A mid-sized professional services firm in India had been told, like most businesses, that it needed to do something about the DPDP Act. The brief that reached the technology team was the usual one: read the law, file it, tick a box. The reality was that the firm had quietly accumulated personal data for years, across a CRM, a few spreadsheets, an email marketing tool and three vendors nobody could fully name, and had no single picture of where any of it lived.

The pain was ordinary, not dramatic. Nobody had been breached. But if a customer had asked the firm to delete their data, or a regulator had asked what it held and why, there was no honest way to answer quickly. We treated this as a systems exercise wearing a legal label, because that is mostly what it is.

The challenges we had to solve

  • There was no data map. You cannot minimise, secure or erase what you have never inventoried, and the firm had never inventoried it.
  • Consent was a single tick box that meant nothing specific. The Act expects consent that is itemised, tied to a notice, and as easy to withdraw as to give.
  • Data was kept indefinitely because deleting it had never been anyone’s job. There were no retention rules and no erasure path.
  • Breach notification under the Act runs on a tight clock from the moment of awareness, and the firm had no detection, no escalation path and no one clearly accountable.

How we approached it

We began with the unglamorous groundwork: a data map across applications, databases, logs, backups, spreadsheets and third-party tools, so that for the first time the firm could say what personal data it held and why. That alone retired several fields it had been collecting out of habit and never used. We then rebuilt consent as a real record, with purpose, timestamp and version, and made withdrawal a first-class action rather than a support ticket. Retention schedules followed, with automated deletion that notifies before it erases rather than purging silently.

On the security side we kept it proportionate to a firm of this size: least-privilege access, encryption for the data that warranted it, logging that could actually detect unauthorised access, and a breach workflow rehearsed in advance, so that meeting the report clock is a practised routine for the team rather than a scramble. We helped them think through whether a Data Protection Officer made sense for them and tightened the vendor contracts, because accountability for a processor’s handling stays with the firm regardless of what any contract says. None of this was a certificate; the obligation is theirs to meet, and our part was making it something their systems can do rather than a promise on paper.

Where it stands

The firm can now say what personal data it holds, on what basis, and for how long, and it can act on a deletion request without a hunt. A breach would still be a bad day, but a contained and reportable one rather than an improvised one. They used the runway before enforcement to do the real work, which is exactly the point of having the runway.

Talk to us about your project.

A short conversation is usually enough to tell whether we are the right fit for the work. We will be straight with you either way.