The Digital Personal Data Protection (DPDP) Act is redefining how Indian enterprises view and manage both privacy and cybersecurity. This isn’t just a compliance requirement—it’s a structural transformation demanding holistic action across legal, IT, product, and leadership teams.
“It’s a culture shift, not just a checklist,” says Mini Gupta, Partner – Cybersecurity Consulting at EY.
From policy to practice: The privacy overhaul
Identifying where personal data lives, across apps, legacy systems, and cloud platforms, is proving one of the most complex challenges for Indian enterprises. Real compliance, as Gupta outlines, means setting up privacy structures and consent management frameworks, and implementing mechanisms to honour user rights such as access, erasure, and consent withdrawal in real time.
Organisations are increasingly deploying AI/ML-powered data discovery tools, creating metadata-driven governance, and classifying data along dual axes—security and privacy. They are also conducting legacy data audits to minimise exposure.
Responsible innovation and trust by design
Gupta explains that DPDP doesn’t stifle innovation—it calls for more thoughtful design. Layered consent, anonymisation, and privacy-enhancing technologies like federated learning are enabling data-driven insights without compromising identity. Enterprises are embedding Privacy by Design from the ideation stage, aligning ethical governance with user trust.
“Privacy-consciousness can be a competitive edge,” Gupta asserts.
Cybersecurity’s elevated role in the DPDP era
DPDP is triggering a shift from network-centric to data-centric cybersecurity. Organisations are redesigning architectures to enforce data minimisation via purpose-bound APIs, encryption, access controls, and real-time monitoring—even in backups and logs.
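The following is an added illustration written for this page; it is not code from the article, from EY, or from any product the article mentions. It shows one way to make the “purpose-bound API” and consent-withdrawal mechanisms described above (and in the section on honouring user rights) concrete: every personal-data field is tagged with the purposes it may serve, a consent ledger records grants and withdrawals without deleting history, and the API releases only the fields that are both bound to the requested purpose and covered by consent active at the time of the request. The field-to-purpose map, the ledger schema, the principal identifier and the sample record are all constructed assumptions, and the audit trail stores field names only, never values, so it can serve as evidence of how access was controlled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Hypothetical classification (constructed for this example): a field may leave
# the store only for a purpose it is tagged with. Real systems derive this from
# the privacy axis of their data classification.
FIELD_PURPOSES: Dict[str, Set[str]] = {
    "email":   {"account_service", "marketing"},
    "phone":   {"account_service", "delivery"},
    "address": {"delivery"},
    "dob":     {"kyc"},
}


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, t: datetime) -> bool:
        # Withdrawal takes effect at the instant it is recorded.
        return self.granted_at <= t and (self.withdrawn_at is None or t < self.withdrawn_at)


class ConsentLedger:
    """Append-only record of consent grants and withdrawals per data principal."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[Consent]] = {}

    def grant(self, principal: str, purpose: str, at: datetime) -> None:
        self._entries.setdefault(principal, []).append(Consent(purpose, at))

    def withdraw(self, principal: str, purpose: str, at: datetime) -> None:
        # Close every open grant for the purpose; nothing is deleted, so the
        # history stays available as evidence.
        for c in self._entries.get(principal, []):
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at

    def consented(self, principal: str, purpose: str, at: datetime) -> bool:
        return any(c.purpose == purpose and c.active_at(at)
                   for c in self._entries.get(principal, []))


@dataclass
class Decision:
    principal: str
    purpose: str
    at: datetime
    released: List[str]       # field names only, never values
    denied: Dict[str, str]    # field name -> reason


class PurposeBoundAPI:
    """Releases fields only for a purpose they are bound to and consented for."""

    def __init__(self, ledger: ConsentLedger, store: Dict[str, Dict[str, str]]) -> None:
        self.ledger = ledger
        self.store = store
        self.audit: List[Decision] = []

    def fetch(self, principal: str, purpose: str, fields: List[str], at: datetime) -> Dict[str, str]:
        record = self.store.get(principal)
        released: Dict[str, str] = {}
        denied: Dict[str, str] = {}
        for f in fields:
            if record is None or f not in record:
                denied[f] = "no record (erased or never collected)"
            elif purpose not in FIELD_PURPOSES.get(f, set()):
                denied[f] = f"field not bound to purpose {purpose!r}"
            elif not self.ledger.consented(principal, purpose, at):
                denied[f] = "no active consent for purpose"
            else:
                released[f] = record[f]
        self.audit.append(Decision(principal, purpose, at, sorted(released), denied))
        return released

    def erase(self, principal: str) -> None:
        """Right to erasure: drop the values; the audit trail of decisions remains."""
        self.store.pop(principal, None)


def demo() -> Dict[str, object]:
    """Walk one constructed principal through consent, withdrawal and erasure."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("principal-1", "account_service", t0)
    ledger.grant("principal-1", "marketing", t0)
    store = {"principal-1": {"email": "p1@example.invalid", "phone": "+91-0000000000",
                             "address": "constructed", "dob": "1990-01-01"}}
    api = PurposeBoundAPI(ledger, store)
    # Marketing is bound to email only: phone and dob are withheld regardless of consent.
    m1 = api.fetch("principal-1", "marketing", ["email", "phone", "dob"], t0 + timedelta(days=1))
    ledger.withdraw("principal-1", "marketing", t0 + timedelta(days=2))
    # A request at the withdrawal instant is already denied.
    m2 = api.fetch("principal-1", "marketing", ["email"], t0 + timedelta(days=2))
    # Account servicing is unaffected by the marketing withdrawal.
    s1 = api.fetch("principal-1", "account_service", ["email", "phone"], t0 + timedelta(days=3))
    api.erase("principal-1")
    s2 = api.fetch("principal-1", "account_service", ["email"], t0 + timedelta(days=4))
    return {"m1": m1, "m2": m2, "s1": s1, "s2": s2, "audit": api.audit}


if __name__ == "__main__":
    for d in demo()["audit"]:
        print(d)
```

The design point is that minimisation and consent are enforced per field at the point of release, not left to the calling application, and that the ledger keeps withdrawn grants rather than deleting them, so the organisation can later show when consent existed and when it ceased.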
Cross-border data transfer, too, is under scrutiny. With the Central Government’s notification of countries to which transfers are restricted still pending, companies are localising sensitive data and rearchitecting flows with layered safeguards.
Breach readiness is another critical area. Enterprises are preparing privacy-specific response plans, breach simulations, and automated alerts for unusual activity. Gupta emphasises, “You’ll need to prove how you secured data—not just that you tried.”
Boardroom mandate: Governance, risk, and cyber resilience
Perhaps the biggest shift is the board-level accountability now required. The DPDP Act makes cybersecurity a business risk, not just an IT issue. Data Protection Officers are being empowered to drive enterprise-wide accountability, and risk registers are being integrated into broader governance frameworks.
Boards must now demonstrate due diligence through regular audits, incident simulations, and regulatory reporting, to avoid financial penalties and reputational loss. Metrics around trust, downtime, and compliance are being used to justify cybersecurity investments.
“Cybersecurity is a team sport,” Gupta concludes, affirming that it needs cross-functional leadership and strategic sponsorship.
A new operating model for data protection
As enterprises navigate this dual transformation of privacy and cybersecurity, the DPDP Act is acting as both a regulatory push and an innovation opportunity.
Those who embrace privacy as a pillar of user trust and cybersecurity as a boardroom priority will not only comply, but lead.