DPDP Act Enforcement: 2026 Audit Findings

DPDP Act enforcement — DPDP Act One Year In: What 12 Months of Real Audits Have Taught Us


DPDP Act enforcement has reached its first anniversary, and the phased rollout has turned a year of theory into a year of audit evidence. The gaps that recur across those audits are not the ones most teams expected.


DPDP Act Enforcement: A Year of Phased Rollout

India’s Digital Personal Data Protection Act, 2023, moved from “passed” to “enforceable” in stages through 2024–2025. By April 2026, the Data Protection Board has heard its first organisational complaints, and sectoral regulators have built DPDP expectations into their existing audit cycles. The law is now operational.

For an overview of the official rules and notifications, see MeitY’s portal.

Five Recurring DPDP Act Enforcement Findings

  1. Retention without justification. “We keep call recordings for two years because we always have” is not a defensible answer. Auditors expect a documented purpose-and-retention map. This is the most common finding by a wide margin — cited in our DPDP debt-collections case study.
  2. Unencrypted data at rest. Specifically: voice recordings, document scans, CRM exports stored on shared NFS without disk-level encryption. The “reasonable security safeguards” standard is now interpreted to require encryption at rest for personal data by default.
  3. No DSAR workflow. Data Subject Access Requests arrive — an email, a webform, sometimes a notice from legal. Most organisations have no documented process to assemble the response inside the prescribed timeline.
  4. Sub-processor opacity. Many SaaS-heavy organisations cannot list which third parties process their personal data. The vendor-risk register is now an audit document, not just a procurement artefact.
  5. Consent that doesn’t reflect actual processing. Consent forms describe one purpose; the data is used for three. Legitimate-interest reasoning is poorly documented. This is the highest-risk gap because it underpins every downstream processing activity.

What DPDP Act Enforcement Auditors Ask in Plain Language

The questions translate consistently across audits:

  • “Show me the inventory of personal data you hold, where it lives, and who can access it.”
  • “Show me the consent or other lawful basis for each processing activity.”
  • “Show me how a data principal would request deletion, and how long it would take.”
  • “Show me the last DPIA you did for a high-risk processing activity.”
  • “Show me the breach notification process and the last time you tested it.”

What Has Worked — Across BFSI, Healthcare, and BPO

  • A single source of truth for the data inventory. Not a sprawling Confluence page — a structured repository with explicit owners. We use OneTrust where the budget allows, simple structured spreadsheets where it does not.
  • Encryption-at-rest by default. The cost of retroactively encrypting petabytes is much higher than the cost of doing it correctly the first time. Treat new data stores as encryption-default.
  • RBAC tightening on call recordings and document archives. The “everyone in the team can see everything” model is the fastest finding to flag. See our collections case study for what proper RBAC looks like operationally.
  • Tabletop the DSAR workflow. Walking through an actual hypothetical DSAR with the responsible team surfaces process gaps faster than any policy review.
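The five findings above, and the "single source of truth" inventory recommended here, can be joined up in code: if every data store is a structured row with an owner, purposes, retention basis, encryption state, access groups and sub-processors, the audit questions become checks that run over the inventory. The following is an added illustration, not code from the original article or from any VITI Security or OneTrust tooling; the record schema, field names, severity ordering and the three sample inventory rows are constructed assumptions.

```python
"""Inventory-driven pre-audit check for the five recurring DPDP findings.

Added example; the DataStore schema and sample rows are constructed, not taken
from any real audit or product.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Severity order follows the article: consent mismatch is the highest-risk gap
# because every downstream processing activity depends on it.
SEVERITY = {
    "consent-mismatch": 5,
    "retention-without-justification": 4,
    "unencrypted-at-rest": 3,
    "sub-processor-opacity": 2,
    "no-dsar-workflow": 2,
    "broad-access": 1,
    "no-owner": 1,
}


@dataclass(frozen=True)
class DataStore:
    """One row of the personal-data inventory (constructed schema)."""
    name: str
    owner: str | None                     # accountable person/team for this store
    consented_purposes: frozenset[str]    # purposes stated on the consent notice
    actual_purposes: frozenset[str]       # purposes the data is really used for
    retention_days: int | None            # retention window, if one is defined
    retention_basis: str | None           # cited policy/legal basis for that window
    encrypted_at_rest: bool
    access_groups: frozenset[str]         # "*" models "everyone in the team"
    sub_processors: frozenset[str] | None  # None = organisation cannot list them
    dsar_runbook: str | None              # id/path of the documented DSAR procedure


def audit_store(store: DataStore) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for one store, highest severity first."""
    findings: list[tuple[str, str]] = []
    undisclosed = store.actual_purposes - store.consented_purposes
    if undisclosed:
        findings.append(("consent-mismatch",
                         "purposes not in consent: " + ", ".join(sorted(undisclosed))))
    if store.retention_days is None or not store.retention_basis:
        findings.append(("retention-without-justification",
                         "no retention window with a cited basis"))
    if not store.encrypted_at_rest:
        findings.append(("unencrypted-at-rest", "enable volume/disk encryption"))
    if store.sub_processors is None:
        findings.append(("sub-processor-opacity",
                         "vendor-risk register cannot list third-party processors"))
    if not store.dsar_runbook:
        findings.append(("no-dsar-workflow", "no documented DSAR procedure"))
    if "*" in store.access_groups:
        findings.append(("broad-access", "everyone-can-see-everything access model"))
    if not store.owner:
        findings.append(("no-owner", "inventory row has no accountable owner"))
    # Stable sort: equal severities keep the order in which they were raised.
    findings.sort(key=lambda f: -SEVERITY[f[0]])
    return findings


def audit_inventory(inventory: list[DataStore]) -> dict[str, list[tuple[str, str]]]:
    """Map each store name to its findings."""
    return {store.name: audit_store(store) for store in inventory}


def finding_counts(inventory: list[DataStore]) -> Counter[str]:
    """How often each finding occurs across the whole inventory."""
    return Counter(code for store in inventory for code, _ in audit_store(store))


# Constructed sample inventory: one badly-run store, one with a consent gap, one clean.
INVENTORY = [
    DataStore("call-recordings", owner=None,
              consented_purposes=frozenset({"collections"}),
              actual_purposes=frozenset({"collections", "qa-training"}),
              retention_days=730, retention_basis=None, encrypted_at_rest=False,
              access_groups=frozenset({"*"}), sub_processors=None, dsar_runbook=None),
    DataStore("crm-export", owner="crm-owner@example.invalid",
              consented_purposes=frozenset({"service-delivery"}),
              actual_purposes=frozenset({"service-delivery", "marketing"}),
              retention_days=365, retention_basis="finance-policy-4.2",
              encrypted_at_rest=True, access_groups=frozenset({"sales"}),
              sub_processors=frozenset({"crm-vendor"}), dsar_runbook="runbooks/dsar.md"),
    DataStore("patient-portal", owner="privacy@example.invalid",
              consented_purposes=frozenset({"care"}), actual_purposes=frozenset({"care"}),
              retention_days=2555, retention_basis="clinical-records-policy-1.0",
              encrypted_at_rest=True, access_groups=frozenset({"clinicians"}),
              sub_processors=frozenset({"hosting-provider"}), dsar_runbook="runbooks/dsar.md"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings or "clean")
    print("most common:", finding_counts(INVENTORY).most_common(3))
```

The checks are deliberately binary: a row either has a cited retention basis or it does not, either lists its sub-processors or cannot. That mirrors how the plain-language audit questions are asked, and it means a missing field in the inventory surfaces as a finding before an auditor finds it.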

The 2026 DPDP Act Enforcement Outlook

Two trends for the next 12 months:

  1. DPB enforcement actions will become public. The 2026 audit year is when the first significant penalty actions land. Expect them to emphasise the gaps above — particularly retention without justification and consent mismatches.
  2. DPDP-aligned VAPT will become a procurement requirement. Sectoral regulators (RBI, IRDAI, SEBI) are folding DPDP control evidence into their existing technical-audit expectations. Pure-network VAPT without privacy-control coverage will fall short of audit needs.

FAQ

What is the highest-risk DPDP gap most organisations have?

Consent / lawful-basis documentation. Almost every other DPDP control depends on the lawful-basis assertion being correct. If the consent does not match the actual processing, every downstream activity is vulnerable to challenge.

Are DSARs actually arriving?

Yes, increasingly. Through 2025 most arrived as “show me my data” emails to support addresses. Through 2026 we are starting to see formal DSARs routed through legal counsel — particularly in BFSI and healthcare.

How often should we run DPDP audits?

Annually as a minimum, plus after any significant data-processing change (new SaaS vendor, new product line, change of legal basis). Many regulated entities run a half-yearly cadence aligned with sectoral audit cycles.

Is DPDP enforcement aligned with GDPR?

Conceptually yes — both are principles-based, with a regulator-led enforcement model. Operationally India’s Data Protection Board is taking a different posture in 2026, with more emphasis on remediation and consent integrity than headline-grabbing fines, at least so far.

How DPDP Act Enforcement Will Evolve Through 2026

DPDP Act enforcement is moving from policy theatre to operational reality faster than most BFSI and BPO operators expected. The 2026 DPDP Act enforcement posture is documented action: every consent collected has provenance, every retention window has a cited basis, every DSAR can be answered within timelines. Treat DPDP Act enforcement as an operational compliance discipline, not a legal-team project. The teams who internalised that shift through 2025 cleared their first audits cleanly; the teams still treating DPDP Act enforcement as paperwork will spend the next 12 months catching up.

Need help on something like this? VITI Security works with operators, BPOs, and SMBs across India and abroad.
