The compliance events you're already missing

Ayush Joshi, 9 April 2026
Tags: DPDP, consent, data breach, processors, SaaS

Most DPDP obligations are triggered by everyday events you've never thought of as 'compliance' — an unsubscribe, a vendor, a quiet breach. They start a clock whether you noticed or not.

The dangerous thing about DPDP isn't the obligations you know about. It's the ones you don't — the everyday events happening inside tools you already use that quietly trigger legal duties, start a clock, and pass completely unnoticed until they become a problem.

If you run a SaaS or a digital-first business, this is the part that should make you sit up. Because your business is generating these events right now, and almost nobody is catching them.

A customer hits "unsubscribe"

To you, this is an email-marketing setting. Someone clicked the unsubscribe link; your mailing tool removes them from the list. Done.

Under DPDP, that same click is a withdrawal of consent — and withdrawal of consent has consequences. If consent was the basis on which you were holding or using that person's data, withdrawing it changes what you're now allowed to do. It can trigger obligations across every system that held them, not just your email tool.

Most businesses never register an unsubscribe as a compliance event at all. The email platform handles the mechanic; the legal consequence goes unrecorded. That's a gap — and gaps are where failures live.

A vendor holds your customers' data

Your CRM. Your payment gateway. Your support desk. Your analytics. Each of these holds your customers' personal data and processes it on your behalf. In DPDP terms, they're Processors, and you — the Data Fiduciary — remain responsible for what happens to that data inside them.

This matters the moment a customer exercises a right. When someone asks you to delete their data, "delete" doesn't mean only your database. It means everywhere that data lives, including your vendors. If you can't account for which vendors hold what, you can't actually fulfil the obligation — and you won't know you've failed until someone checks.

For a SaaS business with a dozen integrated tools, this is a real, live exposure. Every integration is another place your customers' data sits, and another place your obligations reach.

A breach happens — and the clock starts before you notice

A misconfigured storage bucket. A leaked export. A laptop with a saved login, left in a cab. Breaches rarely announce themselves.

DPDP creates obligations to notify when a personal-data breach occurs — and depending on the circumstances and your sector, the reporting windows can be extremely tight. The critical, counterintuitive part: the clock can start from the moment you become aware, not from when you've finished investigating. By the time you've figured out what happened, a chunk of your reporting window may already be gone.

A business with no detection, no process, and no clock running is a business that will miss the window — and a missed breach notification is its own reportable failure, on top of the breach itself.

The common thread: these events don't wait for you

Look at the three together. An unsubscribe, a vendor holding data, a quiet breach — each one creates an obligation the instant it happens, whether or not you noticed, whether or not you have a process, whether or not it was a busy week.

That's the structural problem with treating compliance as a document you write once. A privacy policy sitting in a drawer doesn't catch the unsubscribe that came in this morning. It doesn't know which vendor holds the customer who just asked to be deleted. It can't start a breach clock. Real compliance isn't a document — it's a system that notices.

What "noticing" actually requires

To not miss these events, you need three things working continuously: a clear map of what data you hold and where (including across vendors), a way to capture the events as they happen, and a way to turn each event into a concrete obligation with a deadline you can act on.
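
The three pieces above (a data map, event capture, and an obligation with a deadline) fit together as in this added Python example, which is an illustration written for this article and not Pramaan's code. The system names, customer IDs and time windows are constructed placeholders, not legal deadlines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed data map: which system holds which customer (sample data only).
DATA_MAP = {
    "app_db":       {"processor": False, "subjects": {"cust-1", "cust-2"}},
    "email_tool":   {"processor": True,  "subjects": {"cust-1", "cust-2"}},
    "crm":          {"processor": True,  "subjects": {"cust-1"}},
    "support_desk": {"processor": True,  "subjects": {"cust-2"}},
}

# Placeholder windows: assumptions for the example, to be set from legal advice.
WINDOWS = {
    "consent_withdrawn": timedelta(days=7),
    "erasure_request":   timedelta(days=30),
    "breach_aware":      timedelta(hours=72),
}

@dataclass
class Obligation:
    event: str
    system: str
    processor: bool   # True means the action needs a request to a vendor
    subject: str
    due: datetime
    done: bool = False

def obligations_for(event, at, subject=None, system=None, data_map=DATA_MAP):
    """Turn one captured event into per-system obligations with a deadline.

    `at` is when the event happened; for a breach, when you became aware of it.
    """
    if event not in WINDOWS:
        # An unmapped event is an error, so nothing is dropped silently.
        raise ValueError(f"unmapped event type: {event}")
    due = at + WINDOWS[event]
    if event == "breach_aware":
        # Everyone held in the affected system is in scope.
        entry = data_map[system]
        return [Obligation(event, system, entry["processor"], s, due)
                for s in sorted(entry["subjects"])]
    # Consent withdrawal or erasure reaches every system holding the person.
    return [Obligation(event, name, entry["processor"], subject, due)
            for name, entry in sorted(data_map.items())
            if subject in entry["subjects"]]

def overdue(obligations, now):
    """Open obligations whose deadline has passed."""
    return [o for o in obligations if not o.done and now > o.due]
```
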

That's precisely what we built Pramaan to do. It captures the events you'd otherwise miss — the unsubscribe, the deletion request, the breach — logs each as an obligation with its clock, and tells you exactly what's required. We never reach into your systems to act for you; we make sure nothing slips through and you always know where you stand.

This article is general information, not legal advice. Specific obligations and timelines depend on your circumstances and sector. To see where your business is exposed, book a free compliance review.
