The Clock is Ticking on DPDPA Compliance
With the rules for the Digital Personal Data Protection Act (DPDPA) 2023 officially rolling out, enterprises across India are scrambling to audit their data pipelines. Fines for non-compliance are severe, capping at ₹250 Crores per instance, making privacy no longer just a legal issue, but a board-level risk.
1. Data Discovery is Step Zero
The core tenant of the DPDPA is that you must have a clear purpose for processing data. But how can you justify processing when you don't even know where the data lives? Shadow IT, rogue spreadsheets containing PAN/Aadhaar details on employee laptops, and misconfigured S3 buckets are the biggest liabilities.
Before buying expensive consent management tools, run automated discovery scans across your network.
2. Verifiable Consent
The DPDPA demands consent be free, specific, informed, unconditional, and unambiguous with a clear affirmative action. Pre-ticked boxes are illegal. Furthermore, notices must be provided in English and any of the 22 languages specified in the 8th Schedule of the Constitution.
3. The Right to Erasure
When a Data Principal revokes consent, you don't just delete their row in a master database. You must cascade that deletion request to all third-party Data Processors you've shared that data with. Establishing a centralized Data Subject Rights (DSR) automation engine is the only scalable way to achieve this.