Field notes from the DPDP frontline
Long-form, practitioner-grade writing on the Digital Personal Data Protection Act, 2023. No legalese. No SEO filler. Each post is cross-checked against the actual Act text and the 2025 Rules.
Featured · most recent
Why DPDP matters for you (yes, even if you think it doesn't)
The Digital Personal Data Protection Act, 2023 is not a problem for someone else's department. If your business touches Indian customer data — and almost every business does — the Act has already changed your job description, whether you've noticed or not.
Does DPDP apply to me? A 7-question self-check that actually answers it
Every founder, every counsel, every product manager I talk to asks the same first question — and most of the answers floating around the internet are wrong. Here's the practitioner's version, with the actual section numbers, in plain English.
What-if scenarios every Data Protection Officer should rehearse before they're real
The job of a DPO is 90% preparation for moments that may never come and 10% terrified scrambling through moments that arrived without warning. Here are six scenarios I rehearse with every new DPO I onboard — and why each one ends in a different kind of bad day.
The board-room case for a dedicated Data Protection Officer (and why your General Counsel is the wrong person)
Every Indian board I've sat across from in the last year has tried to solve the DPDP staffing question with a sentence: 'the General Counsel will handle it.' That sentence is going to age very badly. Here's the case for hiring an actual DPO, in language a board can act on.
What DPDP enforcement will actually look like (and what it'll do to Indian data fiduciaries)
Enforcement of the Digital Personal Data Protection Act has not started in earnest yet. When it does, three things will be true that almost nobody is preparing for. Here's the realistic playbook of how the next 24 months unfold — and what that means for your organisation.
Will DPDPA be another compliance burden, or can Indian businesses make it a culture?
The fear I hear most often from Indian executives is that DPDP is going to be one more line item on the compliance budget — something to tick off, audit through, and forget. That fear is reasonable, but it's also a choice. Here's the case for why the Indian organisations that treat DPDPA as a cultural shift will outperform the ones that treat it as a checkbox, and what that shift actually looks like in practice.
What mindset should the Data Protection Board of India build on?
The Data Protection Board is being constituted right now. The single most important decision its early leadership will make is not legal — it's a question of posture. What kind of regulator does India need? Here's the case for the mindset I think the Board should anchor on, and the failure modes I'd most like them to avoid.
Do we have the compliance and reporting framework India needs to handle DPDPA?
Indian regulators have sectoral compliance frameworks for banking, insurance, telecom, and securities. None of them were designed for DPDP. The honest question facing every Indian organisation in 2026 is: do we have a framework that fits, or are we improvising? Here's the practitioner view of where the gaps are and what to do about them.
How relevant are the DPDP Rules in the Indian context, really?
When the DPDP Rules dropped in 2025, the most common reaction in Indian compliance circles was a polite shrug followed by a quiet question: do these rules actually work for India? Let me try to answer that — honestly — with the parts that fit, the parts that don't quite fit, and the parts that the Rules will only validate after a few real enforcement actions.
Why the DPDP Act, in India, and why now? The long answer.
India waited two decades for a serious data protection law. The DPDP Act 2023 is what finally arrived, and the timing is not a coincidence. Here's the long view — what made the law finally happen, what failed before it, and why the political and economic conditions are now aligned in a way they never were before.