By NHI Mgmt Group Editorial TeamPublished 2026-06-25Domain: Cyber SecuritySource: OneTrust

TL;DR: India’s Digital Personal Data Protection Act sets a consent-centric privacy model with new obligations for data fiduciaries, rights handling, security safeguards, and breach notification, while also giving the Central Government wide rulemaking authority, according to OneTrust. The compliance challenge is operational, not just legal: organisations must connect data discovery, consent records, rights workflows, and cross-border controls into one governable programme.


At a glance

What this is: India’s DPDPA creates a consent-led privacy regime with rights, governance, security, and transfer requirements that organizations must operationalize across systems and processes.

Why it matters: It matters to IAM, privacy, and governance teams because consent records, identity-linked rights workflows, and access to personal data now have to be auditable, consistent, and responsive across the full data lifecycle.

By the numbers:

👉 Read OneTrust's India DPDPA compliance guide for governance and operational details


Context

India’s Digital Personal Data Protection Act is a privacy governance law first and an implementation problem second. It governs digital personal data processing in India and for organisations offering goods or services to individuals in India, which means compliance depends on how consent, identity-linked requests, retention, and security controls work together in practice.

For security and identity teams, the real challenge is not memorising legal language but making data handling measurable across systems. Consent withdrawal, correction, erasure, and grievance workflows all depend on knowing where data sits, who can touch it, and how third parties or AI systems reuse it. That makes the DPDPA relevant to privacy operations, IAM, and broader governance programmes, especially where personal data moves across platforms and jurisdictions.


Key questions

Q: How should organisations operationalise consent management under the DPDPA?

A: Treat consent as a lifecycle control, not a one-time capture event. Organisations should track the purpose, timestamp, language, withdrawal state, and downstream systems tied to each consent record so changes propagate consistently. If the consent record cannot drive enforcement, the programme has documentation, not control.

Q: Why do data principal rights create governance challenges for privacy teams?

A: Rights requests require the organisation to locate, verify, and act on the correct data across multiple systems and processors. Without strong identity matching, data inventories, and workflow orchestration, access, correction, and erasure requests become incomplete or overbroad. The result is both compliance risk and operational noise.

Q: What do organisations get wrong about privacy compliance in AI systems?

A: They often assume AI governance is separate from privacy governance. In practice, AI models inherit obligations through the personal data they consume, the notices attached to that data, and the retention rules that govern reuse. If privacy controls are missing, AI controls will be incomplete.

Q: Who is accountable when personal data transfers or breach handling fail under the DPDPA?

A: Accountability sits with the data fiduciary, especially where processing decisions, transfer governance, or notification duties are not enforced consistently. Organisations also need clear ownership across privacy, security, legal, and third-party management because the law ties governance failures to regulatory penalties and remediation obligations.


Technical breakdown

Consent management as a governable control plane

The DPDPA makes consent more than a checkbox by requiring it to be valid, revocable, and tied to clear purposes. That turns consent into a governance control plane spanning capture, storage, evidence, withdrawal, and exception handling. Organisations need records that prove what was consented to, when it changed, and which downstream processes still rely on it. This is operationally similar to access governance: if the record is inconsistent, stale, or fragmented, enforcement fails even when policy exists.

Practical implication: map consent state to every system that consumes personal data so withdrawals and purpose changes propagate reliably.

Data principal rights and identity-linked fulfillment workflows

Rights requests under the DPDPA depend on accurate identity binding. Access, correction, erasure, and grievance handling all require organisations to locate the right person’s data, distinguish it from other records, and coordinate action across storage, analytics, and third parties. In practice, this is a workflow and assurance problem, not just a legal intake problem. If identity resolution is weak, rights fulfillment becomes incomplete or overbroad, which creates both compliance and security risk.

Practical implication: build identity-verification and record-matching checks into rights workflows before automation scales.

Privacy governance for AI and cross-border data flows

The DPDPA does not create an AI-specific law, but it still constrains AI systems because those systems often process personal data. That means data quality, notice, security, and lawful purpose still govern model inputs and downstream use. The same applies to international transfers, where policy changes and government restrictions can alter where personal data may move. For governance teams, the key issue is lifecycle control across collection, processing, sharing, and retention, especially when AI or external processors are involved.

Practical implication: treat AI pipelines and transfer maps as part of the privacy control environment, not as separate technical exceptions.


Threat narrative

Attacker objective: The objective is to continue processing personal data outside the organisation’s lawful, auditable control boundary.

  1. Entry occurs through collection or reuse of personal data without clean consent records or purpose boundaries, creating an enforcement gap rather than a technical exploit.
  2. Escalation follows when rights requests or consent withdrawals cannot be propagated across systems, processors, or AI workflows in a timely way.
  3. Impact arrives as unlawful processing, incomplete erasure, or breach notification failure, which exposes the organisation to regulatory action and trust loss.

NHI Mgmt Group analysis

Consent is becoming an access-control problem in privacy programmes. The DPDPA pushes consent from a legal record into an operational dependency that must be enforced across workflows, processors, and downstream systems. When consent state is inconsistent, the organisation can still technically process data while losing legal authority to do so. Practitioners should treat consent governance as part of broader access governance, not as a standalone privacy register.

