Digital Personal Data Protection Rules (DPDP) 2026- Practical Implementation Strategy

On November 13th 2025, the Digital Personal Data Protection Rules (or ‘The Rules’) were notified by the Ministry of Electronics and Information Technology of India, a landmark day for the privacy community in India. The Rules lay out clear guidance on how the Digital Personal Data Protection Act, 2023 should be interpreted and provide more clarity on key areas such as breach notification, data retention, consent management and the reasonable safeguards to be implemented by Data Fiduciaries. Though, as per The Rules, Data Fiduciaries have a timeline of about 18 months to comply, privacy compliance is a complex and subjective field and calls for immediate attention from organizations.

To start with the timelines, The Rules lay out a clear timeline to develop an appropriate ecosystem before enforcing obligations on Data Fiduciaries. For instance, the establishment of the Data Protection Board of India is effective immediately; however, to allow the consent ecosystem to develop, consent managers are given a timeline of 12 months.

An additional 6 months is provided to Data Fiduciaries to comply with The Rules, as the Government of India recognizes that privacy compliance is not just a tick-mark exercise but an overhaul of the technological landscape, cultural adaptation and re-modelling of business processes. Though the timeline may look insufficient, it provides adequate time for exploring different compliance roadmaps to meet regulatory obligations.

From a Data Fiduciary perspective, let us look at the various tenets of a successful privacy program, irrespective of the size and maturity of the fiduciary. A key understanding required here is that this strategy may change depending on the scale of operations or maturity of a fiduciary; however, the crux of the privacy program remains the same. For instance, the requirement to discover the personal data landscape forms the basis of any privacy program; however, depending on the scale of operations and existing privacy program maturity, fiduciaries may decide to take a manual approach or onboard a discovery tool.

There are around 16 key tenets of a privacy program, in my experience, which have to be carefully understood, evaluated and prioritized as per the fiduciary’s maturity and complexity. In this blog, we will look at how these tenets directly impact a privacy program, and in the next set of blogs we will look at how to manage any risks arising out of these.

Governance and Leadership*: This directly relates to the most important element: bringing about a cultural change in the fiduciary. This involves activities such as the appointment of a Data Protection Officer* (if an SDF, i.e. a Significant Data Fiduciary), the creation of a Privacy Governance Forum, defining the roles and responsibilities of business functions, etc.

Stakeholder buy-in*: This involves the activities needed to establish and run the privacy program effectively, such as developing cross-functional alignment, driving a business-enabler mindset instead of looking at privacy as an operational overhead, securing senior leaders’ sponsorship to drive change across the organization, etc.

Budgeting and Resourcing*: As with any high-impact program in an organization, budgeting and resourcing play an important role. It is essential to understand the requirements of the organization against the DPDP obligations and secure a budget, especially since the privacy office is generally considered a cost center for an organization.

Privacy Strategy and Roadmap*: Quite often, the privacy strategy and roadmap are considered a one-time activity in an organization. On the contrary, it is a periodic activity driven by multiple factors such as mergers and acquisitions, business expansion, product revamps, etc. Thus it is important to keep a dynamic approach towards privacy strategy and evaluate the organization’s needs on a periodic basis.

Data Inventory and Mapping*: You can’t protect what you don’t understand. Mapping of how data flows across systems, processes and vendors helps identify risks and spot opportunities to simplify or minimize data. It’s the foundation for every other privacy control.

Regulatory Compliance & Policies: Privacy laws keep evolving, and organizations need policies that dynamically adapt with these changes. Clear policies and procedures help teams stay compliant without guessing what’s allowed.

Consent & Notice Management: Data Principals of an organization deserve to know what’s happening with their personal data and to choose what the organization does with it. Thus the inclusion of a consent manager and a robust consent process become essential. Transparent notices and easy-to-use consent options build trust and long-term relationships.

Data Subject (Principal) Rights: Modern privacy programs empower data principals to nominate, access, correct, or delete their information. A smooth, transparent experience shows that an organization respects individuals’ control over their own personal data.

Privacy-by-Design*: Privacy, or personal data management, should always be part of the product from day one, not a reactive afterthought. Building controls into systems early makes them safer, simpler, and more compliant.

Security Controls: Privacy and security go hand in hand. Strong safeguards—like encryption, access limits, and monitoring—are what keep personal data safe from breaches. These security safeguards are mandated under the DPDP Rules as well, though specific security technologies are not explicitly prescribed.

Third-Party & Vendor Risk: Vendors/processors can make or break your privacy posture. Checking their practices and holding them to the same standards protects your users and your reputation. The DPDPA may be enforced on vendors via various legal instruments, so vendor arrangements must be looked at through a closer lens.

Data Retention & Disposal: Keeping data longer than needed only increases the risk of a data breach. Clear retention rules in line with the schedule prescribed in The Rules, together with regular clean-ups, help organizations stay lean and secure. Deleting data safely is just as important as collecting it responsibly.

Incident & Breach Management: Even with robust security and organizational controls, incidents can happen. A well-prepared response plan helps teams act quickly, communicate clearly, and reduce harm. It’s how organizations prove reliability when it matters most to the regulators.

Training & Culture*: Privacy isn’t a tick-mark exercise—it’s a mindset of the organization. Regular training and awareness help employees understand their role in protecting data. A strong culture keeps privacy top-of-mind every day.

Metrics & Continuous Improvement*: A good privacy program grows with the business. Regular reviews, audits, and measurable goals (KPIs/KRIs) help teams stay ahead of risks.

Technology & Automation*: Privacy automation tools make privacy operations smoother and more consistent. Automation helps manage consent, retention, rights requests, and monitoring without impacting the business. Technology turns complex requirements into smooth operations.

Building a privacy program strategy covering all the above key tenets may help organizations achieve their privacy targets in a compliant manner. Out of the 16 tenets, 9 tenets (marked with *) are not mandated by the DPDP directly; however, they help in building a strong base. Do note that organizations may decide on the priority of implementing these principles; however, as the program matures, there will be overlap between them, which will automatically drive the implementation of the other tenets.

In my next blog, we’ll dive into the risks that arise when these privacy tenets are overlooked—and why addressing them early matters. Until then, please think about: what’s the one tenet you can focus on now to strengthen your privacy program?
