Insight · 30 Apr 2026 · 10 min read

#Bharat is as prepared for the DPDP Act as Zimbabwe is prepared for the ‘Kabaddi’ Gold! – #DhananjayRokde #iManEdge

A #SecuringBharat Practitioner’s Unfiltered Assessment
Dhananjay | Founder & vCISO, iManEdge Digital Services Bharat Pvt. Ltd.

Imagine the scene: The whistle blows. The “raider” crosses the baulk line, chanting aggressively. And the defending team — having never seen a mud mat in their lives, wearing cricket spikes, and frantically reading a rulebook they bought five minutes ago — just stands there waiting to get absolutely flattened.

This is the exact state of India Inc. facing the Digital Personal Data Protection Act (DPDPA).

We are about to step onto a high-contact, high-stakes regulatory mat, and the vast majority of organisations are completely out of their depth. They are treating a fundamental, existential shift in data sovereignty like a routine IT compliance tick-box exercise. The November 2025 notification of the DPDP Rules officially started the clock, giving enterprises a phased runway — Consent Manager obligations by November 2026, full enforcement by the hard stop of May 13, 2027. Yet, instead of building the requisite engineering muscle, the corporate ecosystem is entangled in legal illusions, imported playbooks, and paper frameworks that would collapse under the first breath of real regulatory scrutiny.

Here is why the corporate “defence” is about to collapse, why the current strategy is a guaranteed loss, and what the entire ecosystem must do to survive the incoming raid.


⚖️ The Supreme Court Battlefield: Why PILs Are Landing Directly at the Apex Court

There is a chaotic, and dangerously comforting, distraction occurring at the highest levels of the Indian judiciary — and it is sedating corporate boardrooms into a false sense of security.

Since early 2026, a coordinated barrage of Public Interest Litigations has bypassed the High Courts entirely, landing directly on the desk of the Chief Justice of India at the Supreme Court under Article 32. On February 16, 2026, the Supreme Court issued notices to the Union of India in three petitions simultaneously: Venkatesh Nayak v. Union of India (W.P.(C) 177/2026), The Reporters Collective Trust & Anr. v. Union of India (W.P.(C) 211/2026), and the National Campaign for Peoples Right to Information v. Union of India. The Court referred the core constitutional questions to a larger bench, explicitly acknowledging the issues are “complex,” “sensitive,” and directly implicate fundamental rights for privacy and transparency.

But Why Article 32? Why Not the High Courts?

Because this is not a statutory dispute. It is a constitutional collision. The DPDPA’s Section 44(3) quietly orchestrated one of the most consequential yet under-reported surgical strikes on democratic accountability in recent Indian legislative history — the effective gutting of Section 8(1)(j) of the Right to Information (RTI) Act. By creating a blanket exemption for anything classified as “personal information,” the Act has handed the executive a near-impenetrable shield against public scrutiny, triggering a full-blown Article 19(1)(a) and Article 21 constitutional crisis. Simultaneously, Sections 17(1)(c) and 17(2), which grant sweeping exemptions to government instrumentalities under the guise of national security, have raised alarms of an unchecked surveillance apparatus.

“The corporate boardroom whisper — ‘The Supreme Court is going to stay the Act’ — is not a strategy. It is a ₹250 Crore gamble on legal astrology.”

The Supreme Court has explicitly and categorically refused to grant any interim stay on the DPDP Rules or the Act’s operation. Even if the Court eventually strikes down the RTI amendments, the core obligations placed upon private enterprises regarding consumer personal data will remain completely intact. The raider doesn’t care about your legal team’s WhatsApp updates on bench compositions.


🔴 Is Bharat Really Prepared? A Hard Look at the Pre-Existing Record

Before we even touch the DPDPA, let us ask a more fundamental question: Can an enterprise sector that has consistently failed its existing regulatory cybersecurity mandates be expected to meet an entirely new one?

The RBI front: In a single recent assessment cycle, the RBI issued 353 penalties totalling ₹54.78 crore for IT security lapses across institutions. Kotak Mahindra Bank drew ₹3.95 crore for IT security deficiencies. Punjab National Bank and Yes Bank faced penalties for the same category of failure. ICICI Bank and Deutsche Bank India were named in enforcement actions. Every tier of the financial system has demonstrably fallen short of a framework that has been in force since 2016.

The SEBI CSCRF collapse: SEBI’s Cybersecurity and Cyber Resilience Framework became effective in early 2025. By mid-2025, SEBI was still issuing its third round of FAQ clarifications and technical addenda — because the vast majority of regulated entities (brokers, asset managers, depositories) were hopelessly behind. The CSCRF mandates 24×7 SOC operations, real-time threat monitoring, VAPT at defined intervals, Market-SOC onboarding, ISO 27001 certification, and Post-Quantum Cryptography asset inventories. For most intermediaries, these remain aspirational rather than operational.

The CERT-In gap: CERT-In’s mandatory 6-hour breach notification directive has been operational since 2022. The average Indian organisation takes 263 days to detect and contain a breach (IBM India 2025). The regulatory window is 6 hours. That is a 1,052x gap (263 days is roughly 6,312 hours). No incident response plan sitting in a SharePoint folder will close it.

If enterprises cannot meet a 6-hour CERT-In SLA after three years of the directive being in force, what is the credible basis for assuming 72-hour DPDPA breach notification pipelines, Right to Erasure execution systems, and DPIA frameworks will materialise within 13 months?


🧾 The Big 4 Coaching Manual Is Useless on the Mat

When faced with a complex regulatory threat, the Indian enterprise reflex is consistent: panic and sign a seven-figure engagement letter with one of the Big 4 consulting oligopoly.

These firms will deploy freshly credentialled MBAs to produce stratospheric volumes of “Data Privacy Framework” documentation, colourful maturity heat maps, and Risk Matrix PowerPoints of such aesthetic magnificence that your Board Audit Committee will applaud and feel deeply reassured.

Here is the ugly, open secret: Policies do not discover PII. Consultants do not write code. A GDPR template with “India” Find-Replace’d across it is not a compliance architecture.

The Big 4’s India data privacy playbooks are, almost without exception, repackaged GDPR frameworks — built for European legal contexts, premised on European technical infrastructure, sold to Indian enterprises at European premium billing rates. They do not understand the chaos of a mid-sized NBFC running a 2009-era core banking system on an on-premise Oracle stack with an AWS S3 bucket bolted on for analytics. They cannot tell you whether your SaaS vendor’s processing of PII from Tier-2 city users constitutes a cross-border transfer under the DPDPA.

And Western DSPM tools fail structurally for the same reason. Leading platforms were engineered to classify US Social Security Numbers and EU passport formats. India’s PII universe is fundamentally different: Aadhaar numbers, PAN card formats, Indian mobile number patterns, regional language text in Devanagari and Tamil script, and the vast unstructured PII embedded in WhatsApp-based customer service logs. No tool built in Palo Alto will reliably identify all of this out of the box. Sovereignty requires sovereign tooling.


🔍 Why Organisations Are Struggling: The Illusion of Consent vs. Forensic Reality

India Inc. is sitting on decades of compounding technical debt. PII is not sitting neatly in a labelled, encrypted vault. It is embedded in legacy PostgreSQL tables with names only the developer who resigned in 2018 could decode. It lives in forgotten S3 buckets with public-read ACLs, on local employee hard drives, in third-party vendor logs, and inside WhatsApp message histories exported to shared drives.

The DPDPA demands capabilities that are fundamentally engineering problems, not legal ones:

  • The 72-hour breach notification mandate requires automated, real-time detection — not a manual escalation chain.
  • The Right to Erasure requires a targeted cascade deletion across every system holding that individual’s data — including disaster recovery backups — without breaking RBI retention obligations.
  • The Consent Lifecycle requires a data processing architecture where every downstream flow from a consented event is logged, attributable, and revocable.

Updating your website’s Privacy Policy pop-up is not compliance. It is theatre. Privacy is a legal promise; a DSPM platform is the engineering proof.


⚖️ The Significant Data Fiduciary vs. Data Fiduciary Conundrum: Know Your Weight Class

The DPDPA does not treat all defenders equally. Classification as a Significant Data Fiduciary (SDF) is determined by a combination of lethally ambiguous factors — volume of data processed, sensitivity, risks to national security, and risks to electoral democracy — with the government retaining discretionary power to notify entities and thresholds not yet crystallised in subordinate legislation.

If you are classified as an SDF, the compliance burden multiplies exponentially and immediately:

  • A DPO physically based in India is mandatory — not a retainer in Singapore.
  • An independent Data Auditor must evaluate compliance periodically.
  • Periodic DPIAs are mandatory for every significant new data processing activity.
  • Algorithmic transparency assessments are required for AI/ML systems processing personal data.

High-growth fintechs, aggregators, ed-tech platforms, and health-tech applications are crossing SDF thresholds silently and without realising it. An NBFC that began with 50,000 borrowers and now has 5 million is almost certainly an SDF. You cannot retrofit an SDF-grade compliance architecture when the notification lands on a Friday afternoon. Build for it now — or be operationally destroyed when the classification becomes official.


🧭 The DPO Identity Crisis: Which Line of Defence?

Nowhere is the DPDPA preparedness gap more visible — or more farcical — than in the state of the Data Protection Officer function.

Organisations are arbitrarily dropping the DPO title onto existing leaders:

The General Counsel: Understands statutory language. Cannot interrogate a database schema. Cannot read a network flow log. Cannot determine whether a sub-processor in Singapore is actually implementing data minimisation.

The CFO / Audit Head: Manages liability exposure and insurance premiums — not the live data lifecycle across production systems.

The CISO: The most dangerous overlap. The CISO builds and operates the security infrastructure. The DPO’s function is to independently audit, challenge, and — if necessary — halt that infrastructure on behalf of Data Principals. You cannot have the person who poured the concrete also inspect the foundation.

In a mature GRC framework, the DPO is unambiguously a Second Line of Defence. The DPO must have the authority to halt product deployments if Privacy-by-Design requirements are not met, unrestricted access to DSPM dashboards and immutable audit logs, and the right to report directly to the Board of Directors — bypassing the CIO and CTO reporting chain entirely.

The DPO’s Precise Role and Privileges: Sector-by-Sector

BFSI, NBFC, and Lending: The DPO must maintain real-time alignment between DPDPA consent requirements and the RBI’s data localisation and retention mandates — navigating genuine tension where the Right to Erasure conflicts with RBI’s 5-year transaction record retention. The DPO requires audit access to Consent Manager integrations within core banking systems and authority to trigger zero-touch erasure protocols cascading across primary databases and DR sites.
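The engineering list earlier in the article (automated notification, a cascade erasure that does not break RBI retention obligations, a consent lifecycle where every downstream flow is logged and revocable) and the BFSI tension just described fit in one small model. What follows is an added example written for this piece, not code from iManEdge or any vendor: a consent ledger that gates processing on a consent live on that date, an erasure cascade over a data map that defers records under a retention hold with an explicit due date instead of skipping them silently, and a hash-chained audit log in which any later edit breaks verification. The 5-year hold on the core banking transaction store, the system names and the scenario are constructed assumptions, not a reading of any regulation.

```python
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed retention rule: records in the named system stay on hold for N years after
# the last activity. System names and the year count are assumptions for illustration.
RETENTION_HOLD_YEARS = {"core_banking_txn": 5}

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def _chain_hash(prev: str, event: Dict) -> str:
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True, default=str)).encode()).hexdigest()

class AuditLog:
    """Append-only hash chain: each entry commits to the previous hash, so later edits are detectable."""
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, event: Dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"event": event, "prev": prev, "hash": _chain_hash(prev, event)})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _chain_hash(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

@dataclass
class Consent:
    purpose: str
    granted_on: date
    revoked_on: Optional[date] = None

class PrivacyEngine:
    def __init__(self) -> None:
        self.log = AuditLog()
        self.consents: Dict[str, List[Consent]] = defaultdict(list)
        self.holdings: Dict[str, Dict[str, Dict]] = defaultdict(dict)  # principal -> system -> record metadata

    def grant(self, pid: str, purpose: str, on: date) -> None:
        self.consents[pid].append(Consent(purpose, on))
        self.log.append({"type": "consent_granted", "principal": pid, "purpose": purpose, "on": on})

    def revoke(self, pid: str, purpose: str, on: date) -> None:
        for c in self.consents[pid]:
            if c.purpose == purpose and c.revoked_on is None:
                c.revoked_on = on
        self.log.append({"type": "consent_revoked", "principal": pid, "purpose": purpose, "on": on})

    def may_process(self, pid: str, purpose: str, on: date) -> bool:
        # Every downstream flow is gated on a consent that was live on the processing date; the check is logged.
        allowed = any(c.purpose == purpose and c.granted_on <= on and (c.revoked_on is None or on < c.revoked_on)
                      for c in self.consents[pid])
        self.log.append({"type": "processing_check", "principal": pid, "purpose": purpose, "on": on, "allowed": allowed})
        return allowed

    def store(self, pid: str, system: str, last_activity: date) -> None:
        self.holdings[pid][system] = {"last_activity": last_activity}

    def erase(self, pid: str, requested_on: date) -> Dict[str, str]:
        # Cascade across every system holding the principal's data. A record under a retention hold
        # is deferred with its due date, never dropped silently; a re-run after that date clears it.
        outcome: Dict[str, str] = {}
        for system, meta in list(self.holdings[pid].items()):
            years = RETENTION_HOLD_YEARS.get(system)
            hold_until = _add_years(meta["last_activity"], years) if years else None
            if hold_until and requested_on < hold_until:
                meta["erase_after"] = hold_until
                outcome[system] = f"DEFERRED until {hold_until.isoformat()}"
            else:
                del self.holdings[pid][system]
                outcome[system] = "ERASED"
            self.log.append({"type": "erasure", "principal": pid, "system": system, "result": outcome[system], "on": requested_on})
        return outcome

def demo() -> Dict[str, object]:
    """Constructed scenario: one borrower, three systems, one revocation, one erasure request."""
    eng = PrivacyEngine()
    eng.grant("P1", "marketing", date(2024, 1, 10))
    for system in ("core_banking_txn", "marketing_crm", "dr_backup"):
        eng.store("P1", system, last_activity=date(2025, 6, 30))
    eng.revoke("P1", "marketing", date(2026, 3, 1))
    return {
        "before_revocation": eng.may_process("P1", "marketing", date(2026, 2, 1)),
        "after_revocation": eng.may_process("P1", "marketing", date(2026, 3, 1)),
        "erasure": eng.erase("P1", date(2026, 4, 30)),
        "after_hold": eng.erase("P1", date(2030, 7, 1)),
        "engine": eng,
    }
```

demo() runs the scenario: the marketing consent is refused from the revocation date onward, the CRM and DR copies are erased at once while the transaction record is deferred to a stated date, and calling erase() again after that date clears it, so the due date is something to schedule rather than remember. Changing any earlier log entry makes verify() return False, which is the property an immutable audit trail has to offer when evidence is demanded.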

Manufacturing and Industrial: The DPO must govern the IT/OT convergence boundary — biometric access systems, IoT floor telemetry, AI-enhanced CCTV, and connected supply chain platforms. Key privileges include authority to mandate DPIAs before any new biometric or IoT deployment, and enforcement of DPDPA contractual obligations on third-party contract manufacturers.

IT and Enterprise Services (IT/ES): The DPO must manage multi-jurisdictional compliance stacks — DPDPA, UK GDPR, UAE PDPL, Singapore PDPA — often across the same infrastructure. The highest level of audit access is required across multi-tenant cloud environments, data isolation architectures, and vendor sub-processor chains.


🇮🇳 The Sovereign Defence: What Bharat Must Build

The time for theoretical debates, passive Supreme Court observation, and ₹2 Crore Big 4 engagement letters is definitively over. Make in India must extend beyond factory floors to the architecture of India’s data governance infrastructure.

We need:

  • Automated DSPM platforms with native Indian PII classifiers — Aadhaar, PAN, regional language text.
  • Immutable audit trail infrastructure that can provide the forensic evidentiary chain the Data Protection Board will demand.
  • Zero-touch breach notification pipelines executing 72-hour DPBI notifications without manual dependency.
  • Government that stops rewarding imported GDPR template vendors over indigenous sovereign product builders.

Either build the technical capability to hold the line — or prepare to be tagged out, at ₹250 Crore per violation.


📊 Enterprise GRC Compliance & Maturity Scorecard

DPDPA 2023 + DPDP Rules 2025
  Current posture: Most organisations lack PII discovery, consent management architecture, and DSR fulfilment pipelines.
  Mitigation / capability status: CRITICAL: Deploy DSPM with Indian PII classifiers. Appoint and empower independent DPO.

RBI IT Master Direction (2024)
  Current posture: 353 penalties issued. Core banking legacy architecture resists continuous control monitoring.
  Mitigation / capability status: ACTIVE REMEDIATION: Implement SIEM → SOAR escalation. 6-hour SLA requires tested IR capability.

SEBI CSCRF (August 2024)
  Current posture: Majority behind on Market-SOC onboarding, VAPT scheduling, and ISO 27001 certification.
  Mitigation / capability status: URGENT: Conduct CSCRF gap analysis. Prioritise SOC integration. Begin PQC asset inventory.

CERT-In Incident Reporting
  Current posture: Average detection-to-containment: 263 days. Mandatory SLA: 6 hours. Gap: 1,052x.
  Mitigation / capability status: STRUCTURAL FAILURE: Invest in 24×7 threat detection. Tabletop exercises are insufficient.

NCIIPC / SBoM Guidelines
  Current posture: SBoM guidelines largely unimplemented. OT asset inventories non-existent at most CII-adjacent entities.
  Mitigation / capability status: STRATEGIC INITIATIVE: Commission OT asset discovery. Implement SBoM in CI/CD pipelines.

ISO/IEC 27701:2025 (PIMS)
  Current posture: Organisations conflating ISO 27001 recertification with 27701 readiness. Distinct scopes, distinct SoA.
  Mitigation / capability status: REQUIRES NATIVE ARCHITECTURE: Annex A/B controls must be evidentially populated.

ISO/IEC 42001 (AI Management)
  Current posture: GenAI tools deployed without DPO involvement, DPIA, or data minimisation review.
  Mitigation / capability status: STRATEGIC INITIATIVE: Enforce AI governance gate with DPO sign-off for PII-processing models.

Dhananjay is the Founder, Director & vCISO of iManEdge Digital Services Bharat Pvt. Ltd. — a DPIIT/StartUp India registered AI-native cybersecurity and privacy consultancy. He holds CRISC, CGEIT, CIPP, AIGP, CCISO credentials and brings 20+ years of practitioner-grade experience across 42 countries. He writes at the intersection of technology, sovereignty, and regulatory reality under the #SecuringBharat identity.

iManEdge Digital Services Bharat Pvt. Ltd. | CIN: U62020MH2025PTC454644 | Nagpur & Mumbai

Originally published on dhananjayrokde.wordpress.com · reproduced in full.