Identity resolution is now central to rights fulfilment. Access, correction, and erasure requests only work when the organisation can reliably bind a data principal to every relevant record and processor. That makes identity proofing, record matching, and workflow integrity part of compliance evidence. For privacy teams, weak identity assurance turns a rights process into an exposure channel rather than a control.

Cross-border transfer controls will sit inside broader data governance, not outside it. The DPDPA’s restriction-based transfer model means organisations need live visibility into where data moves and which destinations may later become restricted. That resembles the governance burden seen in other data residency regimes: policy alone is not enough if data flows are not continuously mapped. Practitioners should expect transfer governance to become a recurring operational review item, not a one-time legal assessment.

AI governance debt: personal data rules will shape model behaviour even without an AI-specific statute. The DPDPA regulates the data that AI systems consume, which means model programmes inherit privacy obligations whether or not they are explicitly labelled AI governance. Organisations that separate privacy and AI oversight will miss the point where data quality, lawful purpose, and retention decisions actually influence model risk. The practical conclusion is that privacy controls must be designed into AI operating models from the start.

What this signals

Consent drift will become the privacy equivalent of privilege creep. Once consent, purpose, and withdrawal states are spread across portals, processors, and AI workflows, the gap between what is permitted and what is actually executed widens quickly. That is why control evidence, not policy language, will decide whether privacy programmes can withstand audit and enforcement pressure.

DPDPA programmes will increasingly depend on identity assurance. If an organisation cannot reliably bind a rights request to the right person and the right record set, automation will amplify error rather than reduce it. Privacy teams should therefore define strong verification steps, while IAM teams should ensure those checks are consistent with broader access governance and data handling controls.

Cross-border and AI data use should be managed as live governance relationships, not static legal exceptions. The organisations that perform best will be the ones that keep transfer maps, retention schedules, and personal-data usage aligned to operational reality, then review them when rules or data flows change. That is where privacy operations and security governance increasingly converge.


For practitioners

  • Map consent to processing states Link every consent record to the specific systems, purposes, and downstream processors that rely on it so withdrawal can be enforced without manual reconciliation. Use the consent record as a live control, not as a static archive.
  • Build identity checks into rights workflows Add verification and record-matching steps before fulfilling access, correction, or erasure requests so the request is tied to the correct individual and complete data set.
  • Inventory transfer dependencies now Maintain a current map of personal data destinations, subprocessors, and cross-border routes so future government restrictions can be assessed quickly and consistently.
  • Align AI data use with privacy controls Review training, inference, and analytics pipelines to confirm personal data use is covered by notice, purpose, retention, and security controls already operating in the privacy programme.

Key takeaways

  • The DPDPA turns consent, rights handling, and data transfers into operational controls, not just legal obligations.
  • Identity assurance matters because rights fulfillment and compliance evidence depend on matching the right person to the right records.
  • Organisations that connect privacy, IAM, and AI data governance will be better positioned to absorb future DPDPA rule changes and enforcement pressure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
GDPRArt.32The article compares DPDPA security and accountability obligations with GDPR-style privacy controls.
NIST CSF 2.0PR.AC-4Rights fulfillment and consent enforcement depend on controlled access to personal data.
NIST SP 800-53 Rev 5AC-6Least privilege limits who can process or expose personal data in DPDPA workflows.
ISO/IEC 27001:2022A.5.34The DPDPA's security and privacy obligations align with protection of PII in information security processes.
NIST AI RMFGOVERNThe article links AI data use to privacy governance and accountability controls.

Align privacy handling and safeguards with A.5.34 when personal data is stored or processed in security tooling.


Key terms

  • Data Fiduciary: The organisation or person that decides why and how personal data is processed under the DPDPA. The concept is central because it carries accountability for lawful purpose, consent, rights handling, security safeguards, and downstream governance across processors and partners.
  • Consent Manager: A registered intermediary that helps data principals give, manage, review, and withdraw consent through an interoperable platform. It introduces a new governance layer between the individual and the organisation, which means consent records must stay accurate and machine-readable across systems.
  • Data Principal: The individual to whom personal data relates under the DPDPA. The term matters because rights, notices, and consent mechanics all revolve around this person, and operational controls must reliably identify the right individual before any data action is taken.
  • Significant Data Fiduciary: A data fiduciary designated for enhanced obligations because of the volume or sensitivity of data it processes. The label matters because it brings stronger governance expectations, including formal accountability structures and potential future requirements tied to risk and scale.

What's in the full article

OneTrust's full blog covers the operational detail this post intentionally leaves for the source:

  • How the DPDPA's consent and notice requirements map to real implementation workflows across portals, records, and downstream systems.
  • The article's breakdown of rights handling for access, correction, erasure, and grievance redressal, including the practical process considerations.
  • Its explanation of significant data fiduciary obligations and how future rules may change governance expectations over time.
  • The discussion of international transfer restrictions and how organisations should monitor future government notifications.

👉 OneTrust's full post covers the consent workflow, rights handling, transfer model, and enforcement context in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, workload identity, and the operational controls that support identity-driven security programmes. It is designed for practitioners who need a structured way to connect identity governance with the wider security and compliance landscape.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org