By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: eMudhraPublished May 26, 2026

TL;DR: India’s DPDP Act 2023 makes consent, purpose limitation, audit trails, SDF duties, and cross-border safeguards mandatory for organizations handling Indian citizens’ personal data, with penalties reaching 250 crores for serious violations, according to eMudhra. For identity and access teams, the practical issue is proving who accessed what, when consent changed, and whether sensitive records stayed within policy boundaries.


At a glance

What this is: This is an analysis of India’s DPDP Act 2023 and its core compliance obligations, with a strong focus on consent, accountability, localisation, and cryptographic trust controls.

Why it matters: It matters because DPDP compliance depends on identity, access logging, and tamper-evident audit trails, which directly affect IAM, IGA, and data governance programmes that handle Indian personal data.

By the numbers:

  • The DPDP Act 2023 compliance framework permits penalties up to 250 crores for serious violations, including unauthorized processing and failure to honor data principal rights.
  • For multinational organizations managing DPDP Act compliance alongside GDPR, DPDP Act 2023 applies to Indian citizen data globally while GDPR fines can reach 4% of global revenue.

👉 Read eMudhra’s analysis of DPDP Act 2023 compliance and identity trust controls


Context

DPDP Act compliance is fundamentally a governance problem, not just a legal checklist. Organisations processing Indian citizens’ personal data need defensible consent handling, purpose limitation, retention discipline, and records that show who approved what processing and when. That puts identity, access, and audit controls at the centre of the compliance model.

For IAM and data security teams, the key question is whether systems can prove lawful processing across the data lifecycle, including access to consent records, rights requests, and cross-border transfers. That makes the intersection with identity governance explicit: access to personal data, consent systems, and audit logs has to be controlled as tightly as the data itself.


Key questions

Q: How should organisations make DPDP consent records auditable?

A: They should bind each consent event to a verified identity, a clear purpose statement, and a tamper-evident timestamp. The record must show request, disclosure, grant, withdrawal, and revision states. If the system cannot prove integrity across those states, it is a workflow artifact, not compliance evidence.

Q: Why does DPDP compliance matter for IAM teams?

A: Because lawful processing depends on controlling who can access personal data, who can approve processing changes, and who can alter audit evidence. IAM teams influence whether consent, retention, and rights handling are enforceable or merely documented. Identity governance becomes part of privacy compliance, not a parallel activity.

Q: What breaks when data localisation is not mapped to access paths?

A: Residency policy can be violated even when storage appears compliant, because replicas, backups, processors, and support access may still move data across borders. Organisations then lose the ability to show where sensitive data actually resides and who can reach it. That creates both regulatory and operational risk.

Q: Who is accountable when DPDP obligations fail?

A: The data fiduciary remains accountable for lawful processing, security, breach handling, and rights fulfilment, even when processors or platforms perform parts of the work. That means governance must include contracts, access controls, and evidence trails. Delegation does not remove responsibility under the statute.


Technical breakdown

Consent records need cryptographic integrity, not just workflow approval

DPDP compliance depends on being able to prove that consent was requested, disclosed, granted, withdrawn, and revised without tampering. That is why timestamping, digital signatures, and immutable logging matter: they make the consent record evidentiary rather than merely operational. In practice, the control problem is not whether a form exists, but whether the record can survive audit or dispute with a clear chain of custody.

Practical implication: identity and document-signing systems should preserve tamper-evident consent evidence tied to the right data principal and processing purpose.

Significant Data Fiduciary obligations turn compliance into an operating model

The Significant Data Fiduciary model adds governance depth for organisations processing data at scale or handling sensitive categories. A DPO, DPIA, stronger security controls, and grievance mechanisms are not isolated tasks; they form a repeatable accountability structure around high-risk data processing. For IAM teams, this means access approvals, audit trails, and review cycles must support demonstrable oversight rather than informal assurance.

Practical implication: align access review, DPIA evidence, and accountable ownership so SDF obligations can be demonstrated on demand.

Data localisation changes identity and access architecture

When sensitive personal data must remain in India, localisation becomes an architecture and access control issue, not only a storage issue. Organisations need to know where data lives, which identities can reach it, and how transfers are authorised, logged, and constrained. Cross-border processing can still occur, but only with safeguards that preserve policy intent and auditability across jurisdictions.

Practical implication: map privileged access, replication paths, and transfer approvals to the data residency rule before deployment.


Threat narrative

Attacker objective: The practical objective is to exploit weak consent, access, or transfer governance so personal data can be processed, moved, or retained without defensible compliance evidence.

  1. Entry occurs when an organisation collects or processes personal data without properly bounded consent or lifecycle controls, creating a governance gap rather than an exploit chain in the classic sense.
  2. Escalation follows when access to consent records, personal data stores, or transfer mechanisms is too broad to prove lawful processing or constrain secondary use.
  3. Impact appears as regulatory exposure, failed data principal requests, unlawful cross-border transfer, or penalties after a breach or audit challenge.

NHI Mgmt Group analysis

DPDP compliance is now an identity governance problem as much as a privacy obligation. The article makes clear that lawful processing depends on being able to prove consent, purpose limitation, access control, and retention discipline. That moves IAM and audit teams into the core of privacy enforcement rather than leaving compliance to legal review. Practitioners should treat consent systems and access logs as control surfaces, not records after the fact.

