Navigating the

Digital Personal
Data Protection Act:
A comprehensive guide for
compliance with ManageEngine solutions
Table of contents

Introduction to the Digital Personal Data Protection Act, 2023 1

Summary 1
Why a data protection act is needed in India 1
Overview of the DPDP Act and its objectives 1
Brief history of data privacy laws in India 2
Status, applicability, and scope of the DPDP Act 2
Exclusions from the DPDP Act 2

Demystifying the Digital Personal Data Protection Act, 2023 3

Key principles and definitions 3
A. Key principles of the DPDP Act 3
B. Key definitions of the DPDP Act 4

Obligations of Data Fiduciaries under the DPDP Act 5

Rights of Data Principals under the DPDP Act 7

A CXO's guide to achieving DPDP compliance 9

A. Essential steps for DPDP compliance 9
B. Developing a DPDP compliance checklist 9
Table 1� DPDP compliance checklist for businesses 9
C. Understanding the role of Data Protection Impact Assessments (DPIAs) 11
D. Managing consent and Data Principal rights 12

Leveraging ManageEngine AD360 for DPDP compliance 13

Leveraging ManageEngine Log360 for DPDP compliance 15

Conclusion and recommendations 19

www.manageengine.com/active-directory-360/
Introduction to the Digital Personal
Data Protection Act, 2023

Summary
The Digital Personal Data Protection (DPDP) Act, 2023 marks India’s formal entry into the global
landscape of modern data governance. Unlike previous regulations, it shifts the focus from mere
compliance to accountability, placing clear obligations on businesses while empowering individuals with
enforceable rights over their digital footprint. Understanding and adhering to the DPDP Act is crucial for
all entities that handle personal data within India or process the data of Indian citizens, regardless of their
geographical location.

This e-book provides an in-depth analysis of the DPDP Act, explains its key requirements, and explores
how ManageEngine AD360 and Log360 can assist organizations in meeting their compliance
obligations. By leveraging AD360 and Log360, businesses can enhance their data protection posture,
streamline compliance efforts, and build trust with their stakeholders.

Why a data protection act is needed in India

With the rapid growth of digital technologies and online services, the collection and processing of
personal data has become increasingly prevalent. Prior to the DPDP Act, India lacked a comprehensive
privacy law. While the Supreme Court of India recognized the right to privacy as a constitutionally
protected right in 2017, the existing Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) had limitations.

The DPDP Act aims to fill this crucial gap by providing a comprehensive legal framework for data
protection in India. Furthermore, there was a lack of clarity regarding individuals' legal rights regarding
their personal data and a lack of accountability for organizations processing this data. The DPDP Act
establishes the Data Protection Board of India (DPB) to enforce the law and hold organizations
accountable, thereby empowering individuals with greater control over their personal data.

Overview of the DPDP Act and its objectives

The DPDP Act is aims to establish a robust framework for data protection, ensuring accountability,
transparency, and consent-based data handling practices across various sectors. It establishes a balance
between the need for lawful data processing and an individual’s right to safeguard their personal data.
Under this law, entities handling personal data (referred to as Data Fiduciaries) are assigned specific
responsibilities to ensure proper data management. At the same time, individuals whose data is being
processed (known as Data Principals) are granted defined rights and obligations to maintain control over
their personal information. Additionally, it enforces accountability by imposing monetary penalties on
organizations that violate its regulations.

www.manageengine.com/active-directory-360/ 1
Brief history of data privacy laws in India
Prior to 2023, India did not have a standalone law on data protection; the use of personal data was
regulated under the Information Technology (IT) Act, 2000 and the SPDI Rules.

In 2017, the Supreme Court of India's Puttaswamy judgment recognized the right to privacy as a
fundamental right. Following this, the government developed draft legislation to protect the privacy of
Indians. This included the Personal Data Protection Bill, 2019, which was based on the recommendations
of a Committee of Experts on Data Protection chaired by Justice B. N. Srikrishna. This bill was referred to
a Joint Parliamentary Committee but was eventually withdrawn in August 2022.

Subsequently, the Ministry of Electronics and Information Technology proposed the Digital Personal
Data Protection Bill, 2022 in November 2022. After further deliberation and amendments, the Digital
Personal Data Protection Act, 2023 was passed by the Indian Parliament in August 2023 and received
presidential assent.

Status, applicability, and scope of the DPDP Act

The DPDP Act applies to the processing of digital personal data within India where the data is collected
online or offline and is subsequently digitized. It also has extraterritorial application, extending to the
processing of digital personal data outside of India if such processing is related to offering goods or
services to individuals within India. This means organizations based outside India but targeting the
Indian market will also need to comply with the DPDP Act.

