A compliance lead told me last week:
"We're buying a ₹40L DPDPA compliance tool. We'll be ready by deadline."
I asked: "Do you know which S3 buckets contain user PII?"
She didn't. Neither did the CTO.
Here's the reality: DPDPA isn't a compliance-tool problem. It's a cloud-config problem wearing a legal costume.
The 7 misconfigurations that cause DPDPA violations (and cost ₹2-10L to fix post-notice):
- S3 buckets with user data + public-read ACL
- RDS instances storing PII outside India without proper consent flow
- CloudTrail logging disabled or not centralized
- IAM users with AdministratorAccess who can't explain what they do
- Cross-region replication of PII without documented justification
- Backup retention silently exceeding user deletion-request SLA
- Third-party integrations (Datadog, Segment, etc.) receiving PII you didn't inventory
No compliance tool catches all of these. They catch what's in their signature database, generate a PDF, and collect ₹40L.
The real DPDPA readiness is 4 steps:
→ Map your data flows (1 spreadsheet. 1 engineer. 2 weeks.)
→ Tag cloud resources by data class (PII / sensitive / public)
→ Enforce via SCP: block public buckets, require encryption, require logging
→ Document residency + retention per table, per bucket, per queue
Cost: ₹0 in tools. ~80 hours of senior engineer time.
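Step 3 written out as an AWS Service Control Policy. This is an added example, not the author's policy: it denies public canned ACLs on new buckets and objects, denies changes to S3 Block Public Access once it has been set, denies unencrypted object uploads, denies stopping or deleting CloudTrail, and denies creating S3 buckets or RDS instances outside the Mumbai and Hyderabad regions. The region list, the specific RDS create actions, and attaching it at the OU level are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicCannedAcls",
      "Effect": "Deny",
      "Action": ["s3:CreateBucket", "s3:PutBucketAcl", "s3:PutObjectAcl", "s3:PutObject"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["public-read", "public-read-write", "authenticated-read"]
        }
      }
    },
    {
      "Sid": "DenyChangesToBlockPublicAccess",
      "Effect": "Deny",
      "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
      "Resource": "*"
    },
    {
      "Sid": "DenyUnencryptedUploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } }
    },
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
      "Resource": "*"
    },
    {
      "Sid": "DenyPiiStoresOutsideIndia",
      "Effect": "Deny",
      "Action": ["s3:CreateBucket", "rds:CreateDBInstance", "rds:CreateDBCluster", "rds:CreateDBInstanceReadReplica"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": ["ap-south-1", "ap-south-2"] }
      }
    }
  ]
}
```

Attach it to the OU that holds the accounts with PII-tagged resources; the unconditional denies on Block Public Access and CloudTrail mean those settings are configured once from the management account and then cannot be undone by anyone in a member account, including AdministratorAccess users. Clients must send the x-amz-server-side-encryption header explicitly, because the Null check fires on the request header even when the bucket has default encryption.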
The ₹40L tool is useful — after the foundation is set. Before that, it's a dashboard showing you a list of configuration issues you could fix yourself in two sprints.
If your compliance lead is in RFP mode for a DPDPA tool right now, repost. Save them a quarter and a lakh.