By Malcolm Gomes, COO, IDfy
Seventy percent of all sensitive data sitting in enterprise systems right now has not been accessed, used, or reviewed in years, according to a Data Risk report from 2021. It was never deleted when it should have been and, in a breach, it is just as exposed as everything else. For years, enterprises treated personal data as an asset to be collected first and governed later. More data meant better personalization, sharper analytics, stronger fraud models, and business intelligence. But with DPDP in force and cyber risk rising, that equation is changing. Data without a clear purpose is no longer an asset. It is an attack surface.
India’s cyber risk environment makes this urgent. In 2025, CERT-In handled over 29.44 lakh cyber incidents. IBM’s 2025 breach research pegged the average cost of a data breach in India at ₹220 million, while the global average stood at USD 4.44 million. Verizon’s 2026 Data Breach Investigations Report found that 31% of breaches now start with software vulnerability exploitation, overtaking stolen credentials as the leading entry point.
What that figure means in practice is that attackers are no longer just looking for weak passwords. They are looking for unguarded data stores, and enterprises that hold more data than they need are giving attackers more to find.
Why DPDP and Cybersecurity Are Now Closely Connected
This is why the Digital Personal Data Protection (DPDP) framework should not be viewed only as privacy compliance. It is also a cybersecurity reset. It forces enterprises to ask a fundamental security question: why are we holding this data in the first place?
Data minimization is not about doing less business. It is about reducing unnecessary exposure. Every extra field collected, every duplicated customer record, every old document retained beyond its purpose, and every vendor copy sitting outside the organization’s control expands the blast radius of a breach.
Security teams can encrypt systems and monitor networks, but they cannot fully protect data that the business does not know exists, no longer needs, or cannot justify.
How DPDP Is Reshaping Data Governance
DPDP changes that conversation for privacy and security teams alike. Organizations must be able to explain what they collect, why they collect it, how long they keep it, whom they share it with, and when it must be deleted.
These are not just legal requirements. They are security design principles.
The law also carries serious consequences. Failure to maintain reasonable security safeguards can attract penalties of up to ₹250 crore, while failure to notify the Data Protection Board of India or affected individuals of a personal data breach can attract penalties of up to ₹200 crore.
The most secure piece of personal data is the one you never collected unnecessarily. The second most secure is the one you deleted when its purpose was fulfilled.
Data Minimization as a Cybersecurity Strategy
For Indian enterprises, digital journeys have become data-heavy by default. Onboarding, lending, insurance, healthcare, ecommerce, and fraud prevention journeys may all have legitimate reasons to process personal data. The challenge is to distinguish necessary data from convenient data.
Cyber risk is no longer limited to firewalls and endpoint protection. It includes data hoarding, excessive access, old records, test data, unused integrations, shadow databases, and third-party copies.
When a breach happens, regulators, customers, and partners will not only ask how the attacker got in. They will ask why so much data was there to be exposed.
Data minimization reduces three risks.
- First, it reduces data breach risk. If expired data has already been deleted, it cannot be stolen. If a system contains ten required fields instead of fifty collected by habit, the harm is lower.
- Second, it improves visibility. Many organizations struggle not because they lack security tools, but because they lack a reliable map of personal data across applications, databases, documents, cloud environments, and third parties. You cannot secure what you cannot see.
- Third, it strengthens accountability. Product, operations, legal, vendor, and security teams must now work from the same understanding of purpose, consent, retention, and safeguards.
Together, these three elements create a mature enterprise cybersecurity posture.
Balancing Fraud Prevention and Personal Data Protection
The hardest balancing act will be fraud prevention.
Banks, insurers, fintechs, marketplaces, and digital platforms need strong controls to detect synthetic identities, account takeover, mule activity, payment fraud, and suspicious behavior. But fraud prevention cannot become a blanket justification for collecting everything.
The way forward is not to weaken fraud controls. It is to make them sharper.
Purpose-bound fraud prevention means collecting only the data required for a specific risk decision, using it with clear controls, retaining it for a justified period, and restricting access to systems that genuinely need it.
Good security does not require unlimited data. It requires the right data, governed well.
Why Trust Is Becoming a Competitive Advantage
This is where trust becomes a competitive advantage. Enterprises that can demonstrate why they collect data, how they protect it, and when they delete it will earn customer and partner confidence.
In a market where cyber threats are rising and regulatory scrutiny is increasing, trust will influence both customer choice and institutional credibility.
For boards and leadership teams, the question is no longer, “Are we DPDP compliant?”
The sharper question is, “Can we prove that our data practices reduce risk?”
Answering that question requires more than a compliance audit. It requires a live view of personal data across the enterprise: what exists, where it goes, who can access it, and whether it still needs to be held or accessed at all.
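The live view described above, and the three risks listed earlier (breach exposure, visibility, accountability), reduce in practice to a review that runs over a data map: which fields are past their purpose-bound retention, which have no declared purpose at all, and which are readable by roles the purpose does not justify. The following is an added example and not code from the article or from IDfy. The inventory, the review date, and the purpose-to-roles map (ALLOWED_ROLES) are all constructed placeholders; in a real deployment they would come from the consent, retention and access-governance records the article says every team must share.

```python
# Added example: a purpose-bound personal data inventory review.
# Constructed sample data and a hypothetical role map; not IDfy's or the article's code.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataAsset:
    system: str                 # where the field lives (constructed names)
    field_name: str
    purpose: str                # declared purpose; empty string means none recorded
    retention_days: int         # how long the purpose justifies keeping the field
    purpose_fulfilled_on: date  # when the purpose was last served (e.g. loan closed)
    sensitive: bool             # counts toward breach blast radius
    accessors: frozenset        # roles that can currently read the field


# Hypothetical purpose -> roles map standing in for real access-governance records.
ALLOWED_ROLES = {
    "kyc-verification": frozenset({"onboarding-ops", "fraud-analyst"}),
    "loan-servicing": frozenset({"loan-ops", "collections"}),
    "fraud-decisioning": frozenset({"fraud-analyst"}),
}

# Constructed inventory standing in for a real enterprise data map.
SAMPLE_INVENTORY = [
    DataAsset("crm", "pan_number", "kyc-verification", 365, date(2024, 1, 15), True,
              frozenset({"onboarding-ops", "fraud-analyst", "marketing"})),
    DataAsset("lending", "aadhaar_scan", "loan-servicing", 180, date(2025, 12, 1), True,
              frozenset({"loan-ops"})),
    DataAsset("analytics", "mothers_maiden_name", "", 0, date(2023, 6, 1), True,
              frozenset({"data-science"})),
    DataAsset("crm", "email", "kyc-verification", 365, date(2025, 12, 20), False,
              frozenset({"onboarding-ops"})),
    DataAsset("test-db", "phone_copy", "", 0, date(2022, 3, 3), True,
              frozenset({"developers"})),
]
REVIEW_DATE = date(2026, 3, 1)  # constructed "today" for the review


def review_inventory(assets, today):
    """Return three finding classes that map to the controls the article names:
    expired (delete), no_purpose (minimize), excess_access (restrict)."""
    findings = {"expired": [], "no_purpose": [], "excess_access": []}
    for a in assets:
        key = f"{a.system}.{a.field_name}"
        if not a.purpose:
            # No justification recorded: retention cannot be computed, flag for removal.
            findings["no_purpose"].append(key)
            continue
        # Retention is counted from the date the purpose was fulfilled, not collection.
        if today > a.purpose_fulfilled_on + timedelta(days=a.retention_days):
            findings["expired"].append(key)
        # Any role outside the purpose's allowed set is excess access.
        extra = a.accessors - ALLOWED_ROLES.get(a.purpose, frozenset())
        if extra:
            findings["excess_access"].append((key, sorted(extra)))
    return findings


def exposure_reduction(assets, findings):
    """Count sensitive fields that would leave the blast radius if the expired
    and purpose-less findings were actioned. Returns (removable, total_sensitive)."""
    removable = set(findings["expired"]) | set(findings["no_purpose"])
    sensitive = [a for a in assets if a.sensitive]
    hit = sum(1 for a in sensitive if f"{a.system}.{a.field_name}" in removable)
    return hit, len(sensitive)


if __name__ == "__main__":
    result = review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    removable, total = exposure_reduction(SAMPLE_INVENTORY, result)
    print(f"sensitive fields removable: {removable}/{total}")
```

On the constructed inventory, three of the four sensitive fields are removable before any encryption or monitoring is applied, which is the "reduced blast radius" argument in concrete terms. Two design choices matter: retention is measured from the date the purpose was fulfilled rather than the collection date, so a field cannot outlive its justification by being "recent", and a field with no recorded purpose is flagged for removal rather than silently kept.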
Privacy and security used to be treated as separate disciplines with separate teams, budgets, and agendas. That separation is no longer viable. A security team that does not know what personal data the business holds cannot protect it. A privacy team that does not have technical visibility into data flows cannot govern them.
The Future of DPDP and Cybersecurity
DPDP is not asking enterprises to choose between innovation and protection. It is asking them to build digital systems where innovation does not depend on uncontrolled data accumulation.
For too long, “collect more” was seen as the safer business strategy. In the DPDP era, the safer cybersecurity strategy may be the opposite: collect with purpose, protect with discipline, and delete with confidence.
Data minimization is no longer a privacy checkbox. It is becoming one of the most practical security controls an enterprise can deploy.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official position of The Cyber Express. This article is published as part of our contributed content program and is intended for informational purposes only.)