Exclusions from the DPDP Act

While the scope of the DPDP Act is broad, it also outlines certain exclusions. It does not apply to personal
data processed for personal or domestic purposes by individuals. It also excludes non-automated
personal data, meaning data processed manually and not digitized, as well as offline personal data that
remains in physical form and is not converted into a digital format. Personal data that has been made
publicly available by the Data Principal themselves or by any other person under a legal obligation to do
so is also generally outside the purview of the Act. Additionally, data processed for law enforcement or
national security purposes may be exempt. Data processed for journalistic or artistic expression is also
exempt. Understanding these exclusions is crucial for organizations to accurately determine which of
their data processing activities are governed by the DPDP Act.

www.manageengine.com/active-directory-360/ 2
Demystifying the DPDP Act, 2023

Key principles and definitions

A. Key principles of the DPDP Act

The DPDP Act is built upon six fundamental principles that serve as guidelines for the lawful processing
of personal data. These principles provide the ethical and legal foundation of the Act.

Key principles Explanation

Lawfulness This principle dictates that personal data must be processed in a manner that is lawful,
fair, and transparent to the individuals concerned. This implies that processing must
have a legal basis, be conducted in good faith, and provide individuals with clear
information about how their data is being handled.

Purpose This principle mandates that personal data should be collected for specified, explicit,
limitation and legitimate purposes and not further processed in a way incompatible with those
original purposes. This means that organizations must clearly define why they are
collecting personal data and can only use it for those stated reasons, unless a new
purpose is compatible with the original purpose.

Data This principle emphasizes that personal data must be adequate, relevant, and limited to
minimization what is necessary for the purposes for which it is processed. Organizations should
only collect and retain the personal data that is strictly required to fulfill the specified
purposes.

Accuracy This principle requires that personal data is accurate and kept up to date where
necessary. Data Fiduciaries have an obligation to make reasonable efforts to ensure the
accuracy and completeness of personal data.

Storage This principle stipulates that personal data should be retained only as long as necessary
limitation to fulfill the purposes for which it was processed. Data Fiduciaries must erase personal
data when the Data Principal withdraws consent or when it is reasonable to assume the
specified purpose is no longer being served, unless retention is necessary for compliance
with any law. For government entities, storage limitation may not always apply.

Integrity and This principle necessitates that personal data is processed in a manner that ensures
confidentiality appropriate security, protecting against unauthorized or unlawful processing,
accidental loss, destruction, or damage through suitable technical and organizational
measures. Data Fiduciaries are responsible for implementing reasonable security
safeguards to prevent personal data breaches.

www.manageengine.com/active-directory-360/ 3
B. Key definitions of the DPDP Act
A clear understanding of the DPDP Act's key definitions is essential for effectively navigating and
complying with its provisions.

Entity Definition

Personal This is defined as any data about an individual who can be identified by or in relation to
data such data. This is a broad definition encompassing a wide range of information,
including name, address, contact details, date of birth, financial information, online
browsing history, social media posts, and location data. The Act also considers indirectly
identifiable information such as vehicle numbers and employee codes as personal data.

Digital This refers to personal data that is in digital form, irrespective of whether it was initially
personal data collected digitally or in non-digital form and subsequently digitized. The Act's scope is
primarily focused on digital personal data.

Processing This includes any operation performed on digital personal data, whether wholly or
partly automated, such as collection, recording, organization, structuring, storage,
adaptation, retrieval, use, sharing, and erasure. This definition covers the entire life
cycle of digital personal data.

Data This is the individual to whom the personal data relates. This includes parents or lawful
Principal guardians acting on behalf of children or persons with disabilities. The DPDP Act grants
several rights to Data Principals concerning their personal data.

Data This is any person who, alone or in conjunction with others, determines the purpose
Fiduciary and means of processing personal data. Data Fiduciaries bear the primary
responsibility for compliance with the DPDP. They have several obligations, such as
providing notice, obtaining consent, ensuring data accuracy and security, and reporting
data breaches. Certain Data Fiduciaries may be designated as Significant Data
Fiduciaries (SDF), incurring additional obligations.

Significant These are Data Fiduciaries that may be designated as such by the Central Government
Data Fiduciary based on factors like the volume and sensitivity of data processed, the risk to Data
(SDF) Principals' rights, and the potential impact on the sovereignty and integrity of India.
SDFs have additional obligations, including the mandatory appointment of a Data
Protection Officer (DPO) based in India, the appointment of an independent data auditor,
and the undertaking of periodic Data Protection Impact Assessments (DPIAs). The
identification of SDFs signifies a tiered approach to compliance, with more stringent
requirements for entities handling larger volumes of sensitive data or posing a higher risk
to individuals' privacy.

Data This is any person who processes personal data on behalf of a Data Fiduciary. Data
Processor Processors act under the instructions of the Data Fiduciary and have certain obligations
in handling personal data.

www.manageengine.com/active-directory-360/ 4
 Consent This is a registered entity that acts as a single point of contact for Data Principals to
Manager give, manage, review, and withdraw their consent. Consent Managers aim to streamline
the consent management process for Data Principals.

