India's DPDP Act: Rising Cost of Data Breaches, and End of Data Complacency Era
India is seeking more accountability from businesses and is quite stringent about complacency stemming from digital hoarding, unvetted vendor access, and slow breach reporting responses.
By Kul Bhushan
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
India's digital hypergrowth story is set to continue in 2026. The last year, however, did see a much-needed governance nudge via the Digital Personal Data Protection (DPDP) Act. The rules are aimed at simplifying the framework for the use of digital personal data in a way that is citizen-focused and supports innovation. The framework also aims to be comprehensive in protecting digital personal data, setting out the obligations of entities handling such data (Data Fiduciaries) and the rights and duties of individuals (Data Principals).
Even as the government has been flexible in implementing the DPDP, Indian businesses now stand at a critical crossroads where they have to bring in accountability and transparency, among other things. It is unclear how companies, especially smaller ones, will ensure compliance at a time when the cost of breaches is exponentially high.
According to an analysis by Seqrite, the average cost of a data breach in India has hit a record INR 22 crore in 2025. The analysis covers recent mega breaches including healthcare facilities and major telcos. These costs, however, come from three specific failures that the DPDP Act has been extremely strict about: patching delays, unvetted vendor access, and digital hoarding.
The familiar "scapegoat strategy", in which companies blame a sophisticated attack or say "it was our vendor's fault, not ours", is now simply untenable. The new law ensures that these operational lapses are no longer overlooked as mere incidents; they are now liable for penalties of up to INR 250 crore.
Lazy tax
In the new regime, Indian businesses cannot afford to be complacent with users' data. For instance, the law does not allow companies to retain users' data after a certain period.
Roshmik Saha, cofounder and CTO at Skyflow, explains that under DPDP, retaining ex-customer data isn't harmless storage; it's an exposed, unjustifiable liability. The most sensitive data is what you've forgotten, duplicated across logs and spreadsheets outside modern controls. The real failure is the inability to explain why that data existed in uncontrolled locations. Isolating PII into a governed system is now your strongest financial defense.
The data a company never used is now its biggest liability. Most enterprises accumulated customer data on the assumption that storage was cheap and future analytics might extract value. Under DPDP, that calculus inverts completely. Section 8(7) mandates erasure once the purpose is fulfilled, meaning every dormant record, every ex-customer profile sitting in a backup, every "just in case" dataset is now either a compliance task or a breach multiplier.
"When a Chennai-based insurance company leaked 31 million records, a substantial portion was likely data that served no active business purpose. The breach cost scales with volume; the regulatory penalty now does too. The real sting: most organizations don't actually know what they're hoarding. Data discovery isn't optional anymore—it's the difference between an INR 50 lakh incident and an INR 50 crore one," Shashank Karincheti, cofounder and CPO at Redacto.ai, explains.
The Vendor Excuse
Indian businesses cannot simply adopt the scapegoat strategy described above and pin the blame for a mishap on their vendors. The new data privacy rules break this familiar playbook: the Data Fiduciary construct does not care about vendor contracts, and liability stays with the fiduciary.
Moreover, Section 8(2) requires "valid contracts" with processors, but the DPDPB can still hold the fiduciary accountable for processor failures.
"The implication: that SOC 2 report the vendor sent last year isn't a shield. All need continuous visibility into processor controls, not annual checkbox exercises. The telco breaches you're referencing almost certainly had third-party vectors—contractors with excessive access, SaaS tools with unmonitored integrations. For BFSI specifically, this compounds with RBI's outsourcing circulars. A vendor breach is now a regulatory event on two axes," Karincheti added.
Amit Das, founder and CEO at Think360.ai, also notes that the DPDP Act makes accountability unambiguous: responsibility for data remains with the Data Fiduciary, regardless of where a breach originates.
"We cannot get away with 'it was X's mistake'. For CxOs, this marks a structural shift in how third-party risk must be monitored and governed. Traditional reliance on contracts, certifications, or point-in-time audits is no longer sufficient. What is now required is continuous assurance: visibility into vendor access, consent alignment, data movement, and enforceable deletion," Das said.
"Leaders must view their vendor ecosystem as an extension of their own data architecture. Under DPDP, compliance strength is only as strong as the weakest link in the data supply chain, and that risk sits squarely at the enterprise level. This also implies a change in the cost of compliance, as well as in the attention to audit details."
Time is of the essence
Saha highlights that the 72-hour reporting window isn't a legal tweak; it's a systems design mandate. Most companies can't quickly answer 'what was accessed' because PII is fragmented across inconsistent systems. DPDP forces a shift from after-the-fact forensics to real-time observability. The only way to beat the clock is to centralize PII in a data privacy vault so investigations become deterministic, rather than a multi-day data scavenger hunt, according to Saha.
Das, however, notes that the DPDP Act's 72-hour breach reporting requirement is less about speed and more about preparedness. Most organisations are not good at detecting breaches. However, a bigger risk comes from lazy, lethargic responses in which meaningful time is lost establishing responsibility for the breach. Organisations struggle to quickly assess impact, affected individuals, and data scope. Fragmented systems, incomplete data lineage, and missing consent context slow decision-making at precisely the moment leadership needs clarity. Meeting DPDP expectations requires embedding visibility into data flows: where data resides, who can access it, and under what consent.
"In the DPDP era, breach response effectiveness is determined by architecture maturity, not just security spend. With the DPOs being held responsible centrally, the need to realign architecturally, and not just organizationally, will define the speed of response and reporting," he added.