DPDP and Cybersecurity: Why Deleting Unused Data Strengthens Protection
Seventy percent of sensitive data within enterprise systems remains untouched for years, as highlighted by a 2021 Data Risk report. This data, often never deleted when it should have been, poses a significant risk during breaches, because it is exactly as exposed as actively used data. Historically, enterprises have viewed personal data as an asset to be amassed first and governed later. The prevailing belief was that more data would lead to enhanced personalization, improved analytics, and stronger fraud detection. However, with the advent of the Digital Personal Data Protection (DPDP) framework and evolving cybersecurity threats, this perspective is shifting. Data lacking a clear purpose is increasingly seen not as an asset, but as a potential attack surface.
India’s cybersecurity landscape underscores the urgency of this issue. In 2025, CERT-In reported handling over 2.9 million cyber incidents. IBM’s breach research indicated that the average cost of a data breach in India reached ₹220 million, compared to a global average of USD 4.44 million. Furthermore, Verizon’s 2026 Data Breach Investigations Report revealed that 31% of breaches now originate from software vulnerabilities, surpassing stolen credentials as the primary entry point. This shift signifies that attackers are not merely searching for weak passwords; they are targeting unprotected data stores. Enterprises that retain excessive data inadvertently provide more opportunities for attackers.
The Interconnection of DPDP and Cybersecurity
The DPDP framework should not be seen solely as a compliance measure for privacy; it represents a fundamental reset in cybersecurity practices. It compels organizations to critically evaluate the necessity of the data they hold. The core question becomes: why is this data being retained?
Data minimization is not about limiting business operations; rather, it aims to mitigate unnecessary exposure. Each additional data field collected, every duplicate customer record, and all outdated documents retained beyond their utility increase the potential impact of a data breach. Security teams can implement encryption and monitor networks, but they cannot fully protect data that is unknown, unnecessary, or unjustifiable.
Reshaping Data Governance through DPDP
The DPDP framework reshapes the conversation around data governance. Organizations must articulate what data they collect, the rationale behind it, the duration of retention, the parties with whom it is shared, and the timeline for deletion. These requirements extend beyond legal compliance; they embody essential security design principles.
The law imposes significant penalties for non-compliance. Organizations that fail to implement reasonable security measures could face fines up to ₹250 crore, while neglecting to notify affected individuals of a data breach may incur penalties of up to ₹200 crore. The most secure data is that which is never collected unnecessarily; the second most secure is that which is deleted once its purpose has been fulfilled.
Data Minimization as a Cybersecurity Strategy
For many Indian enterprises, the digital landscape has become inherently data-heavy. Processes and sectors such as onboarding, lending, insurance, healthcare, and e-commerce routinely require the processing of personal data. The challenge lies in distinguishing between essential data and data collected for convenience.
Cyber risk now encompasses more than just firewalls and endpoint protection. It includes issues such as data hoarding, excessive access permissions, outdated records, test data, unused integrations, shadow databases, and third-party copies. In the event of a breach, stakeholders will inquire not only about how the attacker gained access but also why such a substantial amount of data was exposed.
Data minimization addresses three critical risks:
- Reducing Data Breach Risk: If expired data is deleted, it cannot be stolen. A system with ten required fields is less vulnerable than one with fifty fields collected out of habit.
- Enhancing Visibility: Many organizations struggle not due to a lack of security tools but because they lack a comprehensive understanding of their personal data across various applications, databases, and third-party environments. You cannot secure what you cannot see.
- Strengthening Accountability: Teams across product, operations, legal, vendor management, and security must align on data purpose, consent, retention, and safeguards.
Together, these elements contribute to a mature cybersecurity posture.
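As an added illustration (not code from the article or from any DPDP guidance), the register-driven check below models the questions the framework poses: which fields each stated purpose justifies collecting, how long records may be retained, and what is deleted once that period has passed. The purpose register, retention periods, audit date and records are all constructed sample values.

```python
"""Purpose-register check: keep only justified fields, delete expired records."""
from datetime import date, timedelta

# Hypothetical purpose register (constructed): the fields each purpose justifies
# collecting and how long records collected for it may be retained.
PURPOSE_REGISTER = {
    "kyc_onboarding": {"fields": {"name", "pan", "dob"}, "retention_days": 365 * 5},
    "marketing": {"fields": {"name", "email"}, "retention_days": 365},
}
META = {"id", "purpose", "collected"}  # bookkeeping keys, not personal data
AS_OF = date(2026, 1, 1)  # constructed audit date

# Constructed sample records; record 4 has a purpose the register does not know.
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "kyc_onboarding", "collected": date(2021, 1, 10),
     "name": "A", "pan": "XXXXX0000X", "dob": "1990-01-01", "phone": "0000"},
    {"id": 2, "purpose": "marketing", "collected": date(2023, 6, 1),
     "name": "B", "email": "b@example.com", "pan": "XXXXX1111X"},
    {"id": 3, "purpose": "marketing", "collected": date(2025, 11, 1),
     "name": "C", "email": "c@example.com"},
    {"id": 4, "purpose": "legacy_export", "collected": date(2024, 3, 1),
     "name": "D", "email": "d@example.com"},
]

def classify(record, today):
    """Return ("delete", None) for unjustified or expired records,
    else ("keep", record reduced to the fields its purpose justifies)."""
    entry = PURPOSE_REGISTER.get(record["purpose"])
    if entry is None:  # no documented purpose: retention cannot be justified
        return "delete", None
    if today > record["collected"] + timedelta(days=entry["retention_days"]):
        return "delete", None
    kept = {k: v for k, v in record.items() if k in META or k in entry["fields"]}
    return "keep", kept

def minimize(records, today):
    """Apply the register; return (kept records, ids to delete, fields stripped)."""
    kept, to_delete, stripped = [], [], 0
    for rec in records:
        verdict, out = classify(rec, today)
        if verdict == "delete":
            to_delete.append(rec["id"])
        else:
            stripped += len(rec) - len(out)
            kept.append(out)
    return kept, to_delete, stripped

def exposure(records):
    """Count personal-data fields a breach of this store would expose."""
    return sum(len(set(r) - META) for r in records)
```

On the sample store the check halves the exposed fields (11 to 5): two records are past retention or have no documented purpose, and one record loses a field its purpose never justified.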
Balancing Fraud Prevention and Personal Data Protection
The challenge of balancing fraud prevention with data protection is particularly complex. Financial institutions, insurers, fintech companies, marketplaces, and digital platforms require robust controls to detect synthetic identities, account takeovers, and other fraudulent activities. However, fraud prevention should not justify indiscriminate data collection.
The path forward involves refining fraud controls rather than diluting them. Purpose-driven fraud prevention entails collecting only the data necessary for specific risk assessments, applying stringent controls, retaining data for justified periods, and limiting access to essential personnel.
Effective security does not necessitate unlimited data; it requires the right data, governed appropriately.
Trust as a Competitive Advantage
In this evolving landscape, trust emerges as a competitive advantage. Organizations that can clearly demonstrate their data collection practices, protection measures, and deletion protocols will foster confidence among customers and partners. As cyber threats escalate and regulatory scrutiny intensifies, trust will significantly influence customer choices and institutional credibility.
For leadership teams, the pivotal question has shifted from mere compliance with DPDP to demonstrating how their data practices actively reduce risk. This requires more than a compliance audit; it necessitates a real-time understanding of personal data across the organization—its existence, its flow, access permissions, and its ongoing necessity.
Historically, privacy and security were treated as separate domains with distinct teams and agendas. This separation is no longer tenable. A security team unaware of the personal data held by the organization cannot adequately protect it. Conversely, a privacy team lacking visibility into data flows cannot effectively govern them.
The Future of DPDP and Cybersecurity
The DPDP framework does not compel enterprises to choose between innovation and protection. Instead, it encourages the development of digital systems where innovation is not predicated on unchecked data accumulation. For too long, the mantra of “collect more” was perceived as a safer business strategy. In the era of DPDP, the safer cybersecurity strategy may well be the opposite: collect with purpose, protect with discipline, and delete with assurance.
Data minimization is evolving from a mere checkbox for privacy compliance to one of the most practical security controls an enterprise can implement.
Source: thecyberexpress.com