This hub provides best-practice implementation guidance for the Digital Personal Data Protection Act, 2023. Timelines and thresholds should be verified against the DPDP Act and the DPDP Rules as notified. This is not legal advice — consult CyberSigma's DPDP team for a formal assessment.

DPDPA Enterprise Compliance Dashboard

Advanced enterprise-grade compliance workflow platform for Digital Personal Data Protection Act (DPDPA) implementation across multiple industries. Check off tasks to track your compliance in real time.

0%

Compliance Readiness

Control Tasks

72h

Breach Reporting SLA

₹250Cr

Penalty Exposure
Common Controls
Industry Controls
Critical Risk Areas

Universal DPDPA Framework

Core compliance controls mandatory for every organisation that collects, processes, or stores personal data of Indian citizens — the baseline before any sector-specific layer applies.

AllIndustries
₹250CrMax Penalty

Data Discovery & Mapping

Enterprise-wide data classification and inventory.

Universal
Personal DataSensitive DataChildren's Data3rd-party Flows
Progress
0%
0 / 5 done
Identify all personal data collected across CRM, ERP, and digital systems.
Map data flows — collection sources, processors, and third-party sharing.
Create and maintain a Data Processing Register (DPR) with full audit trails.
Classify data by sensitivity — general, sensitive, and children's data categories.
Tag all data assets with retention schedules and cross-border transfer flags.

Consent Management

Granular, purpose-specific and revocable consent framework.

Universal
Consent RecordsPurpose LogsWithdrawal AuditParental Consent
Progress
0%
0 / 5 done
Build granular, purpose-specific consent notices in plain language — no legal jargon.
Implement revocable consent — withdrawal operational within 24 hours of request.
Verifiable parental consent mechanism for all users under 18 years of age.
Maintain timestamped, immutable consent artefacts with IP address and source metadata.
Track consent version history — re-obtain consent when processing purpose changes.

Data Principal Rights

Rights handling, DPO and grievance workflows.

High Priority
Access RequestsCorrectionErasureGrievance
Progress
0%
0 / 5 done
Right to access — respond with data summary within 72 hours of request.
Right to correction and completion — automate correction workflows across all systems.
Right to erasure — trigger automated deletion across all processors and backup stores.
Appoint a Data Protection Officer (DPO) — mandatory for Significant Data Fiduciaries.
Grievance redressal portal — escalation matrix with DPBI escalation within 30 days.

Security Safeguards

Advanced security architecture and breach management.

Mandatory
EncryptionSIEMDLPMFAPAM
Progress
0%
0 / 5 done
AES-256 encryption at rest; TLS 1.3 in transit for all personal data flows.
RBAC, MFA, PAM and SIEM real-time monitoring deployed across all systems.
72-hour breach reporting pipeline to DPBI — automated detection and escalation.
Vendor and Data Processor due diligence — signed Data Processing Agreements (DPA).
Annual penetration testing and vulnerability assessment across all data systems.

Governance & Accountability

DPIA, audit framework and board-level oversight.

Governance
DPIA ReportsAudit LogsTraining Records
Progress
0%
0 / 4 done
Conduct Data Protection Impact Assessments (DPIA) for all high-risk processing activities.
Annual internal DPDPA compliance audit with documented findings and remediation plan.
Employee awareness and mandatory training program for all data-handling staff.
Board-level data governance committee and quarterly privacy policy review cycle.

Significant Data Fiduciary (SDF) Obligations

Enhanced duties for entities designated SDF by the Central Government.

Critical
SDF DesignationDPO AppointmentDPIAAlgo AuditDPBI Register
Progress
0%
0 / 6 done
Self-assess SDF status — volume, sensitivity and national security criteria against MeitY thresholds; legal sign-off on determination.
If designated SDF: appoint a qualified Data Protection Officer (DPO) — publish name and contact details publicly on website.
Conduct DPIA for every high-risk processing activity — maintain DPIA register; DPO must sign off before processing commences.
Annual algorithmic transparency audit for all AI/ML systems processing personal data at scale — findings submitted to DPBI.
Annual SDF compliance report to Board — signed by DPO and CISO; summary filed with DPBI per notified format and timeline.
Register with DPBI on the designated portal within the notified timeline after SDF designation order is received.

Children's Data — Universal Baseline

Absolute obligations applicable to every sector before any industry-specific layer.

Critical
Age VerificationParental ConsentNo ProfilingSegregated Store
Progress
0%
0 / 5 done
No collection or processing of personal data of users below 18 without verifiable parental consent — self-declaration of age is not sufficient.
Absolute prohibition on behavioural profiling, targeted advertising or monitoring of children — even with parental consent.
Children's data stored in a segregated, enhanced-protection data tier — separate encryption keys; every access triggers a DPO alert.
Age verification deployed at every registration and data collection point across all digital and physical channels.
Minor flag set in all systems at point of identification — processing engines check the flag before any automated decision or data sharing.

Data Portability & Nomination Rights

Section 11 & 12 — portable format delivery and posthumous rights.

Mandatory
Portable Format72h SLANominee RegisterJSON / CSV
Progress
0%
0 / 5 done
Right to data portability — deliver all personal data in structured, machine-readable, interoperable format within 72 hours of request.
Portability scope includes: data provided by the principal, processed data and inferred profiles held by the fiduciary.
Portability format follows MeitY notified standards — JSON or CSV minimum; FHIR for health data; delivered via secure download link.
Nomination registration — data principal may register a nominee to exercise all DPDPA rights on their behalf after death or incapacity.
Nominee activation requires verified death certificate or incapacity proof — automated workflow with DPO oversight.

Breach Notification Workflow

72-hour DPBI pipeline — detection, classification, notification and post-incident report.

Critical
DPBI Portal72h SLAP1/P2/P3 MatrixPost-Incident
Progress
0%
0 / 6 done
Breach detection to classification pipeline — SIEM alert triggers automated severity classification within 1 hour of detection.
Severity matrix: P1 (confirmed breach) → DPBI within 72 hrs; P2 (probable) → internal escalation within 4 hrs; P3 → monitor and document.
P1 DPBI notification — pre-drafted template; DPO and legal sign-off; submitted via DPBI designated portal within 72 hours.
Affected data principal notification without undue delay — must include: nature of breach, data affected, steps taken, DPO contact.
Post-incident report to DPBI within 30 days — root cause analysis, corrective actions, systemic remediation documented and signed.
Annual breach simulation drill — tabletop exercise testing detection-to-notification pipeline; findings remediated within 30 days.

Lawful Processing Basis Register

Document and review legal basis for every processing activity in the DPR.

Governance
Consent BasisLegal ObligationState FunctionContractual Need
Progress
0%
0 / 5 done
Document lawful basis — consent or specific deemed-consent ground — for every processing activity in the DPR; no undocumented processing.
State function processing — map each activity to the specific statutory power authorising it; legal opinion kept on file.
Contractual necessity — verify only data strictly necessary for the contract is collected; no surplus fields in any form or API.
Medical emergency processing — document the emergency case; restrict to emergency purpose only; cease immediately when emergency resolves.
Quarterly DPR review — DPO verifies actual processing matches documented basis; flags any drift; corrective action within 30 days.

Data Minimisation & Purpose Limitation

Collect only what is necessary; process only for stated purpose.

Universal
Purpose RegisterMinimisationSecondary UseAnonymisation
Progress
0%
0 / 6 done
Document lawful purpose for every data category in the Processing Register — no open-ended purposes.
Collect only data fields strictly necessary for the stated purpose — remove surplus fields from all forms.
Prohibit secondary use of data without fresh explicit consent or a new lawful basis.
Anonymise or pseudonymise data as soon as purpose is fulfilled — verify anonymisation is irreversible.
Automated retention triggers — delete data on schedule without manual intervention.
Quarterly purpose creep review — identify any processing that has drifted from its original stated purpose.

Cross-Border Transfer Controls

SCCs, whitelist countries and transfer impact assessments.

Mandatory
Whitelist CountriesSCCsTransfer ImpactCloud Regions
Progress
0%
0 / 6 done
Inventory all offshore processors and cloud regions processing Indian personal data.
Execute Standard Contractual Clauses (SCCs) with all non-whitelisted country processors.
Transfer Impact Assessment (TIA) for every country where data is processed.
Monitor MeitY whitelist updates — quarterly review; pause transfers to removed countries within 48 hours.
Cloud provider DPAs include India-specific data residency and audit access clauses.
Disclose cross-border transfers in privacy notice — countries, purpose, safeguards in plain language.

Data Processor Management

DPA execution, sub-processor oversight and vendor audits.

Universal
DPA ContractsSub-ProcessorsVendor AuditsBreach SLA
Progress
0%
0 / 6 done
Signed Data Processing Agreements (DPAs) with every processor before any data is shared.
Register all sub-processors — processors must notify changes with 30-day advance notice.
Annual vendor security assessment — VAPT evidence or SOC 2 Type II report mandatory.
DPA breach SLA — processor must notify fiduciary within 6 hours of discovery.
Data return/deletion clause — all data returned or deleted at contract termination within 30 days.
Processor audit rights — right to audit or appoint independent auditor at fiduciary's discretion.

Privacy by Design & Default

Embed privacy into product architecture and engineering.

Governance
PIA ReviewsPrivacy SprintData Flow DiagramsDefault Settings
Progress
0%
0 / 6 done
Privacy review gate in SDLC — no new feature with personal data shipped without PIA sign-off.
Default settings must be most privacy-protective — users must opt-in to less restrictive settings.
Data flow diagrams mandatory for all new systems processing personal data — reviewed quarterly.
Threat model for each major product release — privacy risks documented and mitigated.
Privacy champion programme — designated privacy lead in each engineering team.
No silent data collection — every data collection event must have a visible, user-facing disclosure.

Fintech & BFSI

High-risk financial data governance aligned with RBI, SEBI, PCI-DSS, UIDAI, and DPDPA. Entities with large user bases are likely Significant Data Fiduciaries with enhanced obligations including a mandatory DPO.

SDFLikely Status
₹250CrBreach Penalty

KYC & Financial Data Protection

Critical financial and transaction data governance.

Critical
PANAadhaarUPI IDsBank AccountsCredit ScoresKYC Docs
Progress
0%
0 / 5 done
Map PAN, Aadhaar linkage — comply with UIDAI restrictions on storage and masking.
Classify credit scores, transaction history and bank data as sensitive personal data.
Document all data shared with payment gateways, credit bureaus and NBFCs.
RBI data localisation — India-only storage for payment system data.
PCI-DSS card tokenisation — zero raw card credentials stored on servers.

Consent for Data Monetisation

Profiling, cross-sell, and Account Aggregator alignment.

Industry
Account AggregatorFIP/FIU DataLending DataInsurance
Progress
0%
0 / 4 done
Explicit, revocable consent for profiling financial data for cross-sell and upsell purposes.
Align with RBI Account Aggregator (AA) framework for FIP/FIU data sharing flows.
Decouple consent artefacts for lending, insurance and investment product data.
No pre-ticked boxes — opt-in only for all marketing and analytics processing.

Cross-Border Transfer Controls

SWIFT, card networks, and offshore processor governance.

Critical
SWIFTCard NetworksOffshore APIsSCCs
Progress
0%
0 / 4 done
Audit all offshore processing — SWIFT, Visa/Mastercard and card network data flows.
Standard Contractual Clauses (SCCs) with every overseas processor and cloud provider.
Comply with RBI localisation mandates alongside DPDPA whitelist country requirements.
Parallel breach reporting to DPBI + RBI/SEBI within their respective timelines.

AI / ML Credit Decisioning

Algorithmic fairness, explainability and audit controls.

Industry
Credit ModelsFraud DetectionCIBIL Data
Progress
0%
0 / 3 done
Disclose when automated credit decisions are made — provide right to human review.
Explainability documentation for all AI/ML models using personal financial data.
Bias audit for credit scoring models — ensure non-discriminatory processing outcomes.

AML / CFT & PMLA Data Controls

PMLA obligations and DPDPA dual-compliance for financial crime data.

Critical
CDD / EDDSTR / CTRFIU-INDPMLA 5yr Retention
Progress
0%
0 / 6 done
Map all AML/CFT obligations under PMLA 2002 against DPDPA — prepare dual-compliance matrix identifying conflicts and overrides.
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) data — retained for 5 years per PMLA; DPDPA erasure requests documented but overridden by PMLA.
Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) — separate governance; zero access by commercial teams.
FIU-IND data transmission — encrypted channel; access restricted to MLRO and designated compliance officers only.
AML data cannot be deleted on DPDPA erasure request — communicate legal basis (PMLA statutory obligation) in writing to the data principal.
AML analytics using financial personal data — internal compliance use only; prohibited for commercial profiling or marketing.

