purpose.
- Cannot meet or prove adherence to the Second Schedule standards.
…then treat the processing as fully subject to the Act. Do not force-fit the exemption. It is always safer to comply with the Act than to rely on an exemption that you cannot substantiate.
Execution Reality
Rule 16 is straightforward on paper and unforgiving in practice. The exemption turns entirely on necessity and on conformity with the Second Schedule. That demands clarity of purpose, disciplined scoping, and strong records. The hard part is operationalizing that clarity across teams, systems, and partners.
At Regodit, we know that an exemption without evidence is just a violation waiting to happen. We help organizations structure these decisions, map standards to controls, and keep clean evidence that stands up to scrutiny.
Ready to simplify compliance?
Explore how Regodit can help you operationalize Rule 16 with clear governance, control mapping, and audit-ready records. If you want to stress-test your current approach or design a clean exemption path, schedule a call to discuss your setup and goals. Let’s turn theoretical exemptions into proven realities.
Disclaimer: The views and explanations shared in this blog are based on our team's understanding of the relevant compliance frameworks. While every effort has been made to ensure accuracy, readers are encouraged to refer to the original legal provisions and official notifications for authoritative guidance. Please reach out to us at connect@solsphere.ai.
Keep reading
All blogs →DPDPA Rule 23: Government Requests for Information from Data Fiduciaries and Intermediaries
Handling a notice under DPDP Act Rule 23 requires strict confidentiality. Discover how to respond to government data requests and ensure full compliance.
DPDPA Rule 22: Appeals to the Appellate Tribunal
Lost at the Data Protection Board? DPDPA Rule 22 governs the digital-first appeals process. Read our complete guide to filing an appeal with the Tribunal.
DPDPA Rule 21: The Machinery Behind the Data Protection Board of India
Ensure your business meets DPDP Act compliance requirements. Discover key obligations for data fiduciaries, penalty risks, and steps to protect user privacy.
