The wait is officially over. As of November 13, 2025, both the Digital Personal Data Protection Act (DPDPA) and the DPDPA Rules 2025 have become fully operational. This marks the definitive end of the window for "we’ll figure it out later." Based on my extensive experience advising organizations across India, I can confidently say that privacy compliance is no longer merely a legal or operational checklist - it is now an explicit survival imperative.
The Cost of Non-Compliance
With the Act in force, the Data Protection Board of India has become fully operational, and the financial implications are severe. The Board is empowered to penalize security breaches with fines up to ₹250 Crore and breach notification failures up to ₹200 Crore.
The financial risk is immediate. One systemic failure or compliance gap could lead to several cumulative penalties, potentially costing an organization hundreds of crores and turning a simple oversight into a solvency concern. Despite these high stakes, I regularly observe that many organizations remain unprepared, operating with policies that are disconnected from their technology, culture, and operational models.
A Fundamental Shift in Responsibility
The DPDPA demands a fundamental reform in how we view data. We are moving away from the outdated concept of being a "data owner." Organizations now owe strict fiduciary duties to the Data Principal. This shift requires companies to build and maintain robust systems, procedures, and KPIs specifically designed to fulfill these obligations.
What Requires Immediate Attention
To navigate this landscape, organizations must prioritize the following:
- Verifiable Consent: This means no dark patterns or pre-ticked boxes. Consent notices must be accessible in English and all 22 scheduled Indian languages.
- Traceability: Consent flows must be fully traceable and auditable. This often requires a major redesign of current systems, not just a quick correction.
- Technology Implementation: While tools like OneTrust, Securiti.ai, and Go-Trust are valuable, they are only effective when paired with a solid operating model.
- Rights Management: Individuals now have enforceable rights to access, correct, erase, and nominate. Organizations need a structured, auditable system to manage these requests. While various platforms available in the market can assist with this, the workflows must be customized to fit your specific risk profile and operations.
- Significant Data Fiduciaries (SDF): If an organization falls under the SDF criteria, it must act immediately to appoint an India-based Data Protection Officer (DPO) and conduct the independent audits required by law.
The Tsaaro Framework: How to Respond
At Tsaaro, I stand by a four-step strategic framework to move from ambiguity to implementation:
- Diagnose: First, execute a DPDPA-compliant gap assessment. This involves mapping data flows, analyzing contracts, auditing security procedures (ISO 27001), evaluating vendor accountability, and conducting your first Data Protection Impact Assessment (DPIA). Maintaining visibility over "shadow processing" is crucial.
- Create: Develop an operational model, not just a legal list. Privacy must be integrated into corporate processes - such as vendor onboarding and automated consent flows - rather than added as an afterthought.
- Implement: Systematically deploy your chosen privacy platforms and set up rights workflows. Remember, tools are only as good as their architecture. Use this initiative as an opportunity to clean up historical data practices.
- Sustain: Privacy is a continuous discipline, not a one-time project. To sustain it through culture, organizations must:
  - Build comprehensive training programs.
  - Establish board-level reporting.
The Bigger Picture
The DPDPA establishes a trust framework for India's digital economy. Companies that take privacy seriously will differentiate themselves, attracting global partners and withstanding scrutiny. Those who view it as a mere compliance burden risk facing severe legal and financial repercussions.
The runway for action is short. If you are ready to move from ambiguity to implementation, my team at Tsaaro is ready to assist you. Please, don't wait.
(No ET Now Journalists are involved in creation of this article.)