Digital Lending & NBFC Controls

RBI Digital Lending Guidelines 2022 + DPDPA compliance for credit apps.

Critical
Loan DataDevice PermissionsLSP AgreementsRecovery Agents
Progress
0%
0 / 6 done
RBI Digital Lending Guidelines 2022 alignment — no access to borrower contacts, photos, call logs or device storage for any purpose.
Loan application data — purpose-limited to credit assessment only; no secondary use for cross-sell without fresh explicit consent.
Quarterly app permission audit — remove all unnecessary device permissions; document each retained permission with justification.
Lending Service Partners (LSPs) — signed DPAs specifying data shared is limited to loan processing fields; sub-processor list maintained.
Loan recovery — data shared with recovery agents restricted to outstanding amount, EMI schedule and registered contact only; no personal relationship data.
FLDG (First Loss Default Guarantee) arrangements — data shared with guarantor entities covered under DPA; purpose-limited to risk coverage only.

Insurance & IRDAI Data Governance

Policyholder and claims data aligned with IRDAI guidelines and DPDPA.

Industry
Policyholder DataClaims RecordsUnderwritingBima Sugam
Progress
0%
0 / 5 done
IRDAI data governance circular compliance — policyholder data handling aligned with both IRDAI guidelines and DPDPA requirements.
Policyholder data purpose-limited to: policy issuance, renewal, claims processing and mandatory regulatory reporting only.
Health underwriting data — require separate explicit consent; cannot be used for any non-insurance purpose or shared with non-insurance entities.
Claims data — retain for statutory dispute window (3 years post-settlement); delete all non-mandatory data after settlement is complete.
Bima Sugam and insurance aggregator data flows — DPAs in place; customer personal data not to be monetised by aggregator platforms.

Crypto, Web3 & Emerging Fintech

VDA tax, DeFi and co-branded fintech product data controls.

Industry
Crypto WalletsVDA Tax DataWeb3 UsersCo-brand Products
Progress
0%
0 / 4 done
Crypto wallet and transaction data mapped as financial personal data under DPDPA — apply all corresponding safeguards including encryption and access logging.
VDA (Virtual Digital Asset) tax reporting data (ITD) — retained only for statutory tax period; separate consent required for any analytics use.
Web3 and DeFi platforms serving Indian users — DPDPA jurisdiction applies even for decentralised platforms; appoint India representative if offshore.
Fintech-bank co-branded products — separate consent artefact per product; no data sharing between co-brand products without explicit consent.

Regulatory Reporting & Notifications

Dual reporting to DPBI + RBI/SEBI/IRDAI within mandated timelines.

Critical
DPBI ReportingRBI CircularSEBI ReportsIRDAI Filings
Progress
0%
0 / 6 done
Map all breach reporting timelines — DPBI 72 hrs, RBI 6 hrs, SEBI 24 hrs — reconcile into single IR playbook.
Pre-approved breach notification templates for each regulator — legal sign-off before incident.
Regulatory liaison matrix — named contact for RBI, SEBI, IRDAI and DPBI at board level.
Quarterly DPDPA compliance certificate to Board — signed by DPO and CISO.
RBI IT Examination readiness — DPDPA artefacts integrated into IT audit response pack.
IRDAI data governance circular compliance — insurance policy and claims data handled per regulations.

Open Banking & API Data Security

API gateway controls for fintech partner data flows.

Industry
Open APIOAuth TokensFintech PartnersRate Limiting
Progress
0%
0 / 5 done
API gateway enforces data minimisation — partner APIs return only fields explicitly needed per DPA scope.
OAuth 2.0 / FAPI-compliant token scopes mapped to DPDPA consent purposes.
Fintech partner onboarding — security assessment and DPA execution before API key issuance.
API rate limiting and anomaly detection — flag bulk data extraction as potential breach event.
Consent revocation propagates to all API partners within 2 hours via webhook notification.

Healthcare & HealthTech

Health data is sensitive personal data under DPDPA. Hospitals, diagnostic labs, telemedicine platforms, and health-tech apps face the strictest obligations, overlapping with DISHA (pending) and NHA/ABDM guidelines.

SensitiveData Category
3–10 yrNMC Retention

Patient Data Governance

EHR, ABHA, diagnostics and wearable data protection.

Critical
EHR RecordsABHA IDsPrescriptionsDiagnosticsBiometricInsurance
Progress
0%
0 / 5 done
Classify EHR, diagnostic reports and prescriptions as sensitive data — highest protection tier.
Genetic and biometric data — apply additional access controls and separate consent artefacts.
Wearable and IoT health data — map all collection points and classify separately.
Integrate with ABDM / ABHA Health ID consent flows and national health data framework.
Document emergency treatment exemptions clearly in the Data Processing Register.

Patient Consent Architecture

Condition-specific and purpose-limited consent design.

Industry
Diagnosis ConsentResearch ConsentInsurance Sharing
Progress
0%
0 / 4 done
Condition-specific consent — diagnosis, research and insurance sharing are separate artefacts.
De-identify / anonymise data before sharing with pharmaceutical or CRO research partners.
Insurance data sharing — explicit consent only; blanket admission-form waivers prohibited.
Telemedicine sessions — consent for recording and AI transcription obtained before session.

Retention vs Erasure Conflict

Statutory medical obligations vs DPDPA rights.

Critical Conflict
NMC GuidelinesNABH RecordsErasure Requests
Progress
0%
0 / 3 done
Map statutory retention — NMC (3–10 yr), NABH accreditation and insurance dispute windows.
Document legal basis for retaining beyond erasure request — communicate reasoning to patient.
Delete all non-statutory data immediately upon erasure request — apply minimal data principle.

Research & Cross-Border Sharing

Pharma, CRO and international health data flows.

Industry
Clinical TrialsPharma PartnersICMR Guidelines
Progress
0%
0 / 3 done
Anonymise or pseudonymise data before sharing with clinical research organisations.
Cross-border pharma transfers — comply with DPDPA whitelist countries requirement.
ICMR ethics committee approvals for research involving identifiable health data.

Laboratory & Pathology Data

Lab reports, radiology images and reference lab data governance.

Critical
Lab ReportsDICOM / RadiologyPathology SlidesReference Labs
Progress
0%
0 / 6 done
Lab test reports and results — classified as sensitive personal data; AES-256 encryption at rest; patient-controlled access via ABHA or secure portal.
Pathology slides, histopathology images and radiology (DICOM) files — biometric-equivalent protection; no sharing without explicit patient consent.
Lab data sharing with treating physician — minimum necessary data only; patient access controls override default sharing to any third party.
Reference laboratory partnerships — DPAs with strict purpose limitation; bar on secondary analytics use of patient samples or results.
NABL accreditation data — quality control data containing patient samples anonymised before use in any accreditation or benchmarking report.
Home collection and mobile lab data — patient visit location and time retained only for sample chain-of-custody; deleted post-result delivery.

Pharmacy & Drug Dispensing Data

Prescription data, e-pharmacy and pharmacovigilance controls.

Industry
PrescriptionsDispensing Recordse-PharmacyPharmacovigilance
Progress
0%
0 / 5 done
Prescription data — cannot be shared with pharmaceutical companies for marketing or analytics without explicit, separate patient consent.
Dispensing records — retained per Drugs & Cosmetics Act requirements; non-mandatory fields deleted post-dispensing.
Online and e-pharmacy platforms — MoHFW e-pharmacy guidelines + DPDPA dual compliance; prescriptions verified and stored with highest encryption.
Subscription medication services — separate consent per medication product; consent withdrawal stops future dispensing and triggers profile deletion.
Pharmacovigilance and adverse event reporting — anonymise patient data before submission to CDSCO; no identifiable patient data in reports.

Health Insurance & TPA Integration

Third-party administrator data flows and underwriting controls.

Critical
TPA DataClaims ProcessingPre-authUnderwriting
Progress
0%
0 / 5 done
TPA data sharing — minimum data for claims processing only; restrict to diagnosis code, treatment code and billed amount; no full medical records shared.
Insurance underwriting using health data — require separate explicit consent, not bundled with admission or treatment consent forms.
Claim rejection — patient has right to know the full basis; rejection reason cannot be shared with other insurers without patient consent.
Pre-authorisation data — purpose-limited to the specific claim; not retained beyond claim resolution; deleted after dispute window closes.
Aggregate health data shared with reinsurers or actuaries — anonymised and aggregated only; no individual patient identification possible.

AYUSH, Wellness & Traditional Medicine

AYUSH records, wellness apps and MoAYUSH portal data compliance.

Industry
AYUSH RecordsWellness AppsYoga / MeditationMoAYUSH Portal
Progress
0%
0 / 4 done
AYUSH treatment records (Ayurveda, Yoga, Naturopathy, Unani, Siddha, Homeopathy) — classified as health data under DPDPA; same protections as allopathic records.
Online wellness platforms collecting health questionnaires — data classified as health data; separate explicit consent required for each collection purpose.
MoAYUSH portal data — ministry compliance obligations aligned with DPDPA; no secondary commercial use of patient treatment data.
Yoga, meditation and mental wellness app data — fully disclose all data collected; user controls deletion without losing historical wellness data.

Mortality, Death Records & End-of-Life Data

Deceased patient data governance and nominee disclosure controls.

Industry
Death CertificatesNominee AccessResearch AnonymisationPost-Mortem
Progress
0%
0 / 4 done
Deceased patient data — DPDPA applies until data is irreversibly anonymised; registered nominee or legal representative exercises all rights.
Cause of death and death certificates — sensitive; disclosed only to registered nominees, legal heirs or authorities with a documented lawful basis.
Research using mortality data — IRB ethics committee approval mandatory; data anonymised before use; re-identification prohibited by contract.
Post-mortem and autopsy records — law enforcement access only on court order; medical research use requires anonymisation after statutory retention period.

Telemedicine & Digital Health Controls

Video consultations, AI diagnostics and remote monitoring data.

Critical
Video SessionsAI DiagnosticsRemote Monitoringe-Prescriptions
Progress
0%
0 / 6 done
Telemedicine consent — separate artefact for (a) consultation, (b) AI-assisted diagnosis, (c) session recording.
Session recordings — end-to-end encrypted, stored in India, deleted after 90 days unless clinically required.
AI diagnostic tools — explainability required; physician must review and confirm all AI-generated outputs.
Wearable and remote monitoring data — patient owns data; consent required for each monitoring purpose.
e-Prescriptions — DPDPA-compliant encryption and no sharing with pharmaceutical companies without consent.
Telemedicine Act 2020 alignment — Telemedicine Guidelines data obligations mapped to DPDPA controls.

Mental Health & Genetic Data

Highest-sensitivity data categories requiring maximum protection.

Critical
Mental Health RecordsGenetic DataAddiction DataHIV Status
Progress
0%
0 / 5 done
Mental health, genetic, HIV and addiction data — separate storage tier with stricter access controls than standard health data.
Genetic data — additional explicit consent; no sharing for insurance underwriting or employer screening.
Mental Health Act 2017 alignment — patient confidentiality provisions mapped alongside DPDPA.
Zero-knowledge access logs — every access to these records triggers automated alert to DPO.
No disclosure of these categories in any data breach without patient-specific breach notification plan.

E-Commerce & Retail

Large platforms are likely Significant Data Fiduciaries. Dual compliance required with Consumer Protection (E-Commerce) Rules 2020. Personalisation dark patterns and children's data are under active regulatory scrutiny.

SDFLikely Status
HighProfiling Risk

Behavioural & Profile Data

Browsing, purchase and recommendation engine tracking.

Industry
Browsing DataPurchase HistoryWish ListsLocationReviews
Progress
0%
0 / 5 done
Map browsing, purchase, wish-list, review and loyalty data across all channels.
Delivery address and real-time location — explicit consent required, not assumed from checkout.
Separate, revocable consent for personalised ads and recommendation engine profiling.
DPDPA-compliant cookie consent — no pre-ticked boxes, no dark patterns at checkout.
No sharing of behavioural profiles with sellers — restrict to order fulfilment data only.

Payment & Checkout Compliance

Tokenisation, PCI-DSS and UPI data controls.

Industry
Card TokensUPI DataBNPL RecordsCVV — never store
Progress
0%
0 / 4 done
Card / UPI tokenisation — no raw credentials stored; comply with RBI tokenisation mandate.
PCI-DSS compliance aligned with DPDPA payment processor obligations.
Explicit opt-in consent to save payment methods — no default saving at checkout.
BNPL and credit product data — separate consent and disclosure for credit bureau sharing.

Children's Data — Zero Tolerance

No profiling or targeting of users under 18.

