

Authored by Ruchin Kumar, VP, South Asia, Futurex
The last few weeks have seen CISOs and a large number of enterprises in a proverbial rush, evoking memories of India's nation-wide roll-out of GST. DPDP and its accompanying set of reforms are a milestone that places India in a distinguished league of countries focused on data protection and integrity.
Security teams often describe their world as a giant, unpredictable elephant: shifting standards, emerging tools, ever-expanding data volumes and the perennial look-out for newer risks that appear without warning. Whatever animal one chooses for the metaphor, it is rarely a static one.
For a bank, KYC could be an opportunity to understand a customer; for a logistics enterprise, the equivalent could be vendor assessments. The nuance may take a minute for someone outside the CISO profession to comprehend. As a seasoned CISO once jovially explained, "the biggest risk is not data loss... Never is, never was... It was data blindness."
FINDING WHAT TO PROTECT?
CISOs are expected to have privacy by design built into the security stack immediately, and the Data Protection Board is being operationalized even as the core processing and rights obligations are expected to kick in within the next 6-18 months. Enterprises are also mandated to have compliance checks in place for consent, notices, the general obligations of data fiduciaries, security safeguards for children's data, the rights of data principals, and approaches to cross-border restrictions, even though 2025-26 has been set aside as a build-out window for CISO teams.
At the core of these expectations is the premise that the CISO protects data. But how much data? Of what volume? Of what nature? Where is it housed? How can the data stay usable without being tampered with? Further nuances sit atop these expectations, such as parallel reporting to the boardroom, regulatory compliance, and data availability for audits.
The premise is simple: the CISO safeguards data. The execution is not simple, given the vagaries of organizational culture and sectoral variances. And the volume is large: by the author's estimate, the average Indian enterprise houses anywhere from 6-10 petabytes of data on premise, all of which has to be secured consistently.
With a mandate this daunting, a prudent step is to identify what truly requires protection and to apply "reasonable" safeguards with discipline and culture, not just controls.
PROOFING FOR UNCERTAINTY
While India's DPDP law is currently exhaustive on paper, several interpretational gaps are likely and will take time to be ironed out. For example, the extant rules mandate that data fiduciaries notify the Data Protection Board within 72 hours of detecting a breach. Some sectors in India, such as banking, already meet timelines of this kind, but many enterprises in other sectors do not have mature incident response (IR) frameworks aligned with the legal mandate.
Similarly, the central authority has the power to set conditions for transferring personal data to foreign states or entities. Without clarity, global firms will find it hard to design cross-border data flows securely, caught between the risk of non-compliance and the cost of over-localization. It becomes paramount for CISOs to architect their cross-border data flows in light of possible future constraints, whether by building more on-shore resiliency or by planning for contract-level safeguards. The latter can be backed technically by encryption or pseudonymization of personal data before it leaves the country, and by processes that guarantee only the minimum necessary data is transferred, which shrinks the compliance burden along with the exposure.
Uncertainty also stems from mandates such as "reasonable security safeguards", which are bound to invite further interpretational challenges. With no publicly prescribed standard for encryption, access control or other technical benchmarks, inconsistent readings of "reasonable" will create ambiguity, and with it an increased risk of breaches, especially for data fiduciaries. CISO teams need not prepare for every uncertainty, but they must condition themselves against unpreparedness.
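The two technical levers mentioned above, minimization and pseudonymization before a cross-border transfer, can be combined in a single export step. The following Python block is an added illustration, not code from the article or from Futurex. It assumes a hypothetical overseas analytics processor that legitimately needs only a handful of fields (the `EXPORT_ALLOWLIST`), treats `customer_id` as a direct identifier, and keeps both the HMAC key and the token-to-value map in an on-shore vault so that what crosses the border is a token rather than the identifier. The sample record is constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Tuple

# Fields the hypothetical overseas processor genuinely needs (assumption for this example).
EXPORT_ALLOWLIST = {"customer_id", "city", "account_type", "txn_count"}

# Direct identifiers that may be exported only in tokenized form (assumption).
DIRECT_IDENTIFIERS = {"customer_id"}

# Constructed sample record; the PAN and phone values are fictitious.
SAMPLE_RECORD: Dict[str, Any] = {
    "customer_id": "CUST-000123",
    "name": "A. Example",
    "pan": "ABCDE1234F",
    "phone": "+91-99999-00000",
    "city": "Pune",
    "account_type": "savings",
    "txn_count": 42,
}


class OnshoreTokenVault:
    """Holds the HMAC key and the token->value map; neither ever leaves the on-shore boundary.

    Tokens are deterministic for a given key, so the overseas processor can still join
    records on customer_id without ever seeing the real identifier. Reversal is only
    possible on-shore via the vault lookup.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("tokenization key must be at least 32 bytes")
        self._key = key
        self._vault: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def minimize_and_pseudonymize(
    record: Dict[str, Any], vault: OnshoreTokenVault
) -> Tuple[Dict[str, Any], List[str]]:
    """Return (export_record, dropped_fields).

    Fields outside the allow-list are dropped entirely (minimization); allow-listed
    direct identifiers are replaced with on-shore tokens (pseudonymization).
    """
    export: Dict[str, Any] = {}
    dropped: List[str] = []
    for field, value in record.items():
        if field not in EXPORT_ALLOWLIST:
            dropped.append(field)
            continue
        if field in DIRECT_IDENTIFIERS:
            export[field] = vault.tokenize(str(value))
        else:
            export[field] = value
    return export, dropped


def export_is_clean(export: Dict[str, Any], original: Dict[str, Any]) -> bool:
    """Pre-transfer check: no field outside the allow-list, no raw direct identifier."""
    if set(export) - EXPORT_ALLOWLIST:
        return False
    for field in DIRECT_IDENTIFIERS:
        if field in export and export[field] == str(original.get(field)):
            return False
    return True


if __name__ == "__main__":
    vault = OnshoreTokenVault(secrets.token_bytes(32))
    exported, dropped = minimize_and_pseudonymize(SAMPLE_RECORD, vault)
    print("exported:", exported)
    print("dropped:", dropped)
    print("clean for transfer:", export_is_clean(exported, SAMPLE_RECORD))
```

The point of the shape is that the only thing a foreign processor or a future transfer condition can touch is the exported dictionary; the allow-list documents the purpose limitation, the dropped-field list is audit evidence of minimization, and the vault (in practice an HSM-backed tokenization service rather than an in-memory dict) is the asset that stays on-shore. A real deployment would also rotate the key and log every detokenization.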
APPROACHING WITH REASONABLENESS
DPDP is a watershed moment in Indian cybersecurity, but the phased nature of its implementation should be read as a reasonable transition. It is also an action-oriented moment, as CISOs and business teams engage in identifying metrics, defining audit protocols, settling on viable encryption standards, and building ways to handle sensitive contexts (age-gating or risk-based controls where children's data or vulnerable groups are involved).
India's DPDP does not change realities; it amplifies the need to tackle them and to align with global practice. It is not forcing companies to rethink the data conundrum from scratch; rather, it exposes structural weaknesses that may have been ignored for years. As they say, compliance can seem like bliss, but the right posture is the real power for survival. Organisations that prepare properly will be the ones standing with heads held high.