What the DPDP Act Means for Indian Businesses in 2026
How to turn India’s new data protection regime into a practical 2026 operating plan across governance, data, technology and vendors.
Key takeaways
By 2026, the DPDP Act and 2025 Rules move into an 18‑month enforcement window, making personal data protection a board-level design problem rather than a narrow legal task.
The framework creates clear roles, rights and obligations for Data Fiduciaries, Data Processors and Significant Data Fiduciaries, with substantial penalties for weak governance or security.
Turning DPDP into an operating model requires coordinated workstreams across governance, data inventory and minimisation, consent and rights handling, security and incident response, and third‑party management.
Strategic choices—such as centralised versus federated privacy ownership, minimum viable compliance versus trust-led differentiation, and build versus buy tooling—directly affect cost, speed and risk.
Coordinating DPDP with sectoral rules and global frameworks like GDPR or the NIST Privacy Framework can reduce duplication, but India‑specific gaps still need dedicated attention.
Why DPDP is a 2026 boardroom issue
In a 2026 strategy review, DPDP readiness now competes directly with cloud migration, AI initiatives and sales expansion for management attention. The Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 are no longer abstract policy debates. With the Rules notified and an 18‑month phased enforcement period underway, personal data governance has become a board agenda item alongside credit risk, cyber security and tax.[3]

For most mid‑to‑large Indian and India‑facing businesses, DPDP is not a narrow legal compliance project. It changes how your organisation collects and uses data, how quickly you can launch new digital journeys, how you negotiate contracts with large clients, and how investors or acquirers assess your risk. The Act introduces individual rights, explicit consent requirements, mandatory breach handling and a dedicated Data Protection Board of India with power to investigate and levy significant monetary penalties.

Timing matters. The 2025 Rules create an 18‑month window in which different obligations come into force. Early obligations focus on notices, consent, core rights and baseline security safeguards; subsequent phases emphasise Significant Data Fiduciary requirements, cross‑border transfers and technical integrations such as consent managers. That means 2026 is when leadership needs to lock in structure, budgets and accountability, rather than waiting for a final long‑stop date that may arrive after your risk has already crystallised through complaints or incidents.
Core obligations under the DPDP Act and Rules
The DPDP framework applies to the processing of digital personal data and to personal data that is digitised from physical form. At a high level, it requires that personal data be processed only for lawful purposes, that individuals understand how their data is used, that they can exercise defined rights, and that organisations put in place reasonable security safeguards. The Act sets out principles and powers, while the 2025 Rules operationalise them with detail on notices, consent flows, breach reporting, logging and categorisation of Significant Data Fiduciaries.[1]

Every Data Fiduciary—the entity that decides why and how personal data is processed—must rely on a valid ground for processing. In most commercial contexts this means obtaining free, specific, informed, unconditional and unambiguous consent, expressed through a clear affirmative action. The Rules emphasise that consent requests should be presented in simple language, separate from other terms, with an easy way to withdraw. The Act also recognises limited non‑consent grounds, which it terms "legitimate uses": processing required by law, processing for certain State functions, processing for employment‑related purposes, and processing in emergencies involving a threat to life or health. Where consent is used, Data Fiduciaries must honour withdrawals and instructions routed through consent managers once those are fully operational.[2]

The framework strengthens transparency and individual control. Before or at the point of collection, organisations must provide a notice that describes what personal data will be collected, for which purposes, the rights available to the individual, how to raise a grievance, and basic details of cross‑border transfers or third‑party sharing where relevant. Data Principals—the individuals whose data is processed—gain rights to request information about processing, seek correction or updating of inaccurate data, and request erasure of data that is no longer necessary for the stated purpose or required by law to be retained. They also gain the right to nominate another person who can act on their behalf in the event of death or incapacity. For children's data, verifiable parental consent and additional protections against harmful processing or tracking are required, which affects how you design onboarding flows and profiling in education, gaming and other youth‑facing services.[1]

The Act places an explicit duty on Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. The Rules build on this by requiring logging of key processing activities, maintaining records that demonstrate compliance, and notifying the Data Protection Board of India and affected Data Principals of qualifying breaches in the manner and within the timeframes the Rules specify. Penalty provisions create upper caps that can reach several hundred crore rupees per type of contravention in serious cases, though actual penalties will depend on factors such as the nature and duration of the breach, the volume and sensitivity of data affected, whether mitigation steps were taken promptly, and any previous non‑compliance.[1]
Which businesses are in scope and how to classify your role
In practice, if your organisation operates in India or actively targets Indian residents with goods or services and handles their personal data in digital form, you should assume that DPDP applies. The framework covers both private and public entities, across sectors, and applies regardless of whether the processing happens on‑premises or through cloud and software providers. It also applies to foreign entities that process personal data of individuals located in India in connection with offering goods or services to them, even if the processing infrastructure is outside India.[1]

The central concept for scoping your obligations is the distinction between a Data Fiduciary and a Data Processor. A Data Fiduciary determines the purposes and means of processing personal data. A Data Processor processes personal data on behalf of a Data Fiduciary and under its instructions. A bank using a cloud CRM is clearly the Data Fiduciary for its customer and employee data, while the CRM provider is a Data Processor for that data. A SaaS provider that uses behavioural analytics for its own product improvement, however, may be a Data Fiduciary for that analytics layer even while acting as a Data Processor for core customer records. Many B2B organisations therefore hold both roles across different data flows.

The Act also contemplates a category of Significant Data Fiduciaries. The central government may notify an entity as significant based on factors such as the volume and sensitivity of personal data processed, the risk of harm to Data Principals, the use of emerging technologies, and the potential impact on national interests. Significant Data Fiduciaries face additional obligations, which under the Rules include appointing a Data Protection Officer based in India, undertaking periodic data protection impact assessments and audits, and performing more structured risk management around high‑risk processing. Large players in financial services, healthcare, digital platforms and critical infrastructure are likely candidates.

Smaller entities may receive certain relaxations where the government formally notifies them as eligible, typically based on criteria such as low turnover, limited data volumes or processing that is incidental to core activities. Even then, core duties—such as implementing reasonable security safeguards and complying with basic rights and breach reporting requirements—cannot be ignored. For groups with cross‑border operations, determining which legal entity is the Data Fiduciary for Indian data, and how overseas affiliates act as Data Processors or joint Data Fiduciaries, is an early structural decision with implications for contracts, liability and regulatory engagement.
Enforcement architecture and penalty exposure
DPDP creates a specialised enforcement body, the Data Protection Board of India, as a digital‑first adjudicatory authority. The Board is empowered to handle complaints from Data Principals, references from government agencies, and cases that arise from reported breaches. It can conduct inquiries, call for information and records, engage experts, and issue directions and monetary penalties. The Board's design reflects an intention to manage high volumes of cases online, using standardised procedures rather than traditional court processes.

From a business perspective, most enforcement scenarios are likely to start with a grievance or complaint. An individual who believes their rights request has been ignored, their data has been misused, or they have been affected by a breach is expected first to approach the organisation's grievance redressal mechanism. If that fails, they can escalate to the Board through a digital portal. The Board may dismiss frivolous complaints quickly, but it can also open a formal inquiry, during which it will expect you to produce policies, logs, risk assessments, contracts and evidence of mitigation steps.

Penalty exposure is structured by type of contravention. Different maximum caps apply to failures such as not taking reasonable security safeguards, failing to notify breaches, not fulfilling Data Principal rights, or violating children's data provisions. While the statutory ceilings can reach into the hundreds of crores of rupees, actual amounts will depend on context: whether the breach was systemic or isolated, whether board and senior management were involved in oversight, whether you cooperated with the investigation, and whether you had invested in proportionate controls before the incident occurred. Orders may also include directions to cease certain processing activities, change systems, or adopt specific remedial measures.[1]

Regulatory risk under DPDP does not exist in a vacuum. Many sectors already face oversight from regulators such as RBI, IRDAI, SEBI, TRAI and health authorities, and they retain powers to sanction weak data practices under their own statutes. Cyber‑security incidents still trigger CERT‑In reporting duties, which run on their own timelines and are separate from notification to the Board. In parallel, large enterprise customers and foreign partners increasingly run privacy and security diligence as part of vendor assessment. That means non‑compliance can hurt you even without a Board penalty: deals may be delayed or lost, insurance premiums may rise, and negotiations in fundraising or M&A can shift unfavourably if your controls and documentation are weak.
The 2025–2027 compliance timeline and what 2026 requires
By late 2025 the government had notified the Digital Personal Data Protection Rules, 2025, triggering an approximately 18‑month phased implementation period. Early notifications brought into force the establishment and functioning of the Data Protection Board, the core obligations of Data Fiduciaries around lawful processing, notices and Data Principal rights, and baseline security safeguard duties. Additional milestones scheduled through 2026 and into 2027 relate to the designation of Significant Data Fiduciaries, more prescriptive logging and record‑keeping expectations, full operationalisation of consent managers, and any restrictions or conditions on cross‑border transfers.[2]

As an executive, you should assume that by 2026 the foundational obligations are either already in force for your organisation or will become binding during the year, unless your entity benefits from a specific notified exemption. That includes the need to issue compliant notices, honour access, correction, erasure and nomination requests, run an accessible grievance redressal mechanism, and maintain security safeguards and breach response capabilities. Significant Data Fiduciary‑level requirements, sector‑specific circulars aligning DPDP with financial or health regulations, and detailed technical standards are more likely to crystallise through the remainder of the 18‑month window.
The 2025–2027 window naturally divides into three phases that help sequence design, build and optimisation work.
Use late 2025 for assessment and design
Treat the remainder of 2025 as the period to understand your exposure and design the target state, before you commit major capital.
Map high‑risk processing activities and critical data flows, including cross‑border transfers.
Design your target operating model across governance, data, consent and rights, security and vendors.
Fund 2026 as the primary build and rollout year
Treat 2026 as the main execution year in which structures, tooling and contracts move from plan to production.
Stand up governance bodies and, where required, appoint and embed a Data Protection Officer.
Implement consent and rights tooling across priority customer, employee and partner journeys.
Refresh data retention schedules and align them with DPDP erasure rights and other legal requirements.
Re‑paper vendor contracts, especially with cloud and offshore processors, to reflect DPDP roles and safeguards.
Test and refine security monitoring and personal data breach response playbooks.
Use 2027 for optimisation and sector alignment
Assume 2027 will involve fine‑tuning controls, adapting to sectoral guidance and responding to the first waves of scrutiny under the new regime.
Tune policies, workflows and automation based on early experience with rights requests and incidents.
Incorporate circulars and standards issued by sectoral regulators into your DPDP programme.
Prepare for more detailed questions in large‑enterprise diligence and from the Data Protection Board where issues arise.
Turning DPDP into an operating plan for your business
The most effective way to absorb DPDP requirements is to treat them as a redesign of your personal data operating model, organised into a small number of executive‑owned workstreams. In most mid‑to‑large organisations these naturally cluster into governance and accountability, data inventory and minimisation, consent and rights handling, security and incident response, and third‑party and cross‑border management, supported by training and change management. Each workstream needs a clear owner, defined deliverables and a timeline aligned with the 2025–2027 enforcement window.

Governance and accountability start with deciding where privacy responsibility sits. For Significant Data Fiduciaries the Act and Rules expressly require a Data Protection Officer based in India, typically reporting to the board or a risk committee and coordinating with legal, technology and business heads. Even where this is not mandated, designating a senior privacy lead with authority over policies, approvals and escalations is critical. That role should oversee a structured data inventory that maps where personal data lives across applications, data lakes, SaaS tools and paper‑to‑digital processes; what purposes it serves; and which legal or contractual bases justify it. With that map in hand, leadership can make deliberate decisions on minimisation—retiring legacy collections that are no longer needed, reducing the number of attributes captured in forms, and setting retention periods that reconcile DPDP's erasure rights with tax, financial or sectoral record‑keeping obligations.

Consent and rights handling translate directly into product, sales and support design. Consent prompts on websites, mobile apps, call centre scripts and in‑person onboarding must be rewritten to meet the Act's standards on clarity, specificity and withdrawal. Systems then need to record, centralise and propagate those choices so that downstream analytics, marketing and partner integrations respect them. In parallel, you need standardised workflows to intake and resolve rights requests for access, correction, erasure and nomination, with clear service levels and decision criteria, including how you handle requests that conflict with legal retention duties. For many organisations this also requires a review of vendor and cross‑border arrangements: contracts with Data Processors must now contain DPDP‑aligned clauses on purposes, security, sub‑processing, audit and cooperation with rights requests, and data flows to overseas locations must be checked against any restrictions or conditions notified under the Act.

Security and incident response workstreams should align DPDP's expectations with existing cyber and information security programmes rather than duplicate them. The priority is to ensure that personal data processing environments benefit from strong access controls, encryption where appropriate, regular testing and monitoring, and logs that can show what happened in the event of a breach. Incident response plans need explicit DPDP steps: a clear trigger for when an event becomes a personal data breach, a playbook for notifying the Data Protection Board and affected individuals, and arrangements for post‑incident review and remediation.

None of this functions without people and culture: training for frontline staff who collect data, for engineers who design systems, and for procurement teams negotiating contracts is essential so that privacy considerations are embedded in everyday decisions rather than bolted on at the end.
Strategic trade-offs in how you implement DPDP
Within this operating model, leadership still faces genuine design choices. There is no single correct way to implement DPDP across all sectors and maturity levels. The choices you make on ownership structure, ambition level and technology approach will shape your cost profile, change management burden and risk posture for years to come.
Summary of key DPDP implementation trade-offs across ownership model, ambition level and tooling approach.
Decision area: Privacy ownership model
Option: Centralised (corporate privacy or risk office)
Upside: Consistent policies and decisions, a single tooling stack and stronger leverage in group‑wide contracts and regulator or large‑customer interactions.
Trade-off / risk: Business units may feel constrained; change can be slower to show up in product, sales and support flows.
When this can work: Groups with relatively homogeneous businesses, strong central risk functions and demanding enterprise customers looking for a single point of accountability.

Decision area: Privacy ownership model
Option: Federated or hybrid (business‑unit privacy leads under central standards)
Upside: Decisions sit closer to products and customers, which can speed up practical adoption while still drawing on shared standards and platforms from the centre.
Trade-off / risk: Risk of divergent practices, duplicated tooling and uneven quality of responses to Data Principals and regulators across business lines or geographies.
When this can work: Organisations with diverse products or country operations where central policy is essential but execution needs local ownership.

Decision area: Ambition level
Option: Minimum viable compliance
Upside: Lower near‑term spend and disruption by focusing on meeting statutory requirements with basic notices, rights handling, security documentation and breach processes.
Trade-off / risk: Limited margin for error when incidents occur and a programme that may look thin to sophisticated enterprise customers, partners or investors.
When this can work: Lower‑profile entities with modest data volumes and growth plans, where leadership consciously accepts a tighter risk tolerance.

Decision area: Ambition level
Option: Trust‑led differentiation
Upside: Stronger customer controls and transparency, visible certifications, tighter internal ethics checks on new data uses and a more credible story in regulatory or diligence conversations after incidents.
Trade-off / risk: Higher upfront and ongoing investment in governance, tooling, training and specialist talent.
When this can work: Organisations that depend on large enterprise or global customers, operate data‑intensive models or position trust and privacy as part of their competitive edge.

Decision area: Tooling approach
Option: Build in‑house capabilities
Upside: Tight integration with existing systems and data models, high flexibility and fewer external licence commitments for consent, rights and logging functions.
Trade-off / risk: Consumes scarce engineering capacity, requires ongoing maintenance and may struggle to keep pace with evolving regulatory expectations and edge‑case scenarios.
When this can work: Large technology teams with strong platform engineering discipline and a roadmap that justifies dedicated privacy engineering resources.

Decision area: Tooling approach
Option: Buy specialised tools
Upside: Faster deployment of tested consent, rights and logging workflows, with vendors maintaining features in line with regulatory changes and emerging practices.
Trade-off / risk: Licence and integration costs, plus dependency on each vendor's readiness for DPDP‑specific features such as consent manager integrations and Indian language support.
When this can work: Organisations that need to move quickly or lack in‑house capacity, particularly where DPDP‑specific capabilities are non‑negotiable for risk or customer expectations.
Coordinating DPDP with sectoral and global frameworks
DPDP does not replace sector‑specific regulation; it sits alongside it. Financial institutions must continue to meet RBI and SEBI expectations on data confidentiality, outsourcing and cyber resilience. Insurers remain bound by IRDAI norms; telecom and digital communication providers answer to TRAI; healthcare entities face health information and clinical establishment rules. In many cases sectoral guidance will be more prescriptive than DPDP about localisation, retention or breach handling. Where there is overlap, a practical working assumption is to design for the stricter requirement, while watching for formal clarifications from regulators on how their frameworks interact with DPDP.

Organisations with international footprints need to coordinate DPDP with regimes such as the EU's GDPR, Singapore's PDPA or California's CCPA. The good news is that privacy governance, security safeguards, data inventories and rights handling are conceptually similar, and crosswalks such as the NIST Privacy Framework to DPDP mapping show that a large portion of existing controls can be leveraged. For example, if you already maintain records of processing activities, run privacy impact assessments for high‑risk projects, and operate structured incident response processes, those foundations will support DPDP compliance as well.[4]

However, equivalence is not automatic. DPDP contains Indian‑specific features that global frameworks do not fully capture, such as the nomination right, the role of consent managers, language expectations for notices and rights processes accessible to Indian residents, and the particular categorisation of Significant Data Fiduciaries. It also relies more heavily on consent in some contexts where other regimes lean on legitimate interests. That means global policies often need tailoring for India, and your accountability map should explicitly assign responsibility for interpreting and implementing India‑specific nuances rather than assuming that a generic global template will suffice.
Executive checklist for 2026 leadership teams
Boards and CXO teams in 2026 need a concise way to test whether DPDP is being treated with the seriousness and structure it requires. One practical approach is to work through a short set of questions with management and ask for evidence, not just assurances.
Use the following questions to probe scope, operating design and resilience, and to surface where DPDP is still under‑resourced.
Clarify scope and accountability
Start by confirming who owns DPDP and how your roles are classified across the group.
Who is the accountable executive for DPDP and, where relevant, have we appointed a Data Protection Officer with a clear mandate and reporting line?
Have we formally classified our roles as Data Fiduciary and Data Processor across different lines of business and geographies, and do key third‑party contracts reflect those roles?
Has management obtained a legal view on whether we are likely to be designated a Significant Data Fiduciary, and if so, what additional steps are being taken?
Test the operating model in practice
Then examine whether day‑to‑day processes can actually deliver on notices, minimisation and rights.
Do we have an up‑to‑date inventory of systems and processes that hold personal data of Indian residents, including employees, partners and end‑users?
Where are the highest‑risk processing activities, and have we limited collection and retention to what is necessary?
Can we see working examples of DPDP‑compliant notices and consent flows in our major customer and employee journeys, including in local languages where appropriate?
If a Data Principal today asked to access, correct or erase their data or exercise their nomination right, what would actually happen in the front line and in our systems, and how quickly?
Probe resilience, vendors and external alignment
Finally, focus on how well you would cope with an incident, an audit or a major deal diligence request.
Have we aligned our security controls and logging to the expectations in the Act and Rules, and rehearsed our breach response with clear triggers for notification to the Data Protection Board and affected individuals?
How are DPDP obligations embedded into procurement, vendor onboarding and contract renewal, especially for cloud and cross‑border processing?
Where we are already bound by sectoral guidelines or global regimes like GDPR, have we documented how DPDP fits into that framework rather than relying on assumptions?
As leadership teams dig into DPDP, a set of recurring questions tends to surface around startups and smaller entities, employee data, cross‑border operations, AI use cases and the interaction between DPDP and existing global privacy programmes. Many of these are fact‑specific and warrant tailored legal advice, but some directional answers can help frame the discussion.

The following points address frequent executive‑level queries that do not always fit neatly into a compliance checklist, but materially affect how you structure your operating model and investment plans.
FAQs
DPDP applies to any entity that processes digital personal data within India, and to processing outside India that is connected with offering goods or services to individuals located in India, regardless of the entity's size. The Act allows the government to notify certain categories of smaller entities for specific relaxations, but this does not amount to a blanket exemption. Core duties—such as implementing reasonable security safeguards, issuing basic notices and honouring rights and breach reporting obligations—still apply. In practice, enforcement is likely to be risk‑based, with early attention on larger processors of sensitive data or those with visible consumer‑facing harms. However, smaller B2B organisations often sit deep in supply chains, and enterprise customers may require contractual DPDP assurances and audits even before regulators knock on the door. Treating DPDP as irrelevant because you are a startup or SME is therefore a risky assumption, particularly if your growth plan depends on large clients or regulated sectors.
Employees and contractors are Data Principals under DPDP and enjoy rights similar to customers or other individuals. At the same time, the Act recognises that certain processing can take place without consent where it is necessary for employment‑related purposes, such as payroll, benefits administration, compliance with labour laws or internal investigations mandated by law. Practically, you should provide clear privacy notices to employees and contractors that explain what data is collected, for what purposes, how long it is retained, how it may be shared within a group or with service providers, and how rights requests will be handled. You should be prepared to correct inaccurate records and erase data that is no longer needed once retention periods tied to tax, labour and other legal obligations have expired. HR systems, background verification, access management and leave or performance tools should all be included in your data inventory and risk assessment, not treated as outside the DPDP perimeter.
Existing compliance with GDPR, ISO 27701 or frameworks mapped through the NIST Privacy Framework gives you a substantial head start. You are likely to have governance structures, records of processing, security controls, incident response and basic rights handling already in place. However, most organisations still face a DPDP‑specific gap analysis. Typical gaps include localising privacy notices and rights processes for Indian residents and languages; accommodating DPDP’s nomination right; preparing to interface with consent managers once they are fully operational; aligning your lawful grounds with DPDP’s consent‑centred approach where you may previously have relied heavily on legitimate interests; and addressing India‑specific issues in cross‑border transfers, such as identifying which entities act as Data Fiduciaries for Indian data and how restrictions on certain countries, if notified, will be handled. You may also need to adjust DPO arrangements and board reporting lines where DPDP or Significant Data Fiduciary status introduces different expectations from those in the EU or other jurisdictions.
DPDP gives Data Principals meaningful rights, but it also recognises duties on their part and does not require organisations to comply with every request in every circumstance. You can decline or limit a request where fulfilling it would conflict with another law, such as statutory record‑keeping or regulatory retention requirements, or where the request is manifestly unreasonable, repetitive or disproportionate. The key is to have clear internal criteria, a documented decision process and transparent communication. For example, if a customer asks you to erase transaction data that must legally be retained for a minimum period, you can explain that the specific records cannot be deleted yet, while still offering to restrict certain processing such as marketing. Any refusal should be logged, tied to a clear legal or policy basis, and subject to review through your grievance redressal mechanism in case the individual challenges the decision or escalates to the Data Protection Board.
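The consent recording and propagation described in the operating-plan section, and the erasure-versus-retention decision just described, come down to a small amount of logic that is easy to get wrong in practice: downstream systems must check a single source of truth before processing, an erasure request must defer records under a statutory hold while still erasing everything else, and the held records must stop being used for consent-based purposes such as marketing. The following Python module is an added illustration of that logic, not code from the Act, the Rules or any vendor tool. The retention period, the non-consent purpose list, the Data Principal identifiers and the records are all constructed placeholders; the real figures are a legal determination and are not taken from this page.

```python
"""Added example: a minimal consent ledger with erasure handling that respects
statutory retention holds. Constructed for illustration; rule values are placeholders."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Placeholder retention rule: purpose -> days a record must be kept after the
# last activity. Real figures come from tax, financial or sectoral law.
LEGAL_RETENTION_DAYS: Dict[str, int] = {"transactions": 365 * 8}

# Purposes this ledger treats as processable without consent. Constructed list;
# which grounds actually qualify as "legitimate uses" is a legal question.
NON_CONSENT_PURPOSES = {"payroll"}


@dataclass
class Consent:
    purpose: str
    given_on: date
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        """Usable from the day it was given until (not including) the withdrawal day."""
        return self.given_on <= day and (self.withdrawn_on is None or day < self.withdrawn_on)


@dataclass
class Record:
    principal_id: str
    purpose: str
    last_activity: date
    payload: dict


@dataclass
class PrivacyLedger:
    consents: Dict[Tuple[str, str], Consent] = field(default_factory=dict)
    records: List[Record] = field(default_factory=list)
    audit: List[dict] = field(default_factory=list)  # append-only decision log

    def _log(self, principal: str, event: str, basis: str, on: date) -> None:
        self.audit.append({"principal": principal, "event": event,
                           "basis": basis, "on": on.isoformat()})

    def grant(self, principal: str, purpose: str, on: date) -> None:
        self.consents[(principal, purpose)] = Consent(purpose, on)
        self._log(principal, f"consent_granted:{purpose}", "clear affirmative action", on)

    def withdraw(self, principal: str, purpose: str, on: date) -> None:
        c = self.consents.get((principal, purpose))
        if c is not None and c.withdrawn_on is None:
            c.withdrawn_on = on
            self._log(principal, f"consent_withdrawn:{purpose}", "Data Principal request", on)

    def may_process(self, principal: str, purpose: str, on: date) -> bool:
        """Gate that analytics, marketing and partner integrations call before use."""
        if purpose in NON_CONSENT_PURPOSES:
            return True
        c = self.consents.get((principal, purpose))
        return c is not None and c.active_on(on)

    def request_erasure(self, principal: str, on: date) -> dict:
        """Erase what can be erased, defer what law requires, restrict the rest."""
        outcome: dict = {"erased": [], "retained": {}, "restricted": []}
        kept: List[Record] = []
        for rec in self.records:
            if rec.principal_id != principal:
                kept.append(rec)
                continue
            hold_days = LEGAL_RETENTION_DAYS.get(rec.purpose)
            release = rec.last_activity + timedelta(days=hold_days) if hold_days else None
            if release is not None and on < release:
                kept.append(rec)  # statutory hold: keep, record the release date
                outcome["retained"][rec.purpose] = release.isoformat()
                self._log(principal, f"erasure_deferred:{rec.purpose}",
                          f"statutory retention until {release.isoformat()}", on)
            else:
                outcome["erased"].append(rec.purpose)
                self._log(principal, f"erased:{rec.purpose}", "no longer necessary for purpose", on)
        self.records = kept
        # Held data may be kept but not used for consent-based purposes, so every
        # active consent is withdrawn: marketing stops today even though the
        # transaction records stay until their release date.
        for (pid, purpose), c in list(self.consents.items()):
            if pid == principal and c.active_on(on):
                self.withdraw(principal, purpose, on)
                outcome["restricted"].append(purpose)
        return outcome


def build_sample_ledger() -> PrivacyLedger:
    """Constructed sample data for two hypothetical Data Principals."""
    led = PrivacyLedger()
    led.grant("dp-001", "marketing", date(2025, 1, 10))
    led.grant("dp-001", "transactions", date(2025, 1, 10))
    led.records.append(Record("dp-001", "marketing", date(2025, 6, 15), {"segment": "retail"}))
    led.records.append(Record("dp-001", "transactions", date(2025, 6, 15), {"amount": 1200}))
    led.records.append(Record("dp-002", "marketing", date(2025, 6, 15), {"segment": "retail"}))
    return led


def run_erasure_demo(on_iso: str = "2026-03-01") -> Tuple[PrivacyLedger, dict]:
    """Build the sample ledger and process dp-001's erasure request on the given day."""
    led = build_sample_ledger()
    return led, led.request_erasure("dp-001", date.fromisoformat(on_iso))


if __name__ == "__main__":
    ledger, result = run_erasure_demo()
    print(result)
    for entry in ledger.audit:
        print(entry)
```

Running the module shows the shape of a defensible refusal: the marketing record is erased, the transaction record is deferred with an explicit release date, both consents are withdrawn so `may_process` returns False for marketing from that day, and every decision lands in the audit log with its basis. The same audit entries are what you would hand to your grievance officer, and later to the Board, if the individual challenges the deferral. In a real deployment the ledger would be the service that every consent prompt writes to and every downstream system reads from, rather than an in-memory object.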
DPDP is technology‑neutral, but its principles have direct implications for AI and analytics. If your models rely on personal data, you must ensure there is a lawful basis—often consent—for that data use, that the purpose is clearly described in your notices, and that you are not repurposing data in ways that are incompatible with what individuals were told. Data minimisation and retention limits may reduce the temptation to hoard rich historical datasets indefinitely. High‑risk use cases such as profiling that materially affects individuals, automated eligibility decisions or behavioural scoring are more likely to attract scrutiny, particularly if you are designated as a Significant Data Fiduciary. In those cases, structured risk assessments, testing for bias or unfair outcomes, and stronger human oversight become important both from a regulatory and reputational perspective. Where possible, consider whether your AI objectives can be met with anonymised or aggregated data, which falls outside the DPDP regime if re‑identification risks are properly addressed.