The Digital Personal Data Protection Act, 2023 has moved from gazette to enforcement, and the rules notified under it bring with them a control regime that most Indian enterprises are not yet ready for. This is a controls problem before it is a legal problem.
This note maps the DPDP obligations to a practical implementation roadmap, framed in the way a Chartered Accountancy practice would build an assurance engagement around it.
Why this is a controls problem first
The DPDP Act regulates the processing of digital personal data. The obligations on a data fiduciary — lawful basis, notice, consent, purpose limitation, retention, security safeguards, breach reporting, grievance redressal — map cleanly onto the kind of controls that finance, IT audit, and compliance teams have been building for years under SOX-style and ISO 27001 regimes.
What is new is the principal-rights architecture: the ability of an individual (the ‘data principal’) to access, correct, and erase their data, and the obligation on the fiduciary to action those requests within bounded time. That demands an underlying data inventory and an entitlement model that most enterprises do not have today.
Step 1: Build a data inventory that actually reflects reality
Every credible DPDP programme begins with a data inventory — a catalogue of the categories of personal data the organisation processes, the systems where it sits, the lawful basis under which it was collected, and the third parties it has been shared with.
The mistake we see most often: the inventory is built once during a consulting engagement and then frozen. By the time it surfaces in an internal audit, half of it is out of date.
Three principles that make the inventory useful:
- Tie it to systems, not departments. A department-level inventory misses the granular truth of which application processes which field.
- Make ownership operational. Each data category should have a named owner who signs off the inventory entry every quarter.
- Capture lawful basis at the point of collection. Retroactive lawful-basis assignment is a common audit finding waiting to happen.
Step 2: A consent architecture that holds up at audit
The Act sets a high bar for consent: free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. Bundled consent, pre-ticked boxes, and consent buried in long policies will not survive scrutiny.
Practically, this means:
- A consent management platform that records when consent was given, for which purpose, and through which interface.
- An audit log of consent withdrawals and the downstream system actions triggered (suppress, anonymise, delete).
- A linkage between the consent record and the data inventory, so that when consent is withdrawn for ‘marketing’, the system knows which fields and which third parties to act on.
A consent record without a downstream action chain is theatre. A regulator will look at the chain, not the record.
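As an added illustration (not code from the article or from any consent platform), the following Python sketch shows the linkage this step and Step 1 describe: a purpose-keyed data inventory, an append-only consent record, and a withdrawal that is actioned against the inventory rather than merely logged. All systems, fields, vendors and purposes are constructed.

```python
from datetime import datetime, timezone

# Constructed inventory, keyed by purpose: which system holds which fields for
# that purpose, what to do with them on withdrawal, and who they were shared with.
INVENTORY = {
    "marketing": [
        {"system": "crm", "fields": ["email", "phone"], "on_withdraw": "suppress", "third_parties": ["mailer-vendor"]},
        {"system": "analytics", "fields": ["email_hash"], "on_withdraw": "anonymise", "third_parties": []},
    ],
    "billing": [
        {"system": "erp", "fields": ["name", "address"], "on_withdraw": "delete", "third_parties": []},
    ],
}

class ConsentLedger:
    """Append-only consent record plus an audit log of the actions it triggers."""
    def __init__(self):
        self.events = []              # when, for which purpose, through which interface
        self.downstream_actions = []  # what each withdrawal made the systems do

    def _log(self, principal_id, purpose, state, interface):
        if purpose not in INVENTORY:
            # A purpose the inventory does not know cannot be actioned on withdrawal.
            raise ValueError(f"purpose {purpose!r} is not in the data inventory")
        self.events.append({"principal_id": principal_id, "purpose": purpose, "state": state,
                            "interface": interface, "at": datetime.now(timezone.utc).isoformat()})

    def give(self, principal_id, purpose, interface):
        self._log(principal_id, purpose, "given", interface)

    def withdraw(self, principal_id, purpose, interface):
        """Record the withdrawal and derive the downstream action chain from the inventory."""
        self._log(principal_id, purpose, "withdrawn", interface)
        actions = []
        for entry in INVENTORY[purpose]:
            actions.append({"principal_id": principal_id, "system": entry["system"],
                            "fields": entry["fields"], "action": entry["on_withdraw"]})
            for tp in entry["third_parties"]:
                actions.append({"principal_id": principal_id, "third_party": tp,
                                "action": "instruct_erasure"})
        self.downstream_actions.extend(actions)
        return actions

    def has_consent(self, principal_id, purpose):
        """The latest recorded event for (principal, purpose) decides; no record means no consent."""
        for ev in reversed(self.events):
            if ev["principal_id"] == principal_id and ev["purpose"] == purpose:
                return ev["state"] == "given"
        return False
```

The point for an auditor is that `downstream_actions` is what gets sampled: every withdrawal in `events` should have a matching set of system and third-party actions, and any gap between the two lists is a finding.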
Step 3: Reasonable security safeguards — what ‘reasonable’ means
The Act requires data fiduciaries to maintain reasonable security safeguards. The rules specify a non-exhaustive list, but in practice we treat ISO/IEC 27001 (in its 2022 revision) as the baseline benchmark, with additions for India-specific requirements such as:
- Encryption at rest and in transit for personal data, with key-management documented.
- Access controls tied to the entitlement model, with periodic re-certification.
- Audit logs of access to sensitive personal data, retained for the prescribed period.
- Incident-response runbook aligned with the breach-notification timelines under the Act.
Step 4: Breach notification — the 72-hour clock
The Data Protection Board can impose substantial penalties for breach-notification failures. Building a 72-hour readiness posture requires three things:
- A defined trigger: what counts as a notifiable breach? The runbook should not require legal interpretation in the heat of an incident.
- A pre-approved notification template, with the Board’s required fields, that can be sent without a multi-stage approval chain.
- Tabletop exercises every six months, with logs of how long it actually took to declare and notify in the simulation.
Step 5: Cross-border transfers
The cross-border transfer regime under the Act is permissive by default, with a negative list to be notified by the Central Government. For now, transfers to most jurisdictions are allowed, but the contract with the data processor must reflect DPDP-aligned obligations.
Practitioners should review existing master service agreements with cloud providers, payroll vendors, marketing automation platforms, and analytics tools to confirm:
- The processor obligations (security, sub-processing, breach notification, audit rights) are present and adequate.
- There is a clear flow-down of data principal rights through the processor chain.
- The data localisation posture is documented, even where localisation is not currently mandated.
Step 6: Governance and the role of the DPO
The Act requires a Data Protection Officer for Significant Data Fiduciaries. Even where the organisation is not yet in that category, designating a DPO-equivalent role and giving it a reporting line independent of the business is good practice.
The DPO’s remit should include the data inventory, the consent architecture, the breach-response runbook, the cross-border transfer register, and the periodic DPDP-readiness audit.
What good looks like
An organisation that is genuinely DPDP-ready will be able to do four things on demand:
- Produce the data inventory, signed off and current within the last 90 days.
- Demonstrate the consent record for any sample data principal, traced through to the downstream system actions.
- Walk through the security control matrix mapped to the personal-data categories, with evidence of operating effectiveness.
- Run the breach-response tabletop without consulting external counsel for the first 24 hours.
The bottom line
The DPDP Act is a controls challenge dressed in legal vocabulary. Treat it the way you would treat IFC (internal financial controls): build the inventory, design the controls, evidence the operation, and audit the outcome. The legal questions become much easier to answer when the underlying machinery is in place.
This article is for general information only and does not constitute legal or professional advice. For engagement-specific DPDP readiness reviews, please write to contact@zarkca.in.