
India's DPDP Act 2023: What It Means for Your Enterprise Data Governance

The Digital Personal Data Protection Act, 2023 is India's most significant data regulation since the IT Act. Here is what it requires, which enterprises are affected, and the data governance steps you should be taking now.

Cognexa Data Team

Enterprise Data Practice · 20 May 2026

India's Digital Personal Data Protection (DPDP) Act, 2023 passed into law in August 2023 and is in the process of being operationalised through rules. When fully in effect, it will fundamentally change how Indian enterprises collect, process, store, and share personal data. Unlike earlier Indian data regulations, the DPDP Act has teeth: fines of up to ₹250 crore for significant violations.

This is not a future concern for IT teams to park until the rules are finalised. The organisations that will comply with the least disruption are the ones building compliant data practices now — before the enforcement machinery is fully operational.

The Core Obligations Under DPDP

The Act creates obligations for 'Data Fiduciaries' — any entity that determines the purpose and means of processing personal data. If your organisation collects, processes, or stores personal data of Indian citizens, you are a Data Fiduciary under the Act.

  • Consent: Obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data
  • Purpose limitation: Use data only for the specific purpose for which consent was obtained
  • Data minimisation: Collect only the data necessary for the stated purpose
  • Storage limitation: Retain data only as long as the purpose requires; delete it after
  • Data Principal rights: Respond to requests for access, correction, erasure, and grievances within specified timelines
  • Data breach reporting: Notify the Data Protection Board and affected individuals of significant breaches
  • Data localisation: Significant Data Fiduciaries face restrictions on cross-border data transfers

The Act applies to any enterprise processing personal data of Indian citizens, regardless of where the enterprise is located. An Indian enterprise processing employee or customer data is fully covered. The penalties for non-compliance scale with the violation — up to ₹250 crore for failing to implement reasonable security safeguards.

The Data Governance Gap Most Indian Enterprises Have

To comply with DPDP, you need to know: what personal data you hold, where it lives, why you have it, who has access, and how long you will keep it. This sounds straightforward. In practice, for most organisations with more than a few hundred employees and systems built over a decade, the answer is: we do not fully know.

Customer data exists in the CRM, the billing system, the support tool, the marketing platform, and email archives. Employee data is in the HRMS, the payroll system, the access control system, and individual spreadsheets on shared drives. This data fragmentation is the governance gap that DPDP compliance requires you to close.

Four Data Governance Steps to Take Before Enforcement

Step 1: Data Discovery and Classification

Inventory every system that stores personal data. Classify the data by type (identity, financial, health, behavioural) and sensitivity. This is not a one-time exercise — it needs to be an ongoing process as new systems are added. The output is a Data Register: a documented record of what you hold, where, and why.

Step 2: Consent and Purpose Mapping

For each category of personal data, document the purpose for which it was collected and the consent mechanism used. Where consent is not currently the legal basis for processing, determine whether it needs to be, or whether a legitimate interest basis applies. This mapping exercise often surfaces data that was collected without adequate consent — which needs to be either re-consented or deleted.

Step 3: Retention and Deletion Policies

DPDP requires that data not be retained longer than necessary. For many organisations, data is never deleted — it accumulates indefinitely in backup systems, email archives, and legacy databases. Implement retention schedules for each data category, and build the technical capability to execute deletion when the retention period expires. This is harder than it sounds for distributed data environments.

Step 4: Security Controls Proportionate to Risk

The Act requires 'reasonable security safeguards' proportionate to the risk of the data being processed. For Significant Data Fiduciaries processing sensitive personal data at scale, this means documented security policies, access controls, encryption at rest and in transit, periodic security audits, and documented breach response procedures.

The Connection to Master Data Management

Organisations with well-implemented Master Data Management (MDM) have a significant advantage in DPDP compliance. When personal data is centralised, governed, and consistent — rather than duplicated across systems with inconsistent quality — responding to Data Principal rights requests (access, correction, erasure) becomes operationally feasible. Without MDM, finding and deleting all instances of a specific person's data across your infrastructure is an expensive manual exercise.
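As an added illustration of Steps 1 to 3 above and of the rights-request point in this section (example code written for this article, not a Cognexa tool or a DPDP-prescribed format), the following models a minimal Data Register and runs three checks over it: entries with no documented consent basis, records past their retention schedule (plus records found in a system the register does not know about), and the list of systems that must be touched to honour one Data Principal's erasure request. System names, categories, retention periods and records are all constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class RegisterEntry:
    system: str          # system that holds the data (hypothetical names below)
    category: str        # identity / financial / health / behavioural
    purpose: str         # purpose for which the data was collected
    legal_basis: str     # "consent", or "none" if no documented basis exists
    retention_days: int  # retention schedule for this category in this system

@dataclass(frozen=True)
class Record:
    system: str
    category: str
    principal_id: str    # the Data Principal the record relates to
    collected_on: date

# Constructed Data Register (Step 1 output); values are illustrative only.
REGISTER = [
    RegisterEntry("crm", "identity", "customer_support", "consent", 365),
    RegisterEntry("billing", "financial", "invoicing", "consent", 8 * 365),
    RegisterEntry("marketing", "behavioural", "campaigns", "none", 180),
    RegisterEntry("hrms", "identity", "employment", "consent", 5 * 365),
]

# Constructed sample of records discovered across systems, including one on a
# shared drive that the register never captured.
RECORDS = [
    Record("crm", "identity", "p1", date(2024, 1, 1)),
    Record("billing", "financial", "p1", date(2024, 1, 1)),
    Record("marketing", "behavioural", "p2", date(2026, 1, 1)),
    Record("hrms", "identity", "p3", date(2020, 1, 1)),
    Record("shared_drive", "identity", "p1", date(2023, 6, 1)),
]

def consent_gaps(register):
    """Step 2: register entries with no documented basis, to be re-consented or deleted."""
    return [e for e in register if e.legal_basis == "none"]

def retention_review(records, register, today):
    """Step 3: records past their retention schedule, and records held in a
    system/category the register does not cover (a discovery gap to close)."""
    schedule = {(e.system, e.category): e.retention_days for e in register}
    expired, unregistered = [], []
    for r in records:
        days = schedule.get((r.system, r.category))
        if days is None:
            unregistered.append(r)
        elif r.collected_on + timedelta(days=days) <= today:
            expired.append(r)
    return expired, unregistered

def erasure_worklist(records, principal_id):
    """Erasure request: every system holding data about this Data Principal."""
    return sorted({r.system for r in records if r.principal_id == principal_id})
```

The unregistered bucket is the important one operationally: a retention job that only knows the register will silently skip exactly the spreadsheets and archives the article warns about.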

If your organisation has not yet invested in MDM, DPDP compliance is a compelling business case for doing so now. The governance capability you build to comply with DPDP also improves data quality for analytics, reduces duplication in operational systems, and lowers storage costs.