India

CERT-IN-DIRS: CERT-In Directions under Section 70B of the Information Technology Act (Indian Computer Emergency Response Team)

DPDP-RULES: Digital Personal Data Protection Rules (Data Protection Board of India)

India overview

India's data compliance framework is broader than one privacy law

India's data protection regime is anchored by the Digital Personal Data Protection Act, 2023, but the practical compliance picture is wider. The Act creates the accountability framework for processing digital personal data. The DPDP Rules translate that framework into operational requirements for notice, security safeguards, erasure, children's data, rights handling and Significant Data Fiduciary governance. The CERT-In Directions sit beside the privacy regime as a cybersecurity layer that directly affects breach response, logs, incident reporting and infrastructure governance.

The three pillars to understand first

The DPDP Act answers the legal question: when may an organisation process personal data, and what duties does it owe to the individual? Its core idea is accountability. If an organisation decides why and how personal data is processed, it remains responsible for that data, including when processors and vendors handle it on its behalf.

The DPDP Rules answer the implementation question: what must the organisation actually build or publish? They prescribe self-standing notices, specific links or means for consent withdrawal and rights exercise, minimum security safeguards, log and data retention rules, child-consent mechanics, and additional duties for Significant Data Fiduciaries.

The CERT-In Directions answer the incident-readiness question: what must the organisation be able to prove and report when cyber events occur? They require clock synchronisation, 180-day log retention within Indian jurisdiction, a designated Point of Contact, on-demand information support, and six-hour reporting for specified cyber incidents.

How these laws work together

A personal data breach under the DPDP Act will often also be a reportable cyber incident under the CERT-In Directions. A consent system under the DPDP Act also needs reliable timestamps, logging and retention to remain auditable. A vendor contract under the DPDP Rules should not only address privacy obligations, but also support incident escalation, security safeguards and evidence preservation.

The laws should therefore not be managed in separate silos. Data inventory, consent management, DSAR handling, retention, vendor governance, security logging and breach reporting all connect across the same operational system. Treating each law as a separate checklist creates gaps exactly where regulators and complainants are likely to look: handoffs, vendors, logs, notices and breach timelines.

What organisations should prioritise

Start with a complete map of personal data, processors, systems, cross-border storage and logs. Then make sure every consent flow has a self-standing notice, every rights mechanism is specific and usable, and every processor contract contains security and breach-support obligations. In parallel, confirm that ICT logs are enabled, retained for the required period, stored appropriately, and tied to an incident response process that can meet short statutory timelines.
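The CERT-In requirements described above (180-day log retention within Indian jurisdiction, synchronised clocks, six-hour incident reporting) can be checked mechanically rather than taken on trust from a configuration screen. The following Python script is an added example, not code from the original page or from CERT-In: it measures how far back each log source can actually answer a request, where the retained copy lives, how far its clock drifts from the reference time source, and how much of the six-hour reporting window remains once an incident is detected. The log-source inventory, the region codes and the five-second clock tolerance are constructed assumptions for illustration.

```python
"""Constructed readiness check for log retention, clock sync and the
six-hour reporting window. The inventory below is illustrative; the
clock tolerance is this example's own assumption, not a regulatory figure."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REQUIRED_RETENTION = timedelta(days=180)   # retention period stated in the Directions
REPORTING_WINDOW = timedelta(hours=6)      # incident reporting window in the Directions
REQUIRED_REGION = "IN"                     # retained logs must stay within Indian jurisdiction
MAX_CLOCK_DRIFT = timedelta(seconds=5)     # assumption: local tolerance for NTP offset


@dataclass(frozen=True)
class LogSource:
    name: str
    storage_region: str           # country code of where the retained copy lives
    oldest_retrievable: datetime  # oldest event still retrievable from this source (UTC)
    clock_offset: timedelta       # measured offset against the reference time source


def retention_span(source: LogSource, now: datetime) -> timedelta:
    """How far back this source can actually answer a request for logs."""
    return now - source.oldest_retrievable


def assess_source(source: LogSource, now: datetime) -> list[str]:
    """Return findings for one source; an empty list means it passes all three checks."""
    findings = []
    span = retention_span(source, now)
    if span < REQUIRED_RETENTION:
        shortfall = REQUIRED_RETENTION - span
        findings.append(
            f"retention: only {span.days} days retrievable, short by {shortfall.days} days")
    if source.storage_region != REQUIRED_REGION:
        findings.append(
            f"jurisdiction: retained copy stored in {source.storage_region}, not {REQUIRED_REGION}")
    if abs(source.clock_offset) > MAX_CLOCK_DRIFT:
        findings.append(
            f"clock: offset of {source.clock_offset.total_seconds():.0f}s exceeds tolerance")
    return findings


def assess_inventory(sources: list[LogSource], now: datetime) -> dict[str, list[str]]:
    """Map each source name to its findings so gaps can be tracked per system."""
    return {s.name: assess_source(s, now) for s in sources}


def reporting_deadline(detected_at: datetime) -> datetime:
    """Latest time at which the incident report must be made."""
    return detected_at + REPORTING_WINDOW


def time_remaining(detected_at: datetime, now: datetime) -> timedelta:
    """Remaining time in the reporting window; a negative value means overdue."""
    return reporting_deadline(detected_at) - now


# Constructed sample inventory (hypothetical systems, not a real estate).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SOURCES = [
    LogSource("vpn-gateway", "IN", NOW - timedelta(days=400), timedelta(seconds=1)),
    LogSource("web-app-siem", "IN", NOW - timedelta(days=90), timedelta(seconds=2)),
    LogSource("saas-auth-export", "SG", NOW - timedelta(days=200), timedelta(seconds=-45)),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_SOURCES, NOW).items():
        print(f"[{'OK' if not findings else 'GAP'}] {name}")
        for finding in findings:
            print(f"    - {finding}")
    detected = datetime(2025, 6, 1, 9, 30, tzinfo=timezone.utc)
    print("report due by", reporting_deadline(detected).isoformat(),
          "| remaining:", time_remaining(detected, NOW))
```

The retention check deliberately uses the oldest event that is still retrievable rather than the configured retention setting, because the Directions are about what can be produced on request; a 180-day setting on a collector that was only deployed 90 days ago still leaves a 90-day gap. Run the script on a real inventory by replacing SAMPLE_SOURCES with values pulled from each log platform.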

For larger platforms, high-volume data fiduciaries, health-data processors, financial services businesses and child-facing services, the preparation should go further: DPIA readiness, independent audit readiness, algorithmic due diligence, child-consent verification, dormant-account erasure workflows and Board-ready evidence packs.

Key India Laws

Digital Personal Data Protection Act, 2023 - the core personal data accountability framework.

Digital Personal Data Protection Rules - operational rules for notices, security safeguards, erasure, children's data and rights handling.

CERT-In Directions under Section 70B of the IT Act - cyber incident reporting, log retention, clock synchronisation and CERT-In response obligations.

What this means for you

India compliance is not just a privacy notice exercise. It is an operating model: know where personal data sits, prove why it is processed, control who touches it, retain the right evidence, respond to individuals, and report incidents quickly. The individual law write-ups explain each instrument in detail; the country controls show how those requirements translate into action.