
Regulatory · 8 min read · Critical Range Team · April 2026

The CISO's Playbook: Preparing for DPDP Act Compliance in 2026

India's Digital Personal Data Protection Act introduces sweeping obligations for every organization that processes personal data of Indian citizens. Here is what CISOs need to know, what to do now, and how cyber drills can accelerate your readiness.

India's Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent on 11 August 2023, two days after Parliament passed it, establishing the country's first comprehensive data protection framework. With the Data Protection Board of India (DPBI) now constituted and subordinate rules expected to be notified in phases throughout 2025 and 2026, the compliance clock is ticking for every organization that collects, stores, or processes personal data of Indian residents.

The stakes are significant. The DPDP Act prescribes penalties of up to Rs 250 crore (approximately USD 30 million) per instance for failing to maintain reasonable security safeguards, and up to Rs 200 crore for failing to notify a personal data breach. For CISOs, this is not just a legal compliance exercise -- it is a fundamental shift in how organizations must approach data security, incident response, and staff training.

This article breaks down the key requirements of the DPDP Act, the practical challenges organizations face, and a concrete playbook for building compliance readiness -- including the critical role of cyber drills and tabletop exercises in operationalizing data protection.

What the DPDP Act Requires: Seven Core Obligations

The DPDP Act establishes obligations for "Data Fiduciaries" (organizations that determine the purpose and means of processing personal data) and "Significant Data Fiduciaries" (fiduciaries notified as such by the central government based on the volume and sensitivity of data they process and the risk to data principals and the State). "Data Processors" act on a fiduciary's behalf, but the fiduciary remains responsible for compliance in respect of processing done by its processors (Section 8(1)). Understanding these obligations is the foundation of any compliance program.

1. Lawful Purpose and Consent Management

Personal data may be processed only for a lawful purpose, and either with the data principal's consent or for one of the "legitimate uses" listed in Section 7 (for example, data the principal volunteered for a specified purpose, employment purposes, medical emergencies, and certain State functions). Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, limited to the data necessary for the stated purpose, and as easy to withdraw as it was to give. Organizations must therefore implement consent management that captures consent per purpose, stores it with an audit trail, and honours withdrawal requests. Note that the enacted Act dropped the 2022 draft bill's "deemed consent" wording in favour of the closed list of legitimate uses, and that where a question arises whether consent was validly given, the burden of proof lies with the fiduciary (Section 6).

2. Breach Notification

Data Fiduciaries must intimate the Data Protection Board and each affected data principal of any personal data breach, in the form and manner prescribed by the rules (Section 8(6)). The Act itself sets no hour count (in contrast to CERT-In's six-hour reporting direction for cyber incidents); the draft DPDP Rules published in January 2025 require intimation to affected data principals and to the Board without delay, followed by a detailed report to the Board within 72 hours of becoming aware of the breach, or such longer period as the Board allows. The notification must describe the nature of the breach, the data affected, and the remedial actions taken. Failure to notify carries penalties of up to Rs 200 crore.

3. Data Protection Officer (DPO) Appointment

Significant Data Fiduciaries must appoint a Data Protection Officer who is based in India, represents the organization under the Act, acts as the point of contact for the grievance redressal mechanism, and is answerable to the Board of Directors or similar governing body (Section 10). They must also appoint an independent data auditor. The DPO must carry enough seniority to change organizational data practices, not merely serve as a compliance figurehead.

4. Reasonable Security Safeguards

Organizations must take "reasonable security safeguards" to prevent personal data breaches, covering data in their possession or under their control, including data processed on their behalf by Data Processors (Section 8(5)). While the Act does not prescribe specific technical controls, the expectation aligns with industry standards: encryption at rest and in transit, access controls, audit logging, vulnerability management, and incident response capabilities.

5. Data Principal Rights

Data principals have the right to access their data, request correction or erasure, nominate representatives, and file grievances. Organizations must build workflows to handle these requests within prescribed timelines, which the subordinate rules are expected to specify.

6. Cross-Border Data Transfer Restrictions

The Act empowers the central government to restrict, by notification, transfers of personal data to specific countries or territories outside India (Section 16), in effect a "negative list". Organizations must maintain visibility into where personal data flows, including third-party processors, cloud regions, and backup locations. Sectoral laws that impose stricter localisation or transfer requirements (such as those applying to banks and payment systems) continue to apply on top of the Act (Section 16(2)).

7. Data Protection Impact Assessment (DPIA)

Significant Data Fiduciaries must conduct periodic Data Protection Impact Assessments and audits. These assessments evaluate the risks of data processing activities and the effectiveness of safeguards. The results must be reported to the DPBI.

The Penalty Framework: What Is at Stake

The DPDP Act introduces a tiered penalty structure that makes non-compliance a board-level risk. Unlike the erstwhile IT Act provisions, these penalties are substantial enough to materially impact even large enterprises.

Violation                                                                     | Maximum penalty
------------------------------------------------------------------------------|----------------
Failure to take reasonable security safeguards to prevent a personal data breach | Rs 250 crore
Failure to notify the Board and affected individuals of a breach               | Rs 200 crore
Non-compliance with obligations regarding children's data                      | Rs 200 crore
Non-compliance with additional obligations of Significant Data Fiduciaries     | Rs 150 crore
General non-compliance with other provisions                                   | Rs 50 crore

Key insight: The penalty for failing to notify a breach (Rs 200 crore) is almost as high as the penalty for the breach itself (Rs 250 crore). This underscores the Act's emphasis on transparency and rapid response. The figures are ceilings: when fixing a penalty the Board must weigh, among other factors, the nature, gravity and duration of the violation and whether the organization acted to mitigate its effects (Section 33), so organizations that detect, contain, and disclose breaches quickly will fare better than those that attempt to conceal them.

Compliance Timeline: Where We Are in 2026

The DPDP Act received Presidential assent on 11 August 2023, but full enforcement depends on the notification of subordinate rules by the central government. As of early 2026, the landscape looks like this:

  • The Data Protection Board of India (DPBI) has been constituted with a chairperson and members appointed.
  • Draft rules on consent management, breach notification procedures, and DPO qualifications were released for public consultation in January 2025.
  • The government has signaled that enforcement will begin in phases, with obligations for Significant Data Fiduciaries (banks, telecom operators, e-commerce platforms, healthcare providers) activating first.
  • Industry estimates suggest full enforcement timelines of 12 to 18 months from the final notification of rules, placing peak compliance pressure in late 2026 to mid-2027.
  • The DPBI has begun accepting complaints and has issued initial guidance on consent mechanisms and breach notification format.

The phased approach gives organizations a window of opportunity -- but not a long one. CISOs who begin building compliance infrastructure now will be positioned to demonstrate readiness when enforcement begins, rather than scrambling to retrofit controls under regulatory pressure.

Why Staff Training Is the Compliance Multiplier

Technical controls -- encryption, access management, DLP -- are necessary but insufficient for DPDP compliance. The Act's requirements around breach notification, consent management, and data subject rights all depend on people knowing what to do, when to do it, and how to do it under pressure.

Consider the breach notification requirement. When a data breach is detected, the organization must:

  1. Confirm the breach scope and identify affected data principals within hours.
  2. Assess whether the breach involves personal data subject to the DPDP Act.
  3. Draft and submit a notification to the DPBI in the prescribed format.
  4. Notify affected data principals with clear, non-technical language explaining the impact and remedial measures.
  5. Preserve evidence for the Board's investigation while simultaneously containing the breach.
  6. Coordinate across legal, communications, IT, and executive leadership.

None of these steps can be improvised in the moment. They require rehearsed procedures, cross-functional coordination, and muscle memory that only comes from practice. Research from the Ponemon Institute consistently shows that organizations with a tested incident response plan save an average of Rs 18.7 crore per breach compared to those without one.

The DSCI (Data Security Council of India) reported in its 2025 Cybersecurity Landscape report that 73 percent of Indian enterprises have an incident response plan on paper, but only 29 percent have tested it with a realistic drill in the past 12 months. That gap between documentation and operational readiness is exactly where DPDP Act penalties will bite hardest.

How Cyber Drills Build DPDP Compliance Readiness

Cyber drills and exercises serve as the bridge between compliance documentation and operational reality. They transform written policies into practiced procedures, expose gaps that audits miss, and build the organizational reflexes needed for rapid breach response.

Breach Notification Drills

Simulate a data breach scenario and practice the full notification workflow: detection, scoping, DPBI notification drafting, data principal communication, and evidence preservation. Measure time-to-notification at each stage and identify bottlenecks in the process. Organizations that drill quarterly typically cut their average notification time from 72+ hours to under 12 hours.

Consent Withdrawal Exercises

Test your consent management system under load: can your team process 1,000 simultaneous withdrawal requests? Do downstream systems actually stop processing data when consent is revoked? Section 6(6) requires the fiduciary to cease processing within a reasonable time of withdrawal, and to cause its Data Processors to cease as well, so a consent platform that records the withdrawal while a downstream batch job or vendor keeps using a cached consent decision is a compliance failure, not a cosmetic one. These exercises reveal exactly those integration gaps between consent management platforms and backend data processing systems.
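The integration gap this exercise probes can be reproduced in a few lines. The following is an added illustration written for this article, not code from the Critical Range page or from any consent product: a consent ledger that keeps per-purpose state plus an append-only audit trail, beside two downstream processing gates, one that re-checks the ledger on every job and one that snapshotted the consent decision at startup. The names (ConsentLedger, LiveGate, CachedGate, the dp-NNNN principal identifiers, the "marketing" purpose) are assumptions for the example, and the batch of 1,000 withdrawals is constructed inline.

```python
"""Consent ledger with an audit trail, and a withdrawal drill against two downstream gates.

Illustrative example only; the class and identifier names are assumptions, not any vendor's API.
"""
import threading
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

GRANT, WITHDRAW = "grant", "withdraw"


@dataclass(frozen=True)
class ConsentEvent:
    ts: datetime
    principal_id: str
    purpose: str
    action: str   # GRANT or WITHDRAW
    channel: str  # where the choice was recorded, e.g. "web", "app", "drill"


class ConsentLedger:
    """Per-purpose consent state plus an append-only history (the audit trail)."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._events: List[ConsentEvent] = []
        self._active: Dict[Tuple[str, str], bool] = {}

    def _record(self, principal_id: str, purpose: str, action: str, channel: str) -> ConsentEvent:
        ev = ConsentEvent(datetime.now(timezone.utc), principal_id, purpose, action, channel)
        with self._lock:
            self._events.append(ev)                      # never rewritten, only appended
            self._active[(principal_id, purpose)] = action == GRANT
        return ev

    def grant(self, principal_id: str, purpose: str, channel: str = "web") -> ConsentEvent:
        return self._record(principal_id, purpose, GRANT, channel)

    def withdraw(self, principal_id: str, purpose: str, channel: str = "web") -> ConsentEvent:
        return self._record(principal_id, purpose, WITHDRAW, channel)

    def is_active(self, principal_id: str, purpose: str) -> bool:
        with self._lock:
            return self._active.get((principal_id, purpose), False)

    def history(self, principal_id: str) -> List[ConsentEvent]:
        with self._lock:
            return [e for e in self._events if e.principal_id == principal_id]


class ConsentWithdrawn(Exception):
    """Raised by a gate when a job would process data without active consent."""


class LiveGate:
    """Downstream processor that asks the ledger before every job (correct)."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger

    def allowed(self, principal_id: str, purpose: str) -> bool:
        return self.ledger.is_active(principal_id, purpose)


class CachedGate:
    """Downstream processor that copied consent once at startup (the integration gap)."""

    def __init__(self, ledger: ConsentLedger, principals: List[str], purpose: str) -> None:
        self._cache = {p: ledger.is_active(p, purpose) for p in principals}

    def allowed(self, principal_id: str, purpose: str) -> bool:
        return self._cache.get(principal_id, False)


def run_job(gate, principal_id: str, purpose: str, fn: Callable[[str], str]) -> str:
    """Processing step guarded by the gate; refuses rather than silently skipping."""
    if not gate.allowed(principal_id, purpose):
        raise ConsentWithdrawn(f"{principal_id}/{purpose}")
    return fn(principal_id)


def withdrawal_drill(ledger: ConsentLedger, gate, principals: List[str], purpose: str,
                     n_workers: int = 8) -> Tuple[int, int]:
    """Withdraw consent for every principal from n_workers threads at once, then try to
    process each one. Returns (blocked, leaked); leaked must be 0 for a passing drill."""
    def worker(chunk: List[str]) -> None:
        for p in chunk:
            ledger.withdraw(p, purpose, channel="drill")

    threads = [threading.Thread(target=worker, args=(principals[i::n_workers],))
               for i in range(n_workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

    blocked = leaked = 0
    for p in principals:
        try:
            run_job(gate, p, purpose, lambda pid: f"marketing email to {pid}")
            leaked += 1          # processed after withdrawal: a Section 6(6) failure
        except ConsentWithdrawn:
            blocked += 1
    return blocked, leaked


def demo(n: int = 1000) -> dict:
    """Run the drill against the cached gate, reset consent, then against the live gate."""
    ledger = ConsentLedger()
    purpose = "marketing"
    principals = [f"dp-{i:04d}" for i in range(n)]   # constructed sample identifiers
    for p in principals:
        ledger.grant(p, purpose)
    cached_result = withdrawal_drill(ledger, CachedGate(ledger, principals, purpose), principals, purpose)
    for p in principals:                                # re-grant so the second run starts clean
        ledger.grant(p, purpose, channel="drill-reset")
    live_result = withdrawal_drill(ledger, LiveGate(ledger), principals, purpose)
    return {"cached": cached_result, "live": live_result,
            "audit_events_first_principal": len(ledger.history(principals[0]))}


if __name__ == "__main__":
    print(demo())
```

The cached gate reports (blocked=0, leaked=1000): every withdrawal was recorded, yet every record was still processed, which is precisely the gap the drill is meant to surface. The live gate reports (1000, 0). The ledger's history for any principal shows four events (grant, withdraw, grant, withdraw) with channel and timestamp, which is the evidence the DPBI would expect to see. In production the "gate" is wherever your batch jobs, message consumers, and vendor integrations read consent from; the drill checks that each of them behaves like LiveGate.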

Cross-Functional Crisis Simulations

Bring legal, communications, IT security, executive leadership, and the DPO into a joint crisis simulation. Practice coordinated decision-making under time pressure. The DPDP Act makes the Data Fiduciary (the organization) liable, not individual teams -- so cross-functional coordination is essential.

Data Subject Rights Request Drills

Simulate a wave of data access, correction, and erasure requests. Measure your team's ability to locate all instances of a data principal's data across systems, verify identity, and fulfill requests within the prescribed timeline. The DPDP Act gives data principals broad rights, and the DPBI will expect organizations to demonstrate operational fulfilment.

CERT-In has conducted 122 cyber drills for 1,570 organizations across sectors over the past several years. Organizations that participated in these drills reported a 68 percent improvement in mean-time-to-detect (MTTD) and a 45 percent improvement in mean-time-to-respond (MTTR). Under the DPDP Act, where breach notification speed directly correlates to penalty exposure, these improvements translate directly into reduced regulatory risk.

The CISO's DPDP Compliance Checklist

Based on the Act's requirements, industry guidance from DSCI, and lessons from GDPR implementations globally, here is a practical checklist for CISOs preparing for DPDP compliance.

Appoint a Data Protection Officer (or designate one) and register with the DPBI when the portal opens.
Conduct a comprehensive data mapping exercise: identify all personal data flows, storage locations, processors, and cross-border transfers.
Implement a consent management platform that supports granular, revocable consent with audit trails.
Review and update your incident response plan to include DPDP-specific breach notification procedures and templates.
Establish a Data Protection Impact Assessment (DPIA) process for high-risk processing activities.
Implement technical safeguards: encryption at rest and in transit, role-based access controls, DLP, and audit logging.
Build data subject rights fulfilment workflows: access, correction, erasure, and grievance handling with SLA tracking.
Train all employees who handle personal data on DPDP obligations, consent procedures, and breach reporting.
Conduct quarterly breach notification drills with cross-functional participation.
Run an annual crisis simulation that includes DPDP-specific scenarios with the DPO, legal, and executive team.
Establish vendor management procedures to ensure data processors comply with DPDP obligations.
Create a data retention and deletion policy aligned with the Act's purpose limitation principle.
Review cross-border data transfer mechanisms and prepare for potential "negative list" restrictions.
Budget for ongoing compliance: DPO, training, tools, audits, and legal counsel.
Document everything -- the DPBI will expect evidence of proactive compliance efforts, not just post-breach remediation.

DPDP Act vs GDPR: Key Differences for Multinational Organizations

Organizations that have already implemented GDPR compliance have a head start, but should not assume one-to-one equivalence. Several important differences require attention:

  • The DPDP Act covers only digital personal data (plus non-digital data that is later digitised) and has no special-category regime for sensitive data; GDPR also covers structured manual files and imposes extra conditions on special categories. Both reach beyond their borders: the DPDP Act applies to processing outside India that is connected with offering goods or services to data principals in India (Section 3).
  • Consent under DPDP must be in clear, plain language with specific purpose disclosure -- similar to GDPR, but with stricter requirements for children's data: verifiable parental consent for all data of individuals under 18, and a ban on tracking, behavioural monitoring, and targeted advertising directed at children (GDPR's consent threshold is 16, which member states may lower to 13).
  • Cross-border transfer restrictions are government-notified (negative list) rather than adequacy-based (GDPR model), creating potential uncertainty for organizations that need to plan data flows.
  • The penalty structure has absolute caps per instance of a violation (Rs 250 crore maximum), unlike GDPR's revenue-percentage model. This is comparatively more predictable but still substantial.
  • The DPDP Act does not enumerate GDPR's Article 5 principles as a list, but purpose limitation and data minimization are embedded in the consent provisions (consent is limited to the data necessary for the specified purpose) and in the duty to erase data once its purpose is served (Section 8(7)); the subordinate rules may elaborate further.
  • The Act's closed list of "legitimate uses" (Section 7), covering cases such as voluntarily provided data, employment purposes, and medical emergencies, has no direct GDPR equivalent; the closest analogue is GDPR's legitimate-interests basis, which is open-ended and requires a balancing test the DPDP Act does not.

Conclusion: Compliance Is a Practice, Not a Project

The DPDP Act represents a watershed moment for data protection in India. With over 800 million internet users and one of the world's fastest-growing digital economies, the regulatory framework will have global implications for any organization that processes data of Indian citizens.

For CISOs, the message is clear: DPDP compliance is not a one-time project that ends with a policy document and a consent banner. It is an ongoing operational capability that must be built, tested, and refined through regular practice. The organizations that treat compliance as a continuous drill -- not a checkbox -- will be the ones that avoid the headline-making penalties and, more importantly, earn the trust of their customers and regulators.

Start with the checklist above. Appoint your DPO. Map your data. Build your notification workflows. And then drill, drill, drill -- because when a breach happens (and it will), your team's readiness will be measured in hours, not weeks. The DPBI will expect nothing less.