Critical
Age VerificationParental ConsentMinor Accounts
Progress
0%
0 / 3 done
No behavioural targeting, profiling or personalised ads directed at users under 18.
Verifiable parental consent before account creation — cannot rely on self-declaration of age.
Age-gating on product categories and checkout flows not suitable for minors.

Marketplace & Seller Data

Logistics, affiliate and seller data governance.

Industry
Seller ProfilesLogistics PartnersAffiliate Data
Progress
0%
0 / 3 done
DPAs with all logistics partners — restrict data to name, address and order details only.
Customer data shared with sellers — minimise to fulfilment-necessary fields only.
Affiliate and referral data flows — consent and purpose limitation documentation.

Social Commerce & Influencer Data

Content creator data, UGC in live commerce and ONDC network flows.

Industry
Influencer DataLive CommerceONDC NetworkUGC Consent
Progress
0%
0 / 4 done
Influencer partnership data — personal data of content creators is subject to DPDPA; inform them how their data is used in brand campaigns and analytics.
Social commerce video and live-stream — consent required for use of a user's image or voice in recordings, replays or promotional clips.
ONDC network data flows — purpose limitation enforced on buyer and seller personal data shared across all network participants via API.
Social profile data used for product recommendations — explicit consent; user can opt out without losing social login or purchase history access.

Cross-Border & International Commerce

Foreign platform obligations and international buyer/seller data controls.

Industry
Offshore PlatformsCBIC / CustomsCross-border PaymentsInt'l Sellers
Progress
0%
0 / 4 done
Foreign e-commerce platforms with Indian users — DPDPA applies; offshore entities must appoint an India representative and comply fully.
Cross-border payment data — RBI regulations + DPDPA combined compliance; payment system data localised per RBI mandate before any offshore transfer.
Import and customs data sharing with CBIC — personal data shared only under statutory obligation; legal basis documented in DPR.
International seller access to Indian buyer data — DPAs with overseas sellers; restrict to fulfilment-necessary fields only; no resale of buyer data.

Subscription & Auto-Renewal Billing

Recurring billing consent, cancellation ease and payment-on-file controls.

Industry
Recurring BillingAuto-RenewalSaved PaymentDunning Data
Progress
0%
0 / 4 done
Subscription consent — clear upfront disclosure of recurring billing amount, frequency and exact next charge date before activation; no buried fine print.
Auto-renewal — mandatory 15-day advance notification before renewal charge; cancellation possible in ≤ 3 clicks from the logged-in account page.
Payment method on file — explicit consent for storing; right to delete stored payment method at any time without cancelling the subscription.
Failed payment and dunning data — retention limited to 90-day dispute window; no credit bureau reporting without separate explicit consent.

Dark Patterns & Deceptive Design Audit

Consumer Protection Rules + DPDPA anti-manipulation controls.

Critical
Consent UICheckout FlowSubscription TrapsRoach Motels
Progress
0%
0 / 5 done
Audit all consent UIs for dark patterns — confirmshaming, hidden opt-outs, forced action — remediate within 30 days.
Checkout flow: no pre-selected marketing opt-ins, newsletter subscriptions or data sharing checkboxes.
Account deletion must be as easy as account creation — no labyrinthine unsubscribe journeys.
Subscription management — cancellation process must complete in ≤ 3 clicks from logged-in state.
Regular UX dark-pattern audit by independent reviewer — quarterly; findings reported to DPO.

Loyalty, Returns & UGC Data

Reward points, refund history and user-generated content governance.

Industry
Loyalty PointsReturn HistoryReviewsReferrals
Progress
0%
0 / 4 done
Loyalty programme — explicit consent for using purchase history in personalised rewards; opt-out without losing earned points.
Return and refund data — retained only for statutory dispute window; delete all financial details post-settlement.
User reviews and ratings — inform users their UGC may be publicly visible; right to delete own reviews.
Referral programme data — consent required; referral contact data deleted after programme period ends.

EdTech Platforms

EdTech platforms with student users under 18 face the most stringent children's data obligations. No profiling or behavioural targeting of students is permitted — even with parental consent. Overlaps with NEP 2020 data governance norms.

MinorsPrimary Risk
ZeroProfiling Tolerance

Parental Consent & Age Verification

Mandatory before onboarding any minor user.

Critical
Age GateGuardian ConsentMinor Profiles
Progress
0%
0 / 4 done
Verifiable parental / guardian consent before enrolment — cannot rely on self-declaration of age.
Age-gating mechanism — OTP or verification sent to parent/guardian, not the student.
Consent renewal workflow triggered automatically when a user turns 18.
Under-13 accounts — school institution must act as consent intermediary.

Anti-Profiling Controls

No AI targeting or behavioural profiling of students.

Critical
Learning AnalyticsAI RecommendationsAd Tech
Progress
0%
0 / 4 done
Zero behavioural targeting or personalised advertising directed at users under 18.
AI/ML personalisation engines — disable for minor accounts; use anonymised aggregate signals only.
Remove all ad-tech SDKs from student-facing apps, web sessions and learning portals.
Prohibit sale or transfer of student learning data to any third party whatsoever.

Learning Data Governance

Purpose-limited use of academic and performance data.

Industry
Assessment ScoresAttendanceClass RecordingsParent Info
Progress
0%
0 / 4 done
Learning progress and scores — purpose-limited to learning improvement only, no marketing use.
Recorded class sessions — explicit prior consent; deletion after academic year unless appealed.
Institution data-sharing — DPAs with schools; share only relevant academic progress data.
Account deletion within 30 days of request — complete erasure including all backup stores.

Online Proctoring & AI Invigilation

Exam recording consent, AI behaviour analysis and biometric verification.

Critical
Exam RecordingsAI Behaviour AnalysisBiometric VerifyProctoring Vendor
Progress
0%
0 / 5 done
Proctoring software installation — separate, explicit informed consent before installation; full disclosure of what data is collected, processed and retained.
Exam video recording — end-to-end encrypted; accessible only to authorised invigilators and grievance reviewers; deleted 90 days after results are published.
AI behaviour analysis during examination — fully disclosed in advance; right to human review of any AI-flagged event before malpractice action is taken.
Biometric identity verification for exams — separate consent; biometric template deleted immediately after each exam session ends.
Proctoring technology vendor DPA — strict purpose limitation; no secondary use of exam recordings for AI model training or commercial analytics.

Competitive Exam & Government Recruitment

JEE, NEET, UPSC and state PSC data — critical national data governance.

Critical
JEE / NEET DataUPSC / PSCAnswer ScriptsHall Tickets
Progress
0%
0 / 5 done
JEE, NEET, UPSC and state PSC exam data — classified as critical sensitive personal data; enhanced security tier; zero third-party commercial access.
Exam registration data — purpose-limited to exam administration; no secondary use for marketing or coaching institute sharing without consent.
Answer scripts and marks — disclosed to candidate only via secure portal; no sharing with coaching institutes, media or third parties.
Hall tickets and admit cards — contain biometric and identity data; access controlled; purged after admission process completes.
Mock test and preparation data — kept entirely separate from official exam systems; coaching platforms prohibited from sharing without candidate consent.

Student Loan & Financial Aid Data

Education finance data, NSP and family income data governance.

Industry
Education LoansScholarship DataNSP PortalIncome Data
Progress
0%
0 / 4 done
Student loan data — classified as financial sensitive data; separate consent from educational data; purpose-limited to loan processing and repayment tracking.
Scholarship and financial aid data — cannot be used for profiling, marketing or sold to financial institutions under any circumstances.
National Scholarship Portal (NSP) data flowing through EdTech platforms — government data subject to additional obligations; purpose strictly limited to disbursement.
Family income and financial background data — segregated storage; access restricted to financial aid officers; deleted after aid decision is finalised.

International Students & Cross-Border Education

Passport, visa, foreign partner data and study-abroad controls.

Industry
Passport / VisaForeign PartnersStudy AbroadSCCs
Progress
0%
0 / 4 done
International student passport, visa and residency data — sensitive; purpose-limited to enrollment and statutory reporting; not shared with third parties.
Student data shared with foreign education partners — cross-border transfer controls apply; SCCs or equivalent safeguards executed before any transfer.
Foreign university credential verification — purpose-limited to verification; original documents not retained after verification decision is recorded.
Study-abroad programme data (medical, emergency contacts) — shared only in genuine medical emergency; deleted when student returns to India.

Teacher, Faculty & Institution Data

Staff data governance and school partnership controls.

Industry
Faculty RecordsSchool DPAsLMS DataCertificates
Progress
0%
0 / 5 done
Teacher and faculty personal data — separate consent from employment contract; purpose-limited to educational delivery.
School and institution partners — signed DPAs specifying which student data may be shared and for what purpose.
LMS usage analytics — anonymised before sharing with schools; no individual student identification in reports.
Certification and credential data — retain only for certificate validity period; provide data portability to student.
NEP 2020 data governance alignment — verify EdTech practices align with national education policy norms.

Telecom & ISP

TSPs and ISPs will almost certainly be designated Significant Data Fiduciaries. Overlaps with TRAI Customer Data Regulations and the Telecom Act 2023. CDR and real-time location data carry the highest processing risk in this sector.

SDFCertain Status
DoT+TRAIDual Regulator

Subscriber & Call Data Records

CDR, location intelligence and IPDR governance.

Critical
CDRSIM KYCLocation DataIPDRIMEI
Progress
0%
0 / 5 done
CDR — strict purpose limitation; no analytics sharing without explicit subscriber consent.
Real-time location data — explicit consent; no passive or background location collection.
SMS and communication metadata — no processing without lawful basis under DPDPA.
Lawful interception — separate governance channel; no cross-contamination with commercial data.
IPDR retention — cap at DoT-mandated 1-year minimum; delete all records beyond statutory window.

SIM & KYC Compliance

DoT and UIDAI dual-compliance framework.

Industry
Aadhaar eKYCSIM RegistrationVideo KYC
Progress
0%
0 / 4 done
SIM registration data — dual compliance with DoT subscriber registration rules and DPDPA.
Aadhaar eKYC — UIDAI restrictions apply in addition to DPDPA; no full Aadhaar number storage.
Video KYC recordings — retention limited to verification period; delete post-verification.
Post-deactivation data — cap at statutory minimums; purge all non-mandatory records.

VAS & Partner Data Sharing

OTT, analytics and third-party API controls.

Industry
OTT ServicesAd AnalyticsAPI Partners
Progress
0%
0 / 3 done
OTT / VAS data sharing — separate consent per service; bundled consent not permitted.
Analytics sold to advertisers — opt-in only; aggregated and anonymised before sharing.
API access for third-party apps — data minimisation enforced at gateway level.

5G, Edge Computing & Network Analytics

Network slicing, edge node data and subscriber analytics controls.

Industry
5G SlicingEdge NodesNetwork AnalyticsIoT via 5G
Progress
0%
0 / 5 done
5G network slicing — personal data processed in dedicated network slices is fully subject to DPDPA; slice-level data governance documentation required.
Edge computing nodes — personal data processed at the edge (not centralised) remains subject to DPDPA; DPO mapped to each edge deployment region.
Network usage analytics for planning — subscriber behaviour data anonymised before aggregation; individual CDR not used in planning models.
Network Function Virtualisation (NFV) — virtualised subscriber data flows mapped and access-controlled with same rigour as physical infrastructure.
5G-enabled IoT devices (smart city, health, industry) — subscriber data collected via 5G governed under same subscriber consent and purpose-limitation framework.

Subscriber Rights Self-Service Portal

DPDPA-mandated portal for CDR access, consent management and grievances.

Critical
CDR AccessConsent CentreMNP DataGrievance Status
Progress
0%
0 / 5 done
DPDPA self-service portal — subscribers can view CDR summary, active consents, and file rights requests without calling customer care.
CDR access request — subscriber receives their call records in machine-readable format within 72 hours via secure download link.
Consent management centre — all VAS and OTT service consents visible; individual withdrawal per service without call-centre dependency.
Account closure and MNP — all personal data handled per DPDPA; mobile number portability data minimised and deleted post-porting.
Grievance tracking in portal — real-time status of privacy complaints; DPBI escalation link visible; resolution within 30 days guaranteed.

Dual Breach Reporting (DoT + DPBI + CERT-In)

Three-regulator breach matrix — reconciled playbook for telecom incidents.

