Published on October 23, 2025
Even before the Digital Personal Data Protection Act (DPDPA), 2023, was formally enacted and its Rules notified, Tata Motors had begun strengthening its privacy governance and data protection framework. Earlier governed by the IT Act 2000 and ISO 27001–aligned controls, the company recognised that the evolving digital ecosystem and growing customer expectations demanded a shift from a compliance-based data security approach to a comprehensive data privacy framework. This transition aimed to ensure readiness for the DPDPA and alignment with global standards such as the GDPR.
Identifying Gaps and Setting Priorities
The absence of a unified, end-to-end data privacy framework presented several challenges:
- Data discovery and classification were not consistently managed across all business applications.
- Awareness of privacy obligations varied across functions.
- Consent, notice, and data principal rights management processes were still maturing.
- Monitoring, reporting, and breach management tools were not yet automated.
To address these gaps, Tata Motors established a cross-functional task force in early 2024, led by the IT Security and Compliance teams, to assess privacy maturity and prepare for upcoming legislative changes. The company launched a DPDPA Preparedness Programme focused on identifying, assessing, and operationalising key components of data privacy—well ahead of the notification of the Act’s Rules. Nine critical focus areas were identified to ensure comprehensive readiness:
- Data Privacy Assessment – evaluating current privacy controls and identifying gaps.
- Data Discovery & Encryption – mapping personal data across systems and encrypting critical fields.
- Training & Awareness – developing enterprise-wide privacy learning modules.
- Consent & Notice Management – standardising templates and processes for user consent.
- Data Principal Rights Management – establishing mechanisms for data access, correction, and deletion.
- Third-Party Risk Management – reviewing vendor contracts and controls for compliance readiness.
- Breach Management – defining escalation, notification, and incident management procedures.
- Tools & Automation – exploring privacy automation and monitoring solutions.
- Data Protection Office Setup – establishing a governance office for oversight and coordination.
Leveraging Group Collaboration
Throughout this journey, the Tata Group Privacy Forum proved to be an invaluable resource for Tata Motors’ data privacy and DPDPA compliance efforts. The Tata Group Privacy Forum and Data Privacy Summits were instrumental in shaping the company’s DPDPA compliance roadmap. Through sessions led by Abha Tiwari, Data Privacy Officer, Air India; Rajesh Ranjan, Data Protection Officer, Titan; Aparna Pathak, Global Privacy Specialist, Tata Consultancy Services; Sujatha Sree GS, Data Privacy Specialist, Tata Consultancy Services; Seshadri Manivannan, SVP, Tata Play; and Sanjay Pai, VP-IT, Tata AIG, Tata Motors gained valuable insights on privacy principles, data discovery, consent management, contractual governance, and AI privacy considerations.
The discussions and case studies enabled Tata Motors to benchmark its practices and adopt best-in-class frameworks from other Tata companies. These learnings directly influenced the company’s Nine-Pillar Privacy programme, Awareness Module, and PII Data Encryption initiatives. Most importantly, the Forum fostered cross-company collaboration, helping Tata Motors align with a unified Tata group DPDPA strategy and accelerate its compliance readiness.
Key Initiatives Completed Ahead of Time
- DPDPA Awareness Module: A structured, interactive learning module on DPDPA and privacy principles was developed and rolled out for all employees. Completion of this training was made mandatory to instil a culture of data protection across the workforce.
- PII Data Security Enhancement: Security controls were strengthened for Personally Identifiable Information (PII) across 166+ critical applications, ensuring encryption and access restrictions for sensitive data fields.
- DPDPA Assessments for Customer-Facing Applications: Privacy and compliance assessments were conducted on select customer-facing applications to identify gaps, assess risks, and define a remediation roadmap.
- Requirement Analysis for Privacy Tools: A detailed Request for Information (RFI) was created to evaluate technology solutions supporting consent management, data rights automation, and breach reporting.
This proactive approach ensured that the organisation was well-prepared to transition into the DPDPA regime with minimal disruption and maximum governance maturity.
Business Benefits and KPI Impact
- Enhanced Regulatory Readiness: DPDPA-aligned framework established well before the Rules were published.
- Improved Data Security: Encryption applied across 166+ applications protecting critical personal data fields.
- Workforce Awareness: 100% of employees trained on data privacy and protection responsibilities.
- Operational Efficiency: Clear accountability structure under the Data Protection Office for managing privacy operations.
- Reduced Compliance Risk: Early identification of gaps helped avoid potential post-enactment remediation costs.
Participant Speaks
“We began our DPDPA readiness journey even before the Rules were formalised because data privacy is not just a compliance requirement — it’s a cornerstone of digital trust. By anticipating regulatory expectations, we ensured that our systems, people, and processes were ready to meet the new era of privacy governance head-on.
A special thanks to Rajesh Kannan, CDIO and Kishore Rawool, Head – Data Engineering, whose foresight and vision enabled us to initiate this journey well in advance, ensuring full alignment with the upcoming compliance framework and future regulatory expectations.
These interactions with Tata group companies provided critical insights that shaped our privacy strategy, enabling us to adopt best practices and avoid common pitfalls. Beyond learnings, the Forum also offered a platform for cross-verification and alignment, fostering a strong internal network across the Group. This collaborative engagement ensured that our DPDPA readiness initiatives are in sync with a common Tata group approach, strengthening our compliance framework and accelerating implementation.”
— Rahul Ramesh Mhaskar, Data Manager, Tata Technologies Limited