Data Privacy Governance: Protiviti’s Sachin Tayal on Why CEO Leadership Matters Most

Why India’s DPDP Act Demands CEO-Level Accountability: Insights from Protiviti’s Sachin Tayal

Written By : IndustryTrends

India’s Digital Personal Data Protection Act has shifted from policy discussion to operational mandate. With the rules now notified, enterprises have clarity on expectations and timelines. What was once viewed as a compliance requirement is now a leadership imperative.

As India’s digital economy expands rapidly, organizations face mounting scrutiny over how they collect, manage, and process personal data. In a recent episode of the Analytics Insight Podcast, host Priya Dialani spoke with Sachin Tayal, Managing Director at Protiviti’s India Member Firm, about why CEOs must embed accountability for data across the enterprise.

Why DPDP Is No Longer Just a Compliance Issue

Priya opened the discussion by asking why the Act can no longer be delegated solely to legal or IT teams. Sachin was clear in his response. He stated, “DPDP has changed the way, actually, not only every CEO but even every board needs to think about data privacy. So it is no longer a CIO, a compliance, or an HR issue. It is pretty much an organization-wide issue.”

He noted that many boards now dedicate formal agenda time to DPDP compliance. However, he stressed that this shift goes beyond regulatory adherence. “It is just not a compliance that they are thinking about,” he explained, outlining three critical reasons CEOs must personally engage.

Accountability Now Sits at the Top

The first reason lies in how the Act defines responsibility. “This aid clearly states that accountability lies with the data fiduciary. It clearly fixes the responsibility at the organization level, not just at an individual level,” Sachin said.

Corporate accountability ultimately rests with key managerial personnel: “the responsibility lies actually with the CEOs. They are the ones who are responsible to comply with that.” The DPDP Act, therefore, transforms data governance into a boardroom matter.

The Cost of Failure and the Cost to Trust

The Managing Director of Protiviti India Member Firm also highlighted the financial implications. “The penalty can go up to 250 crores,” he stated, underscoring the seriousness of non-compliance.

Yet for him, the greater risk is reputational. “It is just not about a compliance issue. It is about a trust issue,” he emphasized. Customers increasingly reward organizations that handle their data responsibly. Conversely, breaches can erode confidence overnight.

Referencing a widely known Western credit bureau, Sachin Tayal noted that delayed responses and weak governance led to market value erosion and executive fallout. “It all started with this data breach,” he said.

For Indian enterprises, particularly those serving Gen Z and Gen Alpha consumers, data protection must be embedded into strategy, culture, and governance. As the MD of the company concluded, CEOs must ensure that “what data means has to be on their agenda and they should include it in their meetings and in their board meetings.”
