TL;DR: India’s DPDPA shifts privacy from policy intent to demonstrable safeguards, with Proofpoint citing 99% of Indian CISOs reporting sensitive data loss, 90% expecting a material cyberattack, and 85% of organisations experiencing data loss in the past year. The real test is whether organisations can govern personal data across email, cloud, endpoints, collaboration tools, and AI workflows, not just where data is stored.
At a glance
What this is: This is a privacy and data security analysis of India’s DPDPA, arguing that compliance now depends on visibility into how personal data moves through daily work and AI tools.
Why it matters: It matters because IAM, data security, and governance teams need controls that can prove handling, access, retention, and response across human behaviour and AI-assisted workflows.
By the numbers:
- 99% of CISOs in India reported sensitive data loss in the past year.
- 90% expect a material cyberattack in the next 12 months.
- 85% of organisations experienced data loss in the past year.
👉 Read Proofpoint's white paper on DPDPA and personal data protection
Context
DPDPA reframes personal data governance around demonstrable safeguards, not just policy statements. The operational challenge is that personal data now moves through email, collaboration suites, cloud apps, endpoints, and AI prompts, so control failure often begins in ordinary work rather than in a classic breach path.
For IAM and data governance teams, that creates a practical bridge between privacy, access control, and security operations. If a programme cannot trace where data is accessed, shared, retained, and deleted across human and AI-assisted workflows, it cannot credibly claim accountability under the new model.
This is especially relevant where AI tools can ingest customer lists, documents, or internal records during routine productivity work. The article’s starting point is typical for modern enterprises: the highest-risk exposures often come from everyday behaviour, not exotic attack techniques.
Key questions
Q: How should organisations govern personal data that moves through email, cloud apps, and AI tools?
A: They should treat personal data governance as a flow problem, not a storage problem. That means classifying data, enforcing sharing and masking rules in the tools people actually use, and logging access and movement so the organisation can prove what happened if a breach or privacy request occurs.
Q: Why do routine work actions create so much privacy risk under DPDPA?
A: Routine actions create risk because most exposure happens during normal business behaviour, such as forwarding files, oversharing links, or pasting information into AI prompts. These actions bypass the mental model of a breach, so controls must watch for ordinary misuse as well as malicious activity.
Q: What do organisations get wrong about privacy controls for generative AI?
A: They often focus on model governance while ignoring the data that users supply to the tool. If customer records, internal documents, or confidential spreadsheets can be pasted into prompts without policy enforcement, the organisation has created a new disclosure path that traditional perimeter controls will not catch.
Q: Who is accountable when personal data is exposed through a processor or third-party workflow?
A: Under the DPDPA model described here, the data fiduciary remains accountable for reasonable safeguards even when processing is performed by a processor on its behalf. That means ownership, evidence, and incident response cannot be delegated away, only operationalised through contracts and controls.
Technical breakdown
Personal data governance across work tools and AI prompts
DPDPA forces organisations to think about personal data as something that moves, not something that sits in a single repository. The relevant control problem is cross-channel governance: email forwarding, link sharing, SaaS collaboration, endpoint copy-paste, and prompt injection into generative AI tools can all create exposure. That means classification alone is insufficient unless it is tied to policy enforcement and behavioural telemetry. The security model has to connect user intent, data sensitivity, and the context in which the data appears.
Practical implication: map sensitive-data controls to the tools where people actually handle records, not just to storage systems.
Reasonable safeguards, retention, and evidentiary logging
The article ties DPDPA readiness to the ability to prove reasonable security safeguards, deletion handling, and accountability. In practice, this means retention and deletion controls, audit trails, and access evidence become part of privacy governance, not separate admin tasks. For regulated data, the issue is not only preventing exposure but showing who accessed what, when, and under what policy condition. That evidence becomes central when incidents, grievances, or regulatory review occur.
Practical implication: ensure access logs, retention settings, and deletion workflows are aligned so evidence exists before an incident forces reconstruction.
DSPM and DLP as control layers, not standalone answers
Data Security Posture Management (DSPM) discovers and classifies sensitive data, while DLP enforces policy at the point of use. The article’s key point is that neither layer is enough on its own. DSPM without enforcement finds risk but does not reduce it. DLP without visibility tends to miss the most relevant data or apply controls too broadly. When paired with behavioural context from insider risk telemetry, these controls can prioritize the few users and workflows that create most exposure.
Practical implication: use DSPM to find sensitive data, DLP to stop leakage, and behavioural signals to focus investigations where they matter most.
Threat narrative
Attacker objective: The attacker objective is to obtain or exploit personal data exposed through everyday work channels in a way that is hard for defenders to detect and prove.
- Entry occurs through routine business activity, such as misdirected email, overshared collaboration links, or a user pasting sensitive data into a GenAI prompt.
- Escalation happens when that exposure is amplified by weak visibility, broad sharing permissions, or inadequate controls over where personal data can be processed.
- Impact is personal data leakage, inability to prove reasonable safeguards, and delayed or incomplete breach response under the privacy framework.
NHI Mgmt Group analysis
DPDPA turns personal data handling into an evidence problem, not just a policy problem. Organisations are no longer judged only on whether a rule exists, but on whether controls can be demonstrated across the actual places where data moves. That changes the governance burden for security, privacy, and identity teams, because proof now matters as much as policy. Practitioners should treat evidencing as a control requirement, not a reporting afterthought.
