DPDP Legislation: Aligning Corporate Maps with Individual Privacy

They say data is the new oil. But unlike oil, it is not buried deep underground — it is generated every day, by every business, in every transaction. India’s Digital Personal Data Protection Act now makes misuse and non-compliance expensive. Most organisations still haven’t grasped the gravity of this shift — they have until May 2027, hardly 12 months, to become compliant before fine print turns into serious liability.


Digital personal data protection is uncharted territory for most organisations. Collecting, processing and retaining personal data has long been treated as a routine business activity – something organisations largely took for granted. Consent, where taken, was typically blanket in nature and sought only when explicitly required by law. Data management practices focused mainly on storage and protection of business-sensitive information. That is now changing. The DPDP Act seeks to regulate the misuse of personal digital data. The Act gives individuals the right to protect their personal data and control how it is used. Specific, purpose-bound consent is the crux of this law. Organisations and their vendors will be held accountable.


Drawing the Privacy Map


Personal data covers any information that can be traced back, directly or indirectly, to an individual. Name, address, phone number, PAN, Aadhaar, e-mail ID and IP address are just the beginning. Once such data is collected, whether in digital or manual form, the organisation collecting it assumes a fiduciary obligation in relation to how that data is used, stored, shared and retained. The scope of this Act is large — it covers NGOs actively building contact databases, government bodies sitting on vast historical repositories of identity data, and foreign technology companies that hold the digital footprints of Indian users. That is why this law matters as much to a domestic manufacturer as it does to a global technology platform.


That responsibility does not end at the organisation’s boundary. If a vendor or outsourced service provider processes personal data on its behalf, the organisation remains accountable. In other words, outsourcing the activity does not outsource the liability.

The law is broad but not absolute — certain sovereign, domestic and publicly available data sits outside its scope.


Mapping the Road to Readiness


For many entrepreneurs, the DPDP Act still feels like a legal development that can be dealt with later. That would be a mistake. The compliance date may appear comfortably distant, but this is not a law that can be implemented through a last-minute policy update. It requires companies to understand what personal data they collect, why they collect it, where it flows, who touches it, how long it is retained, and what happens when something goes wrong.

The first task, therefore, is mapping. Most businesses do not have a reliable map of their personal data. Customer databases, employee records, website cookies, app analytics, KYC documents, CRM systems, payroll files and outsourced support functions all sit in different corners of the enterprise. But data does not always remain within formal systems. It may sit in an employee’s personal email, a WhatsApp thread, a shared folder, or even on a device that remains with the individual after departure from the organisation. Before talking of compliance, management must know what data exists and where. Without this map, there can be no serious conversation on consent, purpose limitation, vendor risk or data retention.


The second task is to put a consent architecture in place. Consent must be specific, which means the individual must know the purpose for which the data is being collected or used. It must also be capable of being withdrawn by the individual, and systems for processing such withdrawal, within prescribed time limits, must be built into the process. Records that can evidence consent and withdrawal will need to be maintained. Additional obligations may apply where the organisation is notified as a Significant Data Fiduciary or where it collects personal data relating to children. With regard to digital personal data already in the organisation’s possession, notices seeking consent to continue using such data may also need to be issued, with an option to withdraw consent. Entrepreneurs will therefore need to separate processing that depends on fresh, specific and revocable consent from processing that may be justified on another legal basis. This exercise will expose how many businesses still rely on vague privacy notices and broad, catch-all consent language that will not survive scrutiny.


The third task is governance. Vendor contracts need review. Retention periods need discipline. Breach response mechanisms need to be tested, not assumed. Internal ownership must be fixed — if data compliance remains dispersed between IT, legal, HR and operations, it will remain nobody's problem until it becomes everybody's crisis. Vendor arrangements must also be tightened to address data security standards, breach notification obligations, deletion of data at the end of the relationship, and the ability to verify that personal data is not being leaked, retained, or misused beyond the agreed purpose. At the end of the day, a vendor may process the data, but accountability still rests with the organisation.
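The three tasks above (knowing what data exists, binding its use to specific and revocable consent, and enforcing retention and deletion) reduce to a small amount of record-keeping that an organisation can actually test. The following is an added illustration, not code from the article or from any regulator: a minimal purpose-bound consent register that refuses processing for a purpose the individual never consented to, honours withdrawal, flags data whose retention period has lapsed, and keeps an audit trail as evidence. The purpose names, retention periods, subject IDs and the 30-day withdrawal-processing window are constructed placeholders; the time limits actually prescribed under the DPDP Rules are not encoded here.

```python
# Added example (not from the article): a purpose-bound consent register.
# Purpose names, retention periods, subject IDs and the withdrawal SLA are
# constructed placeholders; statutory time limits are deliberately not encoded.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str                  # the data principal (pseudonymous ID)
    purpose: str                     # one specific purpose, never a catch-all
    granted_at: datetime
    retention_days: int              # how long data for this purpose may be kept
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    """Records consent per (subject, purpose), supports withdrawal, gates processing."""

    def __init__(self, withdrawal_sla_days: int = 30):   # placeholder, not the statutory figure
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self.audit_log: list[tuple[datetime, str, str, str]] = []  # evidence of consent/withdrawal
        self.withdrawal_sla = timedelta(days=withdrawal_sla_days)

    def _log(self, when: datetime, event: str, subject_id: str, purpose: str) -> None:
        self.audit_log.append((when, event, subject_id, purpose))

    def record_consent(self, subject_id: str, purpose: str, retention_days: int, now: datetime) -> None:
        # Consent is stored per purpose: consenting to order fulfilment says nothing about marketing.
        self._records[(subject_id, purpose)] = ConsentRecord(subject_id, purpose, now, retention_days)
        self._log(now, "consent_granted", subject_id, purpose)

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> bool:
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False                      # nothing to withdraw, or already withdrawn
        rec.withdrawn_at = now
        self._log(now, "consent_withdrawn", subject_id, purpose)
        return True

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> tuple[bool, str]:
        """The gate every processing step should call before touching personal data."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return False, "no consent recorded for this purpose"
        if rec.withdrawn_at is not None:
            return False, "consent withdrawn"
        if now > rec.granted_at + timedelta(days=rec.retention_days):
            return False, "retention period expired"
        return True, "consent valid for this purpose"

    def erasure_backlog(self, now: datetime) -> list[tuple[str, str, str]]:
        """Data that should already be deleted: withdrawals past the SLA, or retention lapsed."""
        due = []
        for rec in self._records.values():
            if rec.withdrawn_at is not None and now >= rec.withdrawn_at + self.withdrawal_sla:
                due.append((rec.subject_id, rec.purpose, "withdrawal overdue"))
            elif rec.withdrawn_at is None and now > rec.granted_at + timedelta(days=rec.retention_days):
                due.append((rec.subject_id, rec.purpose, "retention expired"))
        return due


def demo() -> dict:
    """Constructed scenario: one customer, two purposes, one withdrawal, checked 40 days on."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    reg = ConsentRegister()
    reg.record_consent("cust-001", "order_fulfilment", retention_days=365, now=t0)
    reg.record_consent("cust-001", "marketing_email", retention_days=180, now=t0)
    reg.withdraw("cust-001", "marketing_email", now=t0 + timedelta(days=5))
    later = t0 + timedelta(days=40)
    return {
        "fulfilment": reg.may_process("cust-001", "order_fulfilment", later),
        "marketing": reg.may_process("cust-001", "marketing_email", later),
        "profiling": reg.may_process("cust-001", "profiling", later),   # never consented
        "backlog": reg.erasure_backlog(later),
        "events": len(reg.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that `may_process` is keyed on purpose, so a blanket "we may use your data" consent has no representation at all: each use must be recorded separately, each can be withdrawn on its own, and `erasure_backlog` turns the retention and deletion obligations into a list that an internal owner can be made responsible for clearing.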


The Cost of Inaction


The DPDP Act is deliberately aggressive about penalties. A breach of the obligation to maintain reasonable security safeguards can attract penalties of up to ₹250 crore; failure to notify the Board or affected individuals of a personal data breach can draw penalties of up to ₹200 crore; and breaches of additional obligations relating to children’s data can invite penalties of up to ₹200 crore. These penalties apply per breach, not in aggregate. In a catastrophic incident involving multiple failures — security safeguards, breach notification, or children’s data — the combined exposure can be high enough to put the very survival of a company at risk.


Owning the Data Map


The entrepreneurs who will handle this law well are not those with the longest privacy policies. They are the ones who start early, build internal systems, and treat personal data not as an administrative residue of doing business, but as a regulated asset with legal, financial and reputational consequence.


CA Nithya A & Associates

+91 9019133486

#22, Guru Krupa, 3rd Block, 4th Cross, 8th Main, Dasappa Layout, Ramamurthy nagar,

Bangalore 560016

Connect with our founder, Nithya Aravindakshan, on LinkedIn

  • LinkedIn

Stay Connected

 

Powered and secured by Wix 

 

bottom of page