Critical
DoT ReportingDPBI 72hCERT-In 6hSubscriber Alert
Progress
0%
0 / 5 done
Telecom Act 2023 breach reporting to DoT — timeline and format as notified by DoT; reporting obligation separate from DPDPA DPBI notification.
DPBI breach notification within 72 hours — DPDPA obligation for subscriber personal data breaches; pre-drafted template approved by legal.
CERT-In cybersecurity incident reporting within 6 hours — mandatory under CERT-In directions; CERT-In format pre-prepared and tested.
Three-regulator breach matrix — single incident triggers correct notifications to all three regulators; named contacts and escalation paths documented.
Subscriber breach notification — plain-language alert via SMS and registered email within reasonable time; includes what data, what action to take.

Lawful Interception & Network Security

LI data separation, surveillance governance and security log controls.

Critical
LI / LIPFSurveillance RequestsSecurity LogsLI Audit
Progress
0%
0 / 5 done
Lawful interception (LI) data — strictly separated from commercial data warehouses; accessible only to designated security personnel with logged access.
Surveillance request governance — verify authority and legal basis before complying; all requests logged with reference number, authority name and date.
LI systems audited annually — independent audit confirming no cross-contamination of intercept data with commercial subscriber data systems.
Network security logs containing personal data (IP, device IDs) — purpose-limited to security; retained per DoT mandate; deleted beyond statutory window.
LI vendor systems (LIPF/LEMF) — DPAs in place even for government-mandated systems; vendor personnel access logged and monitored continuously.

International Roaming & Mobile Services

Cross-border subscriber data and mobile financial flows.

Industry
Roaming DataInternational CDRMobile MoneyPartner TSPs
Progress
0%
0 / 4 done
International roaming agreements — SCCs or equivalent safeguards with foreign TSPs receiving Indian subscriber data.
Roaming CDR shared with foreign networks — data minimisation; disclose to subscriber in privacy notice.
Mobile money and UPI services — RBI PPI guidelines + DPDPA consent aligned; no cross-product profiling.
Emergency services data — separate governance; no commercial use; data retained per DoT mandates only.

Government & Public Sector

Government entities processing for sovereign functions are largely exempt. However, PSEs, digitalisation projects (DigiLocker, e-RUPI) and outsourced e-gov vendors are fully subject to DPDPA. Scoping the exemption boundary is the first critical step.

PartialExemption
MeitYNodal Regulator

Sovereignty vs Compliance Scoping

Exempt sovereign functions vs commercial operations.

Govt-Specific
PSE Datae-Gov VendorsDPDPA Scope
Progress
0%
0 / 4 done
Legal opinion to identify which operations qualify as sovereign-exempt vs commercial activity.
PSEs and autonomous bodies — treat as fully DPDPA applicable regardless of government ownership.
Outsourced IT vendors to government — must sign DPAs and bear full liability for data breaches.
Map all DigiLocker, UMANG and Aadhaar-integrated services for DPDPA applicability.

Citizen Data & Welfare Schemes

Purpose limitation and inter-departmental sharing controls.

Govt-Specific
Citizen IDsWelfare RecordsCertificatesGrievances
Progress
0%
0 / 4 done
Welfare scheme data — purpose-limited; no inter-departmental sharing without explicit legal basis.
Anonymise citizen analytics before use in policy planning dashboards and reports.
Citizen grievance portal — DPO-led escalation with resolution tracking and acknowledgement SLA.
Implement citizen rights — access, correction and erasure request workflows across all portals.

Data Localisation & Sovereign Cloud

Critical data storage and MeitY cybersecurity alignment.

Critical
Critical Personal DataSovereign CloudMeitY CSCRF
Progress
0%
0 / 3 done
Critical personal data categories (to be notified by Govt) — mandatory India-only storage.
Cloud provider contracts — include data sovereignty and audit access clauses.
Cybersecurity posture aligned with MeitY CSCRF and CERT-In incident reporting guidelines.

Section 17 Exemptions Governance

Law enforcement disclosures, research exemptions and exemption register.

Critical
Sec 17 MappingLaw EnforcementResearch ExemptionExemption Register
Progress
0%
0 / 5 done
Every exemption claim mapped to a specific statutory provision — general "national security" or "public interest" claims without legal basis are insufficient.
Law enforcement data disclosures — each disclosure requires documented request with case reference and authority; register maintained by DPO.
Research, journalism and education exemptions (Sec 17(2)) — verify processing truly serves stated purpose; minimum data principle still applies.
Exemption register maintained by legal and DPO — reviewed quarterly; expired or legally unsupported exemption claims discontinued immediately.
No commercial use of exempt data — data processed under sovereign exemption cannot be repurposed for any revenue-generating activity.

National & State Security Boundaries

Formal designation of security exemptions and boundary documentation.

Critical
Security DesignationDefence DataBorder SecurityDiplomatic Data
Progress
0%
0 / 4 done
National security exemption — formal determination required by the competent authority; cannot be self-declared by the processing department.
Military and defence data — outside DPDPA scope under separate defence statutes; document the boundary clearly in legal opinion and DPR.
Border security and intelligence data — exemption boundaries documented in annual legal review; approved by ministry's legal counsel.
Even exempt agencies prohibited from sharing exempt data with commercial entities — exemption applies only to the designated security function.

e-Governance Vendor Onboarding

IT vendor due diligence, DPAs and MeitY-empanelled cloud selection.

Govt-Specific
NIC EmpanelmentVendor DPAsMeghRaj CloudStaff BGV
Progress
0%
0 / 5 done
IT vendor security assessment — mandatory before any citizen data access; NIC empanelment or equivalent STQC certification required.
DPA executed with every IT vendor handling citizen data — breach notification SLA of 4 hours; audit rights; data return or deletion at contract end.
Cloud provider selection — prefer MeitY-empanelled cloud (NIC Cloud, MeghRaj) for critical citizen personal data; avoid non-empanelled providers.
Vendor personnel accessing citizen data — background verification and signed NDAs mandatory before access credentials are issued.
Annual vendor compliance review — security assessment refreshed yearly; non-compliant vendors removed from active e-governance projects.

Census, Population & Welfare Data

DBT, welfare scheme data controls and statistical publication standards.

Govt-Specific
Census ActNSSO SurveysDBT DataJan Dhan
Progress
0%
0 / 4 done
Census data — protected under Census Act 1948 (sovereign function exempt from DPDPA); data used for policy is aggregated and anonymised before publication.
NSSO and population survey data — individual responses confidential; only statistical outputs published; micro-data shared only under strict licence.
Direct Benefit Transfer (DBT) data — purpose-limited to welfare benefit delivery; no cross-scheme profiling or sharing with commercial entities.
Jan Dhan and financial inclusion data — purpose-limited to financial access; not shared with commercial banks for marketing or credit profiling.

Aadhaar & Identity Integration

UIDAI compliance in government digital service delivery.

Govt-Specific
UIDAI ComplianceDigiLockere-KYCUMANG
Progress
0%
0 / 5 done
Aadhaar-linked services — UIDAI Act restrictions are additional to DPDPA; dual compliance mandatory.
No full Aadhaar number stored — only Virtual ID or masked number retained per UIDAI circular.
DigiLocker API — consent captured per document access; no bulk data pull without explicit per-request consent.
UMANG platform — each service module treats citizen data independently; no cross-service profiling.
eSign and e-KYC — post-verification data deleted within 6 months per UIDAI guidelines.

SaaS & IT Services

Cloud-native SaaS companies act as Data Processors for client fiduciaries. Indian customer data triggers DPDPA even if the platform is hosted abroad. Strong sub-processor agreements, tenant isolation and cross-border governance are non-negotiable.

ProcessorDPDPA Role
GlobalJurisdiction Risk

Cloud Security & Tenant Isolation

Multi-tenant isolation and API gateway monitoring.

Cloud
Tenant RecordsAPI TelemetryAuth LogsCloud Backups
Progress
0%
0 / 4 done
Secure multi-tenant isolation — cryptographic and logical separation of Indian customer data.
API gateway monitoring — detect unauthorised cross-tenant data access in real time.
Encrypted backups with geo-restriction — Indian tenant data within DPDPA-compliant regions.
SOC 2 Type II and ISO 27001 certification as baseline evidence for DPA negotiations.

Data Processor Agreements

Sub-processor chain and SCC governance.

Industry
DPA TemplatesSub-processorsSCCsAudit Rights
Progress
0%
0 / 4 done
DPA template ready for Indian enterprise customers — includes audit rights and breach SLA.
Register all sub-processors handling Indian customer data; maintain published sub-processor list.
Cross-border transfer risk assessments for each country where sub-processors operate.
Customer notification when sub-processors change — 30-day advance written notice minimum.

Breach Response & Notification

72-hour DPBI reporting and customer alert pipeline.

Critical
Breach PlaybookDPBI NotificationCustomer Alerts
Progress
0%
0 / 3 done
Automated breach detection — SIEM alerts for data exfiltration patterns within 4 hours.
72-hour DPBI notification playbook — pre-drafted templates with incident classification matrix.
Customer breach notification within DPA-agreed SLA — include remediation steps and data scope.

Customer Offboarding & Deletion Certificates

Verifiable data destruction across all environments and sub-processors.

Critical
Deletion SLACrypto Deletion CertBackup PurgeSub-processor Chain
Progress
0%
0 / 5 done
Customer data deletion SLA — 30 days post-contract termination (or as agreed in DPA); no extension without written customer consent.
Verified deletion certificate — cryptographic proof of data destruction (hash of deletion logs); issued to customer within the deletion SLA window.
Deletion covers all environments — production, staging, DR, cold storage, backup tapes and snapshots; no environment excluded.
Sub-processor deletion chain — each sub-processor provides deletion confirmation within the prime SaaS SLA; aggregated evidence pack sent to customer.
Mid-contract deletion rights — customer can request deletion of specific data subsets at any time; SaaS must honour within 30 days without service disruption.

AI-SaaS & Model Training Controls

Customer data use in AI training, inference logging and automated decisions.

Cloud
Model TrainingInference LogsAI OutputsExplainability
Progress
0%
0 / 5 done
Using customer data to train AI or ML models — explicitly prohibited unless the DPA grants written permission and the customer provides separate consent.
AI model inference logs containing customer personal data — treated as personal data; retention limits enforced; access restricted to authorised ML engineers.
AI outputs referencing identifiable customers — classified as derived personal data; subject to access and deletion rights under DPDPA.
Automated decisions affecting end-users — explainability documentation available; human override mechanism operational before any adverse decision.
Quarterly AI model bias audit — ensure models processing Indian user data do not produce discriminatory outcomes; findings reviewed by DPO.

Privacy Engineering Controls

PETs, synthetic data, differential privacy and re-identification risk.

Governance
Differential Privacyk-AnonymityFederated LearningRe-ID Risk
Progress
0%
0 / 5 done
Differential privacy deployed for aggregate analytics — privacy budget tracked and enforced; prevents re-identification from published statistics.
Data masking and tokenisation in all non-production environments — no real personal data in dev, staging or QA; validated on every release.
Annual re-identification risk assessment for anonymised datasets — datasets above threshold risk level re-pseudonymised before further use.
Federated learning for cross-tenant analytics — raw customer data never leaves tenant boundary; only model gradients shared and inspected.
PET (Privacy-Enhancing Technology) adoption roadmap — DPO and CTO aligned; annual targets set and reviewed in Board privacy committee.

Incident Classification & Response Matrix

P1/P2/P3 severity tiers, customer notification SLAs and breach drills.

Critical
P1 BreachP2 ProbableP3 IncidentQuarterly Drills
Progress
0%
0 / 5 done
P1 (Critical): Confirmed personal data breach — DPBI notification within 72 hours; customer notification within DPA SLA; war-room activated immediately.
P2 (High): Probable breach or confirmed unauthorised access — internal escalation within 4 hours; treated as P1 until ruled out by investigation.
P3 (Medium): Security incident without confirmed personal data loss — documented; monitored for 7 days; DPBI notification triggered if evidence emerges.
Customer DPA tier determines notification SLA — Enterprise tier: 24 hours; SMB tier: 48 hours; tier clearly defined in each executed DPA.
Quarterly breach simulation drills — all three severity levels tested; playbooks refreshed based on findings; results reported to Board.

DevSecOps & Secure SDLC

Privacy engineering gates and secure development lifecycle.

Cloud
SAST/DASTPrivacy ReviewsPipeline GatesSecrets Scanning
Progress
0%
0 / 5 done
SAST and DAST scans mandatory in CI/CD — block deployments with critical personal data exposure vulnerabilities.
No real customer/personal data in development or staging environments — synthetic data only.
Secrets scanning in all repositories — no API keys, credentials or personal data in source code.
Privacy review gate before each product release — signed off by DPO or privacy champion.
Customer data deletion APIs — automated, verifiable; deletion completion reports sent to customer within SLA.

