India’s DPDP Act is everywhere right now. Consent rules, penalties, and legal clauses are taking centre stage. However, the real challenge is not adhering to the DPDP Rules 2025 themselves; it is closing the gap between how organisations believe their data is treated and how it actually behaves inside their systems.
The law operates on real data flows, not on assumptions. Across industries, we observe recurring technical gaps that organisations must address at the earliest opportunity.
Recurring Technical Gaps Across Organisations
Whether in IT/ITES, BFSI, retail, or manufacturing, actual system behaviour consistently reveals issues like the following that directly affect DPDP compliance.
- Shadow IT Assets and Outdated Data Flows: Many organisations still have export jobs running without owners, old vendor integrations that continue syncing personal data, and legacy apps processing inputs long after workflows have changed. These outdated pipelines break purpose limitation, undermine consent management, and increase the likelihood of breach notification scenarios.
- Sensitive Data Stored Without Classification or Safeguards: Medical files in shared drives, sensitive data in logs, and customer data in analytics spaces without data retention or erasure controls make it difficult to uphold data minimisation, verifiable parental consent, and the other obligations required of a data fiduciary.
- Gaps in Access Control Processes: Many organisations still allow remote access without MFA, rely on shared admin accounts, and leave temporary privileged access unrevoked long after it should have been. These inconsistent access control practices make it difficult to trace accountability or to meet DPDP’s expectations for reasonable security safeguards.
Points Leadership Should Note
Clear, end-to-end traceability of personal data will strengthen your path to compliance.
So, what is happening inside your systems right now?
There are three fundamentals that must be acknowledged for any DPDPA compliance program to succeed:
- Data Reality: This refers to the actual state of personal data inside your systems. Identify your data sources: databases, logs, shared drives, and backup data. Understand where personal data sits, moves, and accumulates. True data visibility comes only from examining live system behaviour, not from relying on outdated process documents.
- Consent Reality: Consent is not required for every process, so determine which data flows require consent and which do not. Typically, marketing, analytics, and external sharing processes depend on consent.
- Security Reality: This reflects the real strength of your current controls. Gauge which systems still hold sensitive data without MFA, logging, or classification, and whether basic controls like access reviews, encryption, and monitoring are actually in place to protect them.
Three Practical Moves to Make in the Next 30 Days
- Run a 30-Day Data Reality Check: Start by asking each team to report where personal data is stored in real environments. Reviewing live systems, file paths, tables, logs, and backups quickly exposes blind spots and strengthens DPDP data mapping, data flow design, and readiness for data fiduciary obligations.
- Retire One Outdated Data Pipeline: Once visibility improves, identify one outdated data flow (an old SFTP job, a forgotten API, or a legacy report) and validate whether it still serves a purpose. Updating or retiring even a single redundant pipeline meaningfully reduces risk and simplifies the data landscape.
- Enforce Retention on One Low-risk Dataset: With a better understanding of your data landscape, choose a low-risk dataset and run a full retention exercise across primary systems, derived stores, and backups. This helps teams meet data retention and erasure obligations and implement reasonable security safeguards without putting sensitive personal data at risk.
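As an added illustration of what a data reality check over live logs and exports can surface (example code, not from the original post): it scans constructed sample lines for personal-data indicators and reports where they sit. The indicator patterns, the file locations, and the assumption that anything outside the primary app path needs a retention review are all constructed assumptions; tune them to your own environment.

```python
import re
from collections import defaultdict

# Personal-data indicator patterns (assumed formats; extend for your own data types).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # Indian mobile number: optional +91, then ten digits starting with 6-9.
    "phone_in": re.compile(r"(?<![\w+])(?:\+91[\s-]?)?[6-9]\d{9}(?!\d)"),
    # Indian PAN: five letters, four digits, one letter.
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
}

# Constructed sample inventory: (location, line) pairs as a reality check would gather them.
SAMPLE_RECORDS = [
    ("app/api.log", "2025-01-10 INFO order 4412 placed by priya.s@example.com"),
    ("app/api.log", "2025-01-10 DEBUG otp sent to +91 9876543210 for order 4412"),
    ("analytics/exports/customers.csv", "4412,ABCDE1234F,priya.s@example.com"),
    ("backup/2023/legacy_sync.csv", "old-vendor-feed,9123456780,ram@example.org"),
    ("app/api.log", "2025-01-10 INFO healthcheck ok"),
]


def scan_line(line):
    """Return {category: count} for each personal-data indicator present in one line."""
    return {name: len(rx.findall(line)) for name, rx in PATTERNS.items() if rx.search(line)}


def build_inventory(records):
    """Aggregate indicator counts per location: {location: {category: count}}."""
    inventory = defaultdict(lambda: defaultdict(int))
    for location, line in records:
        for category, count in scan_line(line).items():
            inventory[location][category] += count
    return {loc: dict(cats) for loc, cats in inventory.items()}


def flag_locations(inventory):
    """Locations holding personal data outside the primary app path (assumed: not under app/)."""
    return sorted(loc for loc in inventory if not loc.startswith("app/"))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS)
    for loc, cats in sorted(inv.items()):
        print(f"{loc}: {cats}")
    print("review for retention/erasure:", flag_locations(inv))
```

The output lists each location with the indicator types it holds, and the flagged list gives the derived stores and backups that the retention exercise above should cover.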
Will these steps make you DPDPA compliant overnight? No. However, they will build momentum and help you identify the operational gaps that need closing. That alone will move your organisation in the right direction.
Wondering what comes next? In our next post, we will break down how DPDPA applies to your organisation in practical terms across IT/ITES, BFSI, NBFC, retail, manufacturing, and healthcare. This is where theory meets reality. Stay tuned.