Indian companies will have to invest in comprehensive data mapping, consent management systems, and privacy-by-design approaches, and comply fully with the DPDP Act, 2023 and its rules to avoid exposure to exemplary fines of Rs 250 crores per contravention stipulated under this data protection law. Dr. Pavan Duggal, Advocate, Supreme Court of India and expert in cyber and AI laws, decodes the cybersecurity trends, the impact of AI, the emergence of the DPO and the preparedness of Indian companies for the upcoming law.
Q. Which are the mega trends in the world of cybersecurity and data privacy that will impact Indian organisations in 2025 and why?
Dr. Duggal: Indian organizations need to be prepared for 5 major trends in cybersecurity and data privacy in 2025.
1. Regulatory Compliance Evolution – The full implementation of India’s Digital Personal Data Protection (DPDP) Act, 2023, being a game-changing legislation, will force organizations to fundamentally transform their data handling practices. Companies will have to invest in comprehensive data mapping, consent management systems, and privacy-by-design approaches, and totally comply with the DPDP Act, 2023 and its rules to avoid exposure to exemplary fines of Rs 250 crores per contravention, stipulated under this data protection law.
2. AI-Driven Security Threats and connected Solutions – As AI adoption accelerates in India, we are likely to see a dual impact – sophisticated AI-powered cyber threats requiring equally advanced defensive capabilities. Organizations will need to implement AI security frameworks that can detect anomalies and respond to threats in real-time. Needless to state, AI solutions to be deployed by Indian organizations must ensure compliance with applicable Indian laws including IT Act, 2000, DPDP Act, 2023 and rules made thereunder.
3. Zero Trust Architecture Adoption – The traditional perimeter-based security model is dead and gone. Indian organizations will increasingly have to embrace zero trust frameworks that verify every user and device continuously, regardless of location, which could further be driving significant changes in network architecture and access management.
4. Supply Chain Security – As threat actors increasingly target vulnerable elements in the supply chain, Indian organizations will need to implement rigorous vendor assessment processes and continuous monitoring of third-party risks.
5. Cyber Resilience – The need for Indian organizations to adopt Cyber Security and Cyber Resilience as a way of doing business operations.
Q. DPDP Act still has many ambiguities and understandably so, being one of the most revolutionary and detailed data privacy acts in decades. What would be a pragmatic approach for CIOs and CISOs of end user organisations to implement DPDP Act?
Dr. Duggal: The upcoming DPDP Act, 2023 promises to change the existing legal landscape on data protection for all times to come. Indian organizations should adopt a phased, risk-based approach to DPDP implementation. CIOs and CISOs must begin by establishing a cross-functional implementation team with clear executive sponsorship and adequate resources. They should conduct a gap analysis comparing current practices against DPDP requirements to identify critical compliance deficiencies, to prevent reinvention of the wheel.
CISOs must prioritize addressing high-risk areas first, particularly those concerning notice and consent, sensitive personal data processing, automated decision-making, and cross-border transfers. Simultaneously, organizations should actively monitor regulatory developments, particularly the Rules, being framed under the DPDP Act, like the draft DPDP Rules, 2025.
Finally, they must maintain comprehensive documentation of compliance efforts and decision-making processes. This creates an audit trail demonstrating good faith compliance attempts, which may mitigate penalties if interpretations differ from eventual regulatory guidance.
Q. DPO (Data Privacy Officer) is becoming the new C-suite role in IT and security hierarchy of companies with DPDP Act. Will DPO emerge as ‘the knight in shiny armour’ for organisations especially the large ones in India?
Dr. Duggal: The DPO will indeed emerge as a critical strategic role in Indian organizations, though over a period, is likely to a universal C-suite position. For larger enterprises and data-intensive businesses, we’ll likely see dedicated C-level DPOs with direct board reporting lines.
Rather than a “knight in shining armour,” the DPO should be viewed as a strategic risk manager and business enabler. Effective DPOs will balance compliance requirements with business objectives, facilitating responsible data innovation rather than simply implementing restrictions. Their value will extend beyond legal protection to include optimizing data governance for competitive advantage.
