Key takeaways
- DPDPA is a catalyst for stronger digital trust in India. It gives organisations a clear framework to protect personal data with greater accountability, transparency, and demonstrable safeguards.
- Everyday employee actions can create significant data protection risk. From misdirected emails and overshared links to sensitive data entered into generative AI tools, routine work now creates more opportunities for accidental exposure.
- A unified, human and AI-centric security approach is essential. Effective data protection means aligning user behaviour, data sensitivity, and threat signals across email, cloud, endpoints, collaboration tools, and AI workflows. This is where Proofpoint helps.
A customer list gets pasted into a GenAI prompt to “clean up duplicates.”
A finance analyst shares a spreadsheet, but then realises it uses the “anyone with the link” share setting.
An employee forwards a file to a partner, but the autocomplete function selects the wrong “Rahul.”
None of these look like headline-making breaches. They’re just examples of modern work moving fast.
But these everyday moments can expose personal data. And under India’s new privacy framework, companies face clearer expectations for accountability, safeguards, and incident readiness.
At Proofpoint, we see this as a positive step. India’s Digital Personal Data Protection Act, 2023 (DPDPA) defines the outcomes organisations must achieve to process digital personal data responsibly. The Digital Personal Data Protection Rules, 2025 (DPDPR) add the detail needed to make those outcomes practical. Together, they raise the baseline for how organisations handle personal data, without forcing a one-size-fits-all checklist.
More importantly, DPDPA can be a catalyst. It gives leaders a clear reason to rethink data security as one connected system. That means aligning controls across people, data, and threats. It also means securing multiple channels: email, cloud apps, collaboration platforms, endpoints, and AI workflows.
The goal is not just compliance. It’s protection you can prove.
What DPDPA covers
DPDPA focuses on digital personal data, including data collected offline and later digitised. In general, it applies to data processing within India. It can also apply outside India when goods or services are offered to individuals in India.
Why DPDPA matters
DPDPA is principle-based. It is not about buying a specific tool.
It’s about being able to show that you:
- collect and use personal data for lawful, specific purposes
- are transparent and respect individual choice
- protect personal data with reasonable security safeguards
- respond quickly when something goes wrong
- remain accountable throughout the data lifecycle
In short: the shift is from defining policy to proving execution.
India’s data security landscape and the challenges in practice
DPDPA arrives at a time when data risk is already high.
- In Proofpoint’s Voice of the CISO 2025 report, 99% of CISOs in India reported sensitive data loss in the past year. Additionally, 90% expect a material cyberattack in the next 12 months and 96% link at least some data loss to departing employees.
- IBM’s Cost of a Data Breach Report 2025 found that the average breach cost in India was INR 220 million and that the average breach lifecycle was 263 days to identify and contain.
- Proofpoint’s 2025 Data Security Landscape report shows that data loss is widespread and often concentrated. 85% of organisations experienced data loss in the past year, and just 1% of users were responsible for 76% of data loss events.
These aren’t edge cases—they reflect how data moves in modern work environments.
How Proofpoint helps operationalise DPDPA
Proofpoint’s view is simple: data protection is a people problem.
Strong outcomes come from connecting user behaviour, data sensitivity, and threat signals. Controls must work with the tools people use every day.
We focus on three outcomes:
- Know where personal data is (so you can prioritise what matters)
- Prevent exposure where people work (email, cloud, endpoints, collaboration, and AI tools)
- Investigate and respond quickly (so you can act, notify, and demonstrate accountability)
Proofpoint’s unified data security solution brings together key capabilities that align with DPDPA requirements:
- Data Security Posture Management (DSPM): Discover, classify, and prioritise sensitive data across cloud and software as a service (SaaS) environments.
- Enterprise DLP and Adaptive Email DLP: Prevent data loss across email, cloud, and endpoints, including accidental sharing and misdirected communications.
- Insider Threat Management (ITM): Detect risky behaviour by careless, compromised, and malicious users. Prioritise investigations with behavioural context.
Read the white paper
DPDPA and the DPDPR are meaningful steps toward stronger digital trust in India. They also create a clear opportunity to modernise data protection, especially as AI adoption grows.
To learn how Proofpoint can help you align with DPDPA expectations and strengthen personal data protection, read the white paper Navigating India’s Digital Personal Data Protection Act. You can also contact your Proofpoint representative to request a consultation.
Learn more
To learn more about our unified data security approach, explore Proofpoint Data Security solutions or schedule a demo.