MICROSOFT PURVIEW · DPDP ACT · INDIA · COMPLIANCE

Microsoft Purview for DPDP Compliance — Sensitivity Labels, DLP, Insider Risk

DPDP Act 2023 Section 8 turns "reasonable safeguards" into a Data Protection Board-supervised obligation with up to ₹250 crore penalty per failure. Microsoft Purview is the operational layer that enforces and evidences those safeguards across M365 + Azure + SaaS. Ogma runs the 30-day activation plan + delivers the audit evidence your DPO needs.

Free 7-Day DPDP Readiness Assessment
₹250 cr
DPDP max penalty
30 Days
Purview activation
E5 Bundled
Information Protection P2
Native
M365 + Azure integration

DPDP Section 8 → Purview Reference card

DPDP Sec 8(4) — Accuracy
Records Management + retention policies + audit log. Purview tracks data lineage + maintains last-modified attribution.
DPDP Sec 8(5) — Safeguards
Information Protection (sensitivity labels) + DLP (endpoint + email + cloud) + Defender XDR integration. Auto-labelling drives PII coverage.
DPDP Sec 8(6) — Breach notification
Purview incident timeline + forensic export + Communication Compliance. Provides evidence pack for Board notification within statutory window.
DPDP Sec 8(7) — Erasure
Retention policies + auto-deletion on consent withdrawal + legal hold. Auditable retention attainment evidence via Compliance Manager.
DPDP Sec 9 — Processing
Sensitivity label policies + DLP rules with allow/block actions. Cross-border transfer flags via Defender for Cloud Apps + sensitivity labels.
DPO + grievance redressal
Compliance Manager scoring + Communication Compliance audit logs. eDiscovery Premium for Data Principal access / erasure requests.
Indian PII detection
Microsoft pre-built India PII detectors: PAN, Aadhaar, Voter ID, Passport, IFSC, account numbers. ML-based classifiers extend to custom data types.
Commercial via Ogma
M365 E5 / Compliance E5 + Purview licence under Ogma's Microsoft CSP. INR + GST, single PO covers licence + 30-day activation + DPO-aligned governance.

The Purview Capabilities Your DPO Will Want

Each capability produces auditable evidence your Compliance Manager dashboard surfaces monthly.

Sensitivity Labels + Auto-Labelling

5-label taxonomy (Public / Internal / Confidential / Restricted-PII / Restricted-PII-Financial). Auto-labelling rules driven by Indian PII detectors + ML classifiers. Rolls out across Office + SharePoint + OneDrive.

DLP — Endpoint + Email + Cloud

Block external sharing of Restricted-PII at endpoint, email gateway, cloud apps. Microsoft pre-built India PII detector covers PAN, Aadhaar, Voter ID, Passport, account numbers.

Insider Risk Management

Detect data downloads at scale before resignation, anomalous SharePoint access, sensitivity-label downgrades. Anonymised-investigation-mode by default with DPO governance for de-anonymisation.

Records Management + Retention

Retention policies aligned to DPDP Sec 8(7) erasure obligations. Auto-delete on consent withdrawal trigger + legal hold support. Compliance Manager tracks attainment monthly.

eDiscovery Premium + DSARs

Data Principal access + erasure requests (DSARs) executed via eDiscovery Premium — hours not days. Cross-tenant search + legal hold + production reports.

Compliance Manager Dashboard

DPDP + RBI + SEBI + ISO 27001 control attainment tracked monthly. Auditable evidence pack export. Privacy-impact-assessment templates included.

Why Choose Ogma for Purview + DPDP Rollout?

Microsoft CSP Partner

Purview + M365 E5 / Compliance E5 licensing under Ogma's Microsoft CSP — INR + GST, single PO covers licence + 30-day activation + DPO-aligned governance.

DPO-Co-Owned Programme

Purview rollout owned with your DPO + legal team as governance authority — not Security-side-project. Sensitivity-label taxonomy + retention policies + Insider Risk escalation governance signed off by Compliance leadership.

Audit-Evidence Pack

30-day deliverable: data classification report, DLP policy-violation log, Insider Risk trend, retention compliance dashboard, cross-border transfer log, DSAR readiness — DPO + auditor ready.

The 30-Day Purview Activation Plan

1
Week 1 — Sensitivity Labels

5-label taxonomy defined with DPO + business classification input. Auto-labelling rules driven by Indian PII sensitive-info types (PAN, Aadhaar) + ML classifiers. Roll out across Office + SharePoint + OneDrive.

2
Week 2 — DLP for High-Risk PII

Endpoint + Email + Cloud Apps DLP for Restricted-PII categories. Monitor-mode for 7 days then enforce. Block external sharing of Restricted-PII; warn-on-internal-sharing; block USB download.

3
Week 3 — Insider Risk Baseline

Detect data downloads at scale, anomalous SharePoint access, sensitivity-label downgrades. Anonymised-investigation-mode by default with DPO-supervised de-anonymisation governance documented.

4
Week 4 — Retention + Audit Evidence

Retention policies aligned to DPDP Sec 8(7) erasure obligations. eDiscovery Premium for DSARs. Compliance Manager dashboard tracking DPDP-control attainment monthly. Audit-evidence pack handover.

Purview + DPDP FAQ

Purview gives you the data discovery, classification, DLP, retention, and audit-trail tooling that DPDP Section 8 'reasonable safeguards' expects. Your DPO + legal team still own the data-fiduciary policy decisions. Purview is the operational layer that lets you enforce + evidence those decisions across M365 + Azure + SaaS.

Microsoft 365 E5 includes Purview Information Protection P2 + Insider Risk Management + DLP for endpoint + eDiscovery Premium. E3 tenants add Compliance E5 add-on to light up the full Purview stack.

Records Management + Retention policies enforce data-lifecycle rules at scale. Communication Compliance + Insider Risk surface policy violations. Consent records typically live in a CRM + integrate via Compliance Manager for audit-trail.

DPDP allows transfer to countries notified by the Central Government. Purview data-residency mapping + sensitivity labels flag or block cross-region movement based on classification. Defender for Cloud Apps + Conditional Access on the SaaS-side.

Purview detects + alerts on policy violations + data exfiltration patterns. The DPDP Board notification is a DPO decision — Purview's incident timeline + forensic export provide the evidence pack supporting that decision.

Configurable anonymised-investigation-mode by default. DPO oversight on de-anonymisation. Documented privacy-by-design vs blanket-monitoring approach.

For M365-anchored estates, Purview's native E5 integration + zero-deploy endpoint DLP + Defender XDR correlation are decisive. Third-party DLP wins on cross-platform legacy depth + specific regulated-industry policy templates. For 80%+ M365-anchored Indian enterprises, Purview is the right answer in 2026.

Week 1: sensitivity label taxonomy + auto-labelling. Week 2: DLP policy for high-risk PII. Week 3: Insider Risk + Communication Compliance baseline. Week 4: Records Management + retention policies + DPO-ready evidence pack.

Free 7-day DPDP readiness assessment

Ogma audits your current data-protection posture against DPDP Section 8, identifies the gaps, and returns a 30-day Purview activation plan with INR + GST quote tied to your tenant size.

Request the Readiness Assessment

Also see: Microsoft Purview India · Purview DSPM for AI · Purview for DPDP blog