Personal This is any unauthorized processing or accidental disclosure, acquisition, sharing, use,
data breach alteration, destruction, or loss of access to personal data that compromises its
confidentiality, integrity, or availability. Data Fiduciaries are obligated to give intimation
of a personal data breach to the DPB and each affected Data Principal.

Obligations of Data Fiduciaries under

the DPDP Act

Data Fiduciaries, entities that determine the purpose and means of processing personal data, bear
several crucial obligations under the DPDP Act to ensure the protection of individuals' personal data and
uphold their rights.

Lawful processing of personal data

Data Fiduciaries must ensure that personal data is processed only for a lawful purpose. Processing can
occur based on the consent of the individual or for certain legitimate uses specified under the Act.
Legitimate uses where consent may not be required include voluntary sharing of data by the individual,
processing by the state for permits, licenses, benefits, and services, medical emergencies, and
employment. The aim of the Act is to balance the rights of individuals with the necessity of processing
data for lawful purposes.

Providing notice to the Data Principal

Before collecting personal data, Data Fiduciaries are obligated to provide a clear and easily
understandable notice to the Data Principal. This notice should contain a description of the personal
data sought to be collected and the purpose for the processing of such personal data. The notice should
also inform Data Principals about the manner in which they can exercise their rights and make
complaints. This notice and the request for consent should be accessible in English or any of the 22
languages included in the Eighth Schedule to the Constitution of India, at the option of the Data
Principal.

Obtaining valid consent

When processing relies on consent, Data Fiduciaries must obtain explicit and informed consent from the
Data Principal. The Act emphasizes the importance of informed consent, requiring Data Fiduciaries to
provide clear and easily understandable information regarding the purpose, scope, and duration of data
processing. For individuals below 18 years of age (children), consent must be provided by the parent or
legal guardian, and it must be verifiable parental consent. There are also provisions for deemed consent
under certain circumstances, such as legal or contractual obligations, vital or public interest, and
legitimate interest.

www.manageengine.com/active-directory-360/ 5
Right to withdraw consent
Data Principals have the right to withdraw their consent at any point in time. Data Fiduciaries must
respect this right and have mechanisms in place for Data Principals to easily withdraw their consent.

Cessation of processing upon withdrawal of consent

Once consent is withdrawn by the Data Principal, the Data Fiduciary must cease processing the personal
data, unless there are legal obligations or legitimate interests to continue retention.

Implementing reasonable security safeguards

Data Fiduciaries are required to implement reasonable security safeguards to prevent data breaches and
protect personal data from unauthorized access, disclosure, alteration, or destruction. This includes
adopting robust security practices, conducting regular audits, and implementing necessary safeguards
to mitigate risks. Failure to implement necessary information security measures to mitigate the risk of a
personal data breach could result in significant fines.

Intimation of personal data breach

In the event of a personal data breach, Data Fiduciaries are obligated to inform the DPB and each
affected Data Principal. This intimation should be made in the prescribed manner and likely within a
specific timeframe, although the exact timeline might be further specified in rules. Failure to report
personal data breaches can lead to penalties.

Erasure of personal data

Data Fiduciaries must erase personal data as soon as the purpose for which it was collected has been
met or when the Data Principal withdraws consent, unless retention is necessary for legal purposes. The
Act provides specific guidelines for the deletion and anonymization of personal data. However, storage
limitation and the right to erasure may not apply to government entities.

Publishing contact information for grievance redressal

Data Fiduciaries are required to publish contact information for grievance redressal to enable Data
Principals to raise concerns or complaints regarding the processing of their personal data.

Establishing grievance redressal mechanisms

Data Fiduciaries must establish mechanisms to address and resolve grievances raised by Data Principals
in relation to the processing of their personal data. They are expected to respond to grievances within a
reasonable timeframe, potentially within seven days or a shorter period as may be prescribed.

Obligations regarding children's and persons with disabilities' data

Processing the personal data of children (below 18 years) requires verifiable parental consent. The Act
also prohibits tracking or behavioral monitoring of children and targeted advertising directed at
children. While the definition includes persons with disabilities under the term Data Principal where a
lawful guardian acts on their behalf, specific additional obligations beyond consent through a guardian
are not explicitly detailed in the provided excerpts. However, the general principles of lawfulness,
purpose limitation, and security would apply.

www.manageengine.com/active-directory-360/ 6
Additional obligations for SDFs
Entities identified as SDFs by the central government may be subject to additional obligations due to the
volume and sensitivity of the personal data they process and the associated risks. These additional
obligations may include:

Appointment of a DPO based out of India.

Appointment of an Independent Data Auditor.

Conducting periodic DPIAs to identify and mitigate potential risks to the rights of Data Principals.

These obligations underscore the emphasis on accountability, transparency, and the empowerment of
individuals regarding their personal data under the DPDP Act. Organizations need to be proactive in
assessing their data processing activities and implementing necessary measures to ensure compliance
with these requirements.

