DPDPA India IAM Checklist 2026: Identity and Access Management for Data Fiduciaries
Identity and Access Management (IAM) is one of the most overlooked areas of DPDPA 2023 compliance. Who in your organisation can access personal data? This checklist covers the full DPDPA IAM requirements — from role-based access control to audit logs — that every Data Fiduciary must implement by May 2027.
What is IAM in the Context of DPDPA 2023?
Identity and Access Management (IAM) refers to the policies, processes, and technologies that control who in your organisation can access personal data, what they can do with it, and when. Under India's Digital Personal Data Protection Act 2023 (DPDPA 2023), IAM is not an optional IT best practice — it is a legal obligation tied to the security safeguards requirement in Section 8.
Section 8(5) of DPDPA 2023 requires every Data Fiduciary to implement technical and organisational measures to protect personal data. The DPDP Rules 2025 (effective from 13 November 2025) specify additional security and access controls for Significant Data Fiduciaries (SDFs).
Failure to implement adequate IAM can result in penalties up to ₹250 crore (~$30 million USD) under Schedule I of DPDPA 2023.
The Complete DPDPA IAM Checklist for Indian Businesses
Section 1: Access Control Fundamentals
- ☐ Role-Based Access Control (RBAC): Employees can only access personal data relevant to their specific job function. A customer support agent should not have access to payment data they do not need to resolve tickets.
- ☐ Least Privilege Principle: Grant the minimum access rights needed for each role. Default to no access and grant access on request with justification.
- ☐ Separation of Duties: The person who approves data access requests should not be the same person who grants them.
- ☐ Access Reviews: Quarterly review of who has access to what personal data. Remove access immediately when an employee changes roles or leaves the organisation.
- ☐ Service Account Controls: All automated systems (APIs, scripts, scheduled jobs) accessing personal data must have their own service accounts with minimum permissions — not shared human credentials.
Section 2: Authentication Requirements
- ☐ Multi-Factor Authentication (MFA): Required for all accounts with access to personal data. Single passwords alone are insufficient under DPDPA's security obligation.
- ☐ Strong Password Policy: Minimum 12 characters, complexity requirements, 90-day rotation for privileged accounts, no reuse of last 10 passwords.
- ☐ Single Sign-On (SSO): Centralise authentication to enable instant access revocation when an employee leaves.
- ☐ Session Management: Auto-timeout for idle sessions accessing personal data (recommended: 15 minutes for sensitive data systems).
- ☐ Privileged Access Management (PAM): Database administrators and engineers with root/admin access to systems storing personal data must use a PAM solution with session recording.
Section 3: Data Access Audit Trails
- ☐ Access Logging: Log every access to personal data — who accessed it, when, from which system, and what action they took (read, write, delete, export).
- ☐ Log Retention: Retain access logs for a minimum of 3 years (aligned with DPDPA rights request timelines and potential Board investigation periods).
- ☐ Tamper-Evident Logs: Access logs must be protected from modification. Write access to logs should be restricted to the logging system itself.
- ☐ Anomaly Detection: Alerts for unusual access patterns — bulk data downloads, access outside business hours, access from unusual locations.
- ☐ Export Controls: Any bulk export of personal data must be logged, require approval, and be tracked to the specific employee and business purpose.
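The logging, tamper-evidence and anomaly-detection items above, as an added example that is not part of the original checklist: it scans constructed access-log lines for the patterns Section 3 names (bulk downloads, out-of-hours access, unusual locations, unapproved exports) and hash-chains the lines so a modified or deleted entry is detectable. The log format, thresholds and known locations are assumptions.

```python
"""Section 3 checks over constructed personal-data access logs (added example)."""
import hashlib
import json
from datetime import datetime

# Assumed tuning values, not taken from the checklist
BULK_THRESHOLD = 500            # records touched in one read/export
BUSINESS_HOURS = (9, 18)        # 09:00-18:00 local time
KNOWN_LOCATIONS = {"IN-MH", "IN-KA"}

# Constructed sample log: one JSON event per line (who, when, system, action, volume, where)
SAMPLE_LOG = """\
{"ts":"2026-03-02T10:15:00","user":"asha","system":"crm","action":"read","records":1,"loc":"IN-MH"}
{"ts":"2026-03-02T23:40:00","user":"ravi","system":"crm","action":"export","records":1200,"loc":"IN-MH"}
{"ts":"2026-03-03T11:05:00","user":"svc-etl","system":"warehouse","action":"read","records":80,"loc":"IN-KA"}
{"ts":"2026-03-03T14:30:00","user":"asha","system":"crm","action":"read","records":3,"loc":"US-CA"}
"""


def classify(event):
    """Return the anomaly tags for one access event (empty list if none)."""
    tags = []
    ts = datetime.fromisoformat(event["ts"])
    if event["records"] >= BULK_THRESHOLD:
        tags.append("bulk_download")
    if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        tags.append("outside_business_hours")
    if event["loc"] not in KNOWN_LOCATIONS:
        tags.append("unusual_location")
    if event["action"] == "export":
        tags.append("export_requires_approval")   # every bulk export is attributed and reviewed
    return tags


def scan(log_text):
    """Parse newline-delimited JSON events; return {(user, ts): tags} for flagged events."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        tags = classify(event)
        if tags:
            findings[(event["user"], event["ts"])] = tags
    return findings


def chain(lines, prev="0" * 64):
    """Hash-chain log lines: editing or removing one line changes every later digest."""
    digests = []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        digests.append(prev)
    return digests
```

Store the final digest somewhere the logging pipeline cannot write to; recomputing the chain over the retained log and comparing it is the tamper check.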
Section 4: Third-Party and Vendor Access
- ☐ Data Processing Agreements (DPAs): Every vendor or SaaS tool with access to your users' personal data must have a signed DPA with you before they can access any data.
- ☐ Vendor Access Review: Audit which third-party tools have API access to personal data. Revoke tokens for tools no longer in use.
- ☐ Vendor Security Assessment: Before onboarding a new vendor that will process personal data, assess their security controls and DPDPA compliance posture.
- ☐ Just-in-Time Access for Vendors: External vendors and consultants should get time-limited access (e.g., 24 hours for a support incident) with automatic expiry.
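The access-control items of Section 1 (default deny, least privilege with justification, separation of duties, immediate revocation) and the time-limited vendor access of Section 4, as an added example that is not the page's or any product's code. Role names, systems and data classes are assumed for illustration.

```python
"""Default-deny access decisions for personal data (added example)."""
from datetime import datetime, timedelta

# Assumed role -> permitted (system, data_class, action) tuples; anything else is denied
ROLE_PERMISSIONS = {
    "support_agent": {("crm", "general", "read")},          # no payment data
    "payments_analyst": {("billing", "sensitive", "read")},
    "dba": {("crm", "general", "read"), ("crm", "general", "write")},
}


class AccessPolicy:
    def __init__(self):
        self.assignments = {}   # user -> set of roles
        self.grants = []        # temporary grants with approver, granter and expiry

    def assign(self, user, role):
        self.assignments.setdefault(user, set()).add(role)

    @staticmethod
    def can_grant(user, approver, granter, justification):
        """Least privilege needs a justification; separation of duties needs three people."""
        if not justification:
            return False
        return len({user, approver, granter}) == 3

    def grant_temporary(self, user, perm, approver, granter, now, justification, hours=24):
        """Just-in-time grant that expires on its own (default 24 hours, as for a support incident)."""
        if not self.can_grant(user, approver, granter, justification):
            raise ValueError("grant rejected: missing justification or separation-of-duties breach")
        self.grants.append({"user": user, "perm": perm, "approver": approver, "granter": granter,
                            "justification": justification, "expires": now + timedelta(hours=hours)})

    def revoke_user(self, user):
        """Offboarding step 1: drop every role and temporary grant at once."""
        self.assignments.pop(user, None)
        self.grants = [g for g in self.grants if g["user"] != user]

    def is_allowed(self, user, system, data_class, action, now):
        """Allow only via a role permission or an unexpired grant; otherwise deny."""
        perm = (system, data_class, action)
        for role in self.assignments.get(user, ()):
            if perm in ROLE_PERMISSIONS.get(role, ()):
                return True
        return any(g["user"] == user and g["perm"] == perm and g["expires"] > now
                   for g in self.grants)
```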
Section 5: Data Classification and Sensitivity Labelling
- ☐ Classify All Personal Data: Identify and label all personal data in your systems. Categories to distinguish: General personal data, Sensitive personal data (financial, health, biometric, religious, caste, sexual orientation), Children's data.
- ☐ Sensitive Data Handling Controls: Sensitive personal data under DPDPA requires stricter access controls — fewer people should have access and access should require additional justification.
- ☐ Data Discovery: Run data discovery scans to find personal data stored in unexpected places (email attachments, Slack messages, spreadsheets, developer test databases).
Section 6: Employee Training and Awareness
- ☐ DPDPA Awareness Training: All employees handling personal data must complete DPDPA 2023 training covering: what personal data is, their obligations, how to handle data rights requests, and how to report a breach.
- ☐ Annual Refresher: Repeat training annually and when significant DPDPA rules updates occur.
- ☐ Role-Specific Training: Engineers, marketing, customer support, and HR have different data risks — their training should be tailored to their specific access and responsibilities.
- ☐ Confidentiality Agreements: All employees and contractors with access to personal data must sign confidentiality agreements that explicitly reference DPDPA obligations.
Section 7: Significant Data Fiduciary (SDF) Additional Requirements
This section applies if your business is designated as a Significant Data Fiduciary by the Government of India.
- ☐ Data Protection Officer (DPO): Appoint a DPO based in India. The DPO must be a qualified professional (legal, IT, or compliance background) with direct access to senior management.
- ☐ Data Protection Impact Assessment (DPIA): Conduct DPIAs for high-risk processing activities — new products collecting sensitive data, large-scale profiling, use of automated decision-making.
- ☐ Data Audit: Annual audit by an independent data auditor to assess compliance. Results must be submitted to the Data Protection Board.
- ☐ Algorithmic Transparency: If you use automated systems that make decisions about individuals (credit scoring, hiring algorithms), you must document how they work and assess their impact on data principals.
DPDPA IAM: The 5 Highest-Risk Areas for Indian Businesses
1. Shared Admin Credentials
Multiple employees sharing a single admin password to access customer databases is the most common IAM failure. Under DPDPA, this makes it impossible to attribute a data breach to a specific individual and demonstrates a fundamental absence of adequate security measures.
2. No Access Revocation Process
Former employees retaining access to personal data after leaving is a direct DPDPA security violation. Implement an offboarding checklist that includes immediate IAM access revocation as Step 1.
3. Developer Access to Production Data
Developers routinely need to debug production issues, but should not have standing access to production personal data. Use anonymised/pseudonymised data for development and testing. If production access is ever needed, it should require a time-limited, approved access request.
4. Third-Party API Keys Never Rotated
API keys and access tokens for SaaS tools connecting to your personal data systems should be rotated quarterly. Many businesses have "zombie" API keys for tools they no longer use that still have live access to production databases.
5. No Audit Log for Data Exports
Bulk CSV exports from your CRM, database, or analytics platform are the most common vector for internal data breaches. Every export must be logged, attributed to a specific user, and reviewed periodically.
How a DPDPA Compliance Platform Supports IAM
A DPDPA compliance platform like Consently addresses the consent and data principal rights side of DPDPA — but IAM controls must be implemented in your own systems and supported by your internal tools. Here is how the two complement each other:
| DPDPA Obligation | IAM Controls (Internal) | Compliance Platform (Consently) |
|---|---|---|
| Obtain valid consent | N/A | Consent widget, audit trail |
| Secure personal data | RBAC, MFA, encryption, access logs | Row-level security, AES-256, TLS 1.3 |
| Honor rights requests | Access to locate and extract/delete data | Rights request management workflow |
| Consent audit trail | Log all consent-related actions | Tamper-evident consent audit logs (auto) |
| Breach notification | IAM monitoring for breach detection | Webhook alerts for consent anomalies |
| Data minimisation | Only store data needed per purpose | Zero PII Consent ID system (CNST-XXXX) |
Frequently Asked Questions: DPDPA IAM
Q: Is IAM explicitly required under DPDPA 2023?
Section 8(5) of DPDPA 2023 requires Data Fiduciaries to implement "appropriate technical and organisational measures" to protect personal data. The DPDP Rules 2025 specify security obligations including access controls. While "IAM" is not named explicitly, role-based access control, audit logging, and access revocation are all implied by the security obligations. The Data Protection Board will assess whether your security measures were "appropriate" in the context of the size and sensitivity of your data operations.
Q: When does full DPDPA enforcement begin?
The DPDP Rules 2025 were notified on 13 November 2025. The transition period is underway. Key dates: Consent Manager registration opens 13 November 2026. Full enforcement of all DPDPA obligations is expected by 13 May 2027. Businesses should implement IAM controls now — the Data Protection Board has stated that early-adoption compliance will be a mitigating factor in penalty determinations.
Q: What is the difference between a Data Fiduciary and a Data Processor under DPDPA?
A Data Fiduciary is the entity that determines the purpose and means of processing personal data — essentially the business collecting user data. A Data Processor is a third party that processes data on behalf of the Data Fiduciary (e.g., a cloud provider, analytics tool, or CRM). The Data Fiduciary is primarily responsible for DPDPA compliance; the Data Processor must follow contractual instructions and cannot process data for any other purpose.
Q: Does a startup need a full IAM framework for DPDPA?
The DPDPA applies proportionally. A 5-person startup is not expected to have the same IAM infrastructure as an enterprise. However, even small businesses must implement minimum controls: no shared admin credentials, MFA for systems storing personal data, a process to revoke access when employees leave, and basic access logging. The cost of these controls is low; the cost of a breach or regulatory action is high.