By Mandar Patil, Founding Member and SVP – Global Sales and Customer Success, Cyble
At 02:17 a.m., the SOC phone lights up—an unfamiliar domain has begun hawking what looks like a tranche of employee KYC data. It’s a Sunday, naturally. Screens crowd with IP hops and credential lists, and the analysts’ half-finished coffees go cold while they pivot from Slack screenshots to pastebins to a vendor portal that suddenly returns a 500.
In that dark, crowded minute, there are two clocks. One belongs to the attacker, measuring how long they can monetize before takedowns bite. The other is the regulator’s—silent, precise, increasingly unforgiving.
India’s Digital Personal Data Protection (DPDP) Act, 2023 has been on the books for a few years now. What changes now is less theatrical than a midnight “switch-on” and more like a control room coming alive. Procedural lights turning green, routes getting unblocked, appeal paths lit, and duties operationalized. With the DPDP Rules expected to be notified around September 28, 2025, the norm-setting scaffolding around the Act begins to function in earnest—especially for breach handling, consent governance, and the day-to-day operations of the new Data Protection Board (DPB).
If the Act was the promise, the Rules are the wiring diagram. They don’t change India’s north star—rights-respecting processing at scale—but they do tell DPOs and CISOs how fast to move, what to log, whom to notify, and how to prove it when the Board asks.
What Actually Switches on First
The Rules bring the DPB’s practical life into view: digital office functioning, meeting processes, timelines for inquiries, and the appeals flow to the TDSAT (Telecom Disputes Settlement and Appellate Tribunal). In other words, the Board gets the instruments it needs to work like a modern adjudicatory agency. The draft text details the Board’s digital proceedings, quorum and voting, the six-month inquiry window (extendable in reasoned steps), and the appeal mechanism (filed digitally) to the TDSAT—giving companies and complainants a clear route from complaint to order to appeal.
Crucially, penalty architecture under the Act remains exactly as stark as many first feared. The DPDP allows the Board to levy monetary penalties up to ₹250 crore per instance for the most serious lapses (notably failure to implement “reasonable security safeguards” to prevent personal data breaches). That ceiling is not rhetorical—it is explicit in the law’s schedule and widely summarized by neutral trackers and legal analysis.
Appeals go to the TDSAT. This is not a rumor or a blog rumor mill—it’s baked into the Act’s structure: orders of the Board are appealable to TDSAT, with further recourse to the Supreme Court on limited grounds. Expect a learning curve as a telecom tribunal steps into the privacy beat, but the path is clear.
Also read: India Releases Draft Data Protection Rules for Public Consultation
Breach Notification: The New Choreography with An Old Metronome
Under the Act, data fiduciaries must notify both the DPB and affected individuals in the event of a personal data breach. The DPDP Act itself never prescribed a fixed deadline, and the Draft Rules continue in that pragmatic vein, using the phrase “without delay” rather than a hard timer. Practically, Boards tend to read “without delay” as hours, not days.
Now overlay India’s CERT-In regime—the metronome that’s been ticking since 2022. For a wide set of cyber incidents, CERT-In requires reporting within 6 hours of “noticing” or being informed of an incident. That obligation hasn’t gone away; the DPDP framework sits in addition to it. Your breach response runbook must assume two parallel notifications: one to CERT-In (6 hours) and another to the DPB/individuals (“without delay” under the draft Rules, with final timelines to be read from the notified text). Don’t conflate the two
Implication: If you only discover breaches when victims complain, you’ve already lost the timeline. The only way to make six-hour and “without delay” windows tractable is:
- Continuous detection (across network, endpoint, identity, and dark-web surfaces)
- Pre-approved comms templates and decision trees
- Evidence capture that stands up in an inquiry
Consent Managers: The ‘Interoperable Consent Layer’ Gets Real
The Rules flesh out Consent Manager registration and obligations: the Board can register platforms that enable users to give, manage, withdraw, and audit their consents across multiple data fiduciaries; it may also suspend or cancel registrations for non-adherence. The schedules outline transparency duties, audit mechanisms, conflict-of-interest guardrails, and record-keeping (e.g., maintaining consent logs for at least seven years). Once notified, this interoperable layer should start tightening incentives for clean notices and traceable, revocable consent.
For DPOs, this changes customer-facing UX priorities overnight. “Pretty” is no longer enough—consent has to be verifiable, portable, and provable.
Not Everything Lands on Day 1
Some obligations will phase in over the first 12–24 months, especially for entities the government designates as Significant Data Fiduciaries (SDFs). SDFs shoulder additional duties: appointing a senior DPO in India, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, periodic independent audits, and maintaining beefed-up grievance and redressal processes. The negative-list approach to cross-border transfers (transfer allowed by default except to countries the government specifically restricts) will become clearer as notifications arrive.