Rights of Data Principals under the DPDP Act

The DPDP Act grants several rights to individuals, referred to as Data Principals, empowering them with
control over their personal data and promoting transparency and accountability in data processing.
These rights include:

Rights Explanation

Right to access Data principals have the right to receive comprehensive information about the
information collection, processing, and purpose of collecting their personal data. This includes the
right to know what personal data is being collected about them, the purpose for which
it is being collected, and third parties with whom it is being shared. Data Fiduciaries are
obligated to furnish clear and concise details concerning the utilization of individuals'
data. Furthermore, individuals have the right to obtain information about the
processing of their personal data.

Right to Data Principals retain the prerogative to request rectification or have their personal
correction and data updated if found inaccurate or incomplete. Data Fiduciaries are required to
erasure promptly put into effect the necessary amendments and inform relevant entities with
whom the data has been shared. Additionally, individuals have the right to request the
deletion or erasure of their personal data under specific circumstances. Data
Fiduciaries must comply with such requests, ensuring that the data is no longer retained
or utilized. This is also encompassed by the right to be forgotten, which allows
individuals to request the erasure of their personal data under specific circumstances,
requiring Data Fiduciaries to undertake necessary measures for permanent removal.
The Digital Personal Data Protection Bill, 2023 explicitly grants the right to seek
correction and erasure of personal data.

www.manageengine.com/active-directory-360/ 7
 Right to The DPDP Act introduces a unique right to nominate another person to exercise rights
nomination in the event of death or incapacity. This ensures that even when a Data Principal is
unable to manage their data rights, a designated individual can act on their behalf.

Right to Data Principals have the right to file a complaint with the DPB if they believe that their
grievance personal data has been processed in a manner that is not in compliance with the DPDP
redressal Act. Data Fiduciaries are obligated to establish processes to address Data Principals'
redressal requests. They are also required to publish contact information for grievance
redressal. Data Fiduciaries are expected to respond to the grievance of Data Principals
within seven days or a shorter period that may be prescribed. This right ensures a
mechanism for individuals to seek resolution for issues related to the processing of their
personal data.

Right to The sources indicate that individuals possess the right to object to the processing of
object their personal data in particular situations. Data Fiduciaries are obligated to respect
these objections unless there exist legitimate grounds for data processing that outweigh
the individual's interests.

Right to While earlier drafts and discussions of data protection legislation in India included the
data portability right to data portability, allowing individuals to acquire and transfer their personal data
from one service provider to another, the Digital Personal Data Protection Bill, 2023
does not grant the right to data portability to the Data Principal.

Right to As mentioned under the right to correction and erasure, the right to be forgotten,
be forgotten allowing individuals to limit the disclosure of their personal data, is effectively covered by
the right to request erasure under specific circumstances within the DPDP Act. The 2023
Bill grants the right to seek erasure.

In summary, the DPDP Act provides Data Principals with significant rights to control and manage their
personal data, emphasizing transparency, accountability, and the ability to seek recourse in case of
grievances. While some rights discussed in earlier stages, such as the explicit right to data portability, are
not included in the final 2023 DPDP Act, the enacted legislation still provides a robust framework for
protecting individual data privacy.

www.manageengine.com/active-directory-360/ 8
A CXO's guide to achieving
DPDP compliance

A. Essential steps for DPDP Act compliance

For CXOs and business leaders, achieving compliance with the DPDP Act requires a strategic and
systematic approach. The first essential step is to determine the applicability of the Act to the
organization's data processing activities. This involves understanding whether the organization
processes digital personal data within India or if its processing outside India relates to offering goods or
services to individuals in India. Following this, organizations need to build a comprehensive data
inventory and data map to understand what personal data they collect, where it is stored, how it is used,
and with whom it is shared. This foundational step is crucial for identifying the scope of compliance
efforts. Implementing robust consent management mechanisms is vital, ensuring that consent is
obtained freely, specifically, informed, unconditionally, and unambiguously, and that individuals have the
ability to withdraw their consent easily. Organizations must also establish processes to enable Data
Principal rights, such as the rights to access, correction, erasure, nomination, and grievance redressal,
ensuring timely and appropriate responses to such requests.

Adopting appropriate data protection measures and safeguards, including technical and organizational
measures, is paramount to ensure the security and confidentiality of personal data and to prevent data
breaches. It is also crucial for CXOs to understand the seriousness of DPDP Act enforcement and the
potential penalties for non-compliance, which can be significant. If the organization qualifies as a
Significant Data Fiduciary, appointing a DPO based in India and conducting DPIAs for high-risk
processing activities will be mandatory. Finally, employee training and awareness programs are
essential to ensure that all personnel handling personal data understand their responsibilities and the
requirements of the DPDP Act. These steps provide a practical roadmap for organizations to navigate the
complexities of DPDP Act compliance.