Manufacturing & Industrial

Industrial organisations handle workforce biometrics, IoT telemetry and plant data. OT/SCADA security intersects directly with employee personal data. Biometric attendance systems require careful consent governance under DPDPA.

OT RiskPrimary Concern
BiometricSensitive Data

Employee Biometrics & Attendance

Fingerprint, face recognition and access control data.

Critical
FingerprintsFace RecognitionIris ScansAttendance Logs
Progress
0%
0 / 4 done
Employee biometric enrolment — informed written consent; clear purpose disclosure (attendance only).
No sharing of biometric templates with third parties — on-premise HSM storage only.
Alternative attendance option for employees who refuse biometric consent — legal obligation.
Delete biometric data within 30 days of employee separation — automated offboarding trigger.

IoT & OT Data Governance

SCADA, machine telemetry and sensor data controls.

Industrial
SCADA LogsIoT TelemetryMachine DataCCTV
Progress
0%
0 / 4 done
Segment OT/SCADA networks from IT — air-gap or strict firewall for personal data flows.
CCTV and video surveillance — employee notice posted; retention limit of 30 days unless incident.
Machine telemetry containing employee performance data — classify and apply data minimisation.
IoT vendor contracts — mandatory DPAs; no third-party telemetry monetisation without consent.

Workforce Surveillance Controls

GPS tracking and shop-floor worker monitoring.

Governance
GPS TrackingProductivity MonitoringSafety Sensors
Progress
0%
0 / 3 done
GPS / location tracking of on-road workers — notice and consent; disable outside work hours.
Productivity monitoring tools — disclose what is tracked; limit to work devices and working hours.
Safety wearables and sensor data — anonymise before use in aggregate plant-level analytics.

Smart Products & Connected Device Data

Consumer IoT, connected product telemetry and firmware update controls.

Industrial
IoT Consumer DataSmart MetersFirmware UpdatesProduct Registration
Progress
0%
0 / 5 done
Smart product (consumer IoT) data collection — informed consent at product registration; all data collection points disclosed in clear setup flow.
Connected product telemetry from homes — classified as particularly sensitive; strict purpose limitation to product functionality; no sale of usage data.
Firmware updates that change data collection scope — update notice must disclose new collection before update is applied; consent obtained first.
Smart meter and energy usage data — reveals home occupancy patterns; classified as sensitive; purpose-limited to billing and grid management only.
Product recall safety data involving personal contact details — used for recall communication only; all contact data deleted post-recall completion.

Warranty, Service & After-Sales Data

Service records, authorised service centres and customer survey governance.

Industrial
Warranty RecordsService RequestsASC DataCSAT Surveys
Progress
0%
0 / 4 done
Warranty registration data — purpose-limited to warranty claims and safety communications; marketing use requires separate explicit consent.
Service request and repair records — contain device usage patterns; retain only for service dispute window (90 days); delete all data post-resolution.
Authorised service centre (ASC) data sharing — DPAs restricting data to repair-necessary information only; no sharing with competing outlets or third parties.
Customer satisfaction surveys — entirely voluntary; survey data anonymised before analysis; individual responses deleted after 90 days.

Environmental & Safety Incident Data

Industrial accident records, safety monitoring and near-miss anonymisation.

Industrial
Accident RecordsSafety MonitoringNear-Miss ReportsHealth & Safety
Progress
0%
0 / 4 done
Industrial accident data involving personal injury — retained per Factories Act and Workmen's Compensation Act; anonymised for safety research and cross-site reports.
Environmental monitoring data linked to worker locations — aggregate location data only; individual worker position data anonymised before analysis.
Health and safety compliance data — purpose-limited to safety management and regulatory reporting; not used in performance evaluation or disciplinary actions.
Near-miss and hazard reports — anonymised before sharing in cross-site safety bulletins; reporter identities protected to encourage reporting culture.

Contract Workers & Agency Staff

Joint controller obligations and agency staff biometric consent.

Industrial
Agency StaffJoint ControllerMigrant WorkersContract End
Progress
0%
0 / 5 done
Contract worker data through staffing agencies — both employer and agency are data fiduciaries; DPA between them is mandatory before engagement starts.
Agency staff biometrics on employer premises — same consent requirements as direct employees; alternative non-biometric attendance option mandatory.
Contract worker performance data — cannot be shared with the staffing agency for commercial profiling, rating or cross-client placement purposes.
Worker data at contract end — retain only what is statutorily required; agency must delete their copy within 30 days of engagement conclusion.
Migrant and seasonal worker data — language-accessible notice and consent; special care to verify consent is voluntary, not coerced by employment dependency.

Supply Chain & Dealer Data

Supplier, distributor and channel partner data governance.

Industrial
Supplier ContactsDealer RecordsLogistics DataB2B Personal Data
Progress
0%
0 / 4 done
B2B contact data (supplier and dealer employees) — DPDPA applies; inform individuals how their data is used.
Logistics and delivery partner personal data — DPAs in place; restrict to shipment-specific data fields only.
Dealer portal — separate consent for CRM analytics vs order management; no bundled consent.
End-customer warranty and service data shared with dealers — minimum data; purpose-limited to service only.

HRMS & Recruitment Platforms

HR platforms process payroll, interview recordings, PAN, bank details and biometrics — among the most sensitive personal data categories. Lifecycle governance from hire to secure offboarding deletion is mandatory under DPDPA.

SensitivePayroll & PAN
OffboardingDeletion Risk

Employee Data Lifecycle

Hire-to-retire governance and secure deletion.

Critical
PANBank DetailsPayrollAadhaarAttendance
Progress
0%
0 / 5 done
Map all employee data — PAN, Aadhaar, bank accounts, payroll, health insurance and attendance.
RBAC for HR and payroll systems — only authorised roles can access financial and identity data.
Automated offboarding deletion — execute within statutory retention window post-separation.
PAN and bank details encrypted at rest — tamper-proof access logging enabled.
Employee data portability — provide data summary within 72 hours of access request.

Recruitment & Interview Data

Resume, video interview and candidate assessment governance.

Industry
ResumesVideo InterviewsAssessmentsBGV Reports
Progress
0%
0 / 4 done
Candidate consent for recording video interviews and storing resumes — must be revocable.
Interview recordings and AI psychometric assessments — delete 90 days post-rejection.
Background verification data — purpose-limited; shared only with verified BGV vendors under DPA.
AI hiring tools — explainability requirement; human review mandatory before rejection decision.

Third-Party HR Vendors

Payroll outsourcing, ESOP and benefits platform governance.

Industry
Payroll OutsourcingESOP PlatformBenefits Portal
Progress
0%
0 / 3 done
Signed DPAs with payroll outsourcing vendors — include sub-processor list and audit rights.
ESOP and benefits portals — restrict data to what's needed; no employee data used for marketing.
Vendor security assessments — annual audit right; breach notification SLA under 24 hours.

Employee Health, Wellness & EAP Data

Wellness programme, mental health and occupational health data controls.

Critical
Wellness DataEAP / Mental HealthOccupational HealthMedical Claims
Progress
0%
0 / 5 done
Employee wellness programme data — separate explicit consent; results cannot affect employment decisions, promotions or performance ratings.
Employee Assistance Programme (EAP) and mental health data — strictest confidentiality; no manager or HR access without employee's written consent.
Occupational health assessments — purpose-limited to fitness-for-role determination; not retained in general employee profile after assessment decision.
COVID-19 and vaccination records (legacy) — audit all stores; delete all records that are beyond the statutory retention period now.
Group insurance medical claims data — cannot be used in performance evaluation, role assignment or HR decision-making under any circumstance.

Travel, Expense & Corporate Card Data

Itinerary, expense claims and international travel personal data controls.

Industry
Travel ItineraryExpense ClaimsCorporate CardPassport / Visa
Progress
0%
0 / 4 done
Travel booking and itinerary data — retained only for reimbursement processing and statutory tax audit period; all non-mandatory travel details deleted post-trip.
Corporate card transaction data — purpose-limited to expense reimbursement and fraud detection; cannot be used to profile employee lifestyle or spending habits.
Expense claim data — access restricted to the employee, direct approver and finance team; no broader HR or senior management visibility.
International travel data (passport, visa, itinerary) — highly sensitive; deleted immediately after travel completion; never stored permanently in the employee file.

Gig, Contract & Freelancer Data

Platform workers, gig economy data and freelancer tax record governance.

Industry
Gig WorkersFreelancer PANPlatform RatingsBGV
Progress
0%
0 / 5 done
Gig worker data — DPDPA applies regardless of employment classification; gig platforms are data fiduciaries for worker personal data.
Freelancer identity and payment data (PAN, bank details) — retain only for tax compliance period (7 years IT Act); AES-256 encrypted at rest.
Platform-based gig worker data (location, ratings, performance) — subject to DPDPA; workers have right to access and correct their own data.
Background check for freelancers — consent required from the individual before initiating; BGV data deleted after verification decision is recorded.
Freelancer data portability — provide portable record of work history and performance data on request within 72 hours.

Union, Grievance & Collective Bargaining Data

Sensitive union membership, grievance records and whistleblower protection.

Critical
Union MembershipBargaining RecordsWhistleblowerInternal Grievance
Progress
0%
0 / 5 done
Union membership data — sensitive personal data under DPDPA; stored separately with enhanced encryption; never disclosed to management without legal mandate.
Collective bargaining negotiation records — strictly restricted to designated HR/legal and union representatives; no broader disclosure.
Internal grievance records — confidential; no sharing with the accused party beyond what the formal grievance procedure mandates.
Whistleblower data — highest protection tier; access restricted to the investigation committee; identity never disclosed without whistleblower's written consent.
Industrial dispute data — retained per applicable labour laws; anonymised for systemic trend analysis; individual cases not shared with external parties.

Alumni & Former Employee Data

Post-separation retention, reference requests and alumni programme controls.

Industry
Post-SeparationReference ConsentAlumni NetworkRe-hire Data
Progress
0%
0 / 4 done
Post-separation data retention — retain only what is required by statutory obligations (PF, gratuity, tax records — 7 years); delete all other personal data promptly.
Reference verification requests from prospective employers — require written consent of the former employee before disclosing any information.
Alumni network programme — entirely voluntary; right to exit without consequence and data deleted upon exit request within 30 days.
Re-hire consideration data — if maintained, treated as active recruitment data with same consent, retention and purpose-limitation controls.

Performance, Appraisal & Diversity Data

Sensitive HR categories requiring enhanced governance.

Industry
PIP RecordsAppraisal DataDEI DataMedical Fitness
Progress
0%
0 / 5 done
Appraisal and PIP records — restrict access to direct manager and HR; no access to peers or skip-level without case.
AI-assisted performance tools — disclose usage to employees; right to human review of AI-generated assessments.
Diversity data (caste, religion, disability) — voluntary disclosure only; separate encrypted store; no use in promotion decisions.
Pre-employment medical data — purpose-limited to fitness-for-role; not shared with insurance without separate consent.
Termination records — retain for statutory limitation period; restrict access to Legal and HR heads only.

Industry-Specific Policy Register

188 mandatory DPDPA policies across 10 sectors. Each entry shows purpose, scope, key requirements and a sample clause. Click any row to expand. Check the box to mark as Approved.

0Approved
188Total Policies
Open Full Policy Register (Printable)
20 policies  ·  10 Critical  ·  8 High  ·  2 Medium0 / 20 Approved
Privacy Policy (External / Public-facing)
CriticalGovernanceLegal / DPO
Draft
PurposeProvide transparent notice to all data principals about what personal data is collected, why, how it is used, who it is shared with and how rights may be exercised under DPDPA 2023.
ScopeAll customer-facing websites, mobile apps, physical touchpoints and partner platforms where personal data is collected.
Key Requirements
  • Written in plain language; no legalese; available in all 22 Scheduled languages on request within 3 working days.
  • Specifies: data categories collected, processing purposes, recipients, retention periods and how to exercise rights.
  • Published prominently on homepage, app Settings/Privacy screen and all data collection forms.
  • Version-controlled with effective date; all prior versions retained 3 years minimum.
  • Updated within 30 days of any material change; re-consent obtained where required.
Sample Clause

"We collect your name, email and transaction history solely to provide and improve our services. We do not sell your personal data. You may withdraw consent, request access or deletion at any time by writing to dpo@company.com. This Notice is effective from [DATE] and supersedes all prior versions."

