How does the DPDPA 2025 influence cross-border data transfer practices for Indian companies?


In an era where digital business knows no borders, the question of where your data goes is more important than ever. For decades, companies in India have freely stored, processed, and transferred personal data to servers around the world — from Singapore and Ireland to massive cloud regions in the US.

However, the introduction of the Digital Personal Data Protection Act (DPDPA) 2025 marks a decisive shift in how India manages cross-border data flows. It reshapes the rules for companies that move personal data beyond India’s borders, balancing economic openness with citizens’ privacy and national security.

As a cybersecurity expert, I’ll break down exactly how the DPDPA 2025 changes the rules for cross-border data transfers, what businesses must do to comply, and how this impacts ordinary citizens who may never even realize their data is crossing oceans.


Why Cross-Border Data Transfer Matters

Most of us don’t think about it — but when you book a hotel online, use a social media app, or store files in the cloud, your personal data may zip through servers in multiple countries.

Companies do this because:
✅ Global data centers help deliver services faster.
✅ Outsourcing processing can cut costs.
✅ Multinational businesses need to share information across regions.

But uncontrolled transfers raise big privacy and security concerns. Once your data leaves India, it may be stored under foreign laws that don’t guarantee the same level of protection. It may also be harder for Indian regulators to act against privacy violations abroad.


How DPDPA 2025 Addresses This

The DPDPA 2025 doesn’t outright ban cross-border transfers, but it adds clear conditions and government oversight to protect citizens’ data.


Key Provisions

1️⃣ Approved Countries List

The Act allows the Central Government to notify a list of countries where personal data can be transferred by default — if those countries have strong privacy protections.

If a country is not on this whitelist, companies can’t send data there without specific permissions.

Example:
Your fintech app wants to process transactions using a server in Country X. If Country X isn’t approved, the company must ensure additional safeguards or store the data in India.


2️⃣ Purpose Limitation

Organizations must prove the transfer is necessary for a legitimate purpose — like providing a service you signed up for, or fulfilling a contract. Transferring data for vague reasons or hidden monetization won’t fly.


3️⃣ Equivalent Protection

The foreign recipient must guarantee the same level of protection that the data would have inside India. This means:
✅ Adequate security safeguards.
✅ Consent-based processing.
✅ No misuse or unauthorized sharing.


4️⃣ Data Principal Rights Travel with the Data

Even when data crosses borders, your rights as a Data Principal remain intact. If you request correction, deletion, or withdrawal of consent, the company and its foreign partners must comply.


Example: Cloud Storage for an E-Commerce Site

A growing Indian e-commerce platform uses cloud servers in Singapore to store customer purchase histories and payment data.

Under DPDPA:
✅ The company must check if Singapore is on the approved list.
✅ It must ensure the cloud provider implements robust security.
✅ The company must inform customers that their data will be stored abroad.
✅ If a customer wants their data deleted, the cloud provider must comply too.


Data Localization vs. Cross-Border Transfers

Unlike earlier draft laws that leaned heavily toward strict data localization (forcing companies to store all personal data in India), the DPDPA 2025 takes a balanced approach.

It recognizes that some cross-border flow is essential for global trade and innovation. But it demands safeguards to prevent misuse, unauthorized surveillance, or poor privacy practices abroad.


Special Care for Sensitive Data

Highly sensitive personal data — like biometrics, health records, or financial details — is held to an even higher standard. Companies must justify why they need to send such data abroad and prove it won’t be misused.


What Happens if Companies Violate These Rules?

If a company:

  • Transfers data to a non-approved country without safeguards,

  • Or shares data with a foreign partner that mishandles it,

  • Or fails to uphold your rights abroad,

…the Data Protection Board of India (DPBI) can investigate and impose penalties of up to ₹250 crore per violation.


What Businesses Must Do

Forward-looking companies are now:
✅ Auditing where their data physically resides.
✅ Checking contracts with foreign cloud and processing partners.
✅ Adding Data Processing Agreements to ensure partners follow DPDPA standards.
✅ Training teams to handle consent for transfers transparently.
✅ Investing in privacy-enhancing tech — like encryption during transit and storage.
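The audit steps above can be run as a checklist over a data inventory. The following Python is an added example, not code from the original article: it models one transfer per system and reports which of the conditions described in this article (an approved destination or a specific permission, a legitimate purpose, equivalent safeguards, a data processing agreement, customer notice, rights flowing down to the recipient, and a written justification for sensitive categories) are unmet. The approved-country set, the category and safeguard names, the country code "XX" and the sample systems are all constructed placeholders; the actual approved list is whatever the Central Government notifies.

```python
"""Cross-border transfer assessment over a data inventory.

Added example, not code from the original article. The approved-country set,
data categories, safeguard names and sample systems are constructed placeholders;
the real approved list is the one notified by the Central Government under the Act.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed placeholder for the notified list of approved countries.
APPROVED_COUNTRIES = {"IN", "SG", "IE"}

# Categories the article singles out for stricter treatment.
SENSITIVE_CATEGORIES = {"biometric", "health", "financial"}

# Grounds the article treats as legitimate purposes for a transfer.
LEGITIMATE_PURPOSES = {"service_delivery", "contract_fulfilment", "legal_obligation"}

# Constructed minimum safeguards standing in for "equivalent protection".
REQUIRED_SAFEGUARDS = {"encryption_in_transit", "encryption_at_rest", "access_control"}


@dataclass
class Transfer:
    system: str                 # the store or workload holding the data
    country: str                # destination country code
    categories: set[str]        # kinds of personal data involved
    purpose: str
    safeguards: set[str] = field(default_factory=set)
    specific_permission: bool = False  # permission obtained for a non-approved destination
    dpa_signed: bool = False           # data processing agreement with the recipient
    notice_given: bool = False         # customers told the data is stored abroad
    rights_flowed_down: bool = False   # recipient bound to honour correction/deletion requests
    justification: str = ""            # written justification, required for sensitive data


def assess(t: Transfer) -> list[str]:
    """Return the list of unmet conditions; an empty list means the transfer passes."""
    if t.country == "IN":
        return []                        # data stays in India: not a cross-border transfer
    findings = []
    if t.country not in APPROVED_COUNTRIES and not t.specific_permission:
        findings.append("DEST_NOT_APPROVED_NO_PERMISSION")
    if t.purpose not in LEGITIMATE_PURPOSES:
        findings.append("PURPOSE_NOT_LEGITIMATE")
    missing = REQUIRED_SAFEGUARDS - t.safeguards
    if missing:
        findings.append("MISSING_SAFEGUARDS:" + ",".join(sorted(missing)))
    if not t.dpa_signed:
        findings.append("NO_PROCESSING_AGREEMENT")
    if not t.notice_given:
        findings.append("NO_CUSTOMER_NOTICE")
    if not t.rights_flowed_down:
        findings.append("RIGHTS_NOT_FLOWED_DOWN")
    if t.categories & SENSITIVE_CATEGORIES and not t.justification.strip():
        findings.append("SENSITIVE_DATA_NO_JUSTIFICATION")
    return findings


def audit(transfers: list[Transfer]) -> dict[str, str]:
    """Summarise each system as ALLOW or BLOCK(<findings>) for the audit report."""
    report = {}
    for t in transfers:
        findings = assess(t)
        report[t.system] = "ALLOW" if not findings else "BLOCK(" + "; ".join(findings) + ")"
    return report


# Constructed sample inventory for an e-commerce platform.
SAMPLE_INVENTORY = [
    Transfer("orders-db", "SG", {"contact", "purchase_history"}, "service_delivery",
             safeguards=set(REQUIRED_SAFEGUARDS), dpa_signed=True,
             notice_given=True, rights_flowed_down=True),
    Transfer("payments-db", "XX", {"financial"}, "service_delivery",
             safeguards={"encryption_in_transit"}, dpa_signed=True,
             notice_given=False, rights_flowed_down=True),
    Transfer("analytics-export", "IE", {"usage"}, "resale_to_partners",
             safeguards=set(REQUIRED_SAFEGUARDS), dpa_signed=True,
             notice_given=True, rights_flowed_down=True),
    Transfer("hr-records", "IN", {"contact", "financial"}, "contract_fulfilment"),
]

if __name__ == "__main__":
    for system, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{system:18} {verdict}")
```

The findings are deliberately reason codes rather than a single yes/no, because the remediation differs: a blocked destination can be fixed by keeping the data in India or obtaining a specific permission, whereas a missing notice or a missing processing agreement is a paperwork gap that the same transfer can clear once the contract and the privacy notice are updated.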


Practical Example: Indian Startups & Global SaaS Tools

An Indian EdTech startup might use global SaaS tools for email marketing or analytics. If these tools store student data abroad:
✅ The startup must ensure the vendor’s country is approved.
✅ The vendor must provide data protection equivalent to Indian law.
✅ The startup must get explicit user consent when needed.


Public Example: How This Impacts You

When you sign up for an international travel portal, check the privacy policy. It should clearly state:

  • Where your data will be processed.

  • How you can access or delete it.

  • What safeguards they use if it’s stored abroad.

You have the right to say no if you’re uncomfortable.


What If There’s a Breach Abroad?

If your data is leaked by a foreign partner:
✅ The Indian company that shared it remains responsible.
✅ The company must notify you and the DPBI promptly.
✅ You can demand remedies or file complaints in India.

This ensures accountability doesn’t get lost across borders.


Why It Matters for India’s Digital Ambitions

India is one of the world’s largest data markets. Balancing cross-border flows with strong privacy builds global trust. It shows the world India welcomes digital investment — but not at the cost of citizens’ rights.

It also pushes Indian businesses to become privacy leaders. Companies that get cross-border transfers right will win customer trust faster than those who treat it as a loophole.


How the Public Can Stay Protected

✅ Read privacy notices for details on data transfers.
✅ Exercise your rights: If you don’t want your data going abroad, withdraw consent when possible.
✅ Report shady practices: If a company won’t clarify where your data is stored, raise a complaint.


Conclusion

India’s DPDPA 2025 changes the game for cross-border data flows. It doesn’t shut the door on global business — but it demands that privacy rights stay intact, wherever your data goes. For companies, it means tight contracts, secure technologies, and full transparency. For citizens, it means confidence that your data won’t vanish into legal black holes overseas.

In the end, this is what a mature digital nation does: it fuels innovation and protects its people’s digital identity, no matter how far the data travels.

What specific data privacy concerns arise from biometric data collection in India?

In our modern digital economy, biometric data — fingerprints, facial scans, iris patterns, voice recognition, even gait analysis — is becoming a preferred method of identification. It’s convenient, hard to fake, and, in theory, makes security stronger.

From unlocking phones and accessing offices to Aadhaar-enabled services and attendance in schools, India is seeing an explosive rise in biometric collection. However, as a cybersecurity expert, I can confirm that while biometrics solve some security problems, they create serious new privacy risks that every citizen, company, and policymaker must take seriously.

Under the Digital Personal Data Protection Act (DPDPA) 2025, biometric data is classified as sensitive personal data, which means extra care must be taken to collect, store, and use it. But what exactly can go wrong? Let’s break down the biggest concerns — and how people can protect themselves.


What Makes Biometric Data So Sensitive?

Unlike a password, you can’t change your fingerprint or iris. Once leaked, misused, or copied, it’s compromised forever. That’s why mishandling biometric data has lifelong consequences.

Example:
If a password leaks, you can change it tomorrow. If a company leaks your facial template or fingerprints, you can’t swap your face or fingers.


Key Privacy Concerns with Biometrics in India

1️⃣ Massive Centralized Databases

India’s Aadhaar system is the world’s largest biometric database — storing iris scans, fingerprints, and photos of over a billion people. Many government schemes, welfare benefits, SIM cards, and financial services use Aadhaar-based biometric verification.

While it enables efficiency, any breach or misuse can affect millions instantly. A single vulnerability can expose vast swathes of the population.

Example:
Past reports of unauthorized Aadhaar access have raised alarms about how easily brokers sold biometric data for use in fraud.


2️⃣ Lack of Informed Consent

Many people don’t fully understand how their biometric data will be used. They may provide fingerprints or face scans to local agencies, schools, or employers without clear terms or the ability to say no.

Example:
Some schools have faced criticism for using fingerprint scanners for student attendance, often without proper parental consent or security safeguards.


3️⃣ Function Creep

Once biometric data is collected for one purpose, there’s a risk it could be used for others. This is called function creep.

Example:
A company collects your facial scan for office entry, but later uses it to monitor employee productivity or share it with third-party analytics firms — often without clear consent.


4️⃣ Risk of Identity Theft

Biometric spoofing — using fake fingerprints or deepfake facial images — is becoming more sophisticated. A stolen biometric template can be used to bypass security systems, access bank accounts, or commit fraud.

Unlike passwords, biometrics can’t be “rotated” or easily disabled.


5️⃣ Data Breaches and Hacking

Biometric data is a high-value target for hackers. If organizations don’t use advanced encryption, multi-factor security, and strict access controls, attackers can steal this data and sell it on black markets.


6️⃣ Third-Party Misuse

Companies often rely on external vendors for biometric devices, cloud storage, or verification services. If these vendors have poor security practices, your sensitive data is only as safe as the weakest link in the chain.


What DPDPA 2025 Requires

Recognizing these risks, India’s DPDPA 2025 treats biometric data as sensitive personal data. Organizations must:

✅ Get explicit consent before collecting it.
✅ Tell you why they’re collecting it and how long they’ll keep it.
✅ Use robust security safeguards (encryption, secure storage).
✅ Delete it when it’s no longer needed.
✅ Notify you and the Data Protection Board if there’s a breach.


Example: Workplace Biometrics Done Right

A company that uses fingerprint scanners for employee attendance must:

  • Tell employees why the data is needed.

  • Store fingerprints securely in an encrypted database.

  • Delete records when the employee leaves.

  • Not reuse the scans for any other purpose without fresh consent.


What Can Go Wrong if Organizations Ignore This?

Let’s say a gym uses facial recognition for access but stores facial templates on a poorly protected server. If hackers breach it:
✅ Members’ biometric identities are exposed.
✅ Fraudsters could use them for spoofing or surveillance.
✅ The gym could face penalties up to ₹250 crore under DPDPA.


Public Example: Aadhaar Authentication

Millions use Aadhaar-based biometric authentication for services like ration distribution or pension payouts. While this brings convenience, it can lead to exclusion if:
✅ Fingerprints don’t match due to wear and tear (like for manual laborers).
✅ Systems fail or connectivity is poor.
✅ Fraud occurs through fake biometric kits.

These risks highlight the need for secure design and robust grievance redressal.


What the Public Can Do

Individuals have the right to:
✅ Ask why biometric data is needed.
✅ Refuse to share it if not legally required.
✅ Demand deletion once the purpose is fulfilled.
✅ File complaints if they suspect misuse.


Practical Steps to Protect Yourself

✅ Always check if an app or organization really needs your biometric data.
✅ Read consent notices carefully — don’t just click “I Agree.”
✅ Prefer multi-factor authentication that uses biometrics only alongside passwords or OTPs.
✅ If possible, choose services that give alternative options like PINs or cards.


Example: Everyday Decision

If a shopping mall asks for a face scan at entry, ask why. If they can’t explain or refuse alternatives, you can refuse. Convenience must never come at the cost of lifelong identity risks.


What Businesses Must Do

Responsible businesses should:

  • Use only trusted biometric tech providers.

  • Encrypt biometric templates — not just store raw images.

  • Conduct regular security audits.

  • Train staff on privacy requirements.

  • Be transparent with customers about retention and deletion.


The Role of the Government

The government must:
✅ Ensure large-scale biometric databases like Aadhaar are protected with world-class security.
✅ Act swiftly against breaches and leaks.
✅ Run public awareness campaigns about how citizens can protect their rights.
✅ Strengthen penalties for misuse to deter bad actors.


Conclusion

Biometric data promises convenience, security, and efficiency — but comes with risks that last a lifetime. The DPDPA 2025 recognizes this by putting strict rules in place for collection, consent, storage, and deletion.

For organizations, this means designing privacy into every fingerprint scan, iris check, or facial recognition system they deploy. For citizens, it means staying aware, asking tough questions, and using your legal rights to keep your identity safe.

In the end, our fingerprints, faces, and irises are part of who we are. In a digital India, protecting them is not just a technical challenge — it’s a human right.

How can individuals exercise their data principal rights effectively under the new Indian law?

With India’s Digital Personal Data Protection Act (DPDPA) 2025, a new era has begun — one where the Data Principal (that’s you, the individual) finally has legally enforceable rights over their own personal information.

For years, Indians handed over phone numbers, Aadhaar details, health data, and even biometric scans with minimal visibility into how that data was used, shared, or misused. Now, the DPDPA 2025 gives you clear, actionable powers to take control.

But knowing your rights on paper isn’t enough — you must know how to use them effectively. As a cybersecurity and privacy expert, I’ll break down:
✅ What rights you actually have as a Data Principal
✅ How you can exercise them step-by-step
✅ Practical examples of where to start
✅ Common pitfalls and how to avoid them

This is your guide to turning the DPDPA’s promises into real-world privacy protection.


First, What Are Your Data Principal Rights?

Under the DPDPA 2025, every Indian citizen is recognized as a Data Principal — the rightful owner of their personal data. You now have the legal right to:

1️⃣ Access: Know what data an organization has about you, why they have it, and who they share it with.
2️⃣ Correction: Demand that incorrect or outdated data be updated.
3️⃣ Erasure: Request deletion of data when it’s no longer needed or when you withdraw consent.
4️⃣ Grievance Redressal: File complaints if your data rights are violated.
5️⃣ Nominate a Representative: Designate someone to exercise your rights on your behalf if you’re unable to do so.


Let’s Bring This to Life with an Example

Suppose you sign up for a loyalty card at a grocery chain. Later, you realize they keep spamming you with marketing calls and texts.

Under DPDPA:
✅ You can request a copy of what data they have on you.
✅ You can withdraw your consent for marketing.
✅ You can ask them to delete your contact details if they no longer need it.
✅ If they refuse or ignore you, you can escalate it to the Data Protection Board of India.


How to Exercise Your Rights: A Step-by-Step

1️⃣ Understand What Data They Hold

Most companies now provide privacy policies and dashboards. Look for sections like:

  • “Manage My Data”

  • “Download My Data”

  • “Privacy Center”

Use these tools to see:

  • What personal info they have.

  • What purposes it’s used for.

  • Which third parties it’s shared with.


2️⃣ Make a Clear Request

If you want to correct or delete data, submit a written request — ideally through email or the company’s designated portal.

Good requests:
✅ Are specific: “Please delete my phone number and purchase history from your marketing database.”
✅ Cite your right: “Under the DPDPA 2025, I request deletion of my personal data.”


3️⃣ Keep Records

Always keep:

  • A copy of your request.

  • Any acknowledgment or ticket number they provide.

  • Follow-up emails or replies.

This is your proof if you need to escalate.


4️⃣ Follow Timelines

The DPDPA says companies must respond within a reasonable time — usually within 30 days. If they ignore you or delay without reason, you can:

  • File a complaint with their internal grievance officer.

  • Escalate to the Data Protection Board of India (DPBI).


Example: Withdrawing Consent

You signed up for a newsletter but now want out. Look for an “unsubscribe” link in the email or the app’s privacy settings. If they keep sending emails, write to their Data Protection Officer (DPO) to withdraw consent.

If that still fails, you have the legal right to complain to the DPBI — and they can fine the company up to ₹150 crore.


What About Biometric or Sensitive Data?

Let’s say a gym uses your fingerprint for access. You stop your membership. You can request deletion of your biometric record — they can’t keep it just for convenience.


Using Your Right to Correction

Suppose an insurance app has an old address on file — which could cause problems for claims or communication.

✅ Send a correction request with updated proof (like a new utility bill).
✅ They must update it promptly.
✅ They must also pass the corrected data to third parties they shared it with.


Nominate Someone to Act for You

Elderly citizens, people with disabilities, or children can nominate a trusted person to exercise their rights.

Example: A parent can request deletion of a child’s data from an EdTech app that no longer needs it.


Grievance Redressal: What If They Still Don’t Listen?

If a company denies your request unfairly or drags its feet:
1️⃣ Escalate to the company’s grievance officer — details must be in their privacy policy.
2️⃣ If that fails, file a formal complaint with the Data Protection Board of India.
3️⃣ The DPBI will investigate and can order the company to comply — plus impose fines if needed.


How the Public Can Use This

Here’s how to build good privacy habits:
✅ Always read the consent notice before clicking “I Agree.”
✅ Use privacy dashboards to control what you share.
✅ Be clear when withdrawing consent — don’t just uninstall an app; tell them to delete your account.
✅ File complaints if your rights are ignored — it makes the whole system stronger.


Example: Everyday Scenario

You use a shopping app that suddenly shares your number with a partner brand. You start getting calls from that partner — which you never consented to.

✅ Use your Right to Access: Ask how your data was shared.
✅ If it was unlawful, withdraw consent and request deletion.
✅ If they refuse, escalate. This is exactly what the DPDPA was designed to fix.


Challenges to Watch Out For

❌ Some companies might hide behind vague language or make the process complicated — don’t be discouraged.
❌ Many small businesses are still learning the law — they might need a push.
❌ Keep an eye on timelines — delays should be challenged.


What Organizations Must Do

On the flip side, businesses must:

  • Appoint a Data Protection Officer (DPO) to handle these requests.

  • Provide clear, simple ways for people to exercise rights — not hide them behind confusing menus.

  • Have the technical ability to actually correct or delete data everywhere it’s stored — live systems, backups, partners.

Failing to do so risks huge fines and reputational damage.


Conclusion

The DPDPA 2025 flips the script: your data is not theirs to keep forever — it’s yours to control. The law gives every Indian citizen the right to see, fix, delete, and control how their personal information is used.

For organizations, this means transparency, better data practices, and clear communication. For the public, it means more power — but only if you use it.

Read the fine print. Use privacy tools. Demand accountability. The more we exercise these rights, the more organizations will respect them. And that’s how India’s digital privacy culture grows — not just in law, but in everyday life.

What are the penalties for non-compliance with DPDPA 2025 data protection provisions in India?

India’s Digital Personal Data Protection Act (DPDPA) 2025 is not just a symbolic gesture toward stronger privacy — it’s a powerful legal framework that finally gives real teeth to India’s data protection efforts.

But any law is only as effective as its enforcement. That’s where the DPDPA stands out. It lays out strict obligations for organizations that collect, store, or process personal data — and backs them up with serious financial penalties for violations.

Gone are the days when mishandling personal data could be brushed off with a mild apology and a press statement. Under the DPDPA, companies, startups, government agencies, or any Data Fiduciary face heavy consequences if they don’t treat citizens’ data responsibly.

As a cybersecurity expert, I’ll unpack what these penalties are, when they apply, and how they fundamentally reshape how businesses — big and small — must now handle your personal data.


Why Strong Penalties Matter

Without real punishment, data protection laws can feel toothless. A small fine for a massive data breach is just a cost of doing business for big companies — so there’s little incentive to invest in real safeguards.

The DPDPA changes this by imposing fines that can reach hundreds of crores — big enough to get boardrooms to pay attention.

The logic is simple: the cost of negligence should far outweigh the cost of doing the right thing.


What Triggers a Penalty Under DPDPA?

Under the Act, the Data Protection Board of India (DPBI) is the key watchdog. If an organization violates the law, the Board can:
✅ Investigate complaints from the public.
✅ Conduct audits.
✅ Order corrective actions.
✅ Impose monetary penalties.


Some Major Offenses and Their Maximum Fines

Here’s a breakdown of common non-compliance scenarios and how costly they can be:


1️⃣ Failure to Protect Personal Data

If an organization fails to implement reasonable security safeguards, leading to a data breach or unauthorized processing, it can face penalties up to ₹250 crore per instance.

Example:
A fintech startup storing user KYC documents with weak encryption gets hacked — exposing Aadhaar numbers and bank details. If found negligent, the company can be fined crores, on top of reputational damage.


2️⃣ Failure to Notify Data Breaches

Organizations must inform affected individuals and the Board promptly if there’s a data breach. Hiding breaches or delaying notifications can attract fines up to ₹200 crore.

Example:
If a major e-commerce platform tries to cover up a leak of millions of customer addresses and payment details, the DPBI can impose maximum penalties once discovered.


3️⃣ Failure to Comply with Consent Requirements

Under the DPDPA, collecting and processing data without valid, informed consent — or failing to honor withdrawal requests — can lead to fines up to ₹150 crore.

Example:
A marketing agency keeps sending promotional messages after you’ve opted out — that’s a violation that can cost them heavily if they ignore consent withdrawal.


4️⃣ Violation of Children’s Data Protection

Handling children’s data comes with stricter obligations. Mishandling this can invite penalties up to ₹200 crore.

Example:
An EdTech platform collecting minors’ data without verified parental consent can land in serious trouble.


5️⃣ Failure to Meet Data Localization or Cross-Border Rules

Not following approved rules for storing or transferring data abroad can also attract hefty fines.


Penalties Are Not Just Financial

Apart from monetary penalties:

  • Organizations can be ordered to stop processing certain data altogether.

  • They can be forced to delete data immediately.

  • Persistent offenders may face restrictions on operations in India.

For individuals or officers-in-charge, there can also be personal liabilities if their negligence or willful actions caused the violation.


Example: How This Would Play Out

Imagine a large health-tech platform that stores millions of medical records. A breach occurs due to poor security practices — and they fail to notify affected patients promptly.

1️⃣ The DPBI investigates and finds that the platform didn’t encrypt records or have proper breach response plans.
2️⃣ It imposes a fine of ₹250 crore for weak safeguards.
3️⃣ It adds another ₹200 crore for breach notification failure.
4️⃣ The company must also compensate victims under civil law if proven liable in court.


The Bigger Impact: Compliance by Design

With these penalties in place, companies can’t treat data privacy as an afterthought. They must:

✅ Appoint Data Protection Officers (DPOs) to oversee compliance.
✅ Regularly audit their security practices.
✅ Train employees to handle data responsibly.
✅ Have clear processes for breach detection, notification, and correction.
✅ Use robust encryption, access controls, and secure systems.


Small Companies Are Not Exempt

Startups and small businesses sometimes assume data laws only apply to big tech. That’s not true. Under DPDPA, any entity collecting or processing personal data must comply — regardless of size.

A neighborhood clinic that mishandles patient records can face fines just like a tech giant if found negligent.


How This Empowers Citizens

For the public, strong penalties mean:

  • Organizations are more likely to secure your data properly.

  • You have real leverage — you can file complaints if your rights are violated.

  • The DPBI is required to investigate complaints and take action transparently.

If you see misuse — say, your data sold without consent or repeated spam despite opting out — you can hold companies accountable under the law.


Example: Public Action

A customer files a complaint that their telecom provider keeps sharing their number with third-party advertisers despite multiple opt-out requests. The DPBI investigates, confirms the violation, and imposes a hefty fine.

This sets an example for the entire industry — driving better privacy practices across the board.


Will Penalties Alone Solve Everything?

Heavy fines are a powerful motivator, but true privacy protection also needs:

  • Strong governance: The DPBI must be efficient, impartial, and well-resourced.

  • Tech innovation: Companies need tools like encryption, consent management, and secure cloud practices.

  • Public awareness: People must know their rights and use them.


How the Public Can Help

Individuals should:
✅ Regularly review privacy policies.
✅ Withdraw consent if they’re uncomfortable.
✅ Use privacy dashboards to control their data.
✅ Report non-compliance — the DPDPA gives you this power.


Conclusion

The DPDPA 2025’s strict penalties are a turning point for India’s digital privacy story. They send a clear message: your personal data is not just another business commodity — mishandling it will cost companies dearly.

For businesses, this is not just about avoiding fines — it’s about earning trust in an increasingly data-driven world. For citizens, it’s reassurance that privacy rights finally have real legal weight behind them.

In the end, the strongest deterrent is not fear of fines — it’s a culture where protecting user data is the norm, not the exception. That’s the future India is now building, one penalty — and one secured database — at a time.

How does the ‘right to be forgotten’ under DPDPA impact data retention and deletion policies?

In the era of always-on digital footprints, how long should your data live online? Once you give your personal information to a company — be it your name, ID number, or intimate details about your habits — do you lose control forever?

India’s Digital Personal Data Protection Act (DPDPA) 2025 says: No, you don’t.

One of its most citizen-centric provisions is the “Right to be Forgotten” (RTBF) — a legal right that empowers individuals to demand that their personal data be erased when it’s no longer needed, or when consent is withdrawn.

But for organizations, this right triggers big changes. It forces businesses — from e-commerce giants and banks to local schools and hospitals — to rethink how they store, manage, and delete user data. It reshapes how long data stays on servers, backups, and archives — and what “deletion” truly means in a world where data is copied everywhere.

As a cybersecurity and privacy expert, I’ll unpack what the Right to be Forgotten means under DPDPA 2025, how it impacts retention and deletion policies, and how citizens can actually use this right in everyday life.


What is the Right to be Forgotten?

How does the ‘right to be forgotten’ under DPDPA impact data retention and deletion policies?

In the era of always-on digital footprints, how long should your data live online? Once you give your personal information to a company — be it your name, ID number, or intimate details about your habits — do you lose control forever?

India’s Digital Personal Data Protection Act (DPDPA) 2025 says: No, you don’t.

One of its most citizen-centric provisions is the “Right to be Forgotten” (RTBF) — a legal right that empowers individuals to demand that their personal data be erased when it’s no longer needed, or when consent is withdrawn.

But for organizations, this right triggers big changes. It forces businesses, from e-commerce giants and banks to local schools and hospitals, to rethink how they store, manage, and delete user data. It reshapes how long data stays on servers, backups, and archives, and what “deletion” truly means in a world where data is copied everywhere.

As a cybersecurity and privacy expert, I’ll unpack what the Right to be Forgotten means under DPDPA 2025, how it impacts retention and deletion policies, and how citizens can actually use this right in everyday life.


What is the Right to be Forgotten?

The Right to be Forgotten under DPDPA (the Act’s own text frames it as the right to erasure of personal data) allows any Data Principal (that’s you, the individual) to request that a Data Fiduciary (the company or organization) erase your personal data when:
✅ The data is no longer needed for the original purpose.
✅ You withdraw consent.
✅ The retention period agreed upon has expired.
✅ Keeping the data is no longer necessary under any law.

Example:
If you close an account with a food delivery app, and there’s no legal reason to keep your address or order history, you can ask them to delete it — and they must comply.


Inspired by Global Best Practice

India’s RTBF echoes similar provisions in the European Union’s GDPR. The aim is simple: individuals should not be haunted forever by stale, outdated, or irrelevant data.

It balances:

  • Privacy and dignity.

  • The right to freedom of expression and information.

  • Other legal requirements, like keeping records for tax or fraud prevention.


The Big Impact on Retention Policies

Before DPDPA, many companies treated user data like a digital goldmine — store everything forever, “just in case” it might be useful for marketing, analytics, or future products.

Now, that mindset must change:

  • Organizations must define clear retention periods for each type of personal data.

  • When data is no longer needed, it must be securely deleted.

  • Consent withdrawal must automatically trigger deletion (unless other laws say it must be kept).


Example: A Bank’s Policy Shift

A bank once kept transaction logs indefinitely for marketing insights. Under DPDPA:

  • They must justify why they need each type of data.

  • After a legally required period (like for audits or anti-fraud rules), the data must be purged.

  • If you withdraw consent for promotional offers, your info must be removed from marketing lists and related systems.


Technical Challenges: Is Deletion Ever Perfect?

Deleting data isn’t as simple as hitting “delete.” Organizations must tackle:

  • Backups: Data often exists in multiple backup copies — all copies must be erased.

  • Archives: Historical logs or data lakes can store old user info for years.

  • Third parties: If data has been shared with vendors, partners, or processors, those parties must delete it too.

Failure to fully erase data is itself a breach of the Act’s obligations and can attract penalties under its schedule, which runs up to ₹250 crore for the most serious category (failing to take reasonable security safeguards).
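As an added example for this article (not code from its author, from any bank, or from the Data Protection Board), the workflow below puts the retention rules from the previous section and the backup problem above into working code. It assumes a retention schedule keyed by data class, with the legal basis (consent, purpose, or statute) recorded next to each period, and it encrypts every (user, data class) pair under its own key so that “erase” means destroying that key: the ciphertext left in immutable backup snapshots becomes unreadable without anyone rewriting old backups. The data-class names, the retention periods, and the HMAC-based stream cipher (a standard-library stand-in for AES-GCM) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed schedule: (legal basis, retention period) per data class. The periods are placeholders;
# a real schedule comes from counsel mapping each class to the law or purpose that requires it.
SCHEDULE = {
    "marketing_profile": ("consent", None),                     # lives exactly as long as consent does
    "order_history":     ("purpose", timedelta(days=365)),      # operational need after last use
    "transaction_log":   ("statute", timedelta(days=5 * 365)),  # audit / anti-fraud record-keeping
}

@dataclass
class Record:
    user_id: str
    data_class: str
    last_purpose_use: datetime
    consent_active: bool = True
    legal_hold: bool = False

def decide(rec: Record, now: datetime) -> str:
    """Return 'erase' or 'retain:<reason>'; the reason is what you justify to the Board."""
    if rec.legal_hold:
        return "retain:legal_hold"     # an open investigation or dispute overrides the schedule
    basis, period = SCHEDULE[rec.data_class]
    if basis == "consent":
        return "retain:consent" if rec.consent_active else "erase"
    if now - rec.last_purpose_use >= period:
        return "erase"                 # purpose served and the period has run out
    return f"retain:{basis}"           # withdrawing consent does not shorten a statutory period

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM so the example runs anywhere.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

class Vault:
    """Primary store plus append-only backup snapshots; each (user, data class) has its own key."""
    def __init__(self) -> None:
        self.keys: dict = {}     # (user_id, data_class) -> key; lives in a KMS/HSM in production
        self.primary: dict = {}  # (user_id, data_class) -> nonce + ciphertext
        self.backups: list = []  # snapshots of primary, never rewritten after being taken

    def write(self, user_id: str, data_class: str, plaintext: bytes) -> None:
        key = self.keys.setdefault((user_id, data_class), secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        self.primary[(user_id, data_class)] = nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

    def snapshot(self) -> None:
        self.backups.append(dict(self.primary))

    def read(self, store: dict, user_id: str, data_class: str) -> Optional[bytes]:
        """Decrypt from the primary store or from any snapshot; None once the key is gone."""
        blob, key = store.get((user_id, data_class)), self.keys.get((user_id, data_class))
        if blob is None or key is None:
            return None
        return _xor(blob[16:], _keystream(key, blob[:16], len(blob) - 16))

    def erase(self, user_id: str, data_class: str) -> None:
        self.primary.pop((user_id, data_class), None)
        self.keys.pop((user_id, data_class), None)   # crypto-shred: every backup copy is now unreadable

def run_retention(vault: Vault, records: list, now: datetime) -> dict:
    """Apply decide() to each record, erase what it says to erase, and return the decisions."""
    decisions = {}
    for rec in records:
        decisions[(rec.user_id, rec.data_class)] = action = decide(rec, now)
        if action == "erase":
            vault.erase(rec.user_id, rec.data_class)
    return decisions

def demo():
    """Constructed scenario: a bank customer withdraws marketing consent; statutory logs stay."""
    now = datetime(2025, 7, 1, tzinfo=timezone.utc)
    vault = Vault()
    vault.write("u1", "marketing_profile", b"segment=high-spend; likes=pizza")
    vault.write("u1", "transaction_log", b"2024-03-01 INR 450 to merchant 17")
    vault.snapshot()   # nightly backup taken while both records were live
    records = [
        Record("u1", "marketing_profile", now, consent_active=False),                 # withdrawn today
        Record("u1", "transaction_log", now - timedelta(days=400), consent_active=False),
        Record("u2", "transaction_log", now - timedelta(days=6 * 365), legal_hold=True),
        Record("u3", "transaction_log", now - timedelta(days=6 * 365)),               # period expired
        Record("u3", "order_history", now - timedelta(days=30)),
    ]
    return run_retention(vault, records, now), vault
```

After `demo()` runs, the backup snapshot still physically contains the marketing profile’s ciphertext, but `read()` against it returns `None` because the key is gone, while the transaction log stays readable from both the primary store and the backup for its statutory period. The design choice worth copying is the key granularity: one key per user and data class lets a consent-based class be shredded while a statutory class for the same person survives, which is exactly the bank case above.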


How Companies are Responding

Forward-thinking companies are redesigning their data lifecycle:
✅ Implementing “privacy by design” — only collecting what’s needed, for as long as needed.
✅ Mapping where data lives: main servers, backups, partner systems.
✅ Automating data deletion workflows.
✅ Adding user dashboards so people can easily submit deletion requests.
✅ Updating contracts with vendors — if they store your data, they must comply too.


Public Example: Using Your RTBF Rights

Imagine you joined a gym and shared your contact details and health info. You later switch gyms and no longer want them to store your records.

Under DPDPA, you can:

  • Submit a written request to delete your data.

  • The gym must respond within a reasonable time.

  • If they refuse, they must show clear legal reasons (like keeping payment records for taxes).

If they don’t comply, you can escalate it to the Data Protection Board of India.


What About Social Media?

The Right to be Forgotten is especially relevant for social media. If you delete an old post or your entire account, the platform must:

  • Remove your personal data.

  • Ensure it’s wiped from backups where feasible.

  • Prevent search engines or partners from continuing to index it.

However, there are reasonable limits: if a post is part of public record or journalism, platforms may balance privacy with freedom of information.


How It Empowers People

Before DPDPA, people had no clear way to demand deletion. Companies might claim, “We don’t do that.” Now, it’s not optional — it’s your legal right.

This means:
✅ Less risk of old, irrelevant data being misused for scams.
✅ More control over your online reputation.
✅ Stronger privacy for sensitive info — like health, biometrics, or ID scans.


Why This Matters in India

India’s data ecosystem is huge: digital payments, e-commerce, EdTech, health apps, and gig work platforms collect endless personal details. Without clear deletion rules, people’s data can live on servers for decades, often in ways they never agreed to.

The RTBF provision recognizes that our right to privacy doesn’t expire — and that stale data can be a security risk or a reputational threat.


What Businesses Must Balance

Businesses must balance RTBF with:

  • Record-keeping laws: Some data must stay for audit, taxation, or anti-fraud needs.

  • Freedom of speech: For media houses, taking down factual articles may not always be justified.

  • Technical feasibility: Some deletion may be partial (anonymizing instead of fully erasing).

But the principle remains: if you keep data, you must have a lawful reason — not just convenience.


Example of Good Practice

A top EdTech company lets students delete old profiles or test results once they graduate. They provide a self-service portal to request deletion, with clear timelines.

Behind the scenes, they:

  • Flag the user’s data.

  • Erase it from live systems and backups.

  • Notify any partners or vendors who received the data.


How the Public Should Use It

To protect yourself:
✅ Check privacy dashboards: Many apps now have “Delete My Data” or “Deactivate Account” buttons.
✅ Don’t overshare: Only give apps the info they really need.
✅ Follow up: If you withdraw consent, ask for written confirmation that data has been erased.
✅ Report non-compliance: The DPDPA gives you the right to file a complaint if an organization ignores valid requests.


Conclusion

India’s Right to be Forgotten under DPDPA 2025 is more than a legal clause — it’s a powerful shift that gives people genuine control over their digital lives. For businesses, it demands new data retention and deletion policies that respect consent and purpose. For individuals, it’s a reminder that your data is yours — not a permanent asset for companies to hold forever.

As India’s digital economy grows, respecting the RTBF will build public trust, reduce security risks, and create a culture where personal data is handled with the dignity and care it deserves.

What are the challenges in implementing data localization requirements under the DPDPA 2025?

India’s Digital Personal Data Protection Act (DPDPA) 2025 is one of the country’s most significant legal steps to protect citizens’ digital privacy. One of its most debated and challenging aspects is data localization — the requirement that certain types of personal data be stored and processed within India’s borders.

While the idea of keeping sensitive data within the country sounds straightforward, the reality is far more complex. Data localization poses tough questions for global companies, local businesses, startups, and regulators alike: How feasible is it? What are the risks and benefits? And what does it mean for the public whose data is at the heart of it all?

As a cybersecurity expert, let’s break down what India’s data localization requirements mean under DPDPA 2025, the real-world challenges of making it happen, and how it impacts ordinary citizens and businesses alike.


What is Data Localization?

Data localization means that organizations must store and process copies of personal data within India’s geographic boundaries. In some scenarios, transferring certain data outside India is restricted or allowed only to countries the government approves.

The idea is simple: if data stays within India, it is easier for the government to:

  • Enforce privacy laws

  • Investigate misuse or breaches

  • Prevent foreign surveillance

  • Safeguard national interests

For example, if sensitive health or financial data is stored in India, regulators can access it under local jurisdiction rather than navigating foreign courts.


What Does DPDPA 2025 Say?

The DPDPA doesn’t enforce blanket localization for all data. Instead, it gives the government the power to:
✅ Allow cross-border transfers to certain countries.
✅ Restrict or prohibit transfers in the interest of national security.
✅ Set conditions for how and where data must be stored.

This flexibility means that organizations must prepare for scenarios where some data must be localized, while other data can move freely — but only to trusted regions.


Why is Data Localization Important?

Data localization is driven by concerns that:

  • Sensitive personal and national security data shouldn’t be accessible to foreign governments or corporations.

  • Local storage can make regulatory enforcement faster and clearer.

  • India’s digital sovereignty remains intact in an era of geopolitical tensions.

Countries like China and Russia already have strict localization rules. India’s approach balances openness for global business with stronger domestic control.


The Business Side: Why Localization is Hard

For global tech giants — cloud service providers, social media companies, e-commerce platforms — localization raises tough questions.

1️⃣ Infrastructure Costs

Storing and processing data locally means setting up data centers in India or leasing local capacity. This can be expensive — especially for startups or smaller players who rely on affordable, globally distributed cloud services.

Example:
A growing SaaS startup may currently use servers in Singapore or the US because it’s cheaper and technically reliable. Moving everything to India means higher costs, and possibly slower services if India’s local data center capacity can’t keep up.


2️⃣ Fragmented Data Flows

Many businesses rely on global teams, vendors, and tools. Localizing data means creating separate data silos — complicating how teams collaborate and how services run.

Example:
A global bank with Indian customers might have fraud detection AI models hosted in London. If customer data must stay in India, it may need to develop separate models locally — duplicating effort and cost.


3️⃣ Compliance Complexity

Companies must continuously track:

  • Which data can leave India.

  • Which must stay.

  • Which foreign partners are “approved.”

  • How to respond if rules change.

Staying compliant means constant monitoring, legal reviews, and technical safeguards — challenging for small companies without big legal teams.


4️⃣ Vendor and Cloud Dependency

Most businesses use third-party cloud providers like AWS, Azure, or Google Cloud. Data localization means they must ensure these providers have Indian data centers — and that data doesn’t “accidentally” move abroad through backups or global support teams.
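As an added example (not from the article and not any cloud provider’s tooling), the audit below treats the “accidental” paths as a graph problem: every system has a region and a list of systems it sends data to (replication, backup copies, log shipping, support tools, vendors), personal data is marked at its source, and that mark is propagated along every outbound flow. Any marked system outside the permitted regions is a finding, reported together with the path that carried the data there. The region names are AWS-style, and the permitted set and the inventory are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Assumed: the regions where personal data may live (India plus any location the government permits).
PERMITTED_REGIONS = {"ap-south-1", "ap-south-2"}

@dataclass
class System:
    name: str
    region: str
    source_of_personal_data: bool = False
    sends_to: tuple = ()   # replication, backup copies, log shipping, support tooling, vendors

def tainted_systems(inventory: dict) -> dict:
    """Propagate 'holds personal data' from each source across every outbound flow (breadth-first);
    returns system name -> the path by which personal data reaches it."""
    reached, queue = {}, deque()
    for s in inventory.values():
        if s.source_of_personal_data:
            reached[s.name] = [s.name]
            queue.append(s.name)
    while queue:
        cur = queue.popleft()
        for nxt in inventory[cur].sends_to:
            if nxt not in reached:
                reached[nxt] = reached[cur] + [nxt]
                queue.append(nxt)
    return reached

def residency_findings(inventory: dict) -> list:
    """Every system that ends up holding personal data outside the permitted regions, with its path."""
    findings = []
    for name, path in tainted_systems(inventory).items():
        region = inventory[name].region
        if region not in PERMITTED_REGIONS:
            findings.append((name, region, " -> ".join(path)))
    return sorted(findings)

def demo():
    """Constructed inventory: the primary stores are in India, but two indirect paths leave the country."""
    systems = [
        System("customers_db", "ap-south-1", True, sends_to=("db_backup_vault", "app_logs")),
        System("db_backup_vault", "ap-south-1", sends_to=("dr_copy",)),
        System("dr_copy", "ap-southeast-1"),              # cross-region disaster-recovery copy
        System("app_logs", "ap-south-1", sends_to=("siem",)),
        System("siem", "eu-west-1"),                      # global log pipeline run by a central team
        System("public_assets", "us-east-1"),             # holds no personal data: not a finding
        System("support_console", "us-east-1"),           # abroad, but nothing flows to it yet
    ]
    return residency_findings({s.name: s for s in systems})
```

Run against a real estate, the inventory would come from the provider’s asset API and the `sends_to` edges from replication rules, backup-vault copy settings and log-forwarder configs; the point of the graph walk is that the two findings here (`dr_copy`, `siem`) would never show up in a check that only looks at where the customer database itself lives.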


National Challenges: Building Capacity

Localization works only if India has strong, secure data centers and networks. This means:

  • Expanding local storage and processing capacity.

  • Ensuring reliable electricity, connectivity, and cybersecurity standards.

  • Preventing new single points of failure — a major power outage could affect massive amounts of localized data if not properly backed up.


The Security Paradox

Ironically, localization alone doesn’t automatically make data safer. If local data centers are poorly protected or become political targets, they can be single points of attack for hackers or state actors.

Good data protection still needs robust encryption, strong access controls, and skilled cybersecurity teams — whether data is local or global.


What This Means for the Public

For everyday citizens, localization is mostly invisible. But it impacts your privacy and rights:
✅ Local storage makes it easier for the Indian government to investigate data misuse or breaches.
✅ It can prevent foreign companies from misusing your data in places with weaker privacy laws.
✅ However, it can raise concerns about government surveillance if proper checks and balances are not enforced.


Example: Social Media Platforms

Suppose you use an international social media platform. Under DPDPA’s localization rules:

  • Your personal data (posts, photos, messages) must be kept in India, or in a location the government permits, for any category of data whose transfer the government has restricted.

  • If a data breach happens, Indian regulators can investigate under local law instead of relying on a foreign court.

  • If the platform wants to share your data with a foreign advertiser, it must follow cross-border transfer rules and get your consent.


Small Businesses: New Burdens

A small Indian startup using global cloud tools may struggle to suddenly switch to local-only servers. This can increase costs, slow innovation, and reduce competitiveness.

Many small businesses are looking for Indian cloud providers or hybrid solutions — balancing compliance with affordability.


Public-Private Collaboration: The Only Way Forward

To make data localization workable, India needs:

  • Investment in secure, high-capacity local data centers.

  • Clear rules and practical timelines for compliance.

  • Collaboration between government, industry, and cloud providers to create affordable, secure local solutions.

  • Support for startups and SMEs who can’t afford expensive infrastructure alone.


How the Public Can Respond

While individuals don’t have to do anything directly, they should:

  • Choose companies that explain where your data is stored.

  • Ask questions — your data is yours.

  • Support transparency — companies that share their localization and security practices show they take privacy seriously.


Example: Choosing a Secure Service

If you’re choosing a health-tech app, check if it stores medical records in India and follows DPDPA guidelines. If they can’t answer clearly, that’s a red flag.


Conclusion

India’s DPDPA 2025 puts data localization on the map as a way to protect citizens, strengthen national security, and enforce privacy rights. But turning this vision into reality is challenging: businesses must rethink infrastructure, manage costs, and design smarter workflows to keep data local without hurting innovation.

For the public, localization offers greater legal protection — but real security still depends on strong encryption, transparent companies, and an informed society that understands where its data lives and how it’s used.

Done well, data localization can strengthen India’s digital sovereignty while keeping its booming tech ecosystem connected to the world. It’s a delicate balance, and one that requires collaboration, smart policy, and strong cybersecurity at every step.

How are organizations adapting consent management mechanisms to comply with DPDPA 2025?

With the enactment of India’s Digital Personal Data Protection Act (DPDPA) 2025, the landscape of personal data handling has fundamentally shifted. No longer can organizations rely on vague privacy statements or hidden clauses to gather and use people’s information. The new law places consent at the center of data collection — making it clear, informed, specific, and revocable.

For millions of businesses, this isn’t just a legal compliance checkbox — it demands a rethink of how they collect, store, and manage consent from individuals across every touchpoint. Whether you run a massive e-commerce marketplace, a small mobile app, or even a neighborhood clinic that stores patient data, the DPDPA’s requirements apply to you.

So, how exactly are Indian organizations — from startups to legacy enterprises — redesigning their consent management processes? As a cybersecurity and privacy expert, let’s break it down: what’s changing, how it affects the public, and what good compliance looks like in practice.


What Makes Consent Different Under DPDPA?

Under DPDPA 2025:
Consent must be specific and informed: Organizations must explain exactly what data they are collecting, for what purpose, and for how long.
Consent must be freely given: No pre-ticked checkboxes or forced bundling.
Consent must be easily revocable: Individuals can withdraw consent anytime, and organizations must act on it promptly.
Consent must be recorded and auditable: Companies must maintain clear records to prove that valid consent was obtained.

In other words, the days of ambiguous “I Agree” buttons with hidden fine print are over.


The Shift to Consent Management Platforms (CMPs)

Many large companies are now investing in Consent Management Platforms (CMPs) — specialized tools that:

  • Collect user consent at every relevant point (website, app, email).

  • Store consent logs securely.

  • Allow users to update or withdraw consent easily.

  • Integrate with internal systems to enforce consent rules — so data isn’t used beyond what’s allowed.

Example:
Picture a major online retailer of the Flipkart or Amazon India scale running a CMP: when a user signs up, they clearly agree (or decline) to receive promotional emails. If the user later opts out, the CMP automatically updates all connected systems so that marketing emails stop immediately.


Designing Consent Flows: What Good Looks Like

For a consent mechanism to be DPDPA-compliant, it must be:
1️⃣ Simple: The language must be plain and understandable — no legal jargon.
2️⃣ Granular: Users should be able to give different consents for different purposes.
3️⃣ Actionable: Users must be able to easily change their minds.
4️⃣ Transparent: There should be a clear record of when and how consent was given.


Real-World Example: A Fintech App

Let’s say a mobile wallet app wants to use customer transaction data to offer personalized loans.

Old way:
Buried in a lengthy terms and conditions page, the company says they “may use your data for better service.” Most people click “Agree” without understanding.

New DPDPA-compliant way:
The app shows a separate pop-up explaining: “We’d like to analyze your transaction patterns to offer you customized loan offers. Do you agree?”
✅ Yes
❌ No

If the user says “No,” the app cannot use that data for this purpose. If they say “Yes,” the consent is recorded — and the user can withdraw it later in settings.


Small Businesses: Simpler, but Not Exempt

Smaller organizations — like local clinics, coaching centers, or housing societies — don’t need fancy CMP software but must still meet the same consent principles.

Example:
A local clinic storing patient health records must get written or digital consent explaining what information they collect, why they need it, and who they may share it with (like labs or insurance).

Patients must be able to withdraw consent to share data with third parties at any time — for example, if they switch doctors.


Integrating Consent with Data Flows

One challenge is ensuring that consent preferences actually shape how data is handled.

Example:
If a user withdraws consent for email marketing:

  • The marketing database must stop using their email.

  • Automated systems must remove the user from mailing lists.

  • Third-party marketing partners must also be informed.

If these systems don’t “talk” to each other, a company could accidentally keep sending emails — leading to non-compliance.
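An added example (not from the article, and not any CMP vendor’s code) of how the pieces described above fit together in one place: a purpose-granular consent ledger whose entries form a hash chain, so the record is auditable and any edited or deleted entry is detectable; a default-deny `permitted()` check that downstream jobs call before using data; and a withdrawal that fans out suppression tasks to every system and partner registered for that purpose, which is what keeps the systems “talking” to each other. The purposes, the downstream system names and the notice version strings are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# Assumed map of purpose -> systems that use data under it; a withdrawal must reach every one of them.
DOWNSTREAM = {
    "email_marketing": ["crm_mailing_list", "partner:adtech_vendor"],
    "loan_offers": ["credit_model_pipeline"],
}

class ConsentLedger:
    """Append-only consent events, hash-chained; the current state is derived from the events."""
    def __init__(self) -> None:
        self.events: list = []
        self.state: dict = {}   # (user_id, purpose) -> granted?

    def _append(self, event: dict) -> dict:
        prev = self.events[-1]["hash"] if self.events else GENESIS
        digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        entry = {**event, "prev": prev, "hash": digest}
        self.events.append(entry)
        return entry

    def record(self, user_id: str, purpose: str, granted: bool, notice_version: str, ts: datetime) -> dict:
        """One event per purpose (no bundling); notice_version pins the exact text the user saw."""
        entry = self._append({"user": user_id, "purpose": purpose, "granted": granted,
                              "notice": notice_version, "ts": ts.isoformat()})
        self.state[(user_id, purpose)] = granted
        return entry

    def withdraw(self, user_id: str, purpose: str, ts: datetime) -> list:
        """Log the withdrawal and return the suppression tasks each downstream system must run."""
        self.record(user_id, purpose, False, "withdrawal", ts)
        return [f"suppress:{system}:{user_id}:{purpose}" for system in DOWNSTREAM.get(purpose, [])]

    def permitted(self, user_id: str, purpose: str) -> bool:
        """Default deny: no event means no consent; a pre-ticked box never creates one."""
        return self.state.get((user_id, purpose), False)

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited or deleted event breaks the chain from that point on."""
        prev = GENESIS
        for entry in self.events:
            body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = digest
        return True

def campaign_recipients(ledger: ConsentLedger, candidates: list, purpose: str) -> list:
    """The enforcement point: the mailing job asks the ledger, not the marketing database."""
    return [u for u in candidates if ledger.permitted(u, purpose)]

def demo():
    """Constructed scenario: two users sign up, one withdraws marketing consent, one event is tampered with."""
    t0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("alice", "email_marketing", True, "notice-v3", t0)
    ledger.record("alice", "loan_offers", False, "notice-v3", t0)   # a separate choice per purpose
    ledger.record("bob", "email_marketing", True, "notice-v3", t0)
    tasks = ledger.withdraw("alice", "email_marketing", datetime(2025, 6, 2, tzinfo=timezone.utc))
    recipients = campaign_recipients(ledger, ["alice", "bob", "carol"], "email_marketing")
    intact = ledger.verify_chain()
    ledger.events[0]["granted"] = False    # a silent rewrite of history ...
    return tasks, recipients, intact, ledger.verify_chain()   # ... which the chain check exposes
```

In the scenario, the campaign goes to `bob` only: `alice` withdrew and `carol` never consented, so the absence of a record is treated as “no”. The suppression tasks returned by `withdraw()` are the work items for the mailing list and the advertising partner; in production they go onto a queue whose completion is itself logged, so the organization can show when each copy stopped being used.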


How Public-Private Collaboration Helps

Many organizations are partnering with privacy consultants, legal advisors, and tech providers to build robust consent mechanisms.

Startups are creating plug-and-play consent tools for small businesses — helping them embed easy checkboxes and withdrawal options on websites and apps.

Industry associations are issuing best practices and templates so that even smaller players can comply without huge legal teams.


How the Public Can Use These Changes

For the public, DPDPA’s new consent rules put power back in their hands:

  • Look for clear options: Next time you see a checkbox, ask: “Do I really want them to use my data for this?”

  • Use withdrawal features: If you’re tired of constant marketing calls, you can now legally say “stop” — and companies must obey.

  • Ask questions: If an app doesn’t give you clear consent choices, you can challenge it under the DPDPA.


Example: Everyday Application

Suppose you sign up for a new digital insurance app. It asks for permission to:
✅ Use your contact info to send policy reminders.
✅ Share your data with third-party marketers.
✅ Analyze your health patterns to offer discounts.

Under DPDPA, you can:

  • Give consent for reminders only.

  • Say no to third-party sharing.

  • Withdraw consent later if you’re uncomfortable.

The law is on your side.


Challenges Organizations Face

Adapting to DPDPA consent rules isn’t just about technology — it’s a mindset change:

  • Design teams must make consent forms clear and simple.

  • Legal teams must ensure wording aligns with the law.

  • Tech teams must integrate consent preferences across systems.

  • Marketing teams must accept that fewer people may say “yes” to promotions.

This can feel like a loss — but it’s actually a win: only engaged, consenting users receive messages they want, boosting trust and reputation.


Example of Good Practice: Telecom Industry

Telecom companies have historically struggled with unwanted promotional calls and SMS. Under DPDPA, telcos must now offer simple ways to opt out, and record that choice across all marketing channels.

A good telco app now lets you manage permissions in a clear “Privacy” section — and once you say “No,” your preference must stick.


What Happens if Companies Don’t Comply?

Failure to get valid consent, or ignoring a withdrawal request, is a breach of the Act and can attract penalties under its schedule, which runs up to ₹250 crore for the most serious category. But more than money, the reputational cost is huge. Customers today care about privacy. Mishandling consent erodes trust, which is costly to rebuild.


Conclusion

India’s DPDPA 2025 has changed the rules of the game for consent: no more hidden opt-ins, no more silent misuse of your personal data. For organizations, this is an opportunity to treat privacy as a trust-builder, not just a compliance burden. For the public, it’s a reminder that your data is yours — and your “No” is as powerful as your “Yes.”

As organizations big and small adapt their consent management, the winners will be those who keep it clear, honest, and user-friendly, building a safer, more respectful digital India for everyone.

What recent large-scale data breaches in India highlight vulnerabilities in personal data protection?

India’s rapid digital transformation is remarkable — millions of citizens transact online, businesses store huge volumes of data in the cloud, and government agencies digitize services at record speed. But with this explosive growth comes a dark side: data breaches.

In the last few years alone, India has seen some of the world’s largest and most alarming data leaks, affecting millions of citizens. Each breach has exposed the reality that even well-known brands, crucial public services, and startups often leave critical gaps in how they protect personal information.

These incidents highlight why the Digital Personal Data Protection Act (DPDPA) 2025 is so important — and why India’s businesses and institutions must rethink how they handle sensitive data.

As a cybersecurity expert, let’s break down some of the biggest breaches, what they reveal about India’s vulnerabilities, and how the public can better protect themselves in an era of data exposure.


India’s Recent Data Breaches: A Wake-Up Call

1️⃣ The Domino’s India Data Breach (2021)

In 2021, hackers claimed to have stolen over 180 million order details from Domino’s India — including names, phone numbers, email addresses, delivery addresses, and payment details. Worse, attackers created a search portal on the dark web where anyone could look up customers’ orders and personal information.

What went wrong:
Domino’s reportedly failed to secure its database with robust access controls and encryption. Attackers exploited this weak point to siphon off customer data undetected.

What it shows:
Popular brands are prime targets. Even everyday orders — pizza, groceries, cabs — can expose sensitive personal patterns when leaked.


2️⃣ COVID-19 Vaccination Data Leak

During the peak of India’s COVID-19 vaccination drive, reports emerged of Aadhaar numbers, phone numbers, and vaccination details being sold online. In some cases, threat actors exploited vulnerabilities in government-run apps and portals.

What went wrong:
Massive databases storing citizens’ health and identity data were often hosted on poorly secured servers or lacked adequate monitoring.

What it shows:
Critical public health infrastructure must be secured with the same seriousness as banking or defense systems — because the impact is personal and nationwide.


3️⃣ Mobikwik Data Leak (2021)

In one of India’s largest fintech leaks, up to 110 million users’ data — including KYC details, Aadhaar scans, phone numbers, and card info — was reportedly exposed and listed for sale on the dark web.

Mobikwik initially denied the breach but later launched an investigation under pressure from cybersecurity researchers and the public.

What went wrong:
Sensitive data like scanned IDs and financial info was allegedly stored without robust encryption or multi-layered security controls.

What it shows:
Fintech startups handling financial and ID data must comply with the strictest security standards — because the damage from leaks can be devastating.


4️⃣ Air India Passenger Data Leak (2021)

A breach at Air India’s third-party IT service provider compromised the data of 4.5 million passengers — including passport info, credit card details, and travel histories.

What went wrong:
A supply chain vulnerability: a third-party vendor’s systems were attacked, showing that even if your own security is strong, your partners’ weaknesses can expose your data.

What it shows:
Supply chain security is non-negotiable. Every vendor relationship must be vetted and monitored — because attackers always look for the weakest link.


What These Breaches Have in Common

Across these incidents, a few patterns emerge:

🔑 Weak access controls: Poor passwords, lack of multi-factor authentication, and over-permissive access.
🔒 Inadequate encryption: Sensitive data stored in plain text or with outdated encryption makes breaches worse.
⏱️ Slow detection: Many breaches went unnoticed for weeks or months.
🤝 Vendor risk: Third-party partners often become the entry point.
🗣️ Poor transparency: Some organizations hesitated to admit breaches or delayed notifications — something the DPDPA 2025 now directly addresses.


The Cost for Ordinary People

When personal data leaks, the consequences aren’t theoretical:

  • Your phone number can become a magnet for spam and scam calls.

  • Stolen Aadhaar or KYC scans can be used for fraud.

  • Leaked payment info can lead to unauthorized transactions.

  • Your privacy — addresses, travel details, health status — can be exploited for social engineering scams.


How the Public Can Protect Themselves

While we can’t stop big companies from failing, we can take steps to limit the damage:

  • Use strong, unique passwords for each app and service.

  • Enable two-factor authentication (2FA) wherever possible.

  • Be alert for phishing: if you get calls or emails claiming to know your private info, verify first.

  • Monitor bank statements and credit reports for suspicious activity.

  • Use trusted platforms — check an app’s security reputation before handing over documents or ID scans.


What Organizations Must Learn

The DPDPA 2025 is a direct response to these high-profile breaches — setting strict rules for consent, data minimization, encryption, and especially breach notification.

To comply and protect user trust, companies must:

  • Invest in robust encryption for stored and transmitted data.

  • Apply least privilege access: only those who need data should have it.

  • Vet and monitor vendors carefully.

  • Test systems regularly for vulnerabilities.

  • Have clear breach response playbooks ready — because speed matters.


Example: How Better Security Could Have Prevented Damage

Imagine the Domino’s breach with modern protections:

  • The database is encrypted at rest.

  • Strict access controls require multi-factor authentication for admins.

  • Anomaly detection tools alert the security team if massive data is accessed unusually.

  • If a breach still occurs, the company informs users promptly, helping them stay vigilant.
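The "anomaly detection tools alert the security team if massive data is accessed unusually" bullet, together with the admin MFA bullet, is the part of this scenario that can be made concrete in code. The block below is an added example written for this article, not code from the original post or from any company named here. It runs three defender-side checks over a constructed database audit log: an absolute bulk-read cap per user in a five-minute window, a per-user baseline check that catches a service account reading far more than it normally does (which the absolute cap alone would miss), and a check for admin activity without MFA. The log lines, user names (svc_orders, admin_ops, priya, rahul), the CSV column layout and the thresholds are all assumptions made for the example.

```python
"""Bulk-access and missing-MFA detection over a constructed database audit log.

Added example for illustration; the log format, users and thresholds are
assumptions, not the audit format of any real product or the breached company.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real data). One row per query:
# when it ran, who ran it, their role, whether MFA was used, table, rows returned.
SAMPLE_LOG = """\
timestamp,user,role,mfa,table,rows_read
2021-05-20T09:00:12Z,svc_orders,service,no,customers,40
2021-05-20T09:00:45Z,svc_orders,service,no,customers,55
2021-05-20T09:01:10Z,priya,support,yes,customers,3
2021-05-20T09:02:30Z,svc_orders,service,no,customers,60
2021-05-20T09:03:00Z,svc_orders,service,no,customers,4000
2021-05-20T09:05:00Z,admin_ops,admin,no,customers,500000
2021-05-20T09:05:40Z,admin_ops,admin,no,orders,18000000
2021-05-20T09:06:05Z,priya,support,yes,customers,2
2021-05-20T10:15:00Z,rahul,admin,yes,customers,120
"""

ROW_THRESHOLD = 10_000          # assumed absolute cap: rows one user may read per window
WINDOW = timedelta(minutes=5)   # assumed sliding window for the absolute cap


def parse_log(text):
    """Parse CSV audit lines into sorted event dicts with UTC timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": row["user"],
            "role": row["role"],
            "mfa": row["mfa"] == "yes",
            "table": row["table"],
            "rows": int(row["rows_read"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_access(events, window=WINDOW, threshold=ROW_THRESHOLD):
    """Alert when one user's rows read within `window` reach `threshold`."""
    alerts = []
    recent_by_user = defaultdict(list)
    for e in events:
        recent = recent_by_user[e["user"]]
        recent.append(e)
        cutoff = e["ts"] - window
        while recent and recent[0]["ts"] < cutoff:   # drop events outside the window
            recent.pop(0)
        total = sum(x["rows"] for x in recent)
        if total >= threshold:
            alerts.append({"rule": "bulk_access", "user": e["user"],
                           "at": e["ts"].isoformat(), "rows_in_window": total})
    return alerts


def detect_baseline_deviation(events, min_history=3, factor=20):
    """Alert when a read is `factor` times the user's own median of prior reads.

    Catches a normally low-volume account suddenly reading far more than usual,
    even when the total stays below the absolute cap.
    """
    alerts = []
    history = defaultdict(list)
    for e in events:
        prior = history[e["user"]]
        if len(prior) >= min_history:
            baseline = statistics.median(prior)
            if e["rows"] > factor * baseline:
                alerts.append({"rule": "baseline_deviation", "user": e["user"],
                               "at": e["ts"].isoformat(), "rows": e["rows"],
                               "baseline": baseline})
        prior.append(e["rows"])
    return alerts


def detect_admin_without_mfa(events):
    """Return admin accounts that touched data without MFA (policy violation)."""
    return sorted({e["user"] for e in events if e["role"] == "admin" and not e["mfa"]})


def run_detections(text):
    """Run all three checks over a log text and group alerts by rule."""
    events = parse_log(text)
    return {
        "bulk_access": detect_bulk_access(events),
        "baseline_deviation": detect_baseline_deviation(events),
        "admin_without_mfa": detect_admin_without_mfa(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(rule, hits)
```

On the constructed log, the absolute cap fires twice for admin_ops (500,000 and then 18.5 million rows inside five minutes), the baseline rule fires once for svc_orders (4,000 rows against a median of 55), and admin_ops is also reported for working without MFA. The two volume rules are deliberately complementary: a fixed cap alone lets a compromised low-privilege account drain data in small batches, while a baseline alone never fires for an admin account with no history.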


The Role of the Public Under DPDPA 2025

Thanks to DPDPA, the public now has more tools to hold organizations accountable:

  • You can request information about how your data is stored and shared.

  • You have the right to withdraw consent for data you no longer want companies to hold.

  • If your data is leaked, you must be notified quickly — so you can act.


Why These Breaches Shouldn’t Be Forgotten

It’s easy to treat each new breach as just another headline. But each incident is a real-world lesson that poor data security costs trust, reputation, and user safety.

As India’s digital economy grows — from UPI payments to online education — companies must understand that safeguarding personal data is not a nice-to-have. It’s now the law, the expectation, and the minimum standard for doing business.


Conclusion

India’s recent large-scale data breaches remind us that data protection is not theoretical — it affects our money, privacy, and daily lives. These breaches underline why the DPDPA 2025 is so crucial: to force businesses, public agencies, and startups alike to secure data with the seriousness it deserves. For individuals, they are a call to be vigilant: question where your data goes, take basic security steps, and demand accountability when companies fail.

As India embraces its digital future, we must all — companies, government, and citizens — treat personal data as precious. Because in the wrong hands, it truly is.

How does the DPDPA 2025 mandate strict data breach notification requirements in India?

In August 2023, India’s Parliament passed the long-awaited Digital Personal Data Protection Act (DPDPA) — a landmark privacy law that establishes new standards for how organizations handle, protect, and disclose personal data. Among its most crucial pillars is a clear framework for mandatory data breach notification, which comes into force fully by 2025.

For Indian companies — from tech giants and banks to small startups and hospitals — this provision marks a major shift. It means data breaches can no longer be swept under the rug, quietly handled behind closed doors. Instead, organizations must act quickly, communicate clearly, and take accountability when something goes wrong.

For ordinary citizens, this transparency is a big win: it empowers individuals to respond faster when their personal data is exposed, minimizing potential harm.

As a cybersecurity expert, I want to break down exactly how India’s DPDPA 2025 transforms breach notification practices, why it matters, and what everyone — businesses and the public alike — should do next.


Why Breach Notification Matters

In today’s digital world, data breaches are not “if” but “when.” Even the most secure organizations can fall victim to sophisticated attacks, human error, or insider threats. But too often, breaches remain hidden — giving cybercriminals more time to misuse stolen data and leaving people in the dark.

A robust breach notification law does three important things:
1️⃣ Protects individuals: Quick disclosure helps people secure accounts, change passwords, block cards, or monitor suspicious activity.
2️⃣ Drives accountability: Organizations know they can’t hide sloppy security practices anymore.
3️⃣ Builds trust: Openness shows users that a company takes privacy seriously, even when things go wrong.


What Does the DPDPA 2025 Require?

Under the DPDPA, any organization (called a Data Fiduciary) that experiences a personal data breach must:

  • Report the breach “without undue delay” to the Data Protection Board of India.

  • Notify affected individuals whose personal data may be at risk.

  • Provide details about the breach, the nature of the data compromised, and steps people should take to protect themselves.

This aligns India with global best practices — like Europe’s GDPR, which requires notification within 72 hours — but also tailors it to India’s context and new Data Protection Board structure.


What Counts as a Data Breach?

A breach isn’t limited to cyberattacks alone. Under DPDPA, a breach can be:

  • Unauthorized access (like a hacker intrusion)

  • Accidental loss (like a misplaced laptop with sensitive files)

  • Data leaks due to misconfigured servers

  • Unlawful sharing by an insider or vendor

Example:
A health-tech startup accidentally exposes thousands of patient health records due to a misconfigured cloud bucket. Under DPDPA, they must report this quickly and tell patients how they can protect themselves — for example, by changing login credentials or monitoring for fraud.


No More “Silent Leaks”

Before the DPDPA, India did not have a single, clear national law mandating breach notification across sectors. Many companies feared reputational damage and chose not to disclose leaks publicly — or did so months later, when the damage was done.

DPDPA ends this practice. “Without undue delay” means companies must act as soon as they become aware — dragging feet could trigger big fines.


Penalties for Failing to Notify

Failing to notify the Board and affected users can cost an organization up to ₹200 crore (~$24 million USD) per instance. That’s a clear signal: hiding breaches is not worth the risk.


How This Protects the Public

This provision is more than just corporate red tape — it’s about empowering people. Imagine if your bank details, Aadhaar number, or medical records were stolen and you didn’t find out for six months. By then, your identity could be misused, credit ruined, or worse.

Fast notification gives people a fighting chance to:
✅ Change passwords or PINs
✅ Block cards or accounts
✅ Freeze credit
✅ Report fraud attempts

It also creates a “paper trail” — affected people can hold organizations accountable if they fail to act responsibly.


Real-World Example: A Bank Leak

Suppose a mid-sized Indian bank is hit by ransomware, and customer transaction histories are stolen. Under DPDPA, the bank must:
1️⃣ Notify the Data Protection Board immediately.
2️⃣ Inform every customer whose data may be compromised.
3️⃣ Explain exactly what was stolen — account numbers, transaction amounts, phone numbers.
4️⃣ Advise customers how to respond — like setting up transaction alerts or changing online banking passwords.

Such transparency builds trust — even if the breach damages reputation short-term, customers appreciate honesty and guidance.


Public Tip: How You Can Use This Law

When you hear about a breach:

  • Read the notification carefully — what type of data was exposed?

  • Follow instructions — change passwords, enable multi-factor authentication, block cards if needed.

  • Stay alert — watch for phishing calls or messages pretending to be your bank or service provider.

If a company fails to notify you and you suspect a breach, you can escalate it to the Data Protection Board or consumer protection channels.


What Companies Must Do Differently

For businesses, complying with DPDPA’s breach notification requirement means:
✅ Having a clear incident response plan in place.
✅ Appointing a Data Protection Officer to coordinate actions.
✅ Training teams to detect, contain, and report breaches quickly.
✅ Running drills to test how fast they can notify users.
✅ Updating contracts with vendors — if a vendor causes a breach, the main organization is still responsible.


Example: Small Businesses Aren’t Exempt

It’s not just big tech firms that must comply. Even a small travel agency that loses passport data, or a coaching center that leaks student Aadhaar numbers, must report the breach.

So small businesses need basic cybersecurity:

  • Secure storage (encrypted drives or secure cloud)

  • Strong passwords

  • Limited access — only those who need the data should have it

  • A simple plan for “what to do if we get hacked”


Challenges Organizations Will Face

Some challenges companies must tackle include:
🔍 Detecting breaches: Many breaches stay hidden for months — better monitoring tools are a must.
🕒 Defining “without undue delay”: Companies must be ready to act fast — no excuses.
🤝 Communicating clearly: Notifications must be understandable, not buried in legal jargon.
💼 Balancing disclosure and panic: Organizations must tell people enough to act, but without causing unnecessary fear.


Aligning with Global Expectations

With the DPDPA, India aligns its data protection framework with global norms. International partners expect this level of transparency — it reassures foreign investors and boosts confidence in India’s growing digital economy.


Why It Matters for India’s Future

India is home to one of the world’s largest digital populations — hundreds of millions of people share personal data daily, often without realizing how vulnerable they are.

Mandatory breach notification is a signal that India is serious about protecting that data. It creates a culture where:

  • Businesses can’t hide mistakes.

  • The public is treated with respect.

  • Trust becomes a competitive advantage.


Conclusion

The DPDPA 2025’s strict breach notification requirements are more than just legal checkboxes — they are a commitment to a culture of transparency, accountability, and trust in India’s digital economy. For businesses, this means building the systems, skills, and mindsets to respond fast when the worst happens. For citizens, it means having the right to know when their data is at risk — and the tools to protect themselves when it is.

The message is clear: security is everyone’s job. When breaches happen, quick and honest disclosure is the first step to making things right — and building a safer digital India for all.