DPDP Rules: A pragmatic, risk-based path forward for Indian enterprises

India’s Digital Personal Data Protection (DPDP) Rules—released after years of consultations—mark a decisive step toward creating a mature, enforceable data protection environment. For enterprises, the Rules bring welcome clarity, but also a clear message: compliance must be embedded into technology, governance, and day-to-day business operations.

To decode the practical implications of the new Rules, Express Computer spoke with Lalit Kalra, Partner – Cybersecurity Consulting at EY India, who shared deep insights into the risk-based obligations, enforcement expectations, and the operational readiness Indian companies need to build.

High-Risk Processing: The Real Compliance Trigger

According to Lalit Kalra, one of the government’s key focus areas is the identification and governance of “high-risk” processing activities. These are activities where the misuse or breach of personal data can significantly harm the Data Principal.

Kalra explains:

“High-risk processing is going to be the real inflection point for compliance. Organizations dealing with large ...