Data Processing Register (ROPA / DPR)
CriticalGovernanceDPO / IT
Draft
PurposeMaintain a comprehensive, continuously updated record of all personal data processing activities for DPBI audit readiness.
ScopeEvery department, system and third-party integration that collects, stores, uses or transfers personal data.
Key Requirements
  • Each entry records: data category, purpose, legal basis, processor details, retention schedule and cross-border transfers.
  • DPR updated within 14 days of any change; DPO certifies accuracy quarterly.
  • Exportable for DPBI audit within 72 hours of request.
  • Each entry has a named business owner accountable for accuracy.
Sample Clause

"The DPR shall be maintained by the DPO and updated within 14 days of any new or changed processing activity. Each record shall include: (a) data category; (b) legal basis; (c) processor and sub-processor details; (d) retention schedule; (e) cross-border transfer safeguards."

Consent Management Policy
CriticalConsentProduct / Legal
Draft
PurposeEstablish a standardised, auditable framework for obtaining, recording, managing and withdrawing consent across all channels.
ScopeAll digital and physical channels where personal data is collected from Indian data principals.
Key Requirements
  • Consent must be free, specific, informed and unambiguous; no pre-ticked boxes.
  • Each processing purpose requires a separate consent artefact; bundling prohibited.
  • Withdrawal as easy as consent; effective within 24 hours; propagated to all processors within 48 hours.
  • All consent events timestamped with IP, device, channel, notice version and user agent.
  • Consent records retained for 3 years minimum even after withdrawal.
Sample Clause

"Consent shall be obtained for each distinct processing purpose separately. A data principal may withdraw consent at any time through the privacy dashboard or by writing to the DPO. Withdrawal shall take effect within 24 hours and shall not affect the lawfulness of processing carried out before withdrawal."

Data Retention & Deletion Policy
CriticalLifecycleIT / Legal
Draft
PurposeDefine mandatory retention schedules for every data category and ensure systematic, verifiable deletion upon expiry or on a valid erasure request.
ScopeAll production databases, backups, archives, DR sites and third-party processor stores holding personal data.
Key Requirements
  • Retention schedule defined for every data category in the DPR; default to shortest defensible period.
  • Automated deletion triggers on schedule expiry; no manual approval needed for routine deletions.
  • Erasure requests fulfilled within 30 days across all environments; written confirmation to data principal.
  • Statutory holds documented; reason communicated in writing to the data principal.
  • Deletion certificates issued for biometric, financial and health data categories on request.
Sample Clause

"Personal data shall be retained only as long as necessary for the stated purpose. Upon expiry of the retention period, data shall be securely deleted or irreversibly anonymised within 30 days. Where a data principal requests erasure and no legal hold applies, deletion shall be completed within 30 days and confirmed in writing."

Data Breach Response & Notification Policy
CriticalIncidentCISO / DPO
Draft
PurposeDefine the process for detecting, classifying, escalating and reporting personal data breaches to the DPBI and affected data principals within statutory timelines.
ScopeAll systems, networks and third-party integrations processing personal data; all employees and contractors with data access.
Key Requirements
  • Breach detection to classification within 1 hour via automated SIEM alerting.
  • P1 (confirmed breach): DPBI notification within 72 hours; data principals notified without undue delay.
  • DPBI notification includes: nature, data categories affected, estimated principals affected and remediation measures.
  • Post-incident report to DPBI within 30 days — root cause, corrective actions, systemic remediation.
  • Annual tabletop breach simulation; playbook updated within 30 days of drill.
Sample Clause

"Upon confirmation of a P1 breach, the DPO shall notify the Data Protection Board of India within 72 hours. The notification shall state: (i) nature of the breach; (ii) categories and approximate number of data principals affected; (iii) likely consequences; (iv) measures taken. Affected data principals shall be notified without undue delay."

Data Principal Rights Fulfilment Policy
CriticalRightsLegal / DPO
Draft
PurposeEstablish a consistent, auditable process for responding to all data principal rights requests under DPDPA 2023 within statutory SLAs.
ScopeAll systems processing personal data of Indian data principals; customer-facing teams, HR, IT and Legal.
Key Requirements
  • Access request: full data summary delivered within 72 hours of verified identity.
  • Correction request: update propagated across all systems within 7 days.
  • Erasure request: automated deletion across all environments within 30 days; written confirmation sent.
  • Nomination: nominee registration mechanism with verified activation on proof of death/incapacity.
  • All requests logged; DPO monitors SLA weekly; DPBI escalation path communicated.
Sample Clause

"Any data principal may submit rights requests through the privacy portal or by writing to the DPO. The organisation shall respond to access requests within 72 hours, correction requests within 7 working days and erasure requests within 30 days of verified identity. Unresolved grievances may be escalated to the Data Protection Board of India."

Significant Data Fiduciary (SDF) Compliance Policy
CriticalGovernanceDPO / Board
Draft
PurposeDefine obligations, governance structure and annual compliance programme following designation as a Significant Data Fiduciary.
ScopeAll operations, systems and personnel from the date of SDF designation by the Central Government.
Key Requirements
  • DPO appointed within 90 days of designation; name and contact published on website.
  • DPIA completed for every high-risk processing activity before commencement.
  • Annual algorithmic transparency audit for all AI/ML systems at scale; filed with DPBI.
  • Annual SDF compliance report to Board and DPBI in notified format.
  • SDF registration on DPBI portal within the notified period.
Sample Clause

"As an SDF designated under Section 10 of DPDPA 2023, the organisation shall appoint a qualified Data Protection Officer reporting directly to the Board. The DPO shall conduct DPIAs for all high-risk processing and submit an annual compliance report to the DPBI. The DPO's contact details shall be published on the organisation's website."

Children's Data & Parental Consent Policy
CriticalDataDPO / Legal
Draft
PurposeEstablish absolute controls for processing personal data of children under 18, including verifiable parental consent and profiling prohibitions.
ScopeAll products, services and systems accessible to users under 18 years of age.
Key Requirements
  • No processing of any data of under-18s without verifiable parental/guardian consent; self-declaration insufficient.
  • Age verification deployed at every registration and collection point.
  • Absolute prohibition on behavioural profiling or targeted advertising of children — even with parental consent.
  • Children's data in segregated, enhanced-protection tier; separate encryption keys; access triggers DPO alert.
  • All ad-tech SDKs disabled in minor-accessible product surfaces.
Sample Clause

"No personal data of any person below 18 shall be processed without verifiable parental consent. Irrespective of consent, the organisation shall not engage in behavioural profiling, targeted advertising or monitoring of any user who is, or is reasonably believed to be, below 18 years of age."

Lawful Processing Basis Documentation Policy
CriticalLegal BasisDPO / Legal
Draft
PurposeEnsure every processing activity has a valid, documented legal basis under DPDPA 2023 and that basis is reviewed and maintained in the DPR.
ScopeAll personal data processing activities across all business units and geographies.
Key Requirements
  • Every DPR entry must have a documented legal basis — consent or a specific Section 7 deemed-consent ground.
  • State function basis: specific statutory power cited; legal opinion on file.
  • Contractual necessity: only minimum data for contract performance collected; no surplus fields.
  • Medical emergency basis: processing stops immediately when emergency resolves; documented case-by-case.
  • Quarterly DPR review by DPO to identify and correct any basis drift.
Sample Clause

"The organisation shall not process any personal data without identifying and documenting the applicable legal basis. Where processing relies on a legal obligation, the specific provision of law shall be cited in the DPR. Processing activities without a documented basis shall be suspended immediately pending DPO review."

Breach Notification Workflow & Playbook
CriticalIncidentCISO / DPO
Draft
PurposeProvide a step-by-step operational playbook for executing breach notification obligations from detection through post-incident reporting.
ScopeInformation Security, Legal, DPO and all business units that may discover or be affected by a breach.
Key Requirements
  • Playbook tested annually via tabletop simulation; updated within 30 days of drill.
  • Pre-approved DPBI notification templates ready with legal sign-off before any incident.
  • Escalation matrix: Detection → CISO (1 hr) → DPO (2 hrs) → CEO (4 hrs P1) → DPBI (72 hrs P1).
  • All breach records retained 3 years; DPBI-accessible within 72 hours.
  • All notifications reviewed by Legal before submission.
Sample Clause

"On confirmation of a P1 breach: (1) CISO notifies DPO within 2 hours; (2) DPO and Legal prepare DPBI notification within 48 hours; (3) DPO submits notification within 72 hours; (4) Affected data principals notified without undue delay; (5) Post-incident report submitted to DPBI within 30 days."

DPIA Policy & Assessment Template
HighRiskDPO
Draft
PurposeEstablish a mandatory DPIA process for all new or changed high-risk processing activities before commencement.
ScopeAll proposed new processing activities and material changes to existing high-risk processing.
Key Requirements
  • DPIA mandatory for: large-scale profiling, sensitive data processing, automated decisions with legal effect, children's data at scale.
  • DPO must sign off before processing commences; Board notified of high-risk findings.
  • DPIA register maintained; reviewed and updated annually.
  • Residual risks above acceptable threshold referred to DPBI for prior consultation.
Sample Clause

"Before commencing any high-risk processing, the business unit shall complete a DPIA using the approved template and submit it to the DPO. The DPO shall provide written opinion within 15 working days. Processing shall not commence until the DPO confirms residual risks are acceptable."

Third-Party Processor Management Policy
HighVendorProcurement / Legal
Draft
PurposeEnsure all third-party processors are contractually bound and operationally capable of meeting DPDPA obligations before any personal data is transferred.
ScopeAll vendors, SaaS providers, cloud services and partners that access, store or process personal data on behalf of the organisation.
Key Requirements
  • No personal data transferred to any processor without a signed DPA.
  • DPA must include: processing scope, security measures, breach notification SLA (max 6 hours), audit rights and deletion obligations.
  • Processor security assessment (VAPT or SOC 2 Type II) before onboarding and annually.
  • Sub-processors must notify 30 days in advance of any change; organisation may object.
Sample Clause

"No personal data shall be shared with any third-party processor without a signed Data Processing Agreement. Processors shall notify the organisation of any personal data breach within 6 hours of discovery. The processor register shall be updated within 7 days of any change."

Cross-Border Transfer & SCC Policy
HighTransferLegal
Draft
PurposeGovern all cross-border transfers of personal data to ensure compliance with DPDPA Section 16 and MeitY whitelist requirements.
ScopeAll personal data transfers to processors, affiliates or recipients outside India.
Key Requirements
  • Transfers to whitelisted countries only, or under SCCs/binding corporate rules for non-whitelisted countries.
  • Transfer Impact Assessment (TIA) completed for each country where data is processed.
  • Transfer register updated within 7 days of any new arrangement.
  • MeitY whitelist monitored monthly; transfers to removed countries paused within 48 hours.
Sample Clause

"Personal data shall be transferred outside India only to countries on the MeitY-approved whitelist or under Standard Contractual Clauses approved by the DPO and Legal. A Transfer Impact Assessment shall be completed for every country where data is processed by a sub-processor."

Privacy by Design & Default Policy
HighEngineeringCTO / DPO
Draft
PurposeEmbed privacy protections into all products, systems and processes from inception and ensure the most privacy-protective settings are the default.
ScopeAll product development, engineering and data science teams designing or modifying systems that process personal data.
Key Requirements
  • Privacy review gate in SDLC — no personal-data feature shipped without DPO or privacy champion sign-off.
  • Default settings must be the most privacy-protective option; users must actively opt into less restrictive settings.
  • No real personal data in development, staging or test environments; synthetic data mandated.
  • Data flow diagrams maintained for all systems; updated quarterly.
Sample Clause

"All new products processing personal data shall undergo a Privacy Impact Assessment before development commences. Default settings shall collect and process the minimum personal data necessary. No personal data from production shall be used in development or testing without prior DPO approval and mandatory anonymisation."

Employee DPDPA Awareness & Training Policy
HighTrainingHR / DPO
Draft
PurposeEnsure all employees and contractors who handle personal data understand and apply DPDPA obligations in their day-to-day work.
ScopeAll employees, contractors, interns and third-party personnel with access to personal data systems.
Key Requirements
  • Mandatory DPDPA foundation training within 30 days of joining and annually thereafter.
  • Role-specific training for high-risk roles (data scientists, marketers, HR, support) within 60 days of appointment.
  • Training completion records maintained; non-completion escalated after 14 days.
  • Quarterly simulated data handling exercises; results reviewed by DPO.
Sample Clause

"All employees with access to personal data shall complete mandatory DPDPA awareness training within 30 days of joining and annually thereafter. Completion shall be recorded in the Learning Management System. Non-completion within the stipulated period shall be escalated to the relevant department head."