B. Developing a DPDP Act compliance checklist

To provide a more tangible guide for CXOs, a comprehensive DPDP Act compliance checklist can be a
aluable tool. The following table synthesizes key requirements from the Act and related analyses:

Compliance area Checklist item Status

Applicability Determine if the organization processes digital personal Yes No

data within India.

Determine if the organization processes digital personal Yes No

data outside India related to offering goods or services to
individuals in India.

www.manageengine.com/active-directory-360/ 9
Policies and Establish a data usage and protection policy covering data Yes No
procedures protection principles, data subject rights, consent
management, data sharing, breach notifications, etc.

Establish a data processing and retention policy defining Yes No

authorized processing and data retention periods.

Employee training Conduct regular training sessions for employees on DPDP Yes No
Act requirements and data protection policies.

Implement a process for new joiners to receive mandatory Yes No

training on data privacy and security.

Data inventory Map all personal data collected, processed, and stored. Yes No
and mapping

Document how personal data is collected, used, stored, Yes No

and accessed.

Identify data owners and access permissions for Yes No

personal data.

Consent Implement mechanisms to obtain free, specific, informed, Yes No

management unconditional, and unambiguous consent.

Provide clear privacy notices in English and other Yes No

specified Indian languages.

Ensure a process for Data Principals to easily Yes No

withdraw consent.

Maintain records of consent obtained. Yes No

Data security Implement reasonable security safeguards to prevent Yes No

data breaches.

Encrypt personal data at rest and in transit. Yes No

Implement access controls and regularly monitor Yes No

access logs.

Data breach Establish procedures for identifying, reporting, and Yes No

documenting personal data breaches.

Ensure a process for notifying the DPB and affected Yes No

Data Principals of a breach.

www.manageengine.com/active-directory-360/ 10
 Data Principal Establish procedures for Data Principals to exercise their Yes No
rights rights (i.e., access, correction, erasure, nomination,
grievance redressal).

Ensure timely responses to Data Principal requests. Yes No

SDF (If applicable) Appoint a DPO based in India. Yes No

Appoint an independent data auditor. Yes No

Conduct periodic DPIAs. Yes No

Data retention Establish data retention schedules based on the purpose Yes No
and erasure of processing.

Implement procedures for securely erasing personal Yes No

data when no longer needed or upon withdrawal of consent.

This checklist provides a structured framework for organizations to assess their readiness for DPDP Act
compliance and track their progress.

C. Understanding the role of Data Protection

Impact Assessments (DPIAs)
DPIAs are a critical component of a robust data privacy framework, particularly under the DPDP Act. A
DPIA is a process designed to identify and assess potential risks to the privacy of individuals associated
with the processing of their personal data. While the DPDP Act explicitly mandates DPIAs for SDFs, it is
considered a best practice for any organization undertaking processing activities that could pose a high
risk to the rights and freedoms of Data Principals. High-risk processing might include the use of new
technologies, large-scale processing of sensitive data, or activities that could lead to discrimination or
significant harm if data is compromised.

The process of conducting a DPIA typically involves several key steps.

1. First, the organization needs to describe the nature, scope, context, and purposes of the
processing operation. This includes detailing what personal data will be processed, how it will be
processed, the duration of processing, and who will have access to it.

2. Next, a thorough assessment of the necessity and proportionality of the processing in relation to
the purposes is required. This step ensures that the data collected is adequate, relevant, and not
excessive for the intended purpose, aligning with the principle of data minimization.

www.manageengine.com/active-directory-360/ 11
 3. The core of the DPIA involves identifying and assessing the risks to Data Principals, considering
the likelihood and severity of potential impacts such as loss of confidentiality, integrity, or
availability of data, or potential harm to individuals.

4. Finally, the organization must identify measures to address the risks, demonstrating how it will
mitigate, transfer, or accept the identified risks to ensure an appropriate level of data protection.
Conducting DPIAs helps organizations proactively identify and address privacy risks, ensuring that
data protection is integrated into the design and operation of their processing systems and
practices.

D. Managing consent and Data Principal rights

Effective management of consent is central to DPDP compliance, as consent serves as a primary lawful
basis for processing personal data.

1. The DPDP Act sets a high standard for valid consent, requiring it to be free, specific, informed,
unconditional, and unambiguous, given through a clear affirmative action.

2. Organizations must ensure they provide clear and accessible privacy notices to Data Principals
before seeking their consent, explaining the categories of personal data to be collected, the
specific purposes for processing, the process for exercising their rights, the procedure to revoke
consent, and how to file complaints.

3. Obtaining blanket consent for multiple purposes is not permissible; consent must be specific to
each purpose of processing.

4. Furthermore, the process for withdrawing consent must be as easy as giving it. Organizations
need to implement mechanisms to record and manage consent, including the date and time of
consent, the specific purposes for which consent was given, and any subsequent withdrawals.

