India’s Digital Personal Data Protection Act will, in time, be remembered for the firms it caused to behave differently — not for the firms it caught.
The audit framing is the wrong framing
Most institutions, on first reading the Act, treat it as a compliance exercise — a list of controls to be mapped, a vendor to be hired, a checklist to be ticked. This framing reliably produces a posture that survives until the regulator’s first letter and then collapses.
What changes
Three things change, in our experience, when a firm internalises the Act properly:
The firm’s data estate becomes legible to its own senior team. The vendor relationships of the firm get rewritten — not all of them, but the consequential ones. And the conversations the firm has with its customers about consent shift from procedural to substantive.
What does not change
What does not change, importantly, is the firm’s appetite for the data it actually needs to do its work. The Act does not, properly read, ask the firm to operate with less data. It asks the firm to operate with the data it has chosen to hold, deliberately.
A note for boards
Boards we have worked with on DPDP readiness have asked, repeatedly, what the right shape of an internal council on the matter should look like. Our answer is that the council should be small, should report into the audit committee, and should hold the posture in language the institution can use without a lawyer in the room.