Data Minimisation & Purpose Limitation Policy
HighGovernanceDPO
Draft
PurposeEnsure the organisation collects only the personal data strictly necessary for the stated purpose and uses it only for that purpose.
ScopeAll data collection forms, APIs, registration flows and internal data pipelines.
Key Requirements
  • Every data field collected must have a documented justification in the DPR; surplus fields removed.
  • Secondary use beyond original purpose requires fresh consent or a new lawful basis.
  • Quarterly DPO data-creep review — identify and remediate purpose drift.
  • Anonymise or pseudonymise data as soon as the primary purpose is fulfilled.
Sample Clause

"The organisation shall collect only such personal data as is strictly necessary for the stated purpose. No personal data shall be used for any purpose other than the purpose for which it was collected without obtaining fresh consent. Processing exceeding its stated purpose shall be immediately suspended pending DPO review."

Data Portability & Nomination Rights Policy
HighRightsDPO / Product
Draft
PurposeEnable data principals to receive their personal data in a portable format and to nominate a person to exercise their rights posthumously.
ScopeAll systems storing personal data of individual data principals.
Key Requirements
  • Portability: structured, machine-readable package (JSON/CSV) delivered within 72 hours via secure link.
  • Portability covers data provided by the principal, derived data and inferred profiles.
  • Nomination: registration via verified identity; activation requires proof of death or incapacity.
  • Portability mechanism tested quarterly; format follows MeitY notified standards.
Sample Clause

"Any data principal may request a portable copy of their personal data through the privacy portal. The organisation shall provide a machine-readable copy within 72 hours of the verified request. Data principals may register a nominee who may exercise all data protection rights on their behalf upon verified proof of death or incapacity."

Vendor Due Diligence & Security Assessment Policy
HighVendorProcurement / CISO
Draft
PurposeEstablish a risk-based security and privacy assessment framework for all vendors before they are granted access to personal data.
ScopeAll vendors, SaaS providers, cloud services, consultants and partners with access to personal data.
Key Requirements
  • Tiered due diligence: Tier 1 (sensitive/large-scale) → VAPT + questionnaire + audit right; Tier 2 → SOC 2/ISO 27001; Tier 3 → questionnaire.
  • Assessment completed before contract execution; re-assessed annually.
  • Critical deficiencies remediated within 60 days or engagement terminated.
  • All assessments documented and accessible for DPBI audit.
Sample Clause

"Prior to granting access to personal data, the Information Security team shall conduct a security assessment proportionate to the vendor's risk level. Vendors accessing sensitive personal data of more than 10,000 principals shall provide SOC 2 Type II or ISO 27001 evidence. Assessments shall be repeated annually."

Annual DPDPA Internal Audit Policy
HighAuditDPO / Internal Audit
Draft
PurposeEstablish a systematic annual process for assessing DPDPA compliance, identifying gaps and tracking remediation across all business units.
ScopeAll business units, systems and third-party relationships involving personal data processing.
Key Requirements
  • Annual DPDPA audit by DPO with Internal Audit; external auditor for SDFs.
  • Audit scope: consent flows, DPR accuracy, rights SLAs, security controls, processor DPAs, training completion.
  • Findings: Critical (30-day remediation), High (60 days), Medium (90 days).
  • Audit report to Board within 30 days; summary filed with DPBI for SDFs.
Sample Clause

"The organisation shall conduct a comprehensive DPDPA compliance audit at least once every calendar year. The audit report shall be presented to the Board within 30 days of conclusion. All critical findings shall be remediated within 30 days. Audit records shall be maintained for a minimum of 5 years."

Privacy Notice & Communication Standards Policy
MediumConsentLegal / Marketing
Draft
PurposeDefine the format, language and channel standards for all privacy communications issued to data principals.
ScopeAll privacy notices, consent forms, breach notifications, rights responses and marketing opt-in communications.
Key Requirements
  • All notices written at maximum 8th-grade reading level; tested with a readability tool.
  • No legalese, double negatives or unexplained defined terms.
  • Visual icons and infographics to supplement text where practical.
  • All notices reviewed by Legal and DPO before publication; annual review cycle.
Sample Clause

"All privacy notices shall be written in clear, plain language comprehensible by the average user without legal expertise. Privacy communications shall avoid technical legal terminology and passive voice constructions. All notices shall be reviewed jointly by Legal and the Data Protection team before publication."

20 policies  ·  8 Critical  ·  10 High  ·  2 Medium0 / 20 Approved
View All 20 Fintech Policies with Full Content
KYC & Financial Data Governance Policy
CriticalDataCompliance / DPO
Draft
PurposeGovern the collection, storage, masking and sharing of KYC data including PAN, Aadhaar, bank accounts and credit information in compliance with DPDPA, UIDAI Act and RBI guidelines.
ScopeAll systems and processes handling customer KYC data across onboarding, lending, payments and investment operations.
Key Requirements
  • PAN and Aadhaar masked in all non-verification contexts; no full Aadhaar number stored.
  • KYC data purpose-limited to identity verification and regulatory reporting only.
  • Credit bureau data classified as sensitive personal data; access logged and audited.
  • All KYC vendor DPAs executed; data minimisation enforced at API level.
  • KYC data retention aligned to PMLA (5 years) and UIDAI guidelines.
Sample Clause

"KYC data including PAN number, Aadhaar Virtual ID and bank account details shall be classified as sensitive personal data and shall be processed only for the purposes of identity verification and statutory regulatory compliance. No KYC data shall be used for marketing, profiling or cross-sell purposes without fresh explicit consent."

AML / CFT & PMLA Data Governance Policy
CriticalRegulatoryMLRO / Compliance
Draft
PurposeEnsure dual compliance between PMLA 2002 obligations and DPDPA 2023 for customer due diligence, transaction monitoring and FIU-IND reporting data.
ScopeAll AML/CFT data including CDD records, STRs, CTRs and FIU-IND submissions.
Key Requirements
  • CDD and EDD data retained for 5 years per PMLA; DPDPA erasure requests overridden by PMLA statutory hold.
  • STRs and CTRs in separate governance channel; no commercial team access.
  • FIU-IND data transmission via encrypted channel; access restricted to MLRO.
  • AML data not usable for commercial profiling or marketing under any circumstance.
Sample Clause

"AML/CFT data processed for compliance with the Prevention of Money Laundering Act 2002 shall be retained for the period mandated by PMLA, notwithstanding any erasure request under DPDPA. Where a data principal requests erasure, the organisation shall communicate in writing the statutory basis for retaining the data and the expected retention end date."

Digital Lending & NBFC Data Controls Policy
CriticalRegulatoryCompliance / DPO
Draft
PurposeAlign digital lending data practices with RBI Digital Lending Guidelines 2022 and DPDPA 2023, prohibiting invasive device data harvesting and ensuring purpose-limited data use.
ScopeAll digital lending apps, NBFC platforms, lending service providers and recovery operations.
Key Requirements
  • No access to borrower contacts, photos, call logs or device storage for any purpose.
  • Loan application data purpose-limited to credit assessment; no cross-sell without fresh consent.
  • Quarterly app permission audit; all unnecessary permissions removed.
  • Recovery agents receive only outstanding amount, EMI schedule and registered contact.
Sample Clause

"The organisation's digital lending application shall not request access to the borrower's device contacts, photographs, call logs, location data or any other device data not strictly necessary for the credit assessment process. Loan data shall not be used for any commercial purpose other than loan processing and recovery."

PCI-DSS Compliance & Tokenisation Policy
CriticalSecurityCISO / CTO
Draft
PurposeEnsure payment card data is never stored in raw form and all card processing complies with PCI-DSS and RBI tokenisation mandates.
ScopeAll payment processing systems, checkout flows, payment gateways and stored credential systems.
Key Requirements
  • Zero raw card credentials stored on servers; tokenisation mandatory per RBI and PCI-DSS.
  • CVV never stored beyond the authorisation transaction.
  • Annual PCI-DSS QSA assessment; findings remediated within 30 days for critical items.
  • Explicit opt-in required to save payment methods; no default saving at checkout.
Sample Clause

"The organisation shall not store, process or transmit full payment card numbers in unencrypted form. All card data shall be tokenised in accordance with the RBI Tokenisation Guidelines and PCI-DSS requirements. The CVV shall not be stored after completion of the authorisation transaction under any circumstance."

Account Aggregator (AA) Consent Policy
HighConsentProduct / Compliance
Draft
PurposeGovern all data sharing under the RBI Account Aggregator framework, ensuring FIP/FIU consents are properly obtained, stored and revocable.
ScopeAll AA-based data flows including FIP data sharing and FIU data consumption.
Key Requirements
  • Separate consent artefacts for lending, insurance and investment products — no bundling.
  • Consent revocation propagated to all FIU partners within 2 hours.
  • Data received from AA used only for the consented purpose; no secondary use.
  • AA consent records linked to DPDPA consent register for dual-compliance tracking.
Sample Clause

"Data received through the Account Aggregator framework shall be used solely for the specific financial product purpose for which consent was granted. Consent for different financial products (lending, insurance, investment) shall be obtained separately. Consent revocation shall be implemented within 2 hours of the data principal's request."

AI / ML Model Governance & Explainability Policy
HighAIRisk / DPO
Draft
PurposeEnsure AI/ML models used for credit decisioning and fraud detection are transparent, auditable and do not produce discriminatory outcomes.
ScopeAll AI/ML models that use personal financial data to produce credit scores, fraud flags or automated lending decisions.
Key Requirements
  • Disclose automated decision-making to data principal; provide right to human review.
  • Explainability documentation for every model using personal financial data.
  • Annual bias audit for credit scoring models; non-discriminatory outcomes verified.
  • Model governance register maintained; DPO and Risk co-sign each model deployment.
Sample Clause

"Where a credit or lending decision is made wholly or partially through automated means, the data principal shall be informed of this and shall have the right to request a review by a human officer. The organisation shall maintain documentation explaining the key factors that influenced any automated credit decision."

20 policies  ·  7 Critical  ·  11 High  ·  2 Medium0 / 20 Approved
View All 20 Healthcare Policies with Full Content
Patient Data Governance & Classification Policy
CriticalDataDPO / CMO
Draft
PurposeClassify all patient health data under the appropriate sensitivity tier and apply corresponding security and consent controls throughout the data lifecycle.
ScopeAll EHR systems, diagnostic labs, imaging systems, telemedicine platforms, wearables and ABHA-linked services.
Key Requirements
  • Tier 1 (highest): genetic, biometric, mental health, HIV, addiction data — HSM key management, zero-trust access.
  • Tier 2 (sensitive): EHR, prescriptions, lab reports — AES-256 at rest; TLS 1.3 in transit.
  • Tier 3: administrative/billing data — standard encryption with RBAC.
  • Every access to Tier 1 data triggers automated DPO alert.
  • Data classification reviewed annually and on new data type introduction.
Sample Clause

"Health data shall be classified into three tiers based on sensitivity. Tier 1 data including genetic information, biometric identifiers, mental health records, HIV status and addiction treatment records shall be processed only with explicit consent and shall be stored with the highest available encryption standard. Every access to Tier 1 data shall be logged and reported to the Data Protection Officer."

Patient Consent Architecture Policy
CriticalConsentCMO / Legal
Draft
PurposeDesign and operate a condition-specific, purpose-limited consent system that keeps treatment, research, insurance and commercial consents completely separate.
ScopeAll patient touchpoints including hospital admission, OPD, telemedicine, diagnostic labs, insurance portals and health apps.
Key Requirements
  • Diagnosis/treatment consent, research consent and insurance sharing consent are three separate artefacts — never bundled.
  • Blanket admission-form waivers prohibited; each purpose requires individual consent.
  • Telemedicine: separate consent for session recording and AI transcription obtained before session starts.
  • Emergency treatment exempt from consent requirement; exemption documented immediately after.
Sample Clause

"Consent for the use of patient health data for research purposes shall be obtained separately from consent for clinical treatment. A patient's refusal to consent to research data use shall not affect the quality of clinical care provided. Insurance data sharing shall require a separately signed consent form distinct from the treatment consent."

Health Records Retention Policy (NMC / NABH)
CriticalLifecycleLegal / DPO
Draft
PurposeReconcile statutory medical record retention requirements with DPDPA erasure rights, establishing a clear priority hierarchy and patient communication protocol.
ScopeAll patient records including EHR, diagnostic reports, operation notes, prescriptions and consent forms.
Key Requirements
  • NMC minimum retention: 3 years for adults; 3 years after majority for minors.
  • NABH accreditation: 5–7 years for clinical records.
  • Erasure requests received within statutory window: communicate legal hold in writing to patient within 14 days.
  • Non-statutory data (marketing, analytics) deleted immediately on erasure request.
  • Post-statutory period: data deleted within 30 days; patient notified.
Sample Clause

"Where a patient requests erasure of their health records and such records are subject to a statutory retention obligation under NMC or NABH guidelines, the organisation shall communicate in writing the specific legal basis for retaining the data, the expected retention end date, and confirm that all non-statutory data has been deleted immediately."

