Two mandates, one question
BRSR (Business Responsibility and Sustainability Reporting) Principle 9 asks listed companies to disclose how they treat customer data — privacy complaints, breaches, cyber-security spend. The Digital Personal Data Protection Act (DPDPA) asks every data fiduciary to prove it — consent, rights, retention, accountability. Two regulators, two formats, one underlying capability.
Companies that treat these as separate projects end up building everything twice: two data inventories, two sets of policies, two consent stories that don’t quite agree with each other. An auditor will eventually notice. So will a journalist.
The shared spine
The same artifacts power both regimes. A data inventory with records of processing. A consent-management framework. A working rights-request process — what happens, concretely, when someone asks for deletion tomorrow morning? Impact assessments for high-risk processing. A breach-response plan that has actually been drilled, not just filed.
Build that spine once and BRSR Principle 9 becomes a reporting exercise instead of a scramble — while DPDPA compliance stops being a legal afterthought and becomes something your sustainability report can point to with a straight face.
Where to start
A gap assessment, honestly scoped: what personal data you hold, where it flows, which processors touch it, and how far your current practice is from what the Act expects. From there, a roadmap — notices, consent, data-protection impact assessments (DPIAs), training. Significant data fiduciaries add a Data Protection Officer (DPO) and independent audits to the picture.
We run on this too
Alt operates its own DPDPA-aligned data governance — consent, export, deletion, processing records, the lot. We sell what we practice, which makes the first workshop refreshingly short on theory.
DPDPA work sits in our Governance practice, spanning assessments, advisory, disclosures, and training — most of it atomic-lane sized.