Human and AI workflow convergence creates a new exposure surface for privacy governance. The article correctly identifies that customer lists, spreadsheets, documents, and prompts can all become leak paths. That is a meaningful shift for identity programmes because user access, collaboration rights, and AI-tool permissions now intersect in one control plane. The named concept here is workplace data leakage surface: the set of everyday work actions that can expose regulated data without a classic breach event. Practitioners should govern that surface explicitly.
DSPM without behavioural context will miss the highest-value risk zones. Discovering sensitive data is necessary, but the operational problem is deciding which users, workflows, and channels create the most real exposure. The article’s emphasis on behaviour is well founded: most organisations do not need more discovery noise, they need better prioritisation. Practitioners should connect classification to user activity so controls follow the data as it is actually used.
Identity governance is now inseparable from data protection accountability. Access, retention, deletion, and audit evidence are converging into a single compliance story. That matters because many privacy programmes still treat identity controls as upstream plumbing and data controls as downstream enforcement. DPDPA pushes those layers together. Practitioners should align IAM, DLP, and privacy operations around one accountable workflow.
AI adoption will expose weak assumptions about consent, masking, and retention. Once personal data is copied into AI tools, traditional data-at-rest controls are not enough. The governance question becomes whether the organisation can prevent unnecessary disclosure, preserve traceability, and enforce deletion where required. Practitioners should prepare for AI-assisted work to become a routine privacy control test, not an edge case.
What this signals
DPDPA readiness will increasingly be judged by whether teams can trace regulated data across collaboration tools and AI workflows, not by whether a policy exists on paper. The practical programme shift is toward evidence-backed control mapping, where access, retention, and deletion are all visible in one operating model.
Workplace data leakage surface: the risk zone is no longer a single application or repository, but the collection of routine actions that can disclose personal data. That concept should reshape how security and privacy teams prioritise telemetry, because the highest-risk path is often the least dramatic one.
For identity and data governance teams, the next maturity step is to connect policy enforcement to activity context. That means aligning classification, access decisions, and investigation workflows so that the organisation can show reasonable safeguards when regulators, auditors, or customers ask for proof.
For practitioners
- Map personal data flows across work channels Inventory where regulated personal data is handled in email, collaboration tools, endpoints, SaaS apps, and generative AI prompts. Prioritise the workflows that let data move outside expected storage locations, then attach policy and monitoring to those paths.
- Align identity controls with data handling rules Tie access permissions, sharing restrictions, and masking policies to the sensitivity of the data rather than to broad team membership. Make need-to-know controls visible in collaboration and AI workflows so users only see what their role genuinely requires.
- Treat retention and deletion as enforceable controls Define retention periods, deletion triggers, and evidence capture for personal data so privacy obligations can be demonstrated during audit or incident review. Ensure deletion requests and data subject workflows propagate to the systems where data is copied or shared.
- Prioritise behavioural signals for investigation Use insider-risk and activity telemetry to focus on the users and workflows most likely to cause accidental or malicious exposure. This reduces investigation noise and helps teams separate routine business sharing from repeatable data-loss patterns.
Key takeaways
- DPDPA raises expectations from policy alignment to provable safeguards across the places where people actually handle personal data.
- The biggest exposure paths are ordinary work actions, including sharing, forwarding, and AI prompt use, which means visibility must extend beyond storage systems.
- IAM, DLP, and privacy controls now need to operate as one accountable system if organisations want to evidence compliance and reduce data-loss risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-1 | DPDPA readiness depends on protecting data in use and in transit across work tools. |
| NIST SP 800-53 Rev 5 | AU-2 | Audit evidence and accountability are central to the article's compliance model. |
| ISO/IEC 27001:2022 | A.5.12 | Information classification is necessary to prioritise sensitive personal data under DPDPA. |
| GDPR | Art.32 | The article's safeguards and accountability themes align closely with security of processing. |
Use AU-2 to ensure access and data-handling events are logged for later proof and investigation.
Key terms
- Digital Personal Data Protection Act: India’s privacy law for digital personal data, including data collected offline and later digitised. It requires organisations to justify processing, protect data with reasonable safeguards, and support rights handling, breach notification, and accountability through operational controls rather than policy alone.
- Data Security Posture Management: Data Security Posture Management, or DSPM, is the continuous discovery and monitoring of where sensitive data lives, how it is exposed, and where policy gaps exist. Its value rises when it feeds remediation rather than generating findings alone, especially in environments where AI expands the number of data paths.
- Data Fiduciary: The organisation or person that decides why and how personal data is processed under the DPDPA. The concept is central because it carries accountability for lawful purpose, consent, rights handling, security safeguards, and downstream governance across processors and partners.
- Workplace Data Leakage Surface: The workplace data leakage surface is the collection of ordinary user actions, tools, and channels where personal data can be exposed without a classic breach. It includes email, collaboration apps, endpoints, and AI prompts, and it becomes a governance problem when controls do not follow the data.
What's in the full article
Proofpoint's full white paper covers the operational detail this post intentionally leaves for the source:
- DPDPA-oriented classification rules for personal data in common work tools and collaboration flows
- Practical guidance on how enterprise DLP and DSPM can be combined for everyday data handling
- Behavioural and insider-risk context for prioritising investigations across email, cloud, endpoints, and AI workflows
- Retention, deletion, and audit-evidence considerations for teams preparing for privacy review
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, identity lifecycle, and workload identity. It gives security and identity practitioners a practical foundation for governing access and accountability across modern systems.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org