The most successful organizations will position their DPOs with sufficient authority, independence, and resources to meaningfully influence data strategy while maintaining necessary separation from the operational functions they oversee.
Q. Quite a few Indian organisations have added the role and responsibility of DPO to that of their existing CISO. Isn’t it too much for CISO, to handle cybersecurity of IT infra and also data privacy (with DPDP Act)?
Dr. Duggal: Combining the CISO and DPO roles presents significant challenges that can compromise the effectiveness of both functions. While there are overlapping concerns around data security, the roles have fundamentally different objectives, skill requirements, and organizational orientations. The CISO primarily focuses on protecting information assets from unauthorized access and ensuring system integrity, while the DPO’s mandate centers on lawful processing, consent management, and individual rights protection.
Additionally, the DPDP Act’s compliance requirements demand substantial legal expertise and stakeholder management capabilities that many CISOs may not possess. Organizations should consider the DPO as a distinct role with separate reporting lines to ensure appropriate focus and independence, particularly as penalties for DPDP non-compliance become reality.
Q. How do you see advent of AI and Gen AI across organisations accelerate the cybersecurity threats? Are there AI laws on the anvil for India?
Dr. Duggal: The integration of AI and Generative AI across Indian organizations is accelerating rapidly, bringing both transformative benefits and significant risks. These technologies are enhancing productivity and innovation but also introducing novel threats including model poisoning, prompt injection attacks, and AI-generated disinformation campaigns. Security vulnerabilities in AI systems are particularly concerning as they can be exploited at scale, potentially affecting millions of users or critical infrastructure simultaneously.
India is likely to introduce dedicated AI legislation within the next 12 to 18 months. The Digital India Act currently under development is expected to contain substantial provisions regarding AI governance. The need for regulatory clarity is becoming urgent as India positions itself as both a major consumer and developer of AI technologies. Prime Minister Narendra Modi’s slogan of “Sustainable AI” given at Paris AI Action Summit in February 2025, has once again reemphasized the need for having in place enabling legal frameworks to support Sustainable AI.
Q. More stakeholders would increasingly plan the legal norms and regulation of AI that can be effectively chiselled. Any best practices for IT and business stakeholders in this regard?
Dr. Duggal: While the legal principles concerning AI Regulation crystallize, Indian corporate stakeholders cannot be in a wait and watch approach. They need to adopt the prevailing international best practices in this regard, including the following:
Firstly, they need to implement Proactive AI Governance Frameworks. Stakeholders do not need to wait for regulations to be finalized. They should proactively establish internal AI governance committees comprising technical, legal, and business representatives to develop and implement ethical AI usage policies. These frameworks should address data quality, algorithmic bias, transparency, and accountability mechanisms that can adapt to evolving regulatory requirements.
Secondly, stakeholders need to conduct Regular AI Risk Assessments and systematically evaluate AI systems for potential legal, reputational, and operational risks before deployment and periodically thereafter. They need to document decision-making processes, testing methodologies, and mitigation strategies to demonstrate due diligence when regulations are eventually enforced.
Thirdly, stakeholders need to engage in regulatory conversations. As AI Law is in the process of getting evolved, they need to actively participate in industry forums and government consultations on AI regulation.
Q. Besides DPDP Act and AI law, any major cybersecurity legalities or new security laws coming up in 2025 for India?
Dr. Duggal: Several critical cybersecurity legal developments are likely to impact Indian organizations in 2025:
1. The Digital India Act: Set to replace the outdated IT Act of 2000, this comprehensive legislation is expected to address modern challenges including platform regulation, digital competition, and critical infrastructure protection with enhanced penalties for non-compliance.
2. Critical Information Infrastructure Protection (CIIP) Regulations: Expanded regulatory frameworks will impose stringent security requirements on organizations across additional sectors deemed critical to national security and economic stability.
3. Sector-Specific Cybersecurity Frameworks: The RBI, SEBI, and IRDAI are developing enhanced cybersecurity directives tailored to financial institutions, markets, and insurance entities respectively, with particular focus on operational resilience and third-party risk management.
4. National Cyber Security Strategy 2025: The implementation phases of this strategy will introduce new compliance obligations for private sector entities, particularly around threat intelligence sharing and incident reporting.