Newsletter · Edition #15 · DPDP Act · 4 min read

The DPDP deadline nobody’s ready for

India’s Digital Personal Data Protection Act is law. Most teams are treating it like a policy update. It isn’t.

When the DPDP Rules commence, the grace period ends with them. The organisations we assess fall into two camps: those who mapped their personal data months ago, and those still arguing about who owns the project. The gap between them is about six months of work.

The part everyone underestimates

DPDP isn’t a policy you write once. It’s an operating capability: knowing exactly what personal data you hold, why, where it flows, who can access it, and how a data principal can withdraw consent or ask for erasure — on demand. If you can’t answer those today, you can’t answer them for the Board either.

Where to start this week

Build a personal-data inventory before you touch a policy. You cannot protect, consent-manage, or delete data you haven’t mapped. From there, consent, grievance redressal and breach notification fall into place fast. Start with your highest-volume systems — that’s where the exposure (and the penalty caps) concentrate.

The bottom line

DPDP readiness is measured in weeks of remediation, not days of paperwork. The teams who start with a data map finish calm. The ones who start with a policy template finish late.

Get the next edition in your inbox

Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.

Compliance insights, no spam. Unsubscribe anytime.

← Browse all editions

Free tool
DPDP Readiness Checker
Check your readiness for India’s DPDP Act and see your priority gaps — free.
Try it free →