5. A consent-first approach necessitates a re-evaluation of existing data collection and processing

practices to ensure they align with these stringent requirements.

6. Operationalizing the rights of Data Principals, such as the rights to access, correction, and erasure,
requires organizations to establish clear procedures and ensure timely responses.

7. For access requests, organizations need to verify the identity of the Data Principal and provide
them with a summary of their personal data being processed, the processing activities
undertaken, and the identities of any Data Fiduciaries or Processors with whom the data has been
shared.

www.manageengine.com/active-directory-360/ 12
 8. For correction requests, organizations must allow Data Principals to request the rectification of
inaccurate or misleading personal data, the completion of incomplete data, and the updating of
their data.

9. Handling erasure requests involves deleting the personal data of the Data Principal when they
withdraw consent, unless retention is necessary for compliance with other laws.

Organizations should have dedicated channels and trained personnel to handle these requests
efficiently and within the timelines that may be specified in the forthcoming rules. Implementing robust
identity verification processes and maintaining accurate records of data processing activities are crucial
for effectively managing Data Principal rights requests.

Leveraging ManageEngine AD360 for

DPDP Act compliance

ManageEngine AD360 is a unified identity and access management (IAM) solution designed to simplify
complex IT challenges, including meeting various requirements of the DPDP Act. It achieves this by
integrating multiple components into a single platform for managing, auditing, securing, and reporting
on the IT infrastructure, including Windows Active Directory, Microsoft 365, Exchange Servers, and cloud
applications.

Here's an overview of AD360's key features and how it helps enterprises comply with the DPDP Act:

DPDP Act Feature/ Description How it addresses DPDP

requirement component Act compliance

Data accuracy

Maintaining accuracy of Management and ADManager Plus, one of By providing tools for
data. Automated automation the components of AD360, managing and
processes reduce capabilities - provides management, automating user account
manual errors in data ADManager Plus reporting, automation, and creation and
management within workflow capabilities for modifications in Active
Active Directory. Active Directory. This Directory, AD360 can
includes ensuring accurate help maintain the
user information during accuracy of data stored
provisioning and updates. within these systems.
Also, the automated
processes help reduce
manual errors effectively.

www.manageengine.com/active-directory-360/ 13
Data security

Preventing data MFA ADSelfService Plus, Implementing MFA

breaches, ensuring -ADSelfService another AD360 significantly enhances
confidentiality and Plus component, offers MFA to security by adding an
integrity significantly secure access to critical extra layer of verification,
enhances security and resources and apps. This thus protecting data from
reduces the risk of includes various unauthorized access, a
unauthorized access to authenticators and key requirement of the
data. adaptive MFA based on DPDP Act. Adaptive MFA
context. further strengthens
security based on risk
factors.

Preventing Role-Based AD360 provides RBAC, RBAC helps limit access to

unauthorized access, Access Control allowing non-admin users data to only those with a
ensuring confidentiality (RBAC) to perform IT tasks with legitimate need,
and integrity. Limits help desk delegation and minimizing the risk of
data access based on custom roles. Granular unauthorized disclosure or
necessity, minimizing delegation based on OUs, breaches, which aligns
the risk of unauthorized groups, etc., ensures with the DPDP Act's
disclosure. controlled access. emphasis on data security
and confidentiality.

Preventing data Real-time ADAudit Plus, an AD360 Continuous monitoring

breaches, detecting auditing and component, performs and alerting capabilities
security incidents. alerting - real-time change auditing help in the early detection
Continuous monitoring ADAudit Plus and alerting for Active of security incidents and
helps in timely Directory. This includes unauthorized access
intervention against monitoring user activities attempts that could lead
unauthorized access and detecting suspicious to personal data breaches,
attempts that could lead logons and file access. allowing for timely
to data breaches. intervention as mandated
by the DPDP Act.

Accountability

Demonstrating Comprehensive AD360 integrates reporting Maintaining detailed audit

accountability, audit reports - from components like logs of activities related
facilitating audit trails. ADAudit Plus, ADAudit Plus, Exchange to data processing across
Maintaining logs of data Exchange Reporter Plus, and M365 various systems helps
processing activities Reporter Plus, Manager Plus. These organizations
provides evidence of M365 Manager provide detailed audit demonstrate
security measures and Plus reports on Active Directory, accountability, a key
data handling practices. Exchange, and Microsoft principle of the DPDP Act.
365 activities that includes These reports can be used
user management actions for investigations and
like creation, deletion, compliance audits.
password resets, and
permission changes, along
with details on who did
what, when, and from
where.

www.manageengine.com/active-directory-360/ 14
Leveraging ManageEngine Log360 for
DPDP Act compliance

ManageEngine Log360 is a unified security information and event management (SIEM) solution that
integrates data loss prevention (DLP) and cloud access security broker (CASB) capabilities. Its primary
function is to help organizations proactively detect, prioritize, investigate, and respond to security threats
while also aiding in meeting compliance requirements like the DPDP Act.

