India’s Digital Personal Data Protection (DPDP) Rules—released after years of consultations—mark a decisive step toward creating a mature, enforceable data protection environment. For enterprises, the Rules bring welcome clarity, but also a clear message: compliance must be embedded into technology, governance, and day-to-day business operations.
To decode the practical implications of the new Rules, Express Computer spoke with Lalit Kalra, Partner – Cybersecurity Consulting at EY India, who shared deep insights into the risk-based obligations, enforcement expectations, and the operational readiness Indian companies need to build.
High-Risk Processing: The Real Compliance Trigger
According to Lalit Kalra, one of the government’s key focus areas is the identification and governance of “high-risk” processing activities. These are activities where the misuse or breach of personal data can significantly harm the Data Principal.
Kalra explains:
“High-risk processing is going to be the real inflection point for compliance. Organizations dealing with large or sensitive data sets—especially those making automated decisions with human fallout—will need far stronger controls. The Rules make it clear that such data flows must be identified, assessed, and continuously monitored through structured governance.”
Industries that run large-scale automated decision systems—such as BFSI, healthcare, telecom, and digital-first platforms—will need to assess both algorithmic and operational risks in a more disciplined way.
User Accounts & Digital Ecosystems: A Broader Compliance Perimeter
The Rules introduce an expanded definition of “User Account”, impacting any digital service where access, personalization, or transactions depend on user identity.
Kalra notes:
“Digital companies must now understand how and where personal data is being stored, enriched, and shared—whether with affiliates, partners, or third-party processors. The DPDP framework expects organizations to maintain full visibility into their downstream ecosystem. That means clearer contracts, tighter integrations, and systematic monitoring of data flows.”
This places responsibility not just on first-party platforms, but also on cloud providers, analytics partners, marketing ecosystems, and SaaS platforms that store or process personal data.
CERT-In + DPB: A New Era of Coordinated Enforcement
One of the most consequential structural changes is the alignment between CERT-In (India’s cybersecurity incident authority) and the Data Protection Board (DPB), which will oversee personal data breaches.
Kalra highlights a major shift:
“The Act clearly mandates timely and transparent breach reporting. Organizations must have the ability to detect incidents fast, assess personal-data impact, and communicate with both CERT-In and the DPB. This means businesses need stronger incident response playbooks, better data classification, and automated monitoring capabilities.”
The Rules signal an era of “zero-tolerance for opacity”, pushing companies toward more mature breach readiness.
Notices & Consent: Simpler Format, Higher Expectations
While the Rules offer flexibility in how organizations design consent notices, the responsibility to maintain clarity remains high.
Kalra explains:
“The DPDP Rules allow notices to be customised, but not diluted. Users must know what data is being collected, why it is being used, and who it will be shared with. Organizations will have to rebuild their notice frameworks—especially those with multilingual or multi-platform interfaces—to ensure full transparency.”
This is especially relevant for digital businesses with layered data collection across apps, web portals, chatbots, and automated systems.
The Road Ahead: Governance, Automation & Accountability
Summing up the practical implications for enterprises, Kalra emphasizes that the DPDP regime is not merely a legal requirement but a structural shift toward ethical, human-centric digital systems.
“Compliance now needs to live inside the product lifecycle. Organizations must establish robust governance, improve visibility of data flows, strengthen incident management, and ensure traceable accountability. Automation, AI-driven monitoring, and well-defined controls will be essential for sustainable compliance.”
EY India expects that over the next 12–18 months, companies will invest heavily in:
- Data discovery and classification
- Data-flow mapping
- High-risk processing assessments
- Consent frameworks
- Ecosystem contract modernization
- Breach readiness enhancement
The DPDP Rules mark a major inflection point for India’s digital economy. With high-risk processing, breach accountability, ecosystem responsibility, and user transparency at the core, the Rules push organizations toward a mature, globally aligned privacy posture.
As Lalit Kalra stresses, the winners will be those who treat DPDP not as a compliance challenge, but as an opportunity to build trust, transparency, and resilience into their digital foundations.