Back to Resources
DPDP Act Readiness: A Security Team's Field Guide: visual preview
Guide

DPDP Act Readiness: A Security Team's Field Guide

The Act's biggest penalties sit with security, not legal. Here's what we find when we scan Indian companies, and a 90-day plan

The expensive half of the Act is yours

Most DPDP conversations happen in legal and marketing: consent notices, privacy policies, preference centers. Fair enough. But look at the penalty schedule. The single largest fine in the Act, up to ₹250 crore, attaches to Section 8's "reasonable security safeguards". Failure to notify a breach carries up to ₹200 crore more. Consent violations cap lower.

In other words, the CISO owns the two most expensive obligations in Indian privacy law. We've been doing security work for Indian data fiduciaries since before the Act had rules, and our take is blunt: if your DPDP program is a consent banner and a policy PDF, you've covered the cheap half.

What the DPDP Rules 2025 settled

The Act passed in August 2023, then sat waiting for its operating manual. The DPDP Rules, notified in 2025, supplied it: the Data Protection Board became a working forum, and breach notification got a clock. Affected data principals must be informed without delay, the Board notified promptly, and a detailed report filed within 72 hours.

Read that timeline against your current detection capability. Industry breach reports have put average identification times well past 200 days for years. A breach you discover in month seven fails the notification obligation by default, before anyone examines your safeguards. Detection speed is now a legal requirement in India, and that's new.

What we find when we scan Indian companies

  • Dev and staging environments carrying full production copies of customer PII, exposed to the internet
  • Forgotten subdomains pointing at decommissioned services that still hold data
  • Employee credentials in stealer logs traded on Telegram, often with active corporate sessions
  • Public object-storage buckets with KYC documents, invoices, or database exports
  • Third-party processors leaking data the fiduciary is still legally answerable for
  • Databases with authentication disabled, discovered by us hours after deployment

A 90-day readiness plan

DaysFocusOutput
1 to 15Map where personal data actually lives, including shadow assets and processor systemsData-bearing asset inventory, not an org-chart diagram
16 to 30Scan the external attack surface for exposed PII and forgotten infrastructurePrioritized exposure list with owners and deadlines
31 to 50Close the worst exposures; enforce MFA and access reviews on data-bearing systemsEvidence of remediation, logged and dated
51 to 65Stand up breach detection: leaked-credential monitoring, dark web coverage, alertingMean time to detect measured in hours, not months
66 to 80Write and rehearse the notification runbook against the 72-hour report deadlineTabletop exercise with legal, security, and comms
81 to 90Assemble the evidence file: policies, logs, reviews, processor contractsAn audit-ready record the Board can actually inspect

Evidence beats intentions

Here's the pattern we expect from Data Protection Board inquiries, because it's the pattern every regulator follows: they don't ask whether you cared about security. They ask for records. Access review logs. Remediation tickets with dates. The timestamp of breach discovery versus the timestamp of notification.

"Reasonable security safeguards" is judged in hindsight, after an incident, by people reading your paper trail. A control that ran but wasn't logged might as well not have run. So build the evidence habit now: every scan, every fix, every review leaves a dated record. Boring? Completely. It's also what the ₹250 crore question turns on.

Where automation fits

The obligations above are continuous, and headcount doesn't scale to continuous. That's the gap we built Hunto's DPDP tooling for: autonomous agents that discover exposed personal data across your attack surface, watch dark web and Telegram channels for leaked records, detect breaches fast enough to make the 72-hour report feasible, and keep the audit evidence current without anyone compiling spreadsheets at quarter-end.

Start with the free DPDP Act compliance checklist to see which obligations your current stack leaves uncovered, then look at the DPDP compliance automation overview for how the agents divide the work. And talk to your legal team early. The best DPDP programs we've seen treat security and legal as one workstream with two owners.

Common Questions

Frequently asked questions

It helps, and it's strong evidence of a working security program, but the Act doesn't name any certification as a safe harbor. Section 8 is judged on whether safeguards were reasonable for the data you held. An ISO certificate plus current evidence of exposure management and breach detection is a far stronger position than the certificate alone.

The data fiduciary. The Act keeps accountability with you regardless of where processing happens, which is why processor monitoring and contractual security requirements belong in the security program, not just in procurement paperwork.

Under the DPDP Rules, affected individuals must be informed without delay and the Data Protection Board must receive a detailed report within 72 hours of the fiduciary becoming aware. Practically, that means detection, scoping, and a drafted notification process that runs in hours. Teams that rehearse the runbook make the deadline; teams that improvise don't.

The core obligations apply to data fiduciaries broadly, with heavier duties for Significant Data Fiduciaries designated by the government. Penalty exposure scales with the harm, but Section 8 and breach notification aren't size-gated, so a lean version of the same program (know your data, close exposures, detect fast, keep records) is still the baseline.

Want to see this in practice?

Book a demo and watch Hunto AI run discovery, verification, and takedown on live data.

Hunto AI logo: Autonomous AI Cybersecurity Agents

100% Autonomous AI Agents that continuously discover, monitor, and mitigate external threats: protecting your brand, infrastructure, and data 24/7.

Partners

Nvidia Inception - Hunto AI Partner
KPMG - Hunto AI Partner
Mastercard - Hunto AI Partner
Airtel - Hunto AI Partner

© 2026 Hunto AI. Copyright. All Rights Reserved