DPDP Act Readiness: A Controls-Based Roadmap for Indian Enterprises

The Digital Personal Data Protection Act, 2023 has moved from gazette to enforcement, and the rules notified under it bring with them a control regime that most Indian enterprises are not yet ready for. This is a controls problem before it is a legal problem.

This note maps the DPDP obligations to a practical implementation roadmap, framed in the way a Chartered Accountancy practice would build an assurance engagement around it.

Why this is a controls problem first

The DPDP Act regulates the processing of digital personal data. The obligations on a data fiduciary - lawful basis, notice, consent, purpose limitation, retention, security safeguards, breach reporting, grievance redressal - map cleanly onto the kind of controls that finance, IT audit, and compliance teams have been building for years under SOX-style and ISO 27001 regimes.

What is new is the principal-rights architecture: the ability of an individual (the 'data principal') to access, correct, and erase their data, and the obligation on the fiduciary to action those requests within bounded time. That demands an underlying data inventory and an entitlement model that most enterprises do not have today.

Step 1: Build a data inventory that actually reflects reality

Every credible DPDP programme begins with a data inventory - a catalogue of the categories of personal data the organisation processes, the systems where it sits, the lawful basis under which it was collected, and the third parties it has been shared with.

The mistake we see most often: the inventory is built once during a consulting engagement and then frozen. By the time it surfaces in an internal audit, half of it is out of date. Three principles that make the inventory useful:

  • Tie it to systems, not departments. Departments reorganise; systems persist.
  • Refresh on a defined cadence - quarterly at minimum, with change triggers (new vendor, new product line).
  • Tag every entry with lawful basis - consent, contract, legal obligation, vital interest, or legitimate interest.

Step 2: A consent architecture that holds up at audit

The Act sets a high bar for consent: free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. Bundled consent, pre-ticked boxes, and consent buried in long policies will not survive scrutiny. A defensible consent architecture has three properties: granularity by purpose, withdrawability with an audit trail, and re-consent on material change.
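The three properties above can be made checkable rather than aspirational. The following is an added illustration, not code from the article or from any particular product: an append-only consent ledger in which each purpose is consented to separately, a withdrawal is recorded as a new event rather than by deleting the grant (so the audit trail survives), and a grant is only valid against the version of the notice the principal actually saw. The purpose names, notice versions and the assumption that the notice version is bumped only on a material change are all hypothetical.

```python
"""Append-only consent ledger (added example, not the article's own code).

Assumptions (hypothetical): one purpose per consent event; the notice version
is incremented only on a material change to what the principal was told; a
withdrawal is recorded as an event, never as a deletion.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # one purpose per event: granularity by purpose
    action: str           # "grant" or "withdraw"
    notice_version: str   # version of the notice the principal acted on
    at: datetime          # when the affirmative action (or withdrawal) happened
    channel: str          # where it happened, e.g. "web-form", "account-page"


class ConsentLedger:
    """Append-only: events are never edited or removed, only added."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        self._events.append(event)

    def history(self, principal_id: str, purpose: str) -> List[ConsentEvent]:
        """The audit trail for one principal and purpose, oldest first."""
        trail = [e for e in self._events
                 if e.principal_id == principal_id and e.purpose == purpose]
        return sorted(trail, key=lambda e: e.at)

    def has_valid_consent(self, principal_id: str, purpose: str,
                          current_notice_version: str) -> bool:
        """Valid only if the most recent event is a grant given against the
        current notice version. A later withdrawal, or a material change
        that bumped the notice version, makes the consent invalid."""
        trail = self.history(principal_id, purpose)
        if not trail:
            return False          # never consented to this purpose
        latest = trail[-1]
        return (latest.action == "grant"
                and latest.notice_version == current_notice_version)

    def purposes_needing_reconsent(self, principal_id: str,
                                   current_notice_version: str) -> List[str]:
        """Purposes where the latest event is a grant, but against an older
        notice: these must be re-consented before processing continues."""
        purposes = sorted({e.purpose for e in self._events
                           if e.principal_id == principal_id})
        stale = []
        for purpose in purposes:
            latest = self.history(principal_id, purpose)[-1]
            if (latest.action == "grant"
                    and latest.notice_version != current_notice_version):
                stale.append(purpose)
        return stale


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: one principal, two purposes, one withdrawal."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("p-001", "marketing", "grant", "v1", t0, "web-form"))
    ledger.record(ConsentEvent("p-001", "service-delivery", "grant", "v1", t0, "web-form"))
    # The principal later withdraws marketing consent from the account page.
    ledger.record(ConsentEvent("p-001", "marketing", "withdraw", "v1",
                               t0 + timedelta(hours=1), "account-page"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("marketing valid under v1:", ledger.has_valid_consent("p-001", "marketing", "v1"))
    print("service-delivery valid under v1:", ledger.has_valid_consent("p-001", "service-delivery", "v1"))
    print("after material change to v2, needs re-consent:",
          ledger.purposes_needing_reconsent("p-001", "v2"))
    for e in ledger.history("p-001", "marketing"):
        print(e.at.isoformat(), e.action, e.notice_version, e.channel)
```

The design choice worth noting is that `has_valid_consent` never consults a mutable "consented: yes/no" flag; it derives the answer from the trail, so an auditor can reproduce every decision from the ledger alone, and a withdrawal is evidenced by the same record that enforces it.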

Step 3: Reasonable security safeguards - what 'reasonable' means

The Act requires data fiduciaries to maintain reasonable security safeguards. The rules specify a non-exhaustive list, but in practice we treat ISO/IEC 27001 (currently the 2022 revision) as the baseline benchmark, with additions for India-specific requirements - encryption of data at rest and in transit, access controls aligned with least privilege, logging and monitoring, and breach detection capabilities.

Step 4: Breach notification - the 72-hour clock

The Data Protection Board can impose substantial penalties for breach-notification failures. Building a 72-hour readiness posture requires three components:

  1. Detection capability - instrumented systems and a SOC capable of identifying personal-data exposure events.
  2. Decision protocol - a defined RACI for who calls a breach, what evidence triggers the call, and the threshold for notification.
  3. Notification workflow - pre-drafted templates, contact channels for the Board and affected principals, and a legal-review fast track.

Step 5: Cross-border transfers

The cross-border transfer regime under the Act is permissive by default, with a negative list to be notified by the Central Government. Practitioners should review existing master service agreements with cloud providers, payroll vendors, marketing automation platforms, and analytics tools - many of which transfer data overseas as a matter of course.

Step 6: Governance and the role of the DPO

The Act requires a Data Protection Officer for Significant Data Fiduciaries. Even where the organisation is not yet in that category, designating a DPO-equivalent role and giving it a reporting line independent of the business is good practice. The DPO's remit should include the data inventory, the consent architecture, the breach-response runbook, the cross-border transfer register, and the periodic DPDP-readiness audit.

What good looks like

An organisation that is genuinely DPDP-ready will be able to do four things on demand: produce a current data inventory; action a principal-rights request within statutory timelines; evidence reasonable security safeguards through an independent review; and execute breach notifications within the 72-hour window without panic.

The bottom line

The DPDP Act is a controls challenge dressed in legal vocabulary. Treat it the way you would treat IFC (internal financial controls) - build the inventory, design the controls, evidence the operation, and audit the outcome. The legal questions become much easier to answer when the underlying machinery is in place.

This article is for general information only and does not constitute legal or professional advice. For engagement-specific DPDP readiness reviews, please write to contact@zarkca.in.