Summary: This article is the second part of a two-part series examining the implications of India’s Digital Personal Data Protection Rules, 2025, for internal investigations conducted by organisations and their legal counsel. Part I addressed the foundational framework and the applicability of exemptions under the DPDP Act, particularly Section 17(1)(c). Part II focuses on the practical compliance obligations that Data Fiduciaries must navigate during internal investigations, including security requirements, breach notification protocols, data retention and erasure mandates, and cross-border transfer complexities.
Introduction
This second part provides a focused overview of the practical compliance obligations imposed on Data Fiduciaries during internal investigations under the Digital Personal Data Protection Rules, 2025. These obligations fundamentally reshape how law firms and their clients must structure investigative workflows, requiring immediate operational redesign to mitigate regulatory exposure and ensure compliance with India’s evolving data protection landscape.
Obligations During Investigations
Even when Section 17(1)(c) applies, Data Fiduciaries must still implement technical and organisational measures, maintain security safeguards, comply with breach notification, observe data retention and erasure requirements, and provide redress mechanisms.
Security
Rule 6 requires Data Fiduciaries to implement reasonable security safeguards, including encryption, technical controls, access restrictions, log monitoring, business continuity measures, and contractual terms binding processors to adopt equivalent safeguards; failure to maintain such safeguards attracts penalties of up to ₹250 crore under the Act. When investigation material passes between a company and its counsel, both parties must therefore agree on compatible controls (encryption in transit and at rest, restricted access, and logging of access) rather than each applying its own, since each remains answerable for the data it holds.
Breach Notification
Under Rule 7, in the event of a personal data breach, the Data Fiduciary must without delay notify affected Data Principals of the nature of the breach and the precautionary measures they can take, and must report the breach to the Data Protection Board of India (“DPB”) without delay, followed by a detailed update within 72 hours.
The EDPB’s Guidelines 9/2022 on personal data breach notification under GDPR[1] (“Breach Guidelines”) establish that Data Controllers (the GDPR equivalent of Data Fiduciaries) become “aware” of a breach when they possess a “reasonable degree of certainty” that a security incident compromising personal data has occurred, and that this awareness, not the completion of forensic examination, triggers the 72-hour notification clock.
This standard complicates internal investigations, as establishing the scope of the breach, its root cause, and the perpetrator’s identity may require weeks or months of analysis. Organisations must, therefore, adopt phased notification protocols: (i) an initial report to the DPB as soon as the breach is identified, with the detailed 72-hour update based on the findings available at that point, followed by (ii) supplementary updates as the forensic investigation progresses.
Retention and Erasure
Rule 8 establishes comprehensive retention and deletion obligations. Data Fiduciaries must erase personal data once its purpose is served, unless retention is required by law, with specific cessation periods prescribed for certain classes of entities. Logs must be retained for at least one year even after the underlying data is erased, to enable breach detection and regulatory inquiries. Data Principals must receive at least 48 hours’ notice before deletion. Fiduciaries must also orchestrate erasure across all processors, cloud vendors, and backup systems, supported by contractual safeguards and proof of deletion. For investigations, this creates significant challenges, as investigation files often require extended retention for litigation or regulatory inquiries.
For clients, the 48-hour pre-deletion notice requirement necessitates automated notification engines linked to deletion workflows, which in turn require continuous tracking of employee contact details and logging of bounced messages. This is an acute challenge during investigations, where subjects may have been transferred, placed on garden leave, or stripped of corporate mailbox access.
For law firms, the challenges multiply. As joint Data Fiduciaries exercising professional discretion, they bear independent liability for retention decisions and must balance attorney work-product preservation against data minimisation principles.
This dual regulatory burden — immediate deletion obligations versus protracted litigation/ regulatory retention needs — forces law firms and clients to adopt legal hold protocols that explicitly document why investigation data retention is “necessary for compliance under any law”, maintain contemporaneous records justifying each retention decision against specific statutory provisions, and implement graduated deletion schedules that erase non-critical data while preserving material evidence subject to ongoing legal proceedings or regulatory examination.
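The notice-gated deletion workflow and the legal-hold protocol described above can be expressed as one small state machine. The following is an added illustration written for this article, not code from the article, the DPDP Rules, or any regulator: it assumes the 48-hour notice period and one-year log retention quoted above, treats a bounced notice as undelivered (so the erasure clock does not start until a corrected contact is reached), refuses to erase anything under a documented legal hold while recording each such decision, collects a proof-of-deletion digest from every processor, and keeps the erasure log in a hash chain so that a later inquiry can detect tampering. The processor names, e-mail addresses, record IDs and hold justification are constructed for the example.

```python
"""Erasure workflow with legal-hold gating, 48-hour pre-deletion notice and
one-year hash-chained log retention. Added example; all names, addresses and
the hold justification are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import json

NOTICE_PERIOD = timedelta(hours=48)   # pre-deletion notice period cited in the article
LOG_RETENTION = timedelta(days=365)   # minimum log retention cited in the article


@dataclass
class Record:
    record_id: str
    principal_email: str
    purpose_served_at: datetime
    notice_delivered_at: Optional[datetime] = None
    erased: bool = False


@dataclass
class LegalHold:
    record_id: str
    basis: str       # the proceeding or statutory duty cited in the hold memo
    placed_by: str


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the digest of the previous one."""
    entries: list = field(default_factory=list)
    anchor: str = "0" * 64   # digest of the last purged entry (chain start)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, at: datetime, event: str, **details) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else self.anchor
        body = {"at": at.isoformat(), "event": event, "prev": prev, **details}
        body["digest"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = self.anchor
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def purge_expired(self, now: datetime) -> int:
        """Drop entries older than LOG_RETENTION from the head; keep the chain verifiable."""
        cutoff, removed = now - LOG_RETENTION, 0
        while self.entries and datetime.fromisoformat(self.entries[0]["at"]) < cutoff:
            self.anchor = self.entries.pop(0)["digest"]
            removed += 1
        return removed


class ErasureEngine:
    def __init__(self, holds, processors, deliver):
        self.holds = {h.record_id: h for h in holds}
        self.processors = processors   # name -> callable(record_id) -> confirmation text
        self.deliver = deliver         # callable(email, text) -> True if delivered, False if bounced
        self.log = AuditLog()

    def step(self, rec: Record, now: datetime) -> str:
        """Advance one record through the workflow; returns the resulting state."""
        if rec.erased:
            return "already_erased"
        if now < rec.purpose_served_at:
            return "purpose_active"
        hold = self.holds.get(rec.record_id)
        if hold:   # record every retention decision with its justification
            self.log.append(now, "retained_under_hold", record=rec.record_id,
                            basis=hold.basis, placed_by=hold.placed_by)
            return "held"
        if rec.notice_delivered_at is None:
            text = f"Personal data record {rec.record_id} will be erased no sooner than 48 hours from now."
            if self.deliver(rec.principal_email, text):
                rec.notice_delivered_at = now
                self.log.append(now, "notice_delivered", record=rec.record_id, to=rec.principal_email)
                return "notice_sent"
            self.log.append(now, "notice_bounced", record=rec.record_id, to=rec.principal_email)
            return "bounced"   # clock has not started; retry once contact details are corrected
        if now - rec.notice_delivered_at < NOTICE_PERIOD:
            return "in_notice_period"
        proofs = {name: hashlib.sha256(fn(rec.record_id).encode()).hexdigest()
                  for name, fn in self.processors.items()}
        rec.erased = True
        self.log.append(now, "erased", record=rec.record_id, proofs=proofs)
        return "erased"


def demo() -> dict:
    """Constructed scenario: one record under legal hold, one whose subject's
    corporate mailbox bounces until a corrected address is recorded."""
    t0 = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
    active = Record("emp-1001", "a.k@corp.example", purpose_served_at=t0)
    held = Record("emp-2002", "r.m@corp.example", purpose_served_at=t0)
    closed_mailboxes = {"a.k@corp.example"}   # subject on garden leave (constructed)
    processors = {"hris-saas": lambda rid: f"hris deleted {rid}",
                  "backup-vault": lambda rid: f"vault purged {rid}"}
    eng = ErasureEngine([LegalHold("emp-2002", "hold memo 7: pending regulatory inquiry (constructed)", "counsel")],
                        processors, lambda email, _t: email not in closed_mailboxes)
    out = {"held": eng.step(held, t0), "first": eng.step(active, t0)}
    active.principal_email = "a.k@personal.example"   # corrected contact detail
    out["second"] = eng.step(active, t0 + timedelta(hours=1))
    out["early"] = eng.step(active, t0 + timedelta(hours=30))
    out["done"] = eng.step(active, t0 + timedelta(hours=50))
    out["events"] = [e["event"] for e in eng.log.entries]
    out["chain_ok"] = eng.log.verify()
    out["purged_after_400d"] = eng.log.purge_expired(t0 + timedelta(days=400))
    out["chain_ok_after_purge"] = eng.log.verify()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter for an investigation. First, the hold check runs before the notice is ever sent, so a subject under hold never receives a deletion notice that counsel would then have to retract. Second, the log purge removes only from the head of the chain and retains the last purged digest as the new anchor, so a one-year retention window can be enforced without making the surviving entries unverifiable.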
Cross-Border Data Transfers
Multinational investigations often necessitate transferring employee data across borders, such as from Indian subsidiaries to US parent companies, from EU entities to Indian forensic firms, or from US headquarters to EU affiliates. Each jurisdiction applies incompatible transfer mechanisms.
- India’s DPDP Act adopts an inverse blacklist approach,[2] permitting transfers to any country except those specifically blacklisted by the Central Government. No blacklist has been published yet, creating interim uncertainty, but theoretically offering broader transfer latitude than the GDPR’s whitelist model.
- The GDPR requires an adequacy decision (granted to a limited set of jurisdictions, which does not include India and which covers the United States only for organisations certified under the EU-US Data Privacy Framework) or standard contractual clauses (“SCCs”) supplemented by transfer impact assessments.
- The California Consumer Privacy Act (“CCPA”) does not restrict international transfers, provided contractual obligations ensure the recipient’s compliance.
Organisations must, therefore, implement jurisdiction-specific protocols. Transfers from EU entities to India require SCCs and transfer impact assessments, whereas transfers from India to the EU require verification that the destination is not on the Central Government’s blacklist. Transfers out of the US rely on CCPA contractual flow-through provisions, while transfers from EU entities to US affiliates require GDPR SCCs or a Data Privacy Framework certification. This creates a matrix of overlapping, non-harmonised obligations demanding granular legal analysis for each data flow.
Conclusion
Law firms and their clients must act immediately to redesign investigation protocols, execute Data Processing Agreements with external counsel, document exemption claims, implement breach notification workflows, and embed privacy-by-design principles; as waiting for regulatory guidance is not a compliance option, but a liability risk. The regulatory landscape has irrevocably changed, and investigative practices perfected over decades must be fundamentally reimagined for India’s era of data protection.
The introduction of India’s new data rules marks a pivotal shift in how organisations must approach both routine operations and internal investigations. By understanding the requirements of the DPDP Act and implementing best practices, organisations can mitigate legal risks, protect individual rights, and foster a culture of compliance and accountability.

For further information, please contact:
Sahil Kanuga, Partner, Cyril Amarchand Mangaldas
sahil.kanuga@cyrilshroff.com
[1] EDPB’s Guidelines 9/2022 on personal data breach notification under GDPR | European Data Protection Board, https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-92022-personal-data-breach_en.
[2] Rule 15, DPDP Rules.