Two themes to watch as final Rules emerge:
- Children’s Data: Verifiable parental consent and age-gating standards are described with specificity in the draft, and will likely need technical controls (e.g., digital locker tokens) rather than checkbox rituals.
- Data Retention, Erasure Prompts, and Logs: The Rules sketch detailed triggers for erasure and one-year minimum log retention to support detection and investigation—a direct nod to practical incident response.
The Day-One Survival Kit for Indian DPOs (and their boards)
- Map and minimize. If you can’t draw your data flows in three pages—what you collect, why, where it goes, who processes it, when you erase—you won’t survive discovery, let alone an inquiry. Start with notices, consents, and SDF-risk mapping. (If you operate at population scale, use advanced profiling, or touch the financial system, expect SDF conversations.)
- Build two notification muscles. Hard-wire CERT-In’s six-hour timer into your IR playbooks, and separately: Templated DPB + data-principal notifications “without delay,” with a contact who can answer technical questions. Don’t wait to draft these after an incident.
- Treat “reasonable security safeguards” as a legal control, not a buzzword. The Act’s heaviest penalty (up to ₹250 crore) is tethered to failures here. Think encryption and tokenization at rest and in transit; identity segmentation; monitoring and log retention; supplier hardening; and incident rehearshal. Reasonableness is contextual, but negligence is discoverable.
- Prepare for Consent Managers. If your web and app stacks can’t ingest standardized consent signals and expose machine-readable logs on demand, you’ll feel it in complaint handling and, eventually, in Board proceedings.
- Align privacy with business advantage. The Board will penalize non-compliance, but trust is the bigger prize in a 1.4-billion-user market. Early movers in privacy-by-design will advertise it—and convert on it. The law gives you a stick; take the carrot.
Where Cyble Fits (and Where it Must be Careful)
This is The Cyber Express by Cyble, and I won’t pretend we’re neutral observers. Our vantage point, watching breaches bloom first on the dark web before they hit mainstream, keeps surfacing the same lesson: You cannot compress investigation time if you start detecting late. Continuous monitoring of dark-web markets and closed channels, paired with curated breach intelligence, materially shortens the “time-to-notice” and the “time-to-evidence,” which are the two clocks that DPOs now live by.
It’s tempting to say “only” dark-web intelligence can save you from penalties. That’s not how compliance works. What we can say, humbly and firmly, is that organizations with real-time leak visibility, across dark-web, messaging apps, breach-paste ecosystems, and credential dumps, consistently meet reporting windows that seem impossible on paper, because their first signal arrives earlier than the ransom email. Our teams already liaise (lawfully and appropriately) with sectoral responders and national incident channels so clients can meet CERT-In’s six-hour escalations while assembling the DPB narrative “without delay.”
We’ve been here before. In earlier years, when India’s personal data law was still in committee, Cyble was invited to share practitioner perspectives with the parliamentary process, a reminder that the domestic privacy conversation has always included frontline intelligence and response voices.
Myth-Busting the ‘72-hour Rule’
You will hear “72 hours” in hallways this week. It’s a GDPR reflex, and some sectoral documents and vendor write-ups echo it. The DPDP Act does not contain a hard 72-hour breach deadline, and the Draft DPDP Rules say “without delay” for intimation to the Board and affected individuals. Could the final rules or guidance land on a specific timer? Possibly. But today’s safe reading is: CERT-In = 6 hours, DPDP = promptly/without delay. Design for the stricter timer and you won’t be wrong.
The Long Road: Children, DPIAs, and Transfers
Expect verifiable parental consent to evolve beyond pop-ups; the draft sketches flows using Digital Locker or similar trust frameworks to confirm adult identity before a child account can be created. DPIAs will cease to be shelf-ware for SDFs; they’ll be living documents that justify risk choices before the Board asks. And cross-border transfers will formalize under a negative-list approach: default-allowed except to countries notified as restricted, with sectoral overlays where regulators add their own rails.
None of this is performative. As appeals land at the TDSAT, we’ll see case-law harden what “reasonable safeguards,” “without delay,” and “DPIA quality” mean in India—not as borrowed phrases, but as Indian standards, born in Indian courts.
The breach you prevent won’t make the news. The breach you detect early will feel, internally, like a near-miss. The breach you notify cleanly and quickly will hurt, but it will teach. India’s privacy regime is growing up—less prescriptive than some, more muscular than many. The DPB gives it a working spine; the TDSAT, a safety valve; the penalties, a sharp memory.
For DPOs and boards, the goal isn’t to outrun the regulator. It’s to outrun your own lag—shorten the time between first signal and first decisive action. In that gap, reputations live or die.
