India’s Privacy Law Prioritises Consent—But Will Compliance Follow? 

DPDP brings privacy rights to users and data discovery pressure for organisations. The post India’s Privacy Law Prioritises Consent—But Will Compliance Follow?  appeared first on Analytics India Magazine.


When data security firm Matters.ai, which helps organisations ensure data privacy compliance and operational safety, looked into the application logs of a prominent financial institution, what it found was astonishing, to say the least.

“When we worked with a very big financial institution, we told them within a span of twenty-four hours, their application logs contained more than one lakh people’s Aadhaar card numbers, which the developer could see with their bare eyes,” said Keshava Murthy, CEO and co-founder of Matters.ai, in an interaction with AIM.

These numbers weren’t there by mistake; they were accumulated over years of application development, sitting in logs that nobody thought to audit for sensitive data.

Under India’s new Digital Personal Data Protection Act, this constitutes a breach, even if the exposure originates internally. The financial institution had no idea that personal data was present in its internal logs, and it is certainly not alone.

The DPDP Act, enacted in 2023 and operationalised in 2025, is India’s first comprehensive data protection law. The law applies to personal data—defined as any information that identifies an individual—including mobile numbers and Aadhaar details. Even information that may not identify someone on its own, such as a salary slip or an address, becomes personal data when combined with other identifiers.

The Act’s origin is constitutional, its scope vast, and the implications are only beginning to register—for both organisations and individuals.

What Rights Do Users Get?

The Act gives India’s one billion internet users a basket of digital rights.

“Think of it as the one piece of law that tells you how companies are allowed to process your data, what rights you have in relation to this, and how you really help enforce these rights against those companies,” Thomas Vallianeth, a lawyer who advises corporates and technology companies on regulatory compliance, told AIM.

Individuals can now demand a summary of all their personal data processing activities from an organisation. They can also request correction of inaccurate information that may block a transaction or service, and even deletion of their data if they don’t wish to be contacted.

“Next time you get an annoying, pesky call from a real estate telemarketer… you can approach that organisation and say, ‘Look, tell me about how you have my personal information and give me a summary of how you obtained this personal information,’” added Vallianeth.

The approach to consent has also structurally changed. Digital services have historically relied on bundled consent—forcing users to accept broad and overlapping purposes just to access an app. Under DPDP, users can withdraw consent for specific types of data processing. Companies must now justify collection and provide granular consent choices rather than blanket approvals.

The law also mandates breach notifications. If a data breach occurs, organisations must inform affected users within a specified timeframe and notify the government. This replaces a discretionary disclosure regime that often left users unaware of exposure.

However, personal data voluntarily placed in the public domain is exempt from DPDP protections. Vallianeth noted that if a user posts a photograph publicly on a social media platform and another user downloads it and creates a deepfake, the DPDP Act is not invoked. Deepfakes that cause harm fall under the IT Act and the Intermediary Guidelines.

Similarly, DPDP does not meaningfully intervene when it comes to malware. If a malicious file uploaded to a cloud storage service extracts personal data after being downloaded, liability flows through the existing IT Act, which penalises unauthorised access under Section 43.

New Compliance Architecture

For organisations, DPDP compliance rests on establishing a lawful basis for every instance of personal data processing.

Obtaining valid consent requires notice. Companies must disclose what data is collected, how it will be used, and what grievance mechanisms are available.

“Social media apps and other organisations that are doing data-intensive businesses should be ready to grant a little bit more control to users,” Vallianeth remarked.

Beyond consent, organisations must provide grievance mechanisms that allow users to raise complaints. If a user believes their data is being misused or handled inconsistently with stated purposes, they can file a grievance with the organisation. If the response is unsatisfactory, the complaint can be escalated to the Data Protection Board of India—a new enforcement body under the Act.

The Board can investigate organisations and impose penalties ranging from ₹50 crore to ₹250 crore for serious violations. Enforcement is expected to focus on material contraventions rather than minor lapses, particularly in the early years.

A subset of entities classified as ‘Significant Data Fiduciaries’—including social media platforms and other entities processing large volumes of data—will face higher compliance obligations, including data protection impact assessments, audits, and appointing local data protection officers.

