Microsoft Purview for DPDP Act — what to enable on day 1
The DPDP Act 2023 and its Rules turn data protection from an internal-policy obligation into a compliance regime supervised by the Data Protection Board, with Schedule penalties of up to ₹250 crore per failure to maintain reasonable security safeguards. Microsoft Purview is the operational layer that enforces and evidences those safeguards across M365, Azure and SaaS. This post is the 30-day Purview activation playbook anchored on DPDP Section 8: what to enable, in what order, and the audit evidence each step produces.
▸ ₹250 cr (DPDP max penalty): Per instance of failing reasonable safeguards. Schedule, DPDP Act 2023.
▸ 30 days (Activation plan): Sensitivity labels → DLP → Insider Risk → Retention. Sequential.
▸ E5 bundled (Purview licensing): Information Protection P2 + DLP + Insider Risk + eDiscovery Premium in M365 E5.
▸ Native (M365 integration): No connectors, no engineering — Purview enforces inside the M365 boundary.
DPDP Section 8 — mapped to Purview features
| DPDP obligation | Purview feature |
|---|---|
| Sec 8(4) — Maintain accuracy + completeness of personal data | Records Management + retention policies + audit log |
| Sec 8(5) — Reasonable security safeguards | Information Protection (sensitivity labels) + DLP (endpoint + email + cloud) + Defender XDR |
| Sec 8(6) — Notify breach to Board + affected Data Principals | Purview incident timeline + forensic export + Communication Compliance |
| Sec 8(7) — Erase on consent withdrawal / retention expiry | Retention policies + auto-deletion + audit trail |
| Sec 8(8) — DPO accountability + grievance redressal | Compliance Manager + Communication Compliance audit logs |
| Sec 9 — Reasonable purpose + processing restrictions | Sensitivity label policies + DLP rules with allow/block actions |
| Cross-border transfer (Sec 16 + Rules) | Data residency labels + Defender for Cloud Apps + Conditional Access |
The 30-day Purview activation plan
Days 1-7 — Sensitivity label taxonomy + auto-labelling
Define labels: Public / Internal / Confidential / Restricted-PII / Restricted-PII-Financial. Auto-labelling rules driven by sensitive-info types (PAN, Aadhaar, account numbers) + ML-based classifiers. Roll out to Word / Excel / PowerPoint / Outlook + SharePoint / OneDrive.
Days 8-14 — DLP for the high-risk PII categories
Endpoint DLP, Email DLP (Exchange + Defender for O365), Cloud Apps DLP for sanctioned SaaS. Policy: block external sharing of Restricted-PII; warn-on-internal-sharing; block download to USB. Microsoft's pre-built India PII detector covers PAN, Aadhaar, Voter ID, Passport.
Days 15-21 — Insider Risk Management baseline
Detect: data downloads at scale before resignation, anomalous SharePoint access, sensitivity-label downgrades. Privacy-preserving by default (anonymised investigation mode until escalation). Aligns with DPDP Sec 8(5) reasonable safeguards.
Days 22-30 — Retention + eDiscovery + audit evidence
Retention policies aligned to DPDP Sec 8(7) — auto-delete on consent withdrawal trigger, retain on legal hold. eDiscovery Premium for Data Principal access requests (DSARs). Compliance Manager dashboard tracks DPDP-control attainment monthly.
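As an added illustration (not Microsoft's or Ogma's code, and not how Purview implements its detectors), here is a simplified Python model of the Days 1-7 auto-labelling decision and the Days 8-14 DLP decision using this page's label names. The PAN and Aadhaar matchers approximate the built-in India sensitive-info types, the label thresholds and the monitor/enforce behaviour are assumptions, and the sample document is constructed.

```python
import re

# Verhoeff multiplication/permutation tables. Aadhaar's 12th digit is a Verhoeff
# check digit, so a random 12-digit number should not trigger the detector.
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],
      [3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],
      [6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],
      [9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],
      [8,9,1,6,0,4,3,5,2,7],[9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],
      [2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]

def verhoeff_ok(digits: str) -> bool:
    """True when the whole digit string (check digit included) passes Verhoeff."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0

# PAN: 5 letters, 4 digits, 1 letter; the 4th letter is the holder type (P person,
# C company, H HUF, F firm, A/B/G/J/L/T other), so "ABCDE1234F" does not match.
PAN_RE = re.compile(r"\b[A-Z]{3}[ABCFGHJLPT][A-Z]\d{4}[A-Z]\b")
AADHAAR_RE = re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b")

def find_india_pii(text: str) -> dict:
    """Count hits per sensitive-info type (a simplified stand-in for the SITs)."""
    aadhaars = [m for m in AADHAAR_RE.findall(text)
                if verhoeff_ok(re.sub(r"[ -]", "", m))]
    return {"PAN": len(PAN_RE.findall(text)), "Aadhaar": len(aadhaars)}

def auto_label(text: str) -> str:
    """Assumed Days 1-7 rule: any PAN/Aadhaar -> Restricted-PII; PAN plus banking terms -> -Financial."""
    hits = find_india_pii(text)
    if hits["PAN"] + hits["Aadhaar"] == 0:
        return "Internal"
    if hits["PAN"] and re.search(r"\b(salary|IFSC|bank|account)\b", text, re.I):
        return "Restricted-PII-Financial"
    return "Restricted-PII"

def dlp_decision(label: str, recipient_domain: str, org_domain: str, mode: str) -> str:
    """Assumed Days 8-14 rule: Restricted-PII* external = block (enforce) or audit-only (monitor); internal = warn."""
    if not label.startswith("Restricted-PII"):
        return "allow"
    if recipient_domain.lower() != org_domain.lower():
        return "block" if mode == "enforce" else "audit-only"
    return "warn"

# Constructed sample: a real-format PAN, an Aadhaar with a valid check digit, and
# a 12-digit reference number that fails the checksum (must not count as a hit).
SAMPLE_DOC = ("Payroll: ABCPD1234E, salary credited. Aadhaar 2345 6789 0124 on file; "
              "order ref 234567890123 is not an ID.")
```

Running the classifier in monitor mode first, as the pitfalls table recommends, lets you review which documents would have been blocked before any user sees an enforcement.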
What you can show your DPO + auditor on day 30
▸ Data classification report
How many documents carry each sensitivity label, by department + workspace. Auditable evidence of "reasonable safeguards" execution.
▸ DLP policy-violation log
Every attempt to send Restricted-PII externally — blocked, logged, available for Compliance Manager scoring.
▸ Insider Risk indicators
Trend of anomalous data access events; investigation-ready cases; remediated incidents.
▸ Retention compliance dashboard
Data eligible for deletion (consent withdrawn / retention expired) — execution status.
▸ Cross-border transfer log
Restricted-PII movement events surfaced via Defender for Cloud Apps + sensitivity labels.
▸ DSAR readiness
eDiscovery Premium runs Data Principal access / erasure requests in hours, not days.
Common pitfalls + mitigations
| Pitfall | Mitigation |
|---|---|
| Sensitivity-label sprawl (15+ labels confuse users) | 5-label taxonomy max; consistent across business units |
| DLP false-positive fatigue (employees override every block) | Tune in monitor-mode for 2 weeks before enforce; per-policy false-positive review |
| Insider Risk privacy concerns | Configure anonymised investigation mode by default; DPO oversight on de-anonymisation |
| Retention policies conflict with backup tooling | Coordinate with backup team (Veeam / Druva) — Purview retention is source-of-truth for legal hold |
| "We installed Purview but no one uses it" | Phase rollout team-by-team with training; track adoption via Compliance Manager |
FAQ
Does Microsoft Purview by itself satisfy DPDP compliance?
What's the minimum Purview SKU to start DPDP compliance work?
How does Purview handle the 'reasonable purpose' and 'consent' requirements?
What about cross-border data transfer restrictions under DPDP?
Does Purview surface breach notifications automatically?
Insider Risk Management — what does it cost?
How does Purview compare to Symantec / Forcepoint / Proofpoint DLP?
What's the 30-day Purview activation plan?
Free Purview DPDP readiness assessment
Map your current data-protection posture to DPDP Section 8 in 7 working days
Ogma audits your M365 / Azure / SaaS estate, identifies DPDP gaps, and returns a 30-day Purview activation plan sized to your tenant. INR + GST quote for licences + implementation. No commitment to roll forward.
Request the readiness assessment or explore the Microsoft Purview landing page.
Related: Purview DSPM for AI · Sentinel for India compliance · Microsoft Purview landing