Highlights
For years, privacy in India was a fragmented landscape of sector-specific guidelines and voluntary data security policies. The enactment of the Digital Personal Data Protection Act (DPDPA) has fundamentally shifted that narrative, moving privacy from a casual policy choice to a strict, non-negotiable statutory obligation. Across the Indian digital ecosystem, the law establishes a unified, enforceable framework anchored on individual rights and organisational accountability.
However, the real challenge for CXOs and board members isn't just understanding the DPDPA as an isolated piece of legislation. True compliance requires managing its direct alignment with existing heavyweight regulators such as CERT-In, the Reserve Bank of India (RBI), and the Securities and Exchange Board of India (SEBI).
Organisations that attempt to address the DPDPA in silos will quickly find themselves overwhelmed by overlapping timelines, conflicting data formats, and fragmented internal accountability. The solution lies in shifting toward a converged GRC model that harmonises these distinct regulatory streams into a singular corporate strategy.
In the past, a cyber incident was viewed through a purely technical lens. If a server went down or exposed data, the IT department handled containment and patched the vulnerability. Under the new regime, this tech-centric incident response model is obsolete. Today, a single cyber incident involving personal data triggers immediate, dual-regulator engagement that demands entirely different streams of information.
To survive this double scrutiny, enterprise incident response plans must be overhauled. Legal, privacy, and public relations workflows must fire in parallel with technical recovery teams the moment a breach is detected.
The DPDPA does not replace existing sectoral mandates; it explicitly reinforces them. For the banking, financial services, and insurance (BFSI) sector, the act supercharges the RBI's long-standing expectations for customer data confidentiality, cyber resilience, and risk governance for outsourcing. Financial institutions have always been heavily regulated, but the DPDPA introduces severe statutory penalties for operational lapses that previously fell under supervisory warnings.
Under this converged reality, banks, non-banking financial companies (NBFCs), and fintech platforms must demonstrate rigorous accountability for outsourced data processors and cloud vendors. It is no longer enough to sign a standard service-level agreement; financial entities must actively audit their vendor ecosystem to ensure downstream compliance.
Furthermore, the RBI's focus on operational resilience now demands that privacy-by-design be baked into every digital lending application, payment gateway, and core banking update. Board-level oversight must treat privacy risk with the same gravity as credit or liquidity risk.
In capital markets, investor protection and market integrity naturally extend to robust privacy governance under SEBI mandates. The sheer volume of personal data circulating through stock exchanges, depositories, registrars, and transfer agents (RTAs) makes this sector a high-value target for threat actors.
Market participants now face the complex task of aligning traditional SEBI record retention obligations with the strict DPDPA principle of data minimisation. While SEBI requires transaction histories to be maintained for years to prevent market manipulation, the DPDPA mandates that personal data be deleted once its collection purpose is fulfilled.
Navigating this legal intersection requires a highly sophisticated data lifecycle management strategy. Security leaders must establish clear protocols that specify exactly when a record transitions from an active financial asset to an archived regulatory requirement, ensuring it remains isolated from unnecessary exposure.
The DPDP rules operationalise the broader act by defining explicit expectations for consent notice clarity, accessible grievance redressal mechanisms, and seamless pathways for users to withdraw consent or request data erasure.
The biggest operational hurdle to achieving this is fragmented internal ownership. In the average enterprise, legal drafts the privacy policy, IT manages databases, security handles breaches, and business teams collect data. When these units operate in silos, compliance breaks down. Legacy IT systems, which were never designed to delete specific user records upon request or track granular consent preferences downstream, become massive liabilities. The DPDPA forces an uncomfortable but necessary organisational convergence across these corporate functions.
Organisations that approach the DPDPA as a standalone, paper-driven checkbox exercise will inevitably struggle with operational inefficiency, spiralling legal costs, and regulatory friction. Conversely, forward-thinking leadership teams that view this transition through the lens of a unified corporate strategy will unlock substantial long-term value.
Privacy, cybersecurity, and operational resilience are no longer separate corporate pillars; they are mutually reinforcing elements of market survival.
By building a converged GRC framework, enterprises achieve true breach readiness, drastically reducing the time it takes to detect and mitigate an attack. Aligning data minimisation with storage strategies also shrinks the corporate data footprint, lowering cloud infrastructure costs and reducing overall liability. Embedding privacy into organisational culture is no longer just a legal defence; it is a sustainable competitive advantage that drives business growth.