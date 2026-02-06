Executive Summary

This article examines India's Digital Personal Data Protection Act, 2023 (DPDP Act) not as an immediate checklist-based compliance regime, but as a conduct- and governance-driven regulatory framework whose enforcement is deliberately phased over time. While the Act and the DPDP Rules, 2025 have been notified, most substantive obligations are subject to staged commencement extending into 2026–27, signalling a conscious legislative choice to prioritise institutional preparedness before hard enforcement.

The focus of this playbook is therefore not on theoretical compliance, but on how liability under the DPDP Act is likely to be constructed and assessed in practice. It explains how concepts such as "reasonable safeguards", "appropriate response", and breach awareness are designed to be evaluated contextually, how penalties are discretionary and conduct-based rather than automatic, and why governance choices made during the current preparatory phase will form the evidentiary baseline when enforcement matures. The article is intended for organisations and advisors who need to understand how the DPDP framework will judge conduct, not merely what the statute prescribes.

I. Why the DPDP Act Matters — but Not in the Way It's Being Marketed

The Digital Personal Data Protection Act, 2023 is frequently described as India's long-awaited privacy law or as an imminent compliance regime backed by penalties of up to ₹250 crore. Both descriptions are incomplete.

The DPDP Act does not primarily matter because it introduces new forms, notices, or technical safeguards. It matters because it changes the basis on which data-related liability will be assessed in India. The law moves away from a narrow, damages-based model and towards a governance- and conduct-driven regulatory framework, where organisational preparedness and response will matter as much as, or more than, the occurrence of a breach.

Equally important is what the DPDP Act does not do at this stage. While the DPDP Act and the DPDP Rules, 2025 have been notified, the Central Government has expressly provided for staged commencement of substantive obligations. Most operational compliance requirements, particularly those relating to safeguards, breach notification, and enhanced fiduciary duties, are scheduled to come into force in later phases extending into 2026–27. This is not an accident. It reflects a conscious legislative choice to allow institutions time to adapt before enforcement hardens.

As a result, the DPDP framework currently operates as a transitional and preparatory regime, rather than an immediate compliance code. The risk for organisations lies not in failing to meet a checklist today, but in failing to use this window to design defensible governance structures.

When enforcement eventually matures, scrutiny is unlikely to focus on isolated technical failures. It will focus on how data governance decisions were taken, documented, and implemented during this preparatory phase.

II. The Transitional Reality: Why the DPDP Act Is "In Force", Yet Largely Preparatory

A close reading of the DPDP Rules, 2025 reveals a clear legislative design: most substantive compliance obligations are intentionally deferred, with phased timelines extending into 2026 and 2027. The Rules themselves expressly contemplate staggered commencement of different obligations, rather than immediate full operationalisation.

For example, there are no operational Consent Managers today.

While the concept of Consent Managers is recognised under the Act and elaborated in the Rules, the registration, operationalisation and interoperability requirements are deferred, with timelines commencing 12 months from notification under the relevant Rules. As a result, no functional consent-management ecosystem presently exists.

Similarly, several safeguard obligations are framed, but their operational content and enforceability are deferred.

Rules dealing with data security and breach response—such as Rule 6(1)(a) and Rule 6(1)(b) (technical and organisational safeguards) and Rule 7 (intimation of personal data breaches)—set out the nature of obligations that will apply upon their commencement. These provisions fall within the category of Rules whose enforcement has been expressly deferred under the notified commencement timeline, and are therefore not presently operational.

Additionally, even when these provisions become operational in 2026–27, it is noteworthy that:

No bright-line technical or industry standards are prescribed.

Expressions such as "appropriate security measures" (Rule 6) and "without delay" (Rule 7) are deliberately open-textured. The Rules do not mandate adherence to any specific industry standard, nor do they create statutory safe harbours pending further guidance or adjudication.

It follows that, at present, the DPDP framework operates less as a conventional compliance code and more as a regulatory signal coupled with a preparation window. The statute and Rules together indicate how data-governance conduct will be evaluated in the future, while granting time to align internal systems, policies and decision-making processes.

III. How Liability Will Be Constructed Under the DPDP Act: Sections 8, 9 and 10 Read with Rules 6 and 7

The DPDP Act contains several provisions, but only a limited subset will likely drive real enforcement outcomes.

The DPDP Act does not construct liability through prescriptive commands. Instead, it does so through open-textured statutory prescriptions, illustrated partially, and without exact definition, by the Rules. Sections 8(5) and 8(6) provide the core liability hooks; Rules 6 and 7 add illustrative guidance without closing interpretive space.

A. Sections 8(5) and 8(6): the statutory duty layer

Section 8(5) requires Data Fiduciaries to take reasonable safeguards to prevent personal data breaches. Section 8(6) requires them to respond appropriately if a breach occurs.

The Act does not define "reasonable safeguards" or "appropriate response", nor does it prescribe technical baselines or procedural checklists. This drafting choice appears to be deliberate. These provisions will be the primary hooks for penalties, because they allow regulators to examine conduct rather than mere outcomes.

In enforcement terms, the inquiry will not be limited to whether a breach occurred. It will examine how risk was anticipated, mitigated, detected, escalated, and addressed.

B. Rule 6: illustrative guidance on safeguards (more specific, but not definitive)

Rule 6(1)(a) and Rule 6(1)(b) introduce a second layer of analysis by indicating what "reasonable safeguards" may include. The Rule refers, illustratively, to:

encryption,

obfuscation or masking,

virtual tokens mapped to personal data, and

access controls over computer resources.

This guidance is meaningfully more specific than the Act, which is silent on the content of safeguards. However, the Rule is still not definitively prescriptive. It does not mandate particular technologies, prescribe minimum standards, or designate any industry benchmark as sufficient.

Rule 6 informs the regulator's assessment of reasonableness without converting safeguards into a checklist or creating statutory safe harbours.
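The following Python example is added here to make the Rule 6(1)(a) and 6(1)(b) illustrations concrete; it is not from the Act, the Rules, or the original article, and the record, field names, roles, policy and token format in it are constructed for illustration. It shows masking (an irreversible display form), virtual tokens that are random values mapped to personal data inside a vault rather than derived from it, and an access-control check that gates detokenisation and logs every attempt, so that the safeguard produces its own evidence of use.

```python
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample record (illustrative only; not real data).
SAMPLE_RECORD = {"name": "A. Sharma", "mobile": "+919876543210", "pan": "ABCDE1234F"}


def mask(value: str, keep_last: int = 4) -> str:
    """Obfuscation/masking: an irreversible display form that keeps only the tail."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


class TokenVault:
    """Virtual tokens mapped to personal data.

    Tokens are random values, not hashes or encryptions of the data, so a
    leaked token set reveals nothing without the vault. The mapping exists
    only here, and detokenisation is gated by a role check that is logged.
    """

    def __init__(self, policy: Dict[str, Set[str]]):
        self._policy = policy                                   # field -> roles allowed to detokenise
        self._token_to_entry: Dict[str, Tuple[str, str]] = {}   # token -> (field, value)
        self._value_to_token: Dict[Tuple[str, str], str] = {}
        self.access_log: List[Tuple[str, str, str, bool]] = []  # (role, field, token, allowed)

    def tokenize(self, field: str, value: str) -> str:
        """Return a stable token for (field, value): the same value always maps to the same token.

        Stability lets systems join on the token without seeing the value, at the
        cost that equal values are visibly equal; issue per-use tokens if that matters.
        """
        key = (field, value)
        if key not in self._value_to_token:
            token = f"tok_{field}_{secrets.token_hex(8)}"   # constructed token format
            self._value_to_token[key] = token
            self._token_to_entry[token] = (field, value)
        return self._value_to_token[key]

    def detokenize(self, token: str, field: str, role: str) -> Optional[str]:
        """Access control over the computer resource: only permitted roles get the value back.

        The field is checked against the one the token was issued for, so a
        PAN token cannot be redeemed through a role that is only cleared for mobiles.
        Every attempt, allowed or refused, is appended to the access log.
        """
        entry = self._token_to_entry.get(token)
        allowed = (
            entry is not None
            and entry[0] == field
            and role in self._policy.get(field, set())
        )
        self.access_log.append((role, field, token, allowed))
        return entry[1] if allowed else None


def tokenize_record(vault: TokenVault, record: Dict[str, str], fields: List[str]) -> Dict[str, str]:
    """Replace the named fields with vault tokens; everything else is copied unchanged."""
    out = dict(record)
    for f in fields:
        out[f] = vault.tokenize(f, record[f])
    return out


if __name__ == "__main__":
    vault = TokenVault(policy={"mobile": {"support"}, "pan": {"finance"}})
    stored = tokenize_record(vault, SAMPLE_RECORD, ["mobile", "pan"])
    print("stored row:", stored)
    mobile = vault.detokenize(stored["mobile"], "mobile", "support")
    print("support view of mobile:", mask(mobile) if mobile else None)
    print("analytics view of mobile:", vault.detokenize(stored["mobile"], "mobile", "analytics"))
    print("access log:", vault.access_log)
```

Two design points matter for the "reasonableness" argument the text describes. First, the tokens are random rather than hashed: a hash of a ten-digit mobile number or a PAN is reversible by enumeration, while a random token carries no information about the value. Second, the vault itself becomes the asset to protect; in a real deployment it would be encrypted at rest (the Rule 6(1)(a) encryption limb, not shown here) and administered separately from the systems that hold the tokens, and the access log it produces is exactly the kind of record a fiduciary would rely on when explaining who could reach the data and when.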

C. Rule 7: breach reporting and the meaning of "becoming aware"

Rule 7 requires intimation of a personal data breach to affected Data Principals and the Board "on becoming aware", and "without delay". The Rule specifies the content of such intimation, and it fixes one outer bound for the Board (a detailed report within 72 hours of becoming aware, extendable on request), but it does not define the threshold for awareness or what "without delay" means for the initial intimation.

Here again, the Rule adds structure without fixing boundaries. Whether an organisation "became aware" of a breach will inevitably be judged against:

the existence of detection mechanisms,

monitoring and logging capability, and

internal escalation and decision-making processes.

A claim of non-awareness will therefore be tested not as a factual assertion, but as a governance question: was the organisation reasonably capable of becoming aware?

D. Section 9: children's data as a carve-out, not a different philosophy

Section 9 imposes heightened obligations for the processing of children's personal data. While operational detail is supplied through the Rules, the legislative signal is clear: tolerance for lapses will be materially lower.

This is not a departure from the conduct-based framework. It is the same framework with the tolerance dialled down. In future enforcement, failures involving children's data are likely to be treated as aggravated non-compliance, even where similar conduct might attract more measured scrutiny elsewhere.

E. Section 10: Significant Data Fiduciaries — enhanced duties through designation

Section 10 empowers the Government to designate certain entities as Significant Data Fiduciaries, triggering additional obligations such as:

periodic audits,

data protection impact assessments (DPIAs), and

enhanced compliance oversight mechanisms.

Crucially, the Act does not fix rigid thresholds for such designation. The criteria are framed broadly and include factors such as:

volume and sensitivity of personal data processed,

risk of harm to Data Principals, and

impact on sovereignty, public order or electoral democracy.

This is a deliberate retention of regulatory discretion. Rather than prescribing bright-line thresholds, Section 10 allows enhanced obligations to be imposed contextually and dynamically, based on risk rather than form.

In enforcement terms, Section 10 does not create a separate liability regime. Instead, it raises the expected standard of governance. What may qualify as "reasonable safeguards" or an "appropriate response" under Section 8 for an ordinary Data Fiduciary may be insufficient once an entity is classified as significant.

F. What remains intentionally undefined

Even when the Rules become fully operational in 2026–27, critical concepts will remain open:

what safeguards are "appropriate" for a given organisation,

how quickly reporting must occur to satisfy "without delay", and

what detection capability is "reasonable".

This is not a drafting omission. It is discretion preserved by design, to be exercised by the Data Protection Board and, ultimately, tested through appellate and constitutional review.

Practical Takeaway

Liability under the DPDP Act will not turn on technical perfection.

It will turn on whether an organisation can demonstrate reasonable governance aligned with risk, assessed through the combined lens of Sections 8, 9 and 10 and Rules 6 and 7. Until judicial and regulatory interpretation fills the gaps, industry practices may function as defensive evidence in the absence of prescribed statutory safe harbours. Decisions taken, documented, and implemented during the current preparatory phase will form the evidentiary baseline when enforcement hardens.

IV. Who Is Likely to Be Affected First — A Risk-Based Enforcement Inference

As a matter of law, the DPDP Act applies to every Data Fiduciary processing digital personal data — including employers, consumer-facing businesses, financial institutions, healthcare providers, SaaS companies, professional service firms, logistics providers, and entities outsourcing data processing.

The Act and Rules do not prescribe any sector-wise enforcement priority.

However, regulatory enforcement in data protection regimes has historically been risk-led rather than uniform, and the architecture of the DPDP Act itself suggests a similar trajectory.

The following categories are therefore identified not as statutory targets, but as likely early candidates for scrutiny based on scale, sensitivity, and governance risk.

A. HR-heavy organisations (employee data exposure)

Employee data squarely qualifies as personal data under the DPDP Act. In practice, however, employee datasets are often the least governed internally, despite being extensive and sensitive.

HR systems typically process identity data, financial and payroll information, health and insurance details, performance metrics, and behavioural records. Access is often broad, retention periods undefined, and vendor involvement substantial.

B. Consumer-facing platforms with secondary or downstream data use

Platforms that process personal data beyond immediate transactional necessity (analytics, profiling, cross-use, or monetisation) present heightened justification and accountability challenges.

Regulatory scrutiny in such cases is unlikely to focus on collection alone, but on purpose limitation, transparency, and internal consistency between stated use and actual processing.

Again, this is not because the statute singles them out, but because such models inherently raise greater questions of proportionality and consent fidelity.

C. Fintech, health, and SaaS businesses

Entities operating at the intersection of high-volume processing and sensitive data are structurally exposed, even in the absence of formal designation as Significant Data Fiduciaries.

This inference flows directly from the Act's design:

sensitivity of data is a recognised risk factor,

scale amplifies potential harm,

and Section 10 expressly contemplates differentiated obligations based on such factors.

In effect, the "reasonable safeguards" standard is elastic, and what qualifies as reasonable will be judged more stringently where risk is inherently higher.

D. Businesses heavily dependent on processors and vendors

The DPDP framework places primary accountability on the Data Fiduciary, not on downstream processors.

Organisations with deep vendor ecosystems (cloud services, payroll processors, CRM tools, analytics providers) face indirect exposure where:

processor due diligence is weak,

contractual safeguards are generic, or

monitoring and escalation rights are absent.

Does the absence of Consent Managers affect the obligations of Data Fiduciaries?

The Act envisages Consent Managers as independent entities acting on behalf of Data Principals through interoperable platforms. No such ecosystem is operational today, and Data Fiduciaries are not required to appoint or integrate with Consent Managers to discharge current obligations.

Their absence does not dilute fiduciary duties. At most, it informs how consent systems should be designed — portable and reversible so that future integration, if and when it occurs, does not require structural overhaul.

V. What Organisations Should Do Now — Building Defensible Governance During the Preparatory Phase

The current phase of the DPDP framework is best understood as a defensibility window. The objective is not to achieve theoretical compliance with an unfinished regime, but to ensure that when conduct is later examined, it appears reasoned, proportionate, and documented.

A. Shift from "compliance thinking" to "governance thinking"

The DPDP Act and Rules do not appear to reward box-ticking. They reward reasoned decision-making aligned with risk.

At this stage, organisations should focus on:

identifying what personal data they process,

why it is processed,

where it flows internally and externally, and

who is accountable for decisions at each stage.

This exercise is not purely operational. It is a governance and risk-allocation exercise, because future scrutiny will examine why choices were made, not merely what tools were deployed.

B. Data mapping and purpose discipline

A defensible posture begins with data mapping tied to purpose, not generic inventories.

Key questions that will matter later include:

whether each category of personal data is clearly linked to a lawful and articulated purpose,

whether purpose expansion or secondary use has been consciously evaluated, and

whether retention and access decisions reflect reasoned judgment rather than inherited legacy practice.

These determinations ultimately shape how Sections 8(5) and 8(6) are applied in enforcement.

C. Safeguards as a governance choice, not a shopping list

Rule 6 illustrates possible safeguards but does not mandate any particular standard. Organisations should therefore avoid treating safeguard selection as a procurement exercise.

What will matter is whether:

safeguards are proportionate to the nature and sensitivity of the data,

the rationale for choosing them is recorded, and

alternatives were considered and consciously rejected.

We believe that in enforcement proceedings, documented reasoning will often carry more weight than the sophistication of the technology itself.

D. Breach preparedness and the "awareness" question

Rule 7 links reporting obligations to the point at which an organisation "becomes aware" of a breach. That awareness will not be assessed in isolation.

Organisations should ensure that:

detection and monitoring mechanisms exist,

escalation thresholds are defined,

incident-response authority is clearly allocated, and

response timelines are understood internally.

It appears that an inquiry will not be limited to whether a breach occurred, but whether the organisation was reasonably capable of becoming aware and responding as a responsible fiduciary.
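Sections III.C and V.D above both turn on whether an organisation was "reasonably capable of becoming aware". The Python example below is added here and is not part of the original article; it shows what that capability looks like in its smallest form: a detection rule run over an access log, with the moment the rule fired recorded as the awareness timestamp and the human review time recorded separately, so that triage lag is measured rather than asserted after the fact. The log lines, table and role names, the 1,000-row threshold and the review time are all constructed assumptions; the 72-hour default reflects the Rule 7(2) window for the detailed report to the Board and is kept as a parameter rather than hard-coded as a legal conclusion.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample access log (illustrative only; not from any real system).
# Field order: ISO timestamp | user | role | action | table | rows
SAMPLE_LOG = """\
2026-01-12T09:02:11Z|ananya|hr_ops|read|employees|1
2026-01-12T09:15:40Z|ananya|hr_ops|read|employees|3
2026-01-12T23:41:05Z|svc_backup|service|export|employees|18452
2026-01-13T02:10:59Z|rahul|analytics|export|employees|2200
2026-01-13T08:05:00Z|priya|hr_ops|export|employees|40
2026-01-13T08:20:12Z|priya|hr_ops|read|employees|1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<user>[^|]+)\|(?P<role>[^|]+)\|"
    r"(?P<action>[^|]+)\|(?P<table>[^|]+)\|(?P<rows>\d+)$"
)

# Assumed governance decisions, written down as code so they are reviewable:
PERSONAL_DATA_TABLES = {"employees"}   # tables that hold personal data
EXPORT_ROLES = {"hr_ops"}              # roles permitted to export those tables
BULK_THRESHOLD = 1000                  # rows in one export that triggers escalation
REPORT_WINDOW_HOURS = 72               # Rule 7(2) window for the detailed report to the Board


def parse_log(text: str) -> List[Dict]:
    """Parse the pipe-delimited log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def detect(events: List[Dict]) -> List[Dict]:
    """Flag exports of personal-data tables that are bulk, by an unauthorised role, or both."""
    alerts = []
    for e in events:
        if e["table"] not in PERSONAL_DATA_TABLES or e["action"] != "export":
            continue
        reasons = []
        if e["rows"] >= BULK_THRESHOLD:
            reasons.append(f"bulk export of {e['rows']} rows")
        if e["role"] not in EXPORT_ROLES:
            reasons.append(f"role '{e['role']}' is not authorised to export")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "reasons": reasons})
    return alerts


def open_incident(alerts: List[Dict], reviewed_at: datetime,
                  report_window_hours: int = REPORT_WINDOW_HOURS) -> Optional[Dict]:
    """Build the incident record.

    Awareness is pinned to the timestamp of the first alert, not to the moment
    a human read it; the gap between the two is stored as triage lag so any
    delay is measured rather than explained away later.
    """
    if not alerts:
        return None
    first = min(alerts, key=lambda a: a["ts"])
    return {
        "aware_at": first["ts"],
        "reviewed_at": reviewed_at,
        "triage_lag_hours": (reviewed_at - first["ts"]).total_seconds() / 3600,
        "report_due_by": first["ts"] + timedelta(hours=report_window_hours),
        "alert_count": len(alerts),
        "users": sorted({a["user"] for a in alerts}),
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    alerts = detect(events)
    for a in alerts:
        print(a["ts"].isoformat(), a["user"], "; ".join(a["reasons"]))
    # Constructed review time: the morning after the overnight exports.
    print(open_incident(alerts, reviewed_at=datetime(2026, 1, 13, 8, 30, 0)))
```

The detection rule is deliberately simple; the point is the record it leaves behind. With this in place, a later inquiry of the kind the text describes can be answered with timestamps: the overnight service-account export fired an alert at 23:41, the alert was reviewed the next morning, and the report clock is computed from the alert rather than from the review. Without the rule, the same export would sit in the log unread and the organisation would have to argue that it was not "aware", which is exactly the position the article says will be tested as a governance question.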

E. Vendor and processor alignment

Since accountability remains with the Data Fiduciary, organisations should revisit:

data-processing agreements,

audit and information rights,

breach notification obligations, and

allocation of responsibility during incidents.

This is not merely contractual hygiene. It is advance risk allocation for future enforcement.

F. Legal audit, due diligence, and documentation discipline

DPDP readiness cannot be reduced to an IT or cybersecurity function. Many operative standards under the Act, such as "reasonable safeguards", "appropriate response", and "without delay", are deliberately imprecise. Alongside technical inputs, whether a given set of measures amounts to "reasonable safeguards" or an "appropriate response" will also be a matter of reasoned legal interpretation.

In practice, organisations are increasingly addressing this through:

targeted legal audits of data governance practices,

legal due diligence reviews of data flows, consent architecture, and vendor arrangements, and

periodic independent assessment of breach response and documentation protocols.

Such exercises do not aim to certify perfection. Their value lies in surfacing judgment calls, recording the rationale behind them, and creating an evidentiary trail that demonstrates good-faith governance.

Technical controls address how data is protected.

Legal audit and due diligence address why particular choices were made and how those choices align with statutory duties.

VI. The ₹250 Crore Question — Why It Is Not About the Number, and Why Fear Is Misplaced

The figure of ₹250 crore has attracted disproportionate attention. Read in isolation, it appears punitive; read in context, it serves a different function. It is an upper cap, not a presumptive outcome, intended to signal the seriousness with which data-governance failures may be treated, rather than to predict routine penalty levels.

The DPDP Act does not create a tariff-based or automatic penalty regime. There is no minimum penalty prescribed under the Act. The imposition of a penalty is discretionary, not mandatory, and is conditioned on a contextual assessment of conduct. A personal data breach, by itself, does not mechanically translate into penal liability.

Section 33(2) makes clear that penalty determination is a calibrated and reasoned exercise, guided by multiple statutory factors rather than the mere occurrence of a breach. These include the nature, gravity and duration of the contravention; the type and nature of personal data affected; whether the contravention is repetitive; any gain or avoidance of loss resulting from the contravention; and the promptness and effectiveness of measures taken to mitigate the effects of the breach, viewed through the lens of proportionality and effectiveness.

The structure of these factors underscores a central point: penalties under the DPDP Act turn on conduct, not on outcomes alone.

In practical terms, proceedings before the Data Protection Board are unlikely to resemble strict-liability adjudication. The inquiry will be narrative and contextual. It will examine whether the organisation had reasonable safeguards in place, whether risks were identified and addressed in advance, whether detection and escalation mechanisms were functional, and whether the response to an incident was timely, proportionate and documented.

Importantly, the absence of a minimum penalty means that it is legally open to the authority to impose no penalty at all, even where a breach has occurred. Where an organisation can demonstrate preparedness, reasonable governance choices, and good-faith response, a breach may be treated as an unfortunate event rather than a punishable failure.

What aggravates exposure is not the breach itself, but institutional indifference—silence where judgment was required, inertia where action was expected, and the absence of any documented governance rationale. Conversely, preparedness and response are not merely defensive measures; they are statutory mitigation factors built into the penalty architecture.

Seen in this light, the DPDP Act is less about punishing data breaches, and far more about penalising sustained or systemic disregard for data governance obligations. The ₹250 crore ceiling is not a forecast of outcomes. It is a reminder that where governance failure is reckless, repeated or indifferent, the law is designed to respond with commensurate seriousness.

About the Author

Ruchika holds an M.Sc. (IT) and an LLB. She is a practising advocate specialising in IT-related disputes, contracts and compliance, and also advises and represents clients in various other areas.

