An enterprise’s guide to DPDP Compliance Success

January 14, 2025

Buchi Reddy B

CEO and Founder at Levo

Having spoken with 500+ security and engineering directors, I see an urgent need for compliance support.

That need was neither as urgent nor as dependent on engineering teams when I was an engineering leader at Cisco.

Pre-pandemic, compliance was not seen as a function that engineering leaders supported; instead, compliance efforts for a handful of schemes were outsourced.

Yet the post-pandemic compliance world is now more outcome-driven, demanding enterprises sustain and improve past compliance achievements like PCI DSS 2.0 while also moving forward with newer regulatory requirements across multiple jurisdictions, such as NIS2, the US National Cybersecurity Strategy, and the European Cyber Resilience Act.

One such mandate is India's Digital Personal Data Protection Act, passed by the Indian Parliament in 2023, whose core provisions define how personal data may be collected, used, and governed.

Any enterprise that processes the digital personal data of individuals in India must comply, including enterprises outside India that process such data while offering goods or services to people in India.

Failure to do so can attract penalties of up to ₹250 crore per instance of non-compliance, on top of brand erosion in one of the largest consumer markets in the world.

So, the expectation is not just to shoulder the regulatory responsibilities but also to do them cost-efficiently since current methods are known to overrun allotted budgets by 60% or more.

In this blog, I will outline the core provisions of this mandate and the cultural shifts that make capacity building smooth, jurisdiction-agnostic, effective, and ROI-positive.

Digital Personal Data Protection Act Mandates

Internet penetration in India has been on a steep rise since 2016. 

Starting from 400 million users in 2016, Internet users more than doubled to 954.40 million in March 2024. 

Such a meteoric rise in internet usage, without a matching rise in cyber-awareness, has left the data of a reported 518 million Indians (more than half of today's internet users) exposed on the dark web.

The Digital Personal Data Protection Act, passed in 2023, aims to prevent such violations of data privacy by making those who process digital personal data accountable for it.

The Act's broader provisions place a set of responsibilities on enterprises in their roles as data fiduciaries and data processors; the analyses published by Deloitte and PwC explain them in detail.

To be compliant, data fiduciaries (and the processors acting on their behalf) must also take preventive action to protect personal data with reasonable security safeguards; the draft rules name encryption, obfuscation or masking, tokenization, access control, and logging and monitoring to detect and remediate unauthorized access.

In the event of a personal data breach, the nature, extent, timing, location, and likely consequences of the breach, together with the measures taken to mitigate it, must be communicated to each affected data principal and to the Data Protection Board of India.

In addition to the above mandates, significant data fiduciaries (a category the government designates, likely to include fintech and insurance players) must undertake annual data protection impact assessments and audits.

While the draft rules are not yet final (they were published for public feedback), the Ministry of Electronics and Information Technology has urged enterprises to begin capacity building and adaptation immediately under the provisions.

While a standard two-year transition period similar to GDPR's is anticipated, many consider it inadequate for several reasons.

Adding to this grim picture is the complex nature of modern enterprise infrastructures.

All DPDP provisions and draft rules focus on protecting personal data (boundaries of which are yet to be defined) through preventive security measures or post-breach notifications.

But how can you, as a data fiduciary or processor, do either without knowing how sensitive data is created, handled, and delivered across your systems?
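To make that question concrete, here is an added example (written for this page; it is not Levo's platform code or any official tool) of what "knowing how sensitive data is handled" looks like in practice: a Python scanner that walks captured API responses, classifies each scalar as an Indian personal-data type (Aadhaar number, PAN, Indian mobile number, e-mail address) and maps every endpoint to the JSON paths carrying such data. Aadhaar candidates are validated with the Verhoeff checksum that Aadhaar numbers carry in their twelfth digit, so an unrelated 12-digit identifier is not reported as personal data. The traces, endpoint paths, field names and values are all constructed for the example.

```python
import json
import re
from collections import defaultdict

# Verhoeff check-digit tables (multiplication, permutation and inverse over the
# dihedral group D5). Aadhaar numbers carry a Verhoeff check digit in position 12.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_check_digit(base):
    """Check digit to append to a string of digits (e.g. "236" -> "3")."""
    c = 0
    for i, ch in enumerate(reversed(base)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return str(_INV[c])


def verhoeff_valid(number):
    """True if the final digit of `number` is its correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


# Pattern classifiers. The checksum step on Aadhaar candidates is what keeps an
# arbitrary 12-digit order id from being reported as personal data.
PAN_RE = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]")           # five letters, four digits, one letter
MOBILE_RE = re.compile(r"(\+91)?[6-9][0-9]{9}")         # Indian mobile, optional +91 prefix
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def classify(value):
    """Return the sensitive-data type of a JSON scalar, or None."""
    if value is None or isinstance(value, bool):
        return None
    text = str(value).strip()
    compact = re.sub(r"[ -]", "", text)  # tolerate "2345 6789 0123" style formatting
    if re.fullmatch(r"[2-9][0-9]{11}", compact) and verhoeff_valid(compact):
        return "aadhaar"
    if PAN_RE.fullmatch(text):
        return "pan"
    if MOBILE_RE.fullmatch(compact):
        return "phone_in"
    if EMAIL_RE.fullmatch(text):
        return "email"
    return None


def walk(node, path="$"):
    """Yield (json_path, scalar) for every leaf of a parsed JSON body."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from walk(child, f"{path}[{idx}]")
    else:
        yield path, node


def map_sensitive_data(traces):
    """Map 'METHOD /path' -> {json_path: data_type} for every sensitive leaf observed."""
    findings = defaultdict(dict)
    for trace in traces:
        endpoint = f"{trace['method']} {trace['path']}"
        for json_path, value in walk(json.loads(trace["response_body"])):
            kind = classify(value)
            if kind is not None:
                findings[endpoint][json_path] = kind
    return dict(findings)


# Constructed sample traces (not real traffic). The Aadhaar-shaped value is given a
# correct check digit; the order id is the same eleven digits with a wrong one.
_BASE = "23456789012"
SAMPLE_AADHAAR = _BASE + verhoeff_check_digit(_BASE)
SAMPLE_ORDER_ID = _BASE + str((int(SAMPLE_AADHAAR[-1]) + 1) % 10)

TRACES = [
    {"method": "GET", "path": "/v1/customers/42", "response_body": json.dumps({
        "id": 42, "name": "Asha Rao",
        "kyc": {"aadhaar": SAMPLE_AADHAAR, "pan": "ABCPR1234K"},
        "contact": {"mobile": "+91 98765 43210", "email": "asha@example.com"},
    })},
    {"method": "GET", "path": "/v1/orders/7", "response_body": json.dumps({
        "order_id": SAMPLE_ORDER_ID, "amount": 1999.0, "status": "SHIPPED",
    })},
]

if __name__ == "__main__":
    for endpoint, fields in map_sensitive_data(TRACES).items():
        print(endpoint)
        for json_path, kind in fields.items():
            print(f"  {json_path}: {kind}")
```

Run against the constructed traces, only `GET /v1/customers/42` is reported, with four sensitive paths; the order endpoint is clean because its 12-digit id fails the checksum. Field names are deliberately ignored: a real inventory must classify by value, since a field called `ref` can carry an Aadhaar number just as easily as one called `aadhaar`.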

Modern Enterprise Networks: Both the Problem and the Solution

Due to decentralization trends in enterprise infrastructure, questions like “Where is personal data stored?” “Who has accessed it?” and “What are we doing to protect it?” are now much more challenging to answer.

Hybrid and cloud deployments frequently replicate, cache, and store data across multi-regional nodes, making it difficult for organizations to identify where their data resides and which jurisdiction’s regulations apply.

Additionally, a microservices architecture enables efficient scaling but fragments data flows across hundreds or thousands of components. 

Tracing sensitive data manually in such environments becomes nearly impossible. 

APIs, which power most of these microservices, further complicate the situation by spanning internal, external, and third-party endpoints. 

Without proper governance, this introduces risks like inconsistent data handling, unauthorized access, and regulatory non-compliance.

However, API-first applications (currently 74% of all applications) also present an opportunity. 

APIs are the backbone of modern networks, facilitating critical data exchanges between applications, databases, and external services. 

When secured effectively, APIs sit closest to the data, making them the natural place to enforce encryption, precise access controls, and continuous compliance monitoring across applications. 

Organizations can turn APIs into a strategic asset for achieving compliance goals by adopting authentication and authorization best practices.

API Security: The Prerequisite for DPDP Compliance Success

APIs hold immense potential to advance security and compliance initiatives, particularly for mandates like the DPDP Act. However, the lack of unified development and security practices often squanders this potential. 

Several gaps in current Software Development Lifecycle (SDLC) practices hinder compliance efforts.

While rectifying such broken practices isn’t required as part of compliance adherence, it lays the foundation for an exponentially improved security and operational posture. 

This approach takes security and compliance far beyond the annual audit, embedding security into your applications so you aren’t perpetually stuck in reactive mode.

While internal capacity building through hiring and training is recommended, it is not likely compelling enough to combat the pace of API integration or a stringent compliance deadline.

Automation is a necessity, not an option: it saves quarters' worth of DevSecOps bandwidth and avoids the costly errors that manual approaches invite.

Our platform streamlines sensitive data detection and the recommended API security processes end to end:

  1. Comprehensive API Inventory: We leverage your traffic and code repositories to build the complete API inventory, including internal, external, open-source, and third-party APIs as well as zombie APIs (deprecated but still reachable) and shadow APIs (live but undocumented)—uncovering 90-250% more APIs without changing code or configuration.
  2. Automatic API Documentation: We generate thorough API documentation through OpenAPI/Swagger specifications, complete with over 12 critical parameters such as version details, changelog, and request-response bodies.
  3. Sensitive Data Mapping: Our platform automatically detects and maps all sensitive data flows through your APIs, even across third-party and partner services, ensuring no blind spots.
  4. Security Gap Identification: We identify endpoints handling sensitive data with no or weak authentication, allowing you to address vulnerabilities before they become threats to your customers and brand.
  5. Flexible Data Tracking: All sensitive data types are mapped at both the application and environment levels, with the added flexibility to define new data types directly through the UI.
  6. Trace-Linking Capability: Our trace-linking ensures that the data flows we detect are accurate and contain actual sensitive data rather than false positives. With your permission, we collect traces and surface them alongside sensitive data, providing you with unparalleled visibility and control.
  7. Pre-Production Security Testing: We run rigorous pre-production security tests to catch injection flaws (SQL, NoSQL, and others), enumeration weaknesses, and exploitable misconfigurations before they reach production.
  8. Automated Authorization Testing: Our platform automates testing of authorization scenarios, including horizontal and vertical access controls, object-level permissions, and advanced Broken Object Level Authorization (BOLA) cases, across thousands of endpoints and numerous OAuth scopes, a feat that is impractical to perform manually.
  9. Continuous Monitoring: Instead of annual audits, enjoy continuous, sensor-powered monitoring for your API traffic across all environments, automatically receiving alerts for anything that deviates from defined policies.
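Item 8 above describes testing authorization across callers, objects and privilege levels. As an added example (written for this page, not Levo's platform code), the following Python shows the shape of such a test: a policy oracle derived from ownership and roles, a deliberately vulnerable orders handler that authenticates but never authorizes, a hardened version of the same handler, and a harness that exercises every caller × method × object combination and reports each case where the handler is more permissive than the policy. Users, roles, order ownership and the handlers are constructed; roles stand in for the OAuth scopes a real API would carry, and handlers return HTTP status codes directly instead of making network calls.

```python
# Constructed fixture (not real data): callers with roles, and who owns each order.
USERS = {"alice": "customer", "bob": "customer", "carol": "support"}
ORDERS = {101: "alice", 102: "bob"}


def vulnerable_orders_api(caller, method, order_id):
    """Hypothetical handler that authenticates the caller and checks the object
    exists, but never asks whether THIS caller may act on THIS order. That is a
    BOLA on GET (horizontal: any customer reads any order) and a missing role
    check on DELETE (vertical: any customer does what only support should)."""
    if caller not in USERS:
        return 401
    if order_id not in ORDERS:
        return 404
    return 200


def hardened_orders_api(caller, method, order_id):
    """Same endpoint with object-level and role checks in place."""
    if caller not in USERS:
        return 401
    owner = ORDERS.get(order_id)
    if owner is None:
        return 404
    role = USERS[caller]
    if method == "GET" and (owner == caller or role == "support"):
        return 200
    if method == "DELETE" and role == "support":
        return 200
    return 403


def expected_status(caller, method, order_id):
    """Authorization oracle written from the policy, independently of any handler:
    owners may read their own orders; support may read and delete any order."""
    if caller not in USERS:
        return 401
    if order_id not in ORDERS:
        return 404
    role = USERS[caller]
    allowed = {
        "GET": ORDERS[order_id] == caller or role == "support",
        "DELETE": role == "support",
    }[method]
    return 200 if allowed else 403


def find_authz_gaps(handler, methods=("GET", "DELETE")):
    """Exercise every (caller, method, object) combination, including an
    unauthenticated caller and a non-existent object, and return the cases where
    the handler grants access the oracle would deny. Each gap is
    (caller, method, order_id, expected_status, actual_status)."""
    gaps = []
    for caller in list(USERS) + ["anonymous"]:
        for method in methods:
            for order_id in list(ORDERS) + [999]:
                got = handler(caller, method, order_id)
                want = expected_status(caller, method, order_id)
                if got == 200 and want != 200:
                    gaps.append((caller, method, order_id, want, got))
    return gaps


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_orders_api),
                          ("hardened", hardened_orders_api)):
        gaps = find_authz_gaps(handler)
        print(f"{name}: {len(gaps)} authorization gap(s)")
        for caller, method, order_id, want, got in gaps:
            print(f"  {caller} {method} /orders/{order_id}: expected {want}, got {got}")
```

The vulnerable handler yields six gaps (each customer reading the other's order, and each customer deleting either order); the hardened one yields none. The point of the structure is that the oracle is written from the policy, not copied from the handler, so the two can disagree. Scaling the same loop to thousands of endpoints and many scopes is a matter of generating the caller and object sets from the API inventory rather than a hand-written fixture.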

Book a demo to see this in action!
