
Introduction
The rapid integration of the Internet of Things (“IoT”) into India’s manufacturing sector has transformed supply chain operations. IoT-enabled sensors, Radio-Frequency Identification (“RFID”) tags, and connected logistics systems now support real-time inventory management, predictive maintenance, and optimised delivery processes. This digital infrastructure has enhanced efficiency and competitiveness, but it has also introduced significant vulnerabilities relating to data security and privacy. Weak device-level protections, unencrypted transmissions, and inconsistent vendor security practices expose sensitive operational and personal data to cyberattacks.
From an Indian perspective, these risks assume paramount importance, especially considering that manufacturing accounts for roughly 15% of national GDP and that IoT adoption is being actively promoted under schemes such as Make in India. Recent cyberattacks on manufacturing firms have included instances in which the compromise of a single IoT endpoint brought production to a halt, exposed employees’ information, and caused heavy financial and reputational losses.
Against this backdrop, the coming into force of the Digital Personal Data Protection (“DPDP”) Act, 2023, and the expected notification of its Draft Rules in the near future, will usher in change. The DPDP framework lays down a holistic set of obligations for persons processing digital personal data, including data arising in IoT ecosystems within manufacturing supply chains. This means that explicit consent mechanisms, purpose limitation, robust data security measures, and breach notifications within a reasonable timeframe have to be built into compliance procedures. For manufacturing companies, aligning IoT operations with DPDP obligations is no longer optional but a legal and strategic compulsion.
IoT VULNERABILITIES AND BREACH LESSONS
IoT has been embraced by the manufacturing industry as a means of increasing productivity, but the rapid adoption has resulted in serious security flaws. Many sensors and gateways are deployed with outdated firmware, default passwords, or no secure boot features. These flaws make such devices easy entry points for attackers seeking access to the wider network. Once inside, intruders can move laterally and obtain sensitive data thanks to network-level vulnerabilities such as unencrypted data transmissions, inadequately segmented systems, or weak authentication protocols. In highly interconnected supply chains, even a single distributed denial-of-service (“DDoS”) attack can stop entire production lines.
Beyond internal operational risks lie those arising from third-party dependencies. Manufacturers operate with sprawling vendor ecosystems, and inconsistent security practices across suppliers create dangerous blind spots. An insecure API or a poorly configured gateway on a subcontractor’s side can expose proprietary designs, logistics data, or employee records. The issue is particularly grave in India, where low-cost IoT devices are widely deployed to minimise investment, and many of these lack even basic encryption or patch-management capabilities. The result is a supply chain that is efficient on paper yet fragile in practice.
Several recent breach reports confirm that these threats are real. According to industry surveys during 2024-25, IoT-related incidents continue to rise, with threat actors exploiting device misconfigurations and weak links among vendors. Global case studies highlight ransomware campaigns that stalled production for weeks, while Indian manufacturers have reported breaches exposing worker IDs, GPS tracking data, and vendor information. The consequences are consistent: downtime, loss of sensitive personal and business data, regulatory scrutiny under the DPDP Act, and reputational damage that can erode client trust.
For manufacturers, these patterns underline the urgency of treating IoT security not as a technical afterthought but as a primary operational safeguard.
DPDP COMPLIANCE LANDSCAPE FOR THE MANUFACTURING SECTOR
The DPDP Act, 2023, and the Draft DPDP Rules, 2025, together establish a compliance framework to which manufacturing companies must adhere when their IoT systems process digital personal data. The core obligations include seeking informed and specific consent (where required), abiding by the principles of purpose limitation and data minimisation, implementing “reasonable security safeguards”, and reporting breaches in a timely manner.
The DPDP Act, 2023, read with the Draft Rules, is expected to set tight breach-reporting timelines: companies must alert the Data Protection Board without delay and provide a detailed report within 72 hours. The Rules also identify “significant data fiduciaries”, who must undertake annual Data Protection Impact Assessments (“DPIAs”), audits, and extra due diligence on algorithmic risks and transfers. Cross-border transfers are permitted but subject to government-imposed restrictions and specified safeguards, so manufacturers with international vendors should validate transfer routes and contractual protections.
Finally, DPDP compliance for IoT intersects with security and incident rules, meaning device-level security and incident playbooks must be aligned with both data-protection and cybersecurity requirements.
PRACTICAL DATA PRIVACY SAFEGUARDS
Manufacturing organisations should treat privacy as an engineering requirement and operational metric. Start with privacy-by-design: conduct DPIAs to map where worker IDs, GPS traces or supplier contact data flow across sensors, gateways and cloud systems. The Draft Rules and industry guidance expect DPIAs, particularly for Significant Data Fiduciaries.
On the technical side, encrypt sensitive data at rest and in transit, establish strong key management, and rotate keys within a defined cryptoperiod. Implement least-privilege role-based access control and multi-factor authentication for all system and administrative accounts.
Network design should always assume compromise: segment IoT from corporate networks, micro-segment for critical assets, and apply zero-trust principles whereby each request is continuously verified. Continuous monitoring and automated vulnerability scanning shorten the mean time to detect.
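The segmentation and per-request verification described above can be expressed as a policy check that runs over observed flows, flagging any device that is seen outside its segment, presents a stale attestation, or attempts a path the allow-list does not cover (for example, a sensor VLAN reaching a corporate file share). The following is an added illustration, not code from the original article; the segment addressing plan, the allow-list, the device inventory, the 300-second attestation freshness window and the flow records are all constructed for the example.

```python
"""Segmentation and per-request (zero-trust) verification of IoT flows.

Added illustration, not code from the original article. Segments, policy
rules, inventory and flow records are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network segments (assumed addressing plan)
SEGMENTS = {
    "iot_sensors": ipaddress.ip_network("10.10.0.0/16"),
    "ot_gateways": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.50.0.0/16"),
    "telemetry_collector": ipaddress.ip_network("10.60.1.0/24"),
}

# Allow-list of (source segment, destination segment, destination port).
# Anything not listed is denied, so IoT devices never reach corporate directly.
ALLOW_RULES = {
    ("iot_sensors", "ot_gateways", 8883),         # MQTT over TLS to the plant gateway
    ("ot_gateways", "telemetry_collector", 443),  # gateway forwards telemetry
    ("corporate", "ot_gateways", 443),            # admin access to gateways (MFA upstream)
}

# Constructed device inventory: device identity -> segment it is expected in
INVENTORY = {
    "sensor-0417": "iot_sensors",
    "gw-plant-a-01": "ot_gateways",
    "ws-admin-22": "corporate",
}

MAX_ATTESTATION_AGE_S = 300  # assumed freshness window for device attestation


@dataclass
class Flow:
    device_id: str
    src: str
    dst: str
    dport: int
    attestation_age_s: int


def segment_of(addr: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is in no known segment."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def verify_flow(flow: Flow) -> Tuple[bool, str]:
    """Verify each request: identity, attestation freshness, placement, then policy."""
    expected_segment = INVENTORY.get(flow.device_id)
    if expected_segment is None:
        return False, "unknown device identity"
    if flow.attestation_age_s > MAX_ATTESTATION_AGE_S:
        return False, "stale device attestation"
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg != expected_segment:
        return False, f"device seen outside its segment ({src_seg})"
    if (src_seg, dst_seg, flow.dport) not in ALLOW_RULES:
        return False, f"no rule for {src_seg}->{dst_seg}:{flow.dport}"
    return True, "allowed"


def evaluate(flows: List[Flow]):
    """Return (device_id, allowed, reason) for every flow."""
    return [(f.device_id, *verify_flow(f)) for f in flows]


SAMPLE_FLOWS = [  # constructed flow records
    Flow("sensor-0417", "10.10.3.14", "10.20.0.5", 8883, 60),     # normal telemetry
    Flow("sensor-0417", "10.10.3.14", "10.50.2.9", 445, 60),      # sensor -> corporate share
    Flow("gw-plant-a-01", "10.20.0.5", "10.60.1.7", 443, 900),    # attestation too old
    Flow("ws-admin-22", "10.50.2.9", "10.20.0.5", 443, 30),       # admin to gateway
    Flow("unknown-9999", "10.10.7.7", "10.20.0.5", 8883, 10),     # not in inventory
    Flow("sensor-0417", "10.50.9.9", "10.20.0.5", 8883, 10),      # sensor identity seen in corporate
]

if __name__ == "__main__":
    for device, ok, reason in evaluate(SAMPLE_FLOWS):
        print(f"{'ALLOW' if ok else 'DENY '} {device:14} {reason}")
```

Running the block prints one verdict per flow; only the normal telemetry flow and the admin-to-gateway flow are allowed. The ordering of checks is deliberate: identity and attestation are verified before the allow-list is consulted, so a known-good path cannot be used by an unknown or un-attested device.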
Vendor and supply-chain controls must also be in place. Manufacturers should assess supplier security practices carefully and thoroughly during onboarding, verify that devices support secure update and verified boot mechanisms, and ensure that patch-management processes are clearly defined. Contracts should explicitly require timely breach reporting and permit periodic security audits to ensure supply-chain accountability.
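What a “secure update” mechanism has to check on the device side is concrete: the update manifest must be authenticated before any of its fields are trusted, the image must match the hash in the manifest, the manifest must be for this device model, and the version must not go backwards (anti-rollback). The block below is an added illustration, not code from the original article or from any vendor. It uses HMAC-SHA256 with a constructed shared key as a stand-in for the public-key signature a real secure-update scheme would use, so that the gating logic runs with the Python standard library alone; the device model name, firmware images, version numbers and manifest layout are all constructed.

```python
"""Verified-update gate for an IoT gateway: authenticity, integrity, anti-rollback.

Added illustration, not code from the original article or any vendor.
HMAC-SHA256 with a shared key stands in for the vendor's public-key signature
so the example runs with the standard library only; keys, manifests and
firmware images are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

VENDOR_KEY = b"constructed-vendor-key-not-real"  # constructed; a real device holds a public key
DEVICE_MODEL = "gw-plant-a"                        # constructed model identifier
MANIFEST_FIELDS = ("model", "version", "sha256")


def canonical(manifest: Dict) -> bytes:
    """Stable byte encoding so producer and verifier authenticate identical bytes."""
    return json.dumps({k: manifest[k] for k in MANIFEST_FIELDS}, sort_keys=True).encode()


def sign_manifest(manifest: Dict) -> str:
    """Vendor-side authentication tag over the canonical manifest."""
    return hmac.new(VENDOR_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: Dict, tag: str, image: bytes, installed_version: int) -> Tuple[bool, str]:
    """Device-side gate. Order matters: authenticate the manifest before trusting its fields."""
    if not hmac.compare_digest(sign_manifest(manifest), tag):
        return False, "manifest authentication failed"
    if manifest["model"] != DEVICE_MODEL:
        return False, "manifest is for a different device model"
    if manifest["version"] <= installed_version:
        return False, "rollback to older or same version refused"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash does not match manifest"
    return True, f"update to version {manifest['version']} accepted"


def build_release(version: int, image: bytes, model: str = DEVICE_MODEL):
    """Vendor side: produce a manifest and its tag for an image (constructed helper)."""
    manifest = {"model": model, "version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest)


# Constructed scenarios
GOOD_IMAGE = b"firmware-v12-constructed"
OLD_IMAGE = b"firmware-v9-constructed"
INSTALLED_VERSION = 11


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run the gate against genuine, rolled-back, swapped, tampered and mismatched updates."""
    m12, t12 = build_release(12, GOOD_IMAGE)
    m9, t9 = build_release(9, OLD_IMAGE)
    other_m, other_t = build_release(13, GOOD_IMAGE, model="sensor-x")
    # Attacker edits the version field but cannot recompute the tag
    forged_m = dict(m12, version=99)
    return {
        "genuine": verify_update(m12, t12, GOOD_IMAGE, INSTALLED_VERSION),
        "rollback": verify_update(m9, t9, OLD_IMAGE, INSTALLED_VERSION),
        "swapped_image": verify_update(m12, t12, OLD_IMAGE, INSTALLED_VERSION),
        "forged_manifest": verify_update(forged_m, t12, GOOD_IMAGE, INSTALLED_VERSION),
        "wrong_model": verify_update(other_m, other_t, GOOD_IMAGE, INSTALLED_VERSION),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Only the genuine release is accepted. The same checks, in the same order, are what a supplier questionnaire should confirm a device actually performs; a device that applies any image with a matching hash but does not authenticate the manifest, or that accepts a lower version number, fails the “secure update” requirement in the text.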
Finally, organisations should conduct regular role-based security awareness programmes and simulation exercises to prepare employees for potential cyber incidents. Provisions for incident response must be in alignment with India’s Computer Emergency Response Team (“CERT-In”) reporting requirements, as well as the breach notification timelines prescribed by the DPDP Act. In order to maintain compliance and operational resilience over time, firms should monitor measurable parameters such as the percentage of data that is encrypted, the timeline for applying security patches, and the average response time for data subject requests.
STRATEGIC ADVANTAGES OF COMPLIANCE
Full compliance with the DPDP Act, 2023 and the related cybersecurity laws gives manufacturers legal cover and protects them from the significant monetary penalties and heavy regulatory scrutiny attached to non-compliance. By embedding security into IoT-driven supply chains, firms also reduce downtime and disruption, which strengthens overall resilience.
Compliance signals reliability to vendors, clients, and regulators, thereby enhancing trust and opening doors to global partnerships where data protection standards are high. Over time, proactive investment in security also reduces the financial and reputational costs associated with breaches, which are consistently shown to outweigh upfront compliance expenses.
AMLEGALS REMARKS
IoT adoption in manufacturing is double-edged: it offers transformative efficiency alongside unprecedented risk. Whether the vulnerabilities lie at the device, network, or vendor tier, real-world breaches make it clear that the stakes are very much real.
The DPDP Act, 2023 and the regulations aligned with it are not merely obstacles but opportunities for Indian manufacturers to adopt higher standards of accountability and resilience. Treating data protection as a strategic investment rather than a mere compliance checkbox will distinguish the leaders in this field. Companies that act fast will nurture stronger trust, reduce costs in the long run, and compete better in both domestic and global arenas.
For any queries or feedback, feel free to connect with mridusha.guha@amlegals.com