Penetration Testing Under India's DPDP Act 2023 — What CISOs Must Know
Published April 26, 2025 · 14 min read
India's Digital Personal Data Protection Act 2023 (DPDP Act) was notified on 11 August 2023. The Draft DPDP Rules were published by MeitY on 3 January 2025 for public consultation, and the Data Protection Board of India is being constituted under Section 18. Penalties run up to INR 250 crore per breach. This checklist gives Indian data fiduciaries — and their offshore counterparts processing Indian personal data — a concrete to-do list mapped to specific sections of the Act and to the technical evidence your auditor or the Board will look for.
Are you a Data Fiduciary?
If you determine the purpose and means of processing digital personal data of any individual in India — yes. The Act applies extraterritorially under Section 3(b) to processing outside India if you offer goods or services to data principals inside India. That sweeps in B2C SaaS, marketplaces, fintech, edtech, healthtech, ride-hailing, ad-tech, and almost every consumer app. A foreign company with no office in India but a checkout page in INR is in scope.
If you process personal data only on behalf of a Data Fiduciary, you are a Data Processor — and the Fiduciary remains primarily liable, but you inherit contractual obligations and can be brought before the Board on Section 9(3) sub-processor breaches.
Significant Data Fiduciary (SDF) — extra obligations
The Central Government may notify any data fiduciary as "Significant" under Section 10 based on data volume, sensitivity, risk to electoral democracy, or risk to the sovereignty of India. SDF status triggers three additional duties: appoint a Data Protection Officer (DPO) based in India and answerable to the board, commission an independent Data Auditor, and conduct a Data Protection Impact Assessment (DPIA) periodically and on every new high-risk processing operation.
Industry expectation is that telecom operators, payment aggregators, large e-commerce, social media platforms above a user threshold, and consumer credit bureaus will be the first SDFs notified. Build DPO and DPIA capability now if you sit in any of those buckets.
Section 5 — Notice & Consent
- Notice must be in English or any of the 22 languages in the Eighth Schedule of the Constitution, at the choice of the principal.
- Notice must include: itemised personal data being collected, specified purpose, manner to exercise rights, and grievance redressal mechanism.
- Consent must be free, specific, informed, unconditional, unambiguous & affirmative.
- Consent withdrawal must be as easy as giving consent (one-click). The Draft Rules clarify this means in-app, not a written postal request.
- Pre-checked boxes, bundled consent, and dark patterns (the Draft Rules cite the December 2023 CCPA Dark Patterns guidelines) are explicitly disallowed.
- Where consent is for the purpose of providing a service, "data minimisation" under Section 8(3) means you cannot collect a phone number to deliver a ringtone.
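The Section 5 requirements above, and the consent-log fields the engineering checklist later asks for (notice version, timestamp, IP, mechanism, granted purposes), come together in a consent record with a validation step. This is an added example, not code from the article or from any product it mentions; the language subset, the mechanism list, the `PURPOSE_DATA_NEEDS` mapping, the timestamps and the principal ids are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set

# Constructed subset of the 22 Eighth Schedule languages plus English (ISO 639-1 codes);
# a real deployment loads the full list.
OFFERED_LANGUAGES = {"en", "hi", "bn", "ta", "te", "mr", "gu", "kn", "ml", "pa"}
MECHANISMS = {"web", "app", "sms", "ivr"}
BUNDLED_KEYS = {"all", "*", "everything"}     # catch-all keys that signal bundled consent

# Constructed mapping: the data items each specified purpose actually needs.
# Anything collected beyond this is a Section 8(3) minimisation problem.
PURPOSE_DATA_NEEDS = {
    "ringtone_delivery": {"device_id"},
    "otp_login": {"mobile"},
    "order_fulfilment": {"name", "address", "mobile"},
}


class ConsentError(ValueError):
    """Raised when a consent record would not be valid under Section 5."""


@dataclass
class ConsentRecord:
    principal_id: str
    notice_version: str          # exact notice text the principal saw
    language: str                # language the notice was rendered in
    mechanism: str               # web / app / sms / ivr
    source_ip: str
    purposes: Dict[str, bool]    # one independent toggle per specified purpose
    affirmative_action: bool     # an explicit tap/click, never a pre-checked box
    granted_at: str              # ISO 8601 with offset
    withdrawn_at: Optional[str] = None


def validate_consent(rec: ConsentRecord) -> ConsentRecord:
    """Reject records that fail the free / specific / informed / affirmative test."""
    if rec.language not in OFFERED_LANGUAGES:
        raise ConsentError("notice not shown in a language the principal could choose")
    if rec.mechanism not in MECHANISMS:
        raise ConsentError("unknown consent mechanism")
    if not rec.affirmative_action:
        raise ConsentError("consent must be an affirmative act, not a pre-checked box")
    if not rec.purposes:
        raise ConsentError("consent must name at least one specified purpose")
    if any(p.lower() in BUNDLED_KEYS for p in rec.purposes):
        raise ConsentError("bundled all-or-nothing consent is not specific")
    datetime.fromisoformat(rec.granted_at)   # must be a parseable timestamp
    return rec


def withdraw(rec: ConsentRecord, at: str) -> ConsentRecord:
    """Single call, no paperwork: withdrawal is as easy as granting."""
    rec.withdrawn_at = at
    return rec


def may_process(rec: ConsentRecord, purpose: str, now: str) -> bool:
    """True only while consent for this specific purpose is granted and not withdrawn."""
    if rec.withdrawn_at and datetime.fromisoformat(now) >= datetime.fromisoformat(rec.withdrawn_at):
        return False
    return rec.purposes.get(purpose, False)


def excess_fields(purpose: str, collected: Set[str]) -> Set[str]:
    """Fields collected beyond what the purpose needs (data minimisation)."""
    return set(collected) - PURPOSE_DATA_NEEDS.get(purpose, set())


def demo() -> dict:
    """Walk a constructed record through grant, use and withdrawal."""
    rec = ConsentRecord(
        principal_id="p-100", notice_version="notice-v3", language="hi", mechanism="app",
        source_ip="203.0.113.5",
        purposes={"order_fulfilment": True, "marketing": False},
        affirmative_action=True, granted_at="2025-04-26T10:00:00+05:30",
    )
    validate_consent(rec)
    before = may_process(rec, "order_fulfilment", "2025-04-27T09:00:00+05:30")
    marketing = may_process(rec, "marketing", "2025-04-27T09:00:00+05:30")
    withdraw(rec, "2025-05-01T12:00:00+05:30")
    after = may_process(rec, "order_fulfilment", "2025-05-02T09:00:00+05:30")
    return {"before": before, "marketing": marketing, "after": after,
            "ringtone_excess": sorted(excess_fields("ringtone_delivery", {"device_id", "mobile"}))}
```

The per-purpose toggle map is the important design choice: a single boolean cannot express "specific" consent, and it makes the granular toggles and the withdrawal path the auditor samples fall out of the same record.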
Section 7 — Legitimate Uses (no consent path)
The Act enumerates seven legitimate uses where consent is not required: (a) the principal voluntarily shares data for a specified purpose; (b) State functions including subsidies and benefits; (c) compliance with law or court order; (d) medical emergency to the principal; (e) epidemic / public health threat; (f) disaster or breakdown of public order; (g) employment-related processing of an employee. Note the absence of "legitimate interest" that GDPR Article 6(1)(f) provides — a material divergence that breaks many EU privacy templates when ported to India.
Section 8 — General Obligations of Data Fiduciary
- Implement "reasonable security safeguards" — interpreted by industry as ISO 27001-aligned controls plus periodic VAPT.
- Notify the Board and affected data principals of every breach (no harm threshold, unlike GDPR's "risk to rights" gate).
- Erase personal data upon withdrawal of consent or once the specified purpose is served (subject to legal retention obligations under SEBI, RBI, IT Act, etc.).
- Maintain audit logs for purposes of Board inquiries — chain of custody and immutability matter.
- Publish business contact info of the person who answers data principal queries — a generic support@ alias is not adequate where the Rules specify a named person.
- Ensure accuracy and completeness of personal data used for decisions affecting the principal (Section 8(3)).
Children's data — Section 9
Verifiable parental consent for processing data of anyone under 18. No tracking, behavioural monitoring, or targeted advertising directed at children. Penalty for breach: up to INR 200 crore. Verification mechanisms acceptable under the Draft Rules include DigiLocker-issued credentials, Aadhaar-mediated parental consent (subject to UIDAI flow), and authorised consent managers. EdTech, gaming, and social platforms must build parental consent gates that survive a Board audit and that do not themselves collect more child data than the Act allows.
Cross-border transfers — Section 16
Transfers are permitted to all jurisdictions except those notified by the Central Government on a negative list. As of early 2025, no jurisdictions have been added — but the framework allows the government to restrict transfer at any time, including via sectoral regulators (the RBI's 2018 payment data localisation circular still applies). Avoid hard-coupling to a single overseas processor; keep an India-resident hot standby for critical workloads, and ensure your DR runbooks include a switch to in-country processing within 24 hours.
Data Principal Rights — Sections 11-14
- Section 11 — Right to access information about personal data being processed, identities of fiduciaries / processors, and the personal data itself in a structured form.
- Section 12 — Right to correction, completion, updating, and erasure.
- Section 13 — Right of grievance redressal — fiduciary must respond before the principal escalates to the Board.
- Section 14 — Right to nominate another individual to exercise rights in case of death or incapacity.
Build dedicated API endpoints for each. Auditors will sample principal-rights responses across a 12-month window and look for SLAs (the Draft Rules indicate 30 days for grievance response and a similar window for access / correction / erasure).
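The four rights above, together with the erasure, correction and access checklist items further down (and the Section 8 point that audit logs must be tamper-evident), can be backed by one small service layer. This is an added example, not the article's or any vendor's code: the in-memory store, the hash-chained audit log, the `FIDUCIARY` / `PROCESSORS` strings and the principal ids are constructed assumptions, and applying the 30-day Draft Rules window to all four rights is an assumption too.

```python
import hashlib
import json
from datetime import datetime, timedelta
from typing import Dict, List

SLA_DAYS = 30          # Draft Rules window quoted above; assumed to apply to all four rights
GENESIS = "0" * 64
# Constructed identities disclosed in a Section 11 access response.
FIDUCIARY = "Example Pvt Ltd"
PROCESSORS = ["Example Cloud Hosting Pvt Ltd", "Example SMS Gateway Ltd"]


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def due_date(received_at: str) -> str:
    """Response deadline for a request received at the given ISO 8601 time."""
    return (datetime.fromisoformat(received_at) + timedelta(days=SLA_DAYS)).isoformat()


def is_overdue(received_at: str, now: str) -> bool:
    return datetime.fromisoformat(now) > datetime.fromisoformat(due_date(received_at))


class PrincipalStore:
    """In-memory stand-in for the profile database plus a hash-chained audit log."""

    def __init__(self) -> None:
        self.profiles: Dict[str, dict] = {}
        self.nominees: Dict[str, str] = {}      # principal -> nominee (Section 14)
        self.audit: List[dict] = []

    def _log(self, **entry) -> None:
        """Append an entry whose hash covers the previous hash, so edits become detectable."""
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        self.audit.append({**entry, "prev": prev,
                           "hash": _sha256(prev + json.dumps(entry, sort_keys=True))})

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, reordered or deleted entry breaks it."""
        prev = GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _sha256(prev + json.dumps(body, sort_keys=True)):
                return False
            prev = e["hash"]
        return True

    def _check(self, principal: str, requester: str) -> None:
        if requester != principal and self.nominees.get(principal) != requester:
            raise PermissionError("requester is neither the principal nor the nominee")

    def access(self, principal: str, requester: str, at: str) -> str:
        """Section 11: structured export of the data plus who holds it."""
        self._check(principal, requester)
        self._log(action="access", principal=principal, by=requester, at=at)
        return json.dumps({"fiduciary": FIDUCIARY, "processors": PROCESSORS,
                           "personal_data": self.profiles.get(principal, {})}, sort_keys=True)

    def correct(self, principal: str, requester: str, field: str, value: str, at: str) -> None:
        """Section 12: change one field and record who changed what, when."""
        self._check(principal, requester)
        old = self.profiles.setdefault(principal, {}).get(field)
        self.profiles[principal][field] = value
        self._log(action="correct", principal=principal, by=requester, at=at,
                  field=field, old=old, new=value)

    def erase(self, principal: str, requester: str, at: str) -> List[str]:
        """Section 12: drop every personal field; a tombstone keeps repeat requests idempotent."""
        self._check(principal, requester)
        fields = sorted(self.profiles.get(principal, {}))
        self.profiles[principal] = {"erased_at": at}
        self._log(action="erase", principal=principal, by=requester, at=at, fields=fields)
        return fields

    def nominate(self, principal: str, nominee: str, at: str) -> None:
        """Section 14: let the nominee exercise these rights later."""
        self.nominees[principal] = nominee
        self._log(action="nominate", principal=principal, nominee=nominee, at=at)


def demo() -> dict:
    """Exercise all four rights on a constructed profile and then tamper with the trail."""
    store = PrincipalStore()
    store.profiles["p-100"] = {"name": "A. Principal", "email": "old@example.in", "mobile": "+91-0000000000"}
    store.correct("p-100", "p-100", "email", "new@example.in", "2025-04-26T10:00:00+05:30")
    store.nominate("p-100", "p-200", "2025-04-26T10:05:00+05:30")
    export = json.loads(store.access("p-100", "p-200", "2025-04-26T10:10:00+05:30"))
    erased = store.erase("p-100", "p-100", "2025-04-26T10:15:00+05:30")
    intact = store.verify_audit()
    store.audit[0]["new"] = "someone-else@example.in"   # simulated after-the-fact edit of the log
    return {"email_after_correction": export["personal_data"]["email"], "erased": erased,
            "intact_before_tamper": intact, "intact_after_tamper": store.verify_audit()}
```

Two caveats a practitioner should carry over from this toy: the correction trail stores old values, which are themselves personal data and need their own retention rule, and `erase` here touches one table only, whereas the checklist below rightly demands a cascade across replicas, backups and warehouses.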
Penalty matrix — Schedule
| Breach | Max Penalty (INR) |
|---|---|
| Failure to take reasonable security safeguards | 250 crore |
| Failure to notify Board and affected principals | 200 crore |
| Breach of children's data obligations | 200 crore |
| Breach of SDF additional obligations | 150 crore |
| Other contravention of the Act / Rules | 50 crore |
| Voluntary undertaking accepted by Board | In lieu of inquiry, no fine |
Engineering checklist
- Data inventory: classify every PII column (Aadhaar, PAN, mobile, email, location, biometric, financial, health). Tag at the column level in a data catalogue (DataHub, Amundsen, OpenMetadata).
- Consent management platform: log consent text version, timestamp, IP, mechanism (web/app/SMS/IVR), and granted purposes. Integrate with Consent Manager (Section 6 entity) when notified.
- Right-to-erasure endpoint: hard-delete or anonymise within statutory window. Cascade across replicas, backups (within retention policy), and downstream warehouses.
- Right-to-correction endpoint: editable profile + audit trail of who changed what when.
- Right-to-access endpoint: machine-readable export (JSON or CSV) plus a human-readable PDF receipt.
- Breach detection: SIEM alerts on bulk PII export, suspicious DB queries (queries returning > 10k rows of PII columns), S3/GCS bucket policy changes, IAM key creation outside change windows.
- Breach playbook: 72-hour notification template ready in advance; Board notification format pre-approved by DPO and CISO.
- Sub-processor inventory: written contracts mirroring Section 8 obligations downstream. Vendor risk reviews refreshed annually.
- Annual VAPT as evidence of "reasonable security safeguards" under Section 8(5). Quarterly automated scans for the same purpose.
- Encryption at rest (AES-256), in transit (TLS 1.2+), and field-level encryption for Aadhaar / PAN / payment data.
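The breach-detection item in the checklist (bulk PII queries above 10k rows, bucket policy changes, IAM key creation outside change windows) can be expressed as a handful of rules over audit events. The following is an added example, not the article's code and not tied to any SIEM product: the event format, the PII column list, the 22:00 to midnight change window and every sample event are constructed assumptions; only the 10k-row threshold comes from the checklist.

```python
import json
from datetime import datetime, time
from typing import List, Optional

PII_COLUMNS = {"aadhaar", "pan", "mobile", "email", "dob", "address", "account_no"}
BULK_ROW_THRESHOLD = 10_000                      # the checklist's "> 10k rows" figure
CHANGE_WINDOW = (time(22, 0), time(23, 59, 59))  # constructed nightly change window (local time)

# Constructed audit events in the shape a DB proxy or cloud audit trail might emit.
SAMPLE_EVENTS = [
    '{"ts":"2025-04-25T14:05:11+05:30","type":"db_query","user":"svc_reporting","table":"users","columns":["id","email","mobile"],"rows":25000}',
    '{"ts":"2025-04-25T14:06:00+05:30","type":"db_query","user":"app","table":"users","columns":["id","last_login"],"rows":50000}',
    '{"ts":"2025-04-25T14:07:30+05:30","type":"db_query","user":"app","table":"users","columns":["email"],"rows":1}',
    '{"ts":"2025-04-25T15:00:00+05:30","type":"bucket_policy_change","user":"ops-admin","bucket":"prod-kyc-docs","public":true}',
    '{"ts":"2025-04-25T15:30:00+05:30","type":"iam_key_create","user":"intern-42","target":"svc_reporting"}',
    '{"ts":"2025-04-25T22:30:00+05:30","type":"iam_key_create","user":"ops-admin","target":"svc_backup"}',
]


def in_change_window(ts: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def analyse(line: str) -> Optional[dict]:
    """Return an alert dict for one event, or None if it is benign under these rules."""
    ev = json.loads(line)
    ts = datetime.fromisoformat(ev["ts"])
    if ev["type"] == "db_query":
        # Large result sets matter only when PII columns are in the projection.
        pii = sorted(PII_COLUMNS & set(ev.get("columns", [])))
        if pii and ev.get("rows", 0) > BULK_ROW_THRESHOLD:
            return {"rule": "bulk_pii_query", "severity": "high", "user": ev["user"], "ts": ev["ts"],
                    "detail": f"{ev['rows']} rows of {ev['table']} including {pii}"}
    elif ev["type"] == "bucket_policy_change":
        # Any policy change is reviewed; one that opens the bucket is escalated.
        return {"rule": "bucket_policy_change", "severity": "high" if ev.get("public") else "medium",
                "user": ev["user"], "ts": ev["ts"], "detail": f"policy on {ev['bucket']} changed"}
    elif ev["type"] == "iam_key_create" and not in_change_window(ts):
        return {"rule": "iam_key_outside_window", "severity": "medium", "user": ev["user"],
                "ts": ev["ts"], "detail": f"key created for {ev['target']} at {ts.time()}"}
    return None


def run(lines: List[str]) -> List[dict]:
    """Apply the rules to a batch of events and keep only the alerts."""
    return [alert for alert in (analyse(line) for line in lines) if alert]


def alert_rules(lines: List[str]) -> List[str]:
    return [alert["rule"] for alert in run(lines)]
```

Of the six sample events, three fire: the 25k-row query that projects `email` and `mobile`, the bucket made public, and the 15:30 key creation. The 50k-row query fires nothing because it touches no PII column, which is the point of checking columns rather than row counts alone.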
Breach notification format
```json
{
  "incident_id": "INC-2026-0042",
  "fiduciary": {
    "name": "Example Pvt Ltd",
    "cin": "U72200KA2018PTC123456",
    "dpo": "dpo@example.in"
  },
  "discovered_at": "2026-04-25T14:30:00+05:30",
  "occurred_between": ["2026-04-23T22:00:00+05:30", "2026-04-25T14:00:00+05:30"],
  "description": "Unauthorised access to user table via SQL injection (CVE-XXXX).",
  "data_categories": ["name", "email", "mobile", "hashed_password"],
  "principals_affected": 17840,
  "containment_actions": ["WAF rule added", "credentials rotated", "patched"],
  "notified_principals": true,
  "notification_channels": ["email", "in-app banner", "SMS"],
  "notified_board": true,
  "cert_in_reference": "CERT-In-2026-04-...",
  "post_mortem_url": "https://example.in/security/2026-04-incident"
}
```

Note that under the CERT-In Directions of 28 April 2022, "cyber security incidents" must also be reported to CERT-In within 6 hours. The DPDP timeline runs in parallel and is principal-facing — both notifications, with consistent narratives, are mandatory.
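Because the same incident record feeds both the CERT-In filing and the DPDP notifications, it pays to validate it once and derive both clocks from its `discovered_at`. The following is an added example, not the article's code: the required-field list and the checks are assumptions about a sensible minimum, the six-hour figure is the CERT-In deadline stated above, and treating the checklist's 72-hour playbook figure as the DPDP filing deadline is an assumption. The sample input is the record from the article, including its placeholder values.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

CERT_IN_HOURS = 6     # CERT-In Directions of 28 April 2022, as stated above
DPDP_HOURS = 72       # the checklist's 72-hour playbook figure; assumed here to be the filing deadline

# Assumed minimum field set; bool is checked separately because bool is a subclass of int.
REQUIRED = {
    "incident_id": str, "fiduciary": dict, "discovered_at": str, "occurred_between": list,
    "description": str, "data_categories": list, "principals_affected": int,
    "containment_actions": list, "notified_principals": bool, "notified_board": bool,
}

# The record shown above, embedded as the sample input.
SAMPLE_RECORD = """{
  "incident_id": "INC-2026-0042",
  "fiduciary": {"name": "Example Pvt Ltd", "cin": "U72200KA2018PTC123456", "dpo": "dpo@example.in"},
  "discovered_at": "2026-04-25T14:30:00+05:30",
  "occurred_between": ["2026-04-23T22:00:00+05:30", "2026-04-25T14:00:00+05:30"],
  "description": "Unauthorised access to user table via SQL injection (CVE-XXXX).",
  "data_categories": ["name", "email", "mobile", "hashed_password"],
  "principals_affected": 17840,
  "containment_actions": ["WAF rule added", "credentials rotated", "patched"],
  "notified_principals": true,
  "notification_channels": ["email", "in-app banner", "SMS"],
  "notified_board": true,
  "cert_in_reference": "CERT-In-2026-04-...",
  "post_mortem_url": "https://example.in/security/2026-04-incident"
}"""


def load_sample() -> dict:
    return json.loads(SAMPLE_RECORD)


def validate(record: dict) -> List[str]:
    """List every reason the record is not ready to file; an empty list means ready."""
    problems = []
    for key, typ in REQUIRED.items():
        if key not in record:
            problems.append(f"missing field: {key}")
        elif not isinstance(record[key], typ) or (typ is int and isinstance(record[key], bool)):
            problems.append(f"wrong type for {key}")
    if problems:
        return problems                      # deeper checks need the fields present
    for sub in ("name", "cin", "dpo"):
        if not record["fiduciary"].get(sub):
            problems.append(f"fiduciary.{sub} missing")
    if len(record["occurred_between"]) != 2:
        problems.append("occurred_between must be a [start, end] pair")
    else:
        start, end = (datetime.fromisoformat(t) for t in record["occurred_between"])
        found = datetime.fromisoformat(record["discovered_at"])
        if not start <= end <= found:
            problems.append("occurred_between must be ordered and end no later than discovered_at")
    if record["principals_affected"] < 0 or not record["data_categories"]:
        problems.append("affected count and data categories must be filled in")
    if record["notified_principals"] and not record.get("notification_channels"):
        problems.append("notified_principals is true but no channel is recorded")
    return problems


def deadlines(record: dict) -> Dict[str, str]:
    """Both clocks start at discovery, not at the start of the incident."""
    found = datetime.fromisoformat(record["discovered_at"])
    return {"cert_in": (found + timedelta(hours=CERT_IN_HOURS)).isoformat(),
            "dpdp": (found + timedelta(hours=DPDP_HOURS)).isoformat()}


def filing_status(record: dict, filed_at: Dict[str, str]) -> Dict[str, str]:
    """filed_at maps 'cert_in' / 'board' / 'principals' to the ISO time each filing went out."""
    due = deadlines(record)
    limits = {"cert_in": due["cert_in"], "board": due["dpdp"], "principals": due["dpdp"]}
    status = {}
    for filing, limit in limits.items():
        if filing not in filed_at:
            status[filing] = "missing"
        elif datetime.fromisoformat(filed_at[filing]) <= datetime.fromisoformat(limit):
            status[filing] = "on_time"
        else:
            status[filing] = "late"
    return status
```

Running `validate(load_sample())` on the article's record returns no problems, and `deadlines` places the CERT-In cut-off at 20:30 on the day of discovery and the 72-hour cut-off three days later; the timestamps carry their +05:30 offset, so the arithmetic is unaffected by the server's local timezone.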
DPDP vs GDPR — quick contrasts
| Aspect | DPDP 2023 | GDPR |
|---|---|---|
| Legitimate interest basis | Not available (consent or specified legitimate uses) | Available |
| Lawful basis count | Consent + 7 specified legitimate uses | 6 lawful bases |
| DPO required | Only for SDFs | Many controllers/processors |
| Breach threshold | All breaches notifiable | Risk-based (high risk to rights) |
| Fines | INR 250 crore max per breach | EUR 20m or 4% global turnover |
| Children age | Under 18 | Under 16 (member state can lower to 13) |
| Consent withdrawal | As easy as giving | As easy as giving |
| DPIA | SDFs only | For high-risk processing |
| Right to data portability | Not explicitly granted | Article 20 |
| Cross-border transfer | Negative list approach | Adequacy / SCCs / BCRs |
Common misreadings of the Act
- "DPDP only applies to Indian citizens." Wrong — it applies to processing of personal data of individuals in India regardless of citizenship.
- "Anonymised data is out of scope." Mostly correct, but pseudonymisation is not anonymisation. If you can re-identify with reasonably available data, it's personal data.
- "A consent banner is enough." A banner is necessary but not sufficient — without itemised purpose, language choice, granular toggles, and easy withdrawal, the consent is invalid.
- "Sub-processors are their problem." You remain liable as the Fiduciary; flow-down clauses do not transfer Section 8 duties.
- "We're not in scope because we're B2B." You are in scope for any personal data of natural persons you handle — employees, founder profiles, sales contacts.
What this means for your team
Treat DPDP readiness as a 90-day programme owned jointly by Engineering, Legal, and Security. Sprint one is the data inventory and the consent UX. Sprint two wires the rights endpoints and breach playbook into your incident response. Sprint three commissions the independent VAPT and stages the DPIA template if you expect SDF notification. Once enforcement begins, the Board will not accept "we are still building it" as a defence — and the published penalty matrix is structured to be material at any reasonable annual revenue.
Frequently asked questions
Does the DPDP Act apply to companies based outside India?
Yes. Section 3(b) applies the Act extraterritorially to processing of personal data outside India where it is in connection with offering goods or services to data principals inside India. A foreign company with no Indian office but a checkout page in INR is in scope. This sweeps in B2C SaaS, marketplaces, fintech, edtech, healthtech, and almost every consumer app reaching Indian users.
What is a Significant Data Fiduciary and what extra obligations apply?
Under Section 10 the Central Government may notify any fiduciary as 'Significant' based on data volume, sensitivity, risk to electoral democracy, or risk to the sovereignty of India. SDF status triggers three additional duties: appoint an India-resident Data Protection Officer answerable to the board, commission an independent Data Auditor, and conduct periodic Data Protection Impact Assessments (and one on every new high-risk processing operation). Telecom, payment aggregators, large e-commerce, big social platforms, and consumer credit bureaus are expected to be the first SDFs.
What counts as 'reasonable security safeguards' under Section 8?
The Act does not enumerate controls, but industry practice reads Section 8(5) as ISO 27001-aligned controls plus periodic VAPT, encryption at rest (AES-256) and in transit (TLS 1.2+), field-level encryption for Aadhaar/PAN/payment data, breach detection on bulk PII export, and immutable audit logs. An annual independent VAPT plus quarterly automated scans is the working evidence baseline the Board and your auditor will look for.
How does DPDP breach notification interact with the CERT-In six-hour rule?
They run in parallel, not sequentially. DPDP requires notifying the Data Protection Board and every affected data principal of a breach with no harm threshold, while the CERT-In Directions of 28 April 2022 require reporting defined cyber incidents to CERT-In within six hours of becoming aware. Both notifications are mandatory and their narratives must be consistent — build a single incident record that feeds both filings.
How is DPDP different from GDPR in practice?
The biggest divergence is the absence of a 'legitimate interest' lawful basis — DPDP relies on consent plus seven specified legitimate uses, so EU privacy templates that lean on Article 6(1)(f) break when ported. DPDP also has no harm threshold for breach notification (all breaches are notifiable), sets the children's age at under 18 (vs 16 in GDPR), caps fines at INR 250 crore per breach, uses a negative-list model for cross-border transfers, and does not explicitly grant a data-portability right.