Press Network of India

Privacy By Design Blueprint To Prevent 250 Crore Penalty Under DPDP Act Published


MUMBAI — Bengaluru-based privacy technology company PrivaSapien and the Data Security Council of India (DSCI) have launched Operationalising DPDP and Privacy by Design through PETs. The co-authored industry report provides Indian organisations with a practical framework for implementing technical safeguards to unlock data and avoid penalties of up to Rs 250 crore under the Digital Personal Data Protection Act, 2023. The report was unveiled at FINSEC 2026, India’s premier banking and financial security conference, in Mumbai.

The report is timely: organisations are unsure whether to follow the traditional GRC approach or to implement the technical safeguards that the DPDP Act recognises as grounds for exemption, and whose absence can result in penalties. The traditional approach of collecting consent and cookie preferences, running manual DPIAs and relying on data discovery alone does not solve the problem. Mitigating the risk of data in use is where data is actually unlocked, and consent-based processing is what limits organisational risk. The report’s central argument: data protection cannot be treated as a compliance formality applied after the fact. It must be engineered into systems before data processing begins. Data-in-use protection using PETs unlocks data through regulatory exemptions and enables value creation, while protecting the personal data rights of citizens.

At the heart of the report is a four-stage Privacy by Design framework that takes organisations from defining lawful purpose and consent, through Privacy Threat Modelling and Data Protection Impact Assessments, to technical enforcement via Consent-Based Access Control and Privacy-Enhancing Technologies. Anchoring this framework is the Privacy Triad of Disassociability, Predictability, and Manageability, which the white paper uses to show that many consent failures are structural design problems requiring technical remedies. It examines a range of PETs, including mathematical anonymization, differential privacy, homomorphic encryption, synthetic data, private set intersection and Zero Knowledge Proof, mapping their application across healthcare, financial services, telecommunications, and AI-driven platforms through sectoral use cases.

One of the key takeaways from the paper is the distinction between privacy and security. Security is a data-at-rest and data-in-transit problem; privacy is a post-security, data-in-use problem. Security does not change the data while it is in use; privacy changes the data depending on the purpose of processing. Security addresses unauthorised access; privacy governs whether authorised data use is lawful, proportionate, and purpose-bound. Many organisations, it notes, may be technically secure yet non-compliant under the DPDP framework, because consent failures are often architectural problems rather than legal oversights.

Speaking at FINSEC 2026 on DPDP compliance strategy, Abilash Soundararajan, CEO and Co-Founder of PrivaSapien, reinforced the paper’s core premise that privacy governance must move out of legal departments and into engineering pipelines.

“DPDP is one of the very first regulations where the technical safeguard carries the highest penalty. Indian regulation clearly says the highest penalty is going to be for technical safeguards in the first place. That is a very positive move. What the government wants to build on top of DEPA, the JAM trinity, and UPI is very foundational for the country, and privacy-enhancing technologies are going to play a very critical role in unlocking data the right way and creating value, because India believes it will be first data-rich and then citizens will actually become rich. Privacy Enhancing Technologies protect people from harm while at the same time unlocking data, that is fundamental. This is India setting the standard for the world to follow.”

Speaking at the launch, Vinayak Godse, CEO, DSCI, highlighted the strategic value that privacy engineering brings beyond regulatory compliance.

“Privacy-Enhancing Technologies give organisations a path beyond compliance as a threshold, towards building privacy into the architecture of digital systems from the ground up. Organisations that invest in strong privacy practices are not just reducing risk; they are creating business value, earning stakeholder trust, and positioning themselves to innovate responsibly.”

Drawing on regulatory experience across the EU, UK, California, and Singapore, the white paper closes with recommendations for industry, regulators, and government. Key among them: that the Data Protection Board recognise verifiable PET deployment as a mitigating factor in enforcement proceedings, and that privacy engineering be formalised as a discipline across academic and professional curricula to address India’s growing implementation capacity gap.
