If you are a CISO in India right now, the DPDPA has changed your job description. You may not have noticed yet. Your board may not have told you. But the Act has expanded the CISO's accountability from protecting systems to protecting rights. And those are architecturally different mandates.
Security protects infrastructure from threats. DPDPA demands protection of personal data from misuse — including misuse by your own organisation. The firewall that stops external attackers does nothing against internal purpose limitation violations. The encryption that protects data in transit does nothing against a consent architecture that never obtained valid consent in the first place.
Day 1 to 30: Assess and Understand
Week 1 — Read the law. Not a summary. Not a consultant's slide deck. Read the DPDPA — all 44 sections. Read the DPDP Rules 2025 — all 22 rules. As a CISO, you need to understand Section 8(5) on security safeguards, Section 8(6) on breach notification, Section 12 on the Board's inquiry process, and Section 10 on Significant Data Fiduciary obligations. These sections define your accountability perimeter.
Week 2 — Map personal data against your security architecture. You already have an asset inventory. Now overlay it with a personal data inventory. For every system in your estate: does it process personal data? What categories? What volumes? What security controls protect it? The gap between your security asset inventory and your personal data inventory is your DPDPA exposure surface.
Week 3 — Audit access controls for purpose limitation. Section 5 requires processing only for the specified purpose. Your current access control model probably grants access based on role, not purpose. A marketing analyst with database access can query customer data for any purpose — the access control does not distinguish between authorised analytics and unauthorised profiling. DPDPA requires purpose-aware access controls. Audit the gap.
Week 4 — Assess breach detection and response capability against DPDPA timelines. Your existing incident response plan was built for security breaches. DPDPA defines "personal data breach" differently — it includes any unauthorised processing, not just unauthorised access. Review your detection capabilities: can you detect unauthorised processing (not just unauthorised access)? Can you assess impact within hours, not days? Can you notify both the Board and affected Data Principals within the "without delay" timeframe? Most CISOs discover their incident response plans need fundamental restructuring.
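The Week 3 and Week 4 points above share one root cause: a role-based control answers "may this role reach this dataset?" and nothing else. The following is an added example, not code from the article or any product, showing what a purpose-aware decision looks like and how it separates unauthorised access (no role grant) from unauthorised processing (a granted role, a purpose the data was never collected for). The roles, datasets, permitted purposes and access events are constructed for illustration.

```python
"""Purpose-aware access decisions: separating unauthorised access from
unauthorised processing.

Added example for this article, not code from the article or any product.
The roles, datasets, permitted purposes and access events below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Role-based grants, the model most estates already run: a role either
# reaches a dataset or it does not. (Constructed values.)
ROLE_GRANTS: Dict[str, FrozenSet[str]] = {
    "marketing_analyst": frozenset({"customer_db"}),
    "support_agent": frozenset({"customer_db", "ticket_db"}),
}

# Purpose register: per dataset, the purposes the Data Principal was notified
# of and consented to. This is the extra dimension Section 5 requires the
# access decision to consult. (Constructed values.)
PERMITTED_PURPOSES: Dict[str, FrozenSet[str]] = {
    "customer_db": frozenset({"order_fulfilment", "campaign_analytics"}),
    "ticket_db": frozenset({"customer_support"}),
}


@dataclass(frozen=True)
class AccessEvent:
    actor: str
    role: str
    dataset: str
    purpose: str  # purpose the caller declares at access time


def classify(event: AccessEvent) -> str:
    """Classify an access event as one of three outcomes.

    'unauthorised_access'     - the role has no grant on the dataset; a
                                role-based control already catches this.
    'unauthorised_processing' - the role is granted access, but the declared
                                purpose is not one the data was collected
                                for; invisible to a role-only control.
    'permitted'               - both the grant and the purpose check pass.
    """
    if event.dataset not in ROLE_GRANTS.get(event.role, frozenset()):
        return "unauthorised_access"
    if event.purpose not in PERMITTED_PURPOSES.get(event.dataset, frozenset()):
        return "unauthorised_processing"
    return "permitted"


def authorize(event: AccessEvent) -> bool:
    """Enforcement point: allow only when classify() says 'permitted'."""
    return classify(event) == "permitted"


def summarise(events: List[AccessEvent]) -> Dict[str, int]:
    """Detection view: count outcomes over a batch of events, so the
    unauthorised_processing figure can be tracked as a metric."""
    counts = {"permitted": 0, "unauthorised_access": 0,
              "unauthorised_processing": 0}
    for event in events:
        counts[classify(event)] += 1
    return counts


# Constructed sample events: the same analyst, same database, two purposes.
SAMPLE_EVENTS: List[AccessEvent] = [
    AccessEvent("a.kumar", "marketing_analyst", "customer_db", "campaign_analytics"),
    AccessEvent("a.kumar", "marketing_analyst", "customer_db", "behavioural_profiling"),
    AccessEvent("a.kumar", "marketing_analyst", "ticket_db", "campaign_analytics"),
    AccessEvent("r.shah", "support_agent", "ticket_db", "customer_support"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e.actor:<10} {e.dataset:<12} {e.purpose:<22} -> {classify(e)}")
    print(summarise(SAMPLE_EVENTS))
```

The second sample event is the one the article is worried about: the analyst is fully authorised under the role model, so no existing alert fires, yet the declared purpose falls outside what the data was collected for. Requiring the caller to declare a purpose is the design choice that makes the event classifiable at all; without that field the unauthorised_processing bucket cannot exist.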
Day 30 to 60: Design and Prioritise
Build the CISO's DPDPA control matrix. Map every DPDPA obligation that touches security to a specific control. Section 8(5) reasonable security safeguards — map to your encryption, access control, logging, and monitoring controls. Section 8(6) breach notification — map to your detection, assessment, and communication capabilities. Section 10 SDF obligations — map to your DPIA capability and audit readiness. The control matrix becomes your investment roadmap.
Redesign breach response for dual notification. DPDPA requires notification to both the Data Protection Board and affected Data Principals. Most incident response plans notify CERT-In (under the 6-hour directive) but have no workflow for Data Principal notification. Design the dual-track notification workflow. Define escalation paths. Pre-draft notification templates. Assign accountability. Test the workflow before you need it.
Engage with the DPO. If your organisation has appointed a DPO under Section 10, the CISO-DPO relationship is the most critical governance nexus in your compliance architecture. The CISO provides the security infrastructure. The DPO provides the compliance direction. If these two functions operate in silos, gaps will emerge at the intersection — and the Board will find them.
Day 60 to 90: Implement and Report
Implement enhanced logging for personal data processing. Standard security logs capture who accessed what system. DPDPA-ready logs must capture who processed what personal data, for what purpose, under what lawful basis, and with what outcome. This is a fundamental upgrade from security logging to privacy logging. It is also the evidence that will defend your organisation in Board proceedings.
Present the DPDPA security posture to the Board. Within 90 days, the CISO should present to the Board: the current state of DPDPA-relevant security controls, the gaps identified, the remediation roadmap with timelines and investment requirements, and the residual risk profile. This presentation creates a governance record that demonstrates the organisation took DPDPA seriously from a specific date. That record matters in enforcement proceedings.
Establish continuous compliance monitoring. Deploy monitoring for consent validity across processing activities, purpose limitation violations in data access patterns, vendor compliance with DPA obligations, and breach detection metrics against DPDPA notification timelines. The CISO who monitors annually fails between monitoring cycles. The CISO who monitors continuously builds evidence of ongoing compliance.
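The privacy-logging upgrade described under Day 60 to 90 and the continuous monitoring built on top of it can be sketched in a few dozen lines. What follows is an added example, not the article's own or any vendor's code. It shows a log record that answers who processed what personal data, for what purpose, under what lawful basis and with what outcome; a check of each record against a consent register for validity, withdrawal and purpose; the aggregate counters a continuous monitor would track; and a breach-notification lag metric for the Board and Data Principal tracks. The field names, the consent register, the notification target in hours and every sample value are constructed assumptions; the Act's "without delay" is not translated into a number here.

```python
"""Privacy-grade processing log plus continuous compliance checks.

Added example for this article, not the article's own or any vendor's code.
The log field names, the consent register, the notification target and every
sample value are constructed assumptions.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Consent register keyed by consent id (constructed; in practice this is fed
# by the consent manager): purposes consented to, validity, withdrawal flag.
CONSENTS: Dict[str, dict] = {
    "c-1001": {"purposes": {"order_fulfilment"},
               "valid_until": "2026-12-31T00:00:00Z", "withdrawn": False},
    "c-1002": {"purposes": {"campaign_analytics"},
               "valid_until": "2025-01-31T00:00:00Z", "withdrawn": False},
    "c-1003": {"purposes": {"customer_support"},
               "valid_until": "2026-12-31T00:00:00Z", "withdrawn": True},
}

# Every record must say who processed what personal data, for what purpose,
# under what lawful basis, and with what outcome.
REQUIRED_FIELDS = ("ts", "actor", "data_category", "subject_ref",
                   "purpose", "lawful_basis", "outcome")

# Constructed sample log, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2025-03-02T09:15:00Z", "actor": "svc-orders", "data_category": "contact", "subject_ref": "dp-77", "purpose": "order_fulfilment", "lawful_basis": "consent", "consent_id": "c-1001", "outcome": "read"}
{"ts": "2025-03-02T09:20:00Z", "actor": "a.kumar", "data_category": "purchase_history", "subject_ref": "dp-77", "purpose": "campaign_analytics", "lawful_basis": "consent", "consent_id": "c-1002", "outcome": "export"}
{"ts": "2025-03-02T09:25:00Z", "actor": "r.shah", "data_category": "contact", "subject_ref": "dp-91", "purpose": "customer_support", "lawful_basis": "consent", "consent_id": "c-1003", "outcome": "read"}
{"ts": "2025-03-02T09:30:00Z", "actor": "svc-orders", "data_category": "contact", "subject_ref": "dp-77", "purpose": "behavioural_profiling", "lawful_basis": "consent", "consent_id": "c-1001", "outcome": "read"}
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines records and reject any that lack a required field:
    a log that cannot answer 'for what purpose' is not evidence."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"record missing fields {missing}: {line}")
        records.append(rec)
    return records


def check_record(rec: dict) -> List[str]:
    """Return the compliance findings for one record (empty list = clean)."""
    findings = []
    if rec["lawful_basis"] == "consent":
        consent = CONSENTS.get(rec.get("consent_id", ""))
        if consent is None:
            return ["no_consent_record"]
        if consent["withdrawn"]:
            findings.append("consent_withdrawn")
        if parse_ts(rec["ts"]) > parse_ts(consent["valid_until"]):
            findings.append("consent_expired")
        if rec["purpose"] not in consent["purposes"]:
            findings.append("purpose_outside_consent")
    return findings


def monitor(records: List[dict]) -> dict:
    """Aggregate findings into the counters a continuous dashboard tracks."""
    summary = {"records": len(records), "compliant": 0, "findings": {}}
    for rec in records:
        findings = check_record(rec)
        if not findings:
            summary["compliant"] += 1
        for f in findings:
            summary["findings"][f] = summary["findings"].get(f, 0) + 1
    return summary


def notification_lag(detected: str, board_notified: str,
                     principals_notified: str, target_hours: float) -> dict:
    """Breach-response metric: hours from detection to each notification,
    checked against a target the organisation sets for itself.
    target_hours is a constructed assumption, not a figure from the Act."""
    t0 = parse_ts(detected)
    board_h = (parse_ts(board_notified) - t0).total_seconds() / 3600
    principals_h = (parse_ts(principals_notified) - t0).total_seconds() / 3600
    return {"board_hours": board_h, "principals_hours": principals_h,
            "board_within_target": board_h <= target_hours,
            "principals_within_target": principals_h <= target_hours}


if __name__ == "__main__":
    print(json.dumps(monitor(parse_log(SAMPLE_LOG)), indent=2))
    print(notification_lag("2025-03-02T10:00:00Z", "2025-03-03T09:00:00Z",
                           "2025-03-04T10:00:00Z", target_hours=24))
```

Three of the four constructed records would pass an ordinary security log review, since every actor was entitled to reach the system. They fail here because the record carries the consent id and purpose, so expiry, withdrawal and purpose drift can be checked against the consent register on every run rather than once a year. The notification metric is the second half of the same idea: lag is only measurable if detection time and both notification times are recorded as events.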
"The CISO who treats DPDPA as a legal problem will lose the argument. DPDPA is a security architecture problem with legal consequences. That distinction changes every investment decision."
— Anandaday Misshra
Do this now
Open your incident response plan. Search for the words "Data Protection Board" and "Data Principal notification." If neither appears, your plan was not built for DPDPA. That is your Day 1 action. Everything else follows from there.
