Case 06 · DPDP Exposure

“Our candidate database was on a partner's personal Gmail.”

Hyderabad IP boutique · 11 lawyers · 7 years

Up to ₹250 crore · Statutory DPDP exposure per breach (the Act sets fixed rupee ceilings, not a percentage of turnover)
06 / 08 · Composite Indian law-firm case

What broke

During a routine internal audit the firm found that candidate CVs going back five years sat in one partner's personal Gmail, employees' Aadhaar copies were on a shared drive that interns could read, opposing-party contact data was spread across three different Excel files, and there was no breach reporting protocol. No regulator had caught any of this, yet. With the DPDP Act 2023 brought into operation by the Rules notified on 13 November 2025 and its substantive obligations (consent notices, security safeguards, breach reporting) enforceable from May 2027, the runway is short.

Why it broke

The DPDP Act makes any organisation that determines the purpose and means of processing personal data a Data Fiduciary. Law firms qualify by default, and most have not yet registered the fact. Penalties go up to ₹250 crore for each failure to take reasonable security safeguards to prevent a personal data breach, and failure to notify the Data Protection Board and the affected Data Principals of a breach can attract up to ₹200 crore. This firm had no Data Protection Officer (mandatory only for Significant Data Fiduciaries, but every Data Fiduciary must still publish a contact person for data-protection queries), no consent framework, no breach response runbook, and no audit log of who accessed which personal data.

How CTD would have caught this

  • DPDP readiness audit: inventory of personal data, where it lives, who can access it, and why
  • Consent framework for candidate, employee, client, prospect data
  • Breach response runbook with named owners: immediate intimation to affected Data Principals and the Board, detailed report within 72 hours
  • DPO role assignment (in-house or fractional), or at minimum the published data-protection contact person the Act requires of every Data Fiduciary
  • Data Protection Impact Assessment templates for high-risk processing
  • All HR & BD pipelines built DPDP-aligned from day one of CTD engagement
Tags: Compliance · DPDP 2023 · Ops