Cryptographic trust is the only defensible way to make consent evidence durable. The use of PKI, digital signatures, and timestamped receipts reflects a wider shift away from process assertions and toward evidence that can withstand challenge. For identity programmes, that means the integrity of identity proofing, signature issuance, and log provenance matters as much as the workflow itself. Practitioners should design for evidentiary trust, not administrative convenience.

Data localisation exposes a hidden dependency between residency policy and privileged access design. If sensitive data must remain in India, the real risk is not only storage location but who can reach replicated, backed-up, or processed copies across environments. That creates a governance gap where access paths drift faster than policy. Practitioners should map privileged access to residency boundaries before the first transfer is approved.

DPDP’s SDF model rewards organisations that can operationalise accountability at scale. DPIAs, grievance handling, audit trails, and security controls are all pieces of one accountability chain. The lesson for enterprise identity teams is that privacy maturity now depends on whether identity, logging, and governance workflows can produce evidence quickly and consistently. Practitioners should use the SDF lens to test whether their operating model is actually auditable.

DPDP and GDPR together are pushing global programmes toward dual-track identity governance. Cross-border teams can no longer assume a single consent model, transfer model, or retention model will satisfy both regimes. That creates pressure for policy segmentation and jurisdiction-aware access design. Practitioners should expect more work in harmonising controls across privacy frameworks without flattening them into one weak standard.

What this signals

DPDP will force security and privacy teams to converge on evidence-led identity governance. Consent, access, and retention controls now need to produce audit-grade proof, not just policy statements. Organisations that treat consent as a static legal artefact will struggle to demonstrate lawful processing when regulators or customers ask for the chain of evidence.

Residency-aware identity design will become a material architecture concern. If sensitive data must remain in India, teams need controls that understand where identities can reach data, not only where the bytes are stored. That makes privileged access mapping, transfer approval, and logging part of the privacy architecture.

The practical signal for practitioners is clear: access reviews, consent workflows, and data principal request handling need to be tested together. Separate tooling may still be useful, but the governance model has to show end-to-end accountability across identity, data, and legal obligations.


For practitioners

  • Map consent records to identity controls Link every consent event to a verifiable data principal identity, purpose statement, and processing timestamp so the record can survive audit and dispute.
  • Restrict access to consent and rights systems Limit who can modify, approve, or export consent logs and data principal request records, and require privileged access review for those paths.
  • Build residency-aware access maps Track which identities can access Indian personal data, where replicas and backups exist, and which transfer mechanisms cross jurisdictional boundaries.
  • Use SDF obligations to test accountability Run DPIA, audit, and grievance workflows as a single operating model exercise so gaps in ownership, logging, or escalation are visible before enforcement.

Key takeaways

  • DPDP compliance is not only about privacy notices, it is about proving identity-bound control over data processing.
  • The most defensible programmes will combine consent integrity, access logging, and residency-aware governance rather than treating them as separate tasks.
  • Organisations that cannot evidence lawful processing will carry both regulatory exposure and operational uncertainty across their identity and data estates.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63CIdentity proofing and federation matter where consent and data principal identity must be verified.
NIST CSF 2.0PR.AC-1DPDP compliance depends on controlling access to personal data and supporting records.
NIST SP 800-53 Rev 5AU-2Audit trails are central to demonstrating lawful processing and accountability.
GDPRArt.32The article explicitly compares DPDP with GDPR on security and transfer obligations.
ISO/IEC 27001:2022A.5.15Access control is needed to protect consent systems, data repositories, and audit evidence.

Map data access and consent workflows to access-control policy and review entitlement exposure regularly.


Key terms

  • Data Fiduciary: The organisation or person that decides why and how personal data is processed under the DPDPA. The concept is central because it carries accountability for lawful purpose, consent, rights handling, security safeguards, and downstream governance across processors and partners.
  • Significant Data Fiduciary: A data fiduciary designated for enhanced obligations because of the volume or sensitivity of data it processes. The label matters because it brings stronger governance expectations, including formal accountability structures and potential future requirements tied to risk and scale.
  • Purpose limitation: The rule that data should be used only for the specific business purpose allowed by policy and context. In AI environments, this means a dataset may be technically accessible but still inappropriate for a given model, assistant, or agent if the use case exceeds the approved scope.
  • Consent audit trail: A record that shows who consented, what they accepted, when they made that choice, what language they saw, and whether they later withdrew permission. It turns a privacy claim into evidence that can survive audits, disputes, and regulatory review.

What's in the full article

eMudhra's full article covers the operational detail this post intentionally leaves for the source:

  • How eMudhra positions emCA, emSigner, and SecurePass within a DPDP compliance workflow
  • Specific consent and audit record features described as legally defensible under the statute
  • The article’s comparison points between DPDP Act 2023 and GDPR for multinational programmes
  • The penalties and enforcement framing used to justify compliance prioritisation

👉 The full eMudhra article covers consent management, SDF duties, localisation rules, and digital trust workflows in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management for practitioners building evidence-driven controls. It helps identity and security teams connect operational governance to the broader security programme they support.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org