Newsletter · Edition #15 · DPDP Act · 4 min read
The DPDP deadline nobody’s ready for
India’s Digital Personal Data Protection Act is law. Most teams are treating it like a policy update. It isn’t.
When the DPDP Rules commence, the grace period ends with them. The organisations we assess fall into two camps: those who mapped their personal data months ago, and those still arguing about who owns the project. The gap between them is about six months of work.
The part everyone underestimates
DPDP isn’t a policy you write once. It’s an operating capability: knowing exactly what personal data you hold, why, where it flows, who can access it, and how a data principal can withdraw consent or ask for erasure — on demand. If you can’t answer those today, you can’t answer them for the Board either.
Where to start this week
Build a personal-data inventory before you touch a policy. You cannot protect, consent-manage, or delete data you haven’t mapped. From there, consent, grievance redressal and breach notification fall into place fast. Start with your highest-volume systems — that’s where the exposure (and the penalty caps) concentrate.
The bottom line
DPDP readiness is measured in weeks of remediation, not days of paperwork. The teams who start with a data map finish calm. The ones who start with a policy template finish late.
