DPDP readiness assessment: a Bengaluru NBFC’s 4-hour day
Last updated: 16 June 2026
09:14 AM. Bengaluru. The lift was broken, so I walked up four floors with a laptop bag and a coffee that had gone cold somewhere on the third landing. This is a DPDP readiness assessment as it happened, hour by hour. The CISO was waiting on the landing, not in his office. That was the first thing I noticed. The second was that he had not slept.
“Yaar Priya,” he said, “thank god you came.” His auditor had filed an exception note the previous Tuesday. One line, six words: “DPDP readiness inadequate for personal data scale.” The board was meeting on Friday. The CFO had been forwarding the note around with three question marks. The CISO had no answer ready.
This is what a DPDP readiness assessment actually looks like from inside the building. Not the slide. The day.
09:30 AM. Why we start with the map, not the policy
The first hour is not about controls. It is about a whiteboard and a marker. We draw where personal data enters the company, where it sits, and where it leaves. For a 250-employee lending NBFC, that map fits on one wall. Customers, sales agents, the loan origination system, the credit bureau API, the collections WhatsApp group, and the HR drive on SharePoint. Six boxes.
The CISO had assumed the map was bigger. Most do. The job in the first hour is to make the picture small enough to see, not large enough to impress.
Bas one rule for this hour: every box on the map needs an owner whose name we can write down. If a box has no owner, that is already a finding. We had two of those. The collections WhatsApp group, where 11 field agents shared customer KYC photos with each other to “sync” cases, was owned by nobody. The HR drive was owned by an HR analyst who had left in April.
09:58 AM. Two findings, no scan yet.
11:00 AM. The control scan, and the gap that is always there
By 11, we run the actual control scan. Twelve domains, each with five to nine items. Consent capture, data retention, third-party processor list, DPO appointment, breach notification SOP, employee access, encryption at rest, encryption in transit, vendor DPAs, training records, grievance redressal, and child-data handling. The NBFC had something live in 9 of 12. Strong on the back end, thin in the middle.
The gap that is always there: employee access. The RBI Master Direction on IT Governance (Nov 2023) for NBFCs is explicit on least-privilege access. Most NBFCs we scan are not on the wrong side of the rule by intent. They are on the wrong side of the rule by drift. Not the firewall. Not the cloud. The people inside the building who quietly have more access than the role chart says they do. At this NBFC, the entire collections team had read access to the customer KYC folder. 47 people. Eight of them had not logged in for three months and one of them had left in February. The role review had not run since November.
We have seen this exact pattern at a Mumbai cooperative bank, a Chennai BPO, and a Pune wealthtech. The control fails the same way every time. Not because the tool is missing. Because nobody owns the quarterly review of who still needs the door key.
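The quarterly review that this control depends on is small enough to script. The following is an added example, not the assessor's own tooling: it joins a constructed ACL export for the KYC folder with a constructed HR roster, last-login data and an assumed entitlement chart, and flags the three drift patterns described above (staff who have left, dormant accounts, and users whose role is not entitled to the folder).

```python
"""Quarterly access review for a shared KYC folder.
Flags the three drift patterns in the article: staff who have left,
dormant accounts, and users whose role is not entitled to the folder.
Added example; every dataset below is constructed, not real."""
from datetime import date, timedelta

# Constructed ACL export for the KYC folder: (user, permission).
KYC_ACL = [
    ("asha.r", "read"), ("deepak.m", "read"), ("farah.k", "read"),
    ("ganesh.p", "read"), ("hema.s", "read"), ("irfan.a", "write"),
]
# Constructed HR roster: user -> (department, status, exit date or None).
HR_ROSTER = {
    "asha.r": ("collections", "active", None),
    "deepak.m": ("collections", "active", None),
    "farah.k": ("collections", "exited", date(2026, 2, 14)),
    "ganesh.p": ("sales", "active", None),
    "hema.s": ("collections", "active", None),
    "irfan.a": ("loan_ops", "active", None),
}
# Constructed last successful login per user, from the identity provider.
LAST_LOGIN = {
    "asha.r": date(2026, 6, 10), "deepak.m": date(2026, 2, 20),
    "farah.k": date(2026, 2, 12), "ganesh.p": date(2026, 6, 1),
    "hema.s": date(2026, 6, 15), "irfan.a": date(2026, 6, 14),
}
# Assumed role chart: which departments may hold which permission.
ENTITLED = {"loan_ops": {"read", "write"}, "collections": {"read"}}
DORMANT_AFTER = timedelta(days=90)   # the article's three-month threshold
TODAY = date(2026, 6, 16)            # constructed review date

def review_kyc_access(acl, roster, last_login, today):
    """Return (user, finding) pairs; a user may appear more than once."""
    findings = []
    for user, perm in acl:
        dept, status, _exit = roster.get(user, (None, "unknown", None))
        if status != "active":
            findings.append((user, f"{status} staff still holds {perm}"))
            continue  # revoke first; the remaining checks are moot
        if perm not in ENTITLED.get(dept, set()):
            findings.append((user, f"{dept} is not entitled to {perm}"))
        seen = last_login.get(user)
        if seen is None or today - seen > DORMANT_AFTER:
            findings.append((user, "dormant: no login in the last 90 days"))
    return findings

def run_review():
    """Run the review over the constructed data; returns the finding list."""
    return review_kyc_access(KYC_ACL, HR_ROSTER, LAST_LOGIN, TODAY)
```

Run quarterly against a fresh ACL export and roster; anyone the roster no longer lists as active is a revocation before it is a finding.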
12:30 PM. The HR interview, where the real story is
At 12:30 we sit with Reshma from HR. She is not on the DPDP project. She has not read the DPDP Act. She is the most important person in the building for the next 30 minutes.
“How do you handle a resignation?” I ask. She walks me through it. The exit interview form goes to a shared Outlook inbox. The PF settlement letter sits in a folder anybody in finance can open. The Aadhaar copies from joining are filed under the candidate’s name on the HR drive. Forever. “Forever?” I ask. “Achha, I think so, yes,” she says. “Nobody told me to delete.”
This is the postmortem of every DPDP gap we have scanned in two years. The IT team builds the wall. HR holds the keys. Nobody told HR they were holding keys.
By 1 PM we have 18 findings. Six are critical. Four are quick. Eight are medium.
01:30 PM. What the DPDP readiness assessment report contains
The report is not a slide deck. It is built for a CFO who will read it on a phone on Friday morning before the board.
| Page | What it says | Who reads it |
|---|---|---|
| 1 | Risk grade A/B/C/D and one sentence on why | CFO, CEO, Board |
| 2-3 | Data flow map with owners | CISO, DPO |
| 4-7 | 12 control domains, scored 0-5, gap notes | CISO, IT lead |
| 8-9 | Top 6 findings with the rupee exposure of each | CFO |
| 10-11 | Quick wins (closeable in 14 days) | CISO, HR head |
| 12 | 90-day plan, named owners, dates, budget band | Everyone |
Page 1 is the page the board reads. Page 12 is the page that gets you off the auditor’s exception list. Everything in between is the evidence that page 1 and page 12 are not invented.
02:00 PM. The 90-day plan, and why ours is short
The temptation in this slot is to write a 40-line plan that sounds like a vendor proposal. We do not do that. The 90-day plan for the NBFC had eight items. Three of them cost nothing. Two of them needed Microsoft Purview, which they already had a licence for and had never turned on. The remaining three needed one new control. Email DLP, scoped to the loan origination team and HR. Not the whole company. Not yet.
We have seen NBFCs of this size sign up for a 40 lakh rupee full-stack DPDP programme on the back of a scan that should have produced an 8 lakh rupee shortlist. Jhamela. The point of the readiness assessment is the shortlist, not the proposal.
If you are a DPO already, the report saves you the four weeks you would have spent building it yourself. If you do not have a DPO, our DPO-as-a-service stands in until you hire one. If you are at the start of a programme, the assessment feeds straight into the DPDP compliance package and you do not pay to scan twice.
02:45 PM. What the CISO took into the board meeting
I had assumed the CISO would carry the full 12 pages. He did not. He carried page 1 and page 12. He left the rest on his laptop. On Friday at 11:18 AM he messaged me one line: “Board signed off plan. CFO asked one question. We had an answer.” The question was about the 250 crore rupee cap and whether our exposure figure was credible. The answer was page 8. He had it.
The shape of a DPDP readiness assessment is not 30 controls and a heat map. It is one good morning of asking the right questions of the right people, then a short report that survives a CFO read on a phone. If you want to read what a CISO actually did the day MeitY notified the DPDP Rules in November 2025, the Mumbai bank notification-day story covers that morning hour by hour. If your auditor is asking about USB exfiltration specifically, our Chennai BPO vendor-audit field report shows where that control actually breaks.
Security is a verb. The assessment is the first verb in the sentence. Closing the gaps is the rest of it.
Frequently asked
How long does a DPDP readiness assessment take?
4 hours onsite for a 250-employee firm. 6 to 8 hours for 500 to 1000 people. Two days for 1500+. The report lands within 5 working days.
Do we need to have a DPO before the assessment?
No. The assessment includes the DPO appointment check as a finding, not a prerequisite. If you do not have one, we flag it on page 4. If you want one on retainer, our DPO-as-a-service kicks in after the report.
Is the readiness report enough to satisfy the Data Protection Board?
The report is your defence file. It is not a certificate. It documents that you have scanned, found, and planned. The DPB looks for evidence of a programme, not a sticker. The 90-day plan is the evidence.
What does it cost?
Free for the first scan, for Indian firms under 1000 employees. We do this because the shortlist is the sales conversation. There is no card, no contract, no obligation to take the follow-on work.
What if the auditor has already filed an exception note?
That is the most common reason we get a call. We work the assessment in the 30 days before the next audit cycle so you walk in with the report and the 90-day plan, not with a denial.
P.S. Priya here. The NBFC in this story is real, the name is not. We shipped a similar scan for a Pune wealthtech last week. The CISO there had a different question. He wanted to know which of the 18 findings would actually show up in a CERT-In incident notification window. The answer is two. If you are reading this and you can name the two for your own company, you do not need me. If you cannot, that is the call to make.

