The Act is now in force. Beyond the consent layer, the real teeth are in audit-trail and chain-of-custody requirements for backup data. Here is the mapping we use across every regulated engagement.
What Most CIOs Miss
Public discussion of DPDP 2025 has focused on consent collection and data principal rights. Those are real obligations, but they sit above the storage layer. The teeth of the Act — the parts that create operational liability for an IT department — live in the data fiduciary obligations around retention, deletion, and audit.
If you are a backup admin, the DPDP Act has just rewritten three things about your job:
- Retention is now a maximum, not a target. Holding backups past the documented business need is a compliance breach, not a safety margin.
- Deletion must be verifiable. A deletion API call without a chain-of-custody log is insufficient.
- The audit trail must be tamper-evident. The auditor must be able to confirm the log itself has not been edited.
The Mapping We Use
Each backup workload maps to a DPDP category, and each category has a retention ceiling. Below is the simplified version we deploy in every regulated engagement — the production version includes a 23-page mapping table, but the structure is what matters:
- Identify which data principal categories the workload contains.
- Map each category to its retention ceiling under DPDP 2025 (and any sectoral overlay — RBI, SEBI, IT Act).
- Engineer the backup platform's retention policy to enforce the shortest applicable ceiling automatically.
- Build deletion verification into the engagement runbook — every scheduled deletion produces a signed report.
- Wire the audit-trail to an immutable log store separate from the backup platform's operational logs.
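The last two steps, as an added sketch that is not iBART™ or itSimple code: each deletion record commits to the hash of the previous record and carries a keyed signature, and the latest head hash is what gets anchored in the separate log store. The field names, function names and the use of HMAC-SHA256 as a stand-in for an asymmetric signature (with the key held outside the backup platform) are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(body: dict) -> bytes:
    # Stable byte encoding so a record always hashes and signs identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_deletion(log, key, workload, backup_id, deleted_at):
    """Append a deletion record that commits to the previous entry's hash."""
    body = {
        "seq": len(log),
        "workload": workload,
        "backup_id": backup_id,
        "deleted_at": deleted_at,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    data = canonical(body)
    entry = dict(body,
                 entry_hash=hashlib.sha256(data).hexdigest(),
                 signature=hmac.new(key, data, hashlib.sha256).hexdigest())
    log.append(entry)
    return entry["entry_hash"]  # head hash: anchor this in the separate store


def verify_log(log, key, expected_head=None):
    """Return -1 if intact, else the index where verification first fails."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items()
                if k not in ("entry_hash", "signature")}
        data = canonical(body)
        sig = hmac.new(key, data, hashlib.sha256).hexdigest()
        if (body.get("seq") != i
                or body.get("prev_hash") != prev
                or entry.get("entry_hash") != hashlib.sha256(data).hexdigest()
                or not hmac.compare_digest(sig, str(entry.get("signature")))):
            return i
        prev = entry["entry_hash"]
    # Dropping the newest entries leaves a valid chain; only the externally
    # anchored head hash reveals that truncation.
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1
```

Without `expected_head`, a log with its most recent entries removed still verifies, which is the practical gap between an append-only log and a tamper-evident one.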
"DPDP did not change what we should have been doing. It changed what we can be sued for not doing." — Compliance briefing, January 2026
The iBART™ Position
iBART™ — itSimple's trademarked Make-in-India data unlock tool — was originally engineered around restoration assurance. The DPDP Act has made its audit-trail and chain-of-custody features the more commercially relevant capability. Sovereign storage, sovereign control plane, sovereign audit log — all on Indian soil, operated under Indian law.
The Three Questions to Ask Tomorrow
- Can our current backup platform produce a signed deletion certificate per workload?
- Is our audit-trail tamper-evident, or merely append-only?
- If a regulator asked us to demonstrate sovereignty for backup metadata, could we — today, in writing?
If any of those answers are uncertain, the next 90 days are the time to remediate. We run a free DPDP backup audit that produces a written compliance gap report.