Know where the data is
You cannot protect, delete or account for data you cannot find. The foundational discipline the DPDP Act demands — and the one most organisations lack — is a live map of what personal data exists, where it lives, why it was collected and how long it is kept. Build that inventory into the system rather than reconstructing it under pressure, and most other obligations become tractable.
Collect less, keep it shorter
The cheapest data to secure is the data you never collected. Purpose limitation and data minimisation are not just legal principles; they are sound security engineering. Every field you do not store is a field that cannot leak, cannot be subpoenaed and cannot be misused.
- Collect only what the stated purpose actually requires, and record that purpose.
- Set retention windows and enforce them with automated deletion, not good intentions.
- Separate and tightly scope access to the most sensitive categories of data.
- Make consent granular, revocable and honoured downstream — not just captured at signup.
Rights requests are a system feature
The Act gives individuals the right to access, correct and erase their data. If honouring those rights means a person manually querying a dozen databases, the process will be slow, error-prone and unauditable. We build data-subject rights in as a first-class feature — an authenticated request that fans out across every store, produces a complete and correct response, and logs the whole thing for audit.
Secure by design, provable by default
Security that cannot be demonstrated is worth little when it matters. Encryption in transit and at rest, least-privilege access, immutable audit logs and a rehearsed breach-response plan are not extras — they are the baseline. Building them in from the start means that when scrutiny arrives, the honest answer is not 'we think we are fine' but 'here is the evidence.' That posture is cheaper to maintain than to retrofit, and it is what turns compliance from a liability into a genuine market advantage.
Key Takeaways
- 1You can only protect data you can find — build a live data inventory in.
- 2Minimisation and short retention are security wins, not just legal ones.
- 3Make data-subject rights an automated system feature, not a manual scramble.
- 4Provable security beats claimed security — bake in encryption, least privilege and audit logs.