Here's an overview of Log360’s key features and how it helps you comply with the DPDP Act:

DPDP Act Feature/ Description How it addresses DPDP

requirement component Act compliance

Accountability

Accountability of Data SIEM - Enables the collection, Provides a central

Fiduciaries maintaining Centralized log parsing, analysis, storage, repository of
audit trails for management and searching of log data security-related data for
demonstrating from diverse sources across audit trails and
compliance and the IT infrastructure, investigation of potential
investigating incidents, including network devices, breaches. Helps in
aiding in understanding servers, applications, and demonstrating
the purpose of processing cloud platforms. accountability.
and data collected.

Facilitates demonstrating Compliance - Offers 30+ prebuilt audit Aids in demonstrating

accountability and Comprehensive templates for popular compliance with data
adherence to the DPDP compliance mandates and regulatory protection regulations by
Act by providing reporting standards including those providing evidence of
audit-ready reports on related to data security security measures and
security measures and (e.g., ISO 27001, PCI DSS). data handling practices.
data processing activities. For optimal fine-tuning to
meet organization specific
reporting and new
regulations, the core
modules can be tailored
and custom compliance
reports can be constructed
through customization
wizard, which includes
correlation rule building,
report generation, alert
criteria mapping, anomaly
modeling, and audit report
generation.

www.manageengine.com/active-directory-360/ 15
Directly supports the Audit a Maintains comprehensive Essential for
accountability of Data accountability - audit trails of data access demonstrating
Fiduciaries by maintaining Detailed audit and processing activities accountability for the
a historical record of data trails across the IT infrastructure, processing of personal
access and processing, including Active Directory, data and for investigating
crucial for audits and network devices, potential security
investigations. applications, and cloud incidents or breaches.
platforms. Provides a
historical record of actions
taken within the system.

Data security

Preventing data breaches, Integrated DLP Identifies unusual file or Aids in the early detection
ensuring data security, data accesses, cut down of potential data
upholding the integrity malicious communication breaches and
and confidentiality of to command and control unauthorized access to
personal data, and (C&C) servers, and prevent data, aligning with the
facilitating timely action data from being exfiltrated. principle of integrity and
upon suspicious activity confidentiality.
that could lead to a breach.

Enhancing data security SIEM - Advanced Leverages threat Improves the ability to
by leveraging threat threat analytics intelligence feeds and dark detect and prevent
intelligence to prevent web monitoring to security incidents that
breaches and enhance the accuracy of could compromise
unauthorized access to threat detection by personal data.
personal data. providing up-to-date
information on known
malicious entities and
emerging threats.

Ensuring data security, Integrated DLP Helps to discover, classify, Directly contributes to the
maintaining the integrity and protect sensitive data, integrity and
and confidentiality of including personal data, confidentiality of
personal data, and within the network to personal data by
preventing unauthorized prevent unauthorized preventing data leakage
disclosure. access and exfiltration. and unauthorized
Includes features for data handling.
discovery, classification,
and monitoring.

Securing personal data in Integrated CASB Provides security Extends security controls
cloud environments, monitoring and and visibility to cloud
ensuring data security governance for cloud resources where personal
and preventing environments, ensuring data might reside.
unauthorized access in that personal data stored
line with the obligations of and processed in the cloud
Data Fiduciaries. is protected and compliant
with security policies.

www.manageengine.com/active-directory-360/ 16
Data breach

Efficiently identifying and Attack detection It integrates: 1) Provides end-to-end

responding to potential - Comprehensive Multi-layered threat protection of data by
breaches, contributing to threat detection detection (i.e., rule-based preventing breaches,
the duty to prevent data and data correlation, ML-driven ensuring security via
breaches by reducing protection UEBA, and MITRE ATT&CK continuous monitoring of
noise and highlighting framework integration); 2) data access and
genuine threats. Data protection; 3) modifications, and
Compliance management; maintaining integrity
4) Incident response. It through file tracking and
covers on-premises, cloud, change alerts.
and hybrid environments
with features like shadow IT
monitoring, web content
filtering, and remote
workforce security.

Detecting insider threats SIEM - UEBA Uses ML to establish Helps in detecting unusual
and compromised baselines of normal activity activities that could signal
accounts, contributing to for users and entities, and a personal data breach or
the duty to prevent data then identifies anomalous unauthorized access.
breaches and ensure data behavior that could
security. indicate a security threat,
insider risk, or
compromised accounts.

Efficient incident Security Automates incident Facilitates a faster and

response to potential data Orchestration, management workflows, more efficient response
breaches, aiding in Automation, and streamlining the process of to potential personal data
fulfilling the duty to Response alert resolution, threat breaches, which is crucial
report data breaches to (SOAR) neutralization, and for meeting notification
the DPB and affected Data response to security requirements.
Principals in a timely incidents.
manner.