Why Discovery Comes First

The case of the financial institution unaware of Aadhaar numbers in the application logs raises a bigger question: how many organisations actually know where their sensitive data lives?

“If you want to protect the data, first, discovery is very important to understand where your data is present and what guardrails are present,” said Murthy.

In large enterprises, personal data is spread across databases, application logs, documents, internal tools, and employee devices. Without automated discovery, obligations such as consent management, erasure, and breach readiness become difficult to enforce.

This challenge has given rise to startups with expertise in data management, data engineering, and data security to help organisations comply with DPDP requirements.

Matters.ai analyses data not merely on format or pattern, but also on content, context, meaning, and intent. Murthy explained that a phone number in a résumé does not carry the same risk as the same number embedded in a production database or exposed in application logs.

This distinction becomes critical when enforcing the right to erasure. While users can demand deletion of their personal data, for large organisations, the challenge is scale.

Murthy described cases in which traditional security tools failed because they relied on naming conventions or sampling-based inspection rather than semantic understanding. In one instance, a departing senior employee in a firm embedded sensitive commercial information into a file labelled as a “medical blood report PDF” and exfiltrated it via WhatsApp. Existing systems flagged the file name but treated the content as benign.

The failure was not due to a lack of controls but a lack of context. Sampling files or relying on filenames was insufficient to detect intent.

Still, Murthy drew an important distinction between protecting all data and protecting sensitive data. “If you know where sensitive data is present, you can place guardrails there rather than across the entire ecosystem, without affecting team productivity,” he said.

Enforcement Complexities

Grievance redressal is likely to become the primary exposure layer under DPDP due to the sheer volume of user complaints expected.

“This is the one bucket that will eventually lead to the penalties,” Amit Das, founder and CEO of full-stack data science and AI firm Think360.ai, noted. “How else will you figure out what’s going wrong unless a customer is complaining about it?”

The problem, Das explained, is that most organisations are structurally unprepared to respond. When a grievance is raised, they often lack the ability to trace where an individual’s data resides, why it was collected, or how it is being processed—within statutory timelines.

He pointed to how large banks operate across multiple internal systems and external partners, with personal data flowing between core platforms, sourcing channels, and downstream service providers. These data flows were built incrementally, often without clear visibility into where data travels or how it is reused.

Intermediaries compound this complexity. DPDP liability does not stop at the primary institution. Lending service providers, sourcing platforms, and other third parties that process personal data now fall within the compliance perimeter. Banks must account for how data is shared, for what purpose, and under what consent—across their extended ecosystem.

Like Murthy, Das stressed that problems compound when organisations haven’t built their data architecture with discovery as the foundation.

DPDP also reverses a long-standing data strategy. Regulators now demand purpose upfront. Dormant user bases, once treated as assets, become liabilities as re-consent exercises lead to drop-offs, shrinking engagement metrics and affecting valuations.

At a structural level, Das said, “DPDP is basically not a scale problem, it’s a sequencing problem.”

Discovery must precede consent. Consent must precede grievance handling. Grievance handling must feed compliance reporting. Organisational preparedness for this sequence will make or break compliance.

The Infrastructure Opportunity

India’s IT services industry has long prioritised data security due to global client requirements. DPDP changes the nature of that obligation. Compliance becomes systemic rather than project-based.

Sanjay Agrawal, CTO of Hitachi Vantara India, told AIM that DPDP forces CIOs to confront whether regulation is a burden or an opportunity. “We feel this is an opportunity for all the enterprises to streamline their entire stack, be it data infrastructure or the entire landscape,” he said.

Agrawal explained that organisations operate with siloed systems and duplicated datasets that are governed unevenly: some data is tightly protected while the rest is ignored.

“That [ignored] part of the data may have some PII [personally identifiable information] that will suddenly become important,” he said.

DPDP forces uniform governance across all data assets. It pushes enterprises to consolidate, normalise, and eliminate redundant copies. The result is not only compliance, but clarity on what data exists and why it is retained.

“This will trigger a normalisation, consolidation or streamlining of all the infrastructure and data assets in the organisation,” Agrawal said.

Organisations have until mid-2027 to put compliance measures in place. Their compliance will determine whether DPDP evolves into a meaningful enforcement regime or remains a procedural exercise that falls short of its constitutional promise.