Maintaining the accuracy DLP - Monitors critical files for Helps maintain the
and integrity of personal File integrity any unauthorized changes, integrity of personal data
data, detecting monitoring alerting administrators to by detecting
unauthorized changes, potential tampering with unauthorized
which aligns with the data, including personal modifications and
duties of Data Fiduciaries. data. preserving confidentiality
with content-aware DLP
and exfiltration
prevention.

www.manageengine.com/active-directory-360/ 17
Enables timely reporting Incident handling Provides timely alerts when Facilitates a rapid
of data breaches by - Real-time alerts suspicious activities or response to potential
providing early warnings and notifications potential security incidents personal data breaches,
of suspicious activities, are detected, enabling which is critical for
crucial for meeting security teams to respond minimizing impact and
regulatory requirements quickly. meeting notification
for notification. timelines.

Assists in fulfilling the Incident handling Offers a centralized Supports the process of
duty to report data - Incident platform for managing, investigating and
breaches by providing a management tracking, and documenting documenting personal
centralized platform for console security incidents, data breaches, which is
managing incidents and including data breaches. necessary for notification
documenting the to the DPB and affected
necessary details for Data Principals.
reporting.

Contributes to the duty to Audit and Provides a centralized view Helps in the rapid
prevent data breaches by accountability - of key security events and identification of
providing a centralized Activity activities, allowing potentially malicious
view of security events, dashboard administrators to quickly activities that could lead
enabling quicker identify any suspicious or to a data breach.
detection of threats and unauthorized actions.
unauthorized actions.

www.manageengine.com/active-directory-360/ 18
Conclusion and recommendations

Compliance with the DPDP Act is not merely a legal obligation but a fundamental aspect of building trust
and ensuring the responsible handling of personal data in India. ManageEngine AD360 and Log360 offer
significant value to organizations striving to meet the requirements of this Act.

AD360 strengthens identity and access controls, enforces security policies, and maintains crucial audit
trails, addressing key principles like integrity and confidentiality. Log360 provides real-time security
monitoring, advanced threat detection, robust data breach identification and notification capabilities,
comprehensive audit logging, and integrated data loss prevention, further bolstering an organization's
security posture and compliance efforts.

To effectively leverage these solutions for DPDP Act compliance, organizations should:

Conduct a thorough assessment of their data processing activities to fully understand the scope
and applicability of the DPDP Act.

Implement a comprehensive data inventory and mapping exercise to identify all personal data
being processed.

Utilize AD360 to implement strong MFA, enforce RBAC, and regularly review audit logs to ensure
only authorized personnel have access to personal data.

Deploy Log360 to continuously monitor their IT environment for security threats, detect potential
data breaches, and establish clear procedures for reporting and responding to incidents in a timely
manner.

Stay informed about any further rules, regulations, and guidelines issued by the Indian government
and the DPB to adapt their compliance strategies accordingly.

Invest in comprehensive employee training programs to raise awareness about the DPDP Act and
ensure that all personnel understand their roles and responsibilities in protecting personal data.

Consider seeking expert legal and data privacy advice to ensure a holistic and compliant approach
to the DPDP Act.

By strategically implementing and utilizing AD360 and Log360, organizations can significantly enhance
their ability to comply with the DPDP Act, safeguard the personal data of individuals, and build a culture
of privacy and security.

www.manageengine.com/active-directory-360/ 19
 Our Products
Log360 | ADManager Plus | ADAudit Plus | ADSelfService Plus
Exchange Reporter Plus | RecoveryManager Plus

About AD360
ManageEngine AD360 is a unified identity platform that seamlessly connects people,
technology and experiences while giving enterprises full visibility and control over their
identity infrastructure. It offers automated life cycle management; secure SSO; adaptive
MFA; and risk-based governance, auditing, compliance and identity analytics—all from a
single, intuitive console. With extensive out-of-the-box integrations and support for custom
connectors, AD360 easily integrates into existing IT ecosystems to enhance security and
streamline identity operations. Trusted by leading enterprises across healthcare, finance,
education, and government, AD360 simplifies identity management, fortifies security and
ensures compliance with evolving regulatory standards.

For more information, please visit www.manageengine.com/active-directory-360/.

Get Quote Download

Our Products
AD360 | ADAudit Plus | EventLog Analyzer | DataSecurity Plus
Exchange Reporter Plus | M365 Manager Plus

About Log360
Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects,
prioritizes, investigates and responds to security threats. Vigil IQ, the solution's TDIR module,
combines threat intelligence, an analytical Incident Workbench, ML-based anomaly
detection and rule-based attack detection techniques to detect sophisticated attacks, and it
offers an incident management console for effectively remediating detected threats.
Log360 provides holistic security visibility across on-premises, cloud and hybrid networks
with its intuitive and advanced security analytics and monitoring capabilities.

For more information about Log360, visit manageengine.com/log-management/ and follow

the LinkedIn page for regular updates.

Get Quote Download