Mental Health & Genetic Data Protection Policy
CriticalDataDPO / CMO
Draft
PurposeApply the strictest protections to the most sensitive health data categories — mental health, genetic, HIV, addiction and reproductive health information.
ScopeAll systems, practitioners and workflows that process mental health, genetic or HIV-related patient data.
Key Requirements
  • Stored in segregated Tier 1 system; separate encryption keys managed via HSM.
  • No sharing with insurers for underwriting purposes without separate, explicit consent.
  • Genetic data: additional consent layer; no use for employer screening or insurance underwriting.
  • Mental Health Act 2017 patient confidentiality obligations applied alongside DPDPA.
  • Every access triggers real-time DPO alert; weekly access report reviewed by DPO.
Sample Clause

"Mental health records, genetic data, HIV status, addiction treatment records and reproductive health data shall be stored in a segregated environment with access restricted to the treating clinical team. These records shall not be disclosed to any insurer, employer or third party without the patient's explicit, written and separately obtained consent."

Health Insurance & TPA Data Sharing Policy
CriticalVendorFinance / DPO
Draft
PurposeGovern the minimum-data sharing with Third-Party Administrators and insurers to ensure patient health data is used only for claims processing and not for underwriting discrimination.
ScopeAll TPA integrations, cashless claim workflows and insurer data sharing arrangements.
Key Requirements
  • TPA data sharing limited to: diagnosis code, treatment code and billed amount only.
  • Insurance underwriting using health data requires separate explicit consent.
  • Claim rejection reason not shared with other insurers without patient consent.
  • Pre-authorisation data deleted within 30 days of claim resolution.
Sample Clause

"Data shared with Third-Party Administrators for claims processing shall be limited to the minimum necessary for claim settlement: the patient's name, policy number, diagnosis code (ICD-10), treatment code and billed amount. Full clinical notes, investigation reports and detailed medical history shall not be shared with TPAs without specific patient consent."

ABHA / ABDM Health ID Integration Policy
HighRegulatoryIT / Compliance
Draft
PurposeAlign ABHA Health ID integration with ABDM consent framework and DPDPA, ensuring patients control their health data across the national health ecosystem.
ScopeAll ABHA-linked services, health locker integrations and ABDM-compliant health record sharing.
Key Requirements
  • ABDM consent artefacts obtained per-document; no bulk pull without per-request consent.
  • ABHA-linked data stored under DPDPA controls in addition to NHA guidelines.
  • Consent manager linked to the national health consent gateway.
  • Data shared via ABDM is subject to the same purpose-limitation as all other health data.
Sample Clause

"Access to a patient's health records through the ABHA system shall require the patient's consent through the ABDM-certified consent manager for each health record accessed. The organisation shall not access, aggregate or store ABHA-linked records beyond the scope authorised by the patient's consent artefact."

20 policies  ·  4 Critical  ·  12 High  ·  4 Medium0 / 20 Approved
View All 20 E-Commerce Policies with Full Content
Behavioural Profiling & Personalisation Policy
CriticalDataProduct / DPO
Draft
PurposeGovern the collection and use of browsing, purchase and interaction data for personalisation and recommendation engines, ensuring separate, revocable consent.
ScopeAll recommendation engines, personalisation algorithms, ad targeting systems and behavioural analytics pipelines.
Key Requirements
  • Separate, revocable consent required for personalisation beyond order fulfilment.
  • No pre-ticked personalisation or marketing consent checkboxes at registration or checkout.
  • Users may opt out of personalisation without losing core service functionality.
  • Children's accounts: all personalisation disabled regardless of parental consent.
  • Profiling data not shared with marketplace sellers.
Sample Clause

"The organisation shall obtain separate, explicit consent before using a customer's browsing history, purchase data or wishlist information for the purpose of personalising product recommendations or targeted advertising. A customer who withdraws consent for personalisation shall continue to receive full access to the platform's core services."

Children's Data & Age Verification Policy
CriticalDataDPO / Legal
Draft
PurposeEnsure zero profiling or behavioural targeting of users under 18 and require verifiable parental consent before account creation for minors.
ScopeAll registration flows, checkout processes, recommendation engines and marketing systems accessible to users under 18.
Key Requirements
  • Age verification at registration; self-declaration insufficient — OTP to parent/guardian mandatory.
  • No behavioural targeting, personalised advertising or profiling of under-18s.
  • Age-gating on product categories not suitable for minors.
  • Parental consent renewal triggered automatically at user's 18th birthday.
Sample Clause

"No account shall be created for a user below 18 years without verifiable consent from a parent or guardian. The organisation shall not display personalised advertisements to users identified or reasonably believed to be below 18 years of age, irrespective of parental consent."

Dark Patterns Prohibition Policy
HighUXProduct / Legal
Draft
PurposeProhibit all deceptive interface patterns that manipulate data principals into consenting to data collection they would not otherwise agree to.
ScopeAll consumer-facing UI/UX including registration, checkout, consent flows, subscription management and account deletion paths.
Key Requirements
  • No confirmshaming, hidden opt-outs, pre-ticked boxes, roach motel or forced action dark patterns.
  • Account deletion must be as easy as account creation — max 3 clicks.
  • Cancellation of subscription completable in max 3 clicks from logged-in state.
  • Independent UX dark-pattern audit quarterly; findings reported to DPO within 30 days.
Sample Clause

"The organisation's user interfaces shall not employ any dark patterns, deceptive designs or interface elements that manipulate users into consenting to data collection beyond what they would freely choose. Account deletion and subscription cancellation shall be accessible through a clearly labelled path requiring no more than three steps from the user's account settings page."

Cookie & Tracking Technology Policy
CriticalTechnologyProduct / Legal
Draft
PurposeGovern the deployment and management of cookies, pixels, fingerprinting and other tracking technologies in compliance with DPDPA consent requirements.
ScopeAll websites, mobile apps and digital properties that deploy any form of tracking or analytics technology.
Key Requirements
  • Strictly necessary cookies: no consent required; all others require explicit opt-in.
  • Consent Management Platform deployed; consent choices persisted across sessions.
  • No tracking before consent is obtained; cookie banner cannot default to "Accept All".
  • Cookie audit quarterly; unauthorised cookies removed within 48 hours of discovery.
Sample Clause

"The organisation shall deploy tracking cookies, web beacons, pixels or similar technologies for analytics, marketing or personalisation purposes only after obtaining the user's explicit consent. The consent interface shall not pre-select any non-essential cookies and shall provide a 'Reject All' option as prominent as the 'Accept All' option."

20 policies  ·  7 Critical  ·  10 High  ·  3 Medium0 / 20 Approved
View All 20 EdTech Policies with Full Content
Student Data Protection Policy
CriticalDataDPO / Academic
Draft
PurposeEstablish the foundational governance framework for all personal data of students, parents and teachers processed by the EdTech platform.
ScopeAll student records, learning data, assessment outcomes, attendance, class recordings and parent contact information.
Key Requirements
  • Student data purpose-limited to educational delivery and learning improvement only; no commercial use.
  • No sale, transfer or sharing of student data with any third party for commercial purposes.
  • Account deletion completed within 30 days of request; all backups purged.
  • Ad-tech SDKs prohibited in all student-facing applications.
  • Separate data registers for under-13, 13-18 and adult learners.
Sample Clause

"Student personal data including learning progress, assessment scores, attendance records and class interactions shall be used solely for the purpose of delivering educational services and improving learning outcomes. Student data shall not be sold, licensed or transferred to any third party for marketing, advertising, profiling or any commercial purpose."

Online Proctoring & AI Invigilation Policy
CriticalTechnologyCTO / DPO
Draft
PurposeGovern consent, data handling and retention of exam recordings, AI behaviour analysis and biometric verification in online proctoring systems.
ScopeAll online examinations using proctoring software, AI monitoring, biometric verification or remote invigilation.
Key Requirements
  • Separate explicit informed consent before proctoring software installation; full disclosure of data collected.
  • Exam recordings encrypted; deleted 90 days after results publication.
  • AI-flagged behaviour: right to human review before any malpractice action.
  • Biometric template deleted immediately after exam session ends.
  • Proctoring vendor DPA prohibits secondary use for AI model training.
Sample Clause

"Before a student installs proctoring software, the organisation shall obtain explicit, informed consent that details every category of data collected, how it is analysed and the retention period. Where AI behaviour analysis flags potential malpractice, the student shall have the right to request review by a human invigilator before any formal action is taken."

Anti-Profiling & Zero Targeting Policy (Minors)
CriticalDataDPO
Draft
PurposeEstablish an absolute prohibition on behavioural profiling and targeted advertising directed at students under 18, irrespective of parental consent.
ScopeAll EdTech platforms, learning management systems, student apps and partner services accessible to users under 18.
Key Requirements
  • Zero behavioural profiling or targeted advertising for under-18s — not permissible even with parental consent.
  • AI/ML personalisation engines disabled for minor accounts; only anonymised aggregate signals used.
  • All ad-tech and third-party tracking SDKs removed from minor-accessible product surfaces.
  • No transfer of student learning data to any third party for commercial purposes.
Sample Clause

"The organisation shall not engage in behavioural profiling, monitoring, targeting or personalised advertising directed at any student below 18 years of age. This prohibition applies irrespective of parental consent. AI-driven personalisation systems shall be disabled for all accounts identified as belonging to users below 18."

20 policies  ·  8 Critical  ·  10 High  ·  2 Medium0 / 20 Approved
View All 20 Telecom Policies with Full Content
CDR & Network Data Governance Policy
CriticalDataDPO / CTO
Draft
PurposeGovern the processing, access and retention of Call Detail Records, IPDR and network usage data with strict purpose limitation and subscriber consent.
ScopeAll CDR, IPDR, location data, IMEI and SMS metadata systems across all TSP/ISP operations.
Key Requirements
  • CDR strict purpose limitation: network management and billing only; no analytics sharing without explicit subscriber consent.
  • Real-time location data requires explicit consent; no passive or background collection.
  • IPDR retention capped at DoT-mandated 1-year minimum; purged beyond statutory window.
  • Subscriber data access logs retained for 2 years; accessible for TRAI/DoT audit within 48 hours.
Sample Clause

"Call Detail Records shall be used solely for network management, billing and statutory compliance purposes. CDR data shall not be shared with any third party for analytics, marketing or commercial purposes without the subscriber's explicit consent. All CDR access by internal teams shall be logged and reviewed monthly by the DPO."

Dual Breach Reporting Policy (DoT + DPBI + CERT-In)
CriticalIncidentCISO / DPO
Draft
PurposeReconcile three simultaneous breach notification obligations (DPBI 72h, CERT-In 6h, DoT Telecom Act) into a single coordinated response playbook.
ScopeAll security incidents involving subscriber personal data, network infrastructure or subscriber systems.
Key Requirements
  • CERT-In: cybersecurity incident reported within 6 hours in CERT-In format.
  • DPBI: personal data breach notified within 72 hours of confirmation.
  • DoT: breach notified per Telecom Act 2023 within notified timeline.
  • Three-regulator matrix pre-mapped; named contacts for each regulator documented.
  • Subscriber breach alert via SMS and email within reasonable time after DPBI notification.
Sample Clause

"On confirmation of a breach affecting subscriber personal data, the organisation shall simultaneously initiate: (1) CERT-In notification within 6 hours in the prescribed format; (2) DPBI notification within 72 hours per DPDPA; (3) DoT notification per the Telecom Act 2023 timeline. The DPO shall co-ordinate all three notifications and maintain a unified breach log."

Subscriber Rights Self-Service Portal Policy
CriticalRightsDPO / Product
Draft
PurposeOperate a self-service digital portal enabling subscribers to access their CDR, manage all VAS consents, file privacy complaints and exercise DPDPA rights without calling customer care.
ScopeAll subscriber-facing digital portals, mobile apps and USSD-based self-service channels.
Key Requirements
  • CDR access request: subscriber receives own call records in machine-readable format within 72 hours.
  • Consent centre: all active VAS consents visible; individual withdrawal per service without call-centre dependency.
  • Grievance tracking visible in portal; escalation to DPBI link prominently displayed.
  • Portal accessible in English and regional languages per subscriber's registered language preference.
Sample Clause

"The organisation shall operate a self-service privacy portal accessible to all subscribers through the mobile app and website. Through this portal, subscribers shall be able to: (a) request a copy of their CDR; (b) view and manage all active service consents; (c) file and track privacy grievances; and (d) exercise their right to access, correction or erasure without requiring a call centre interaction."

20 policies  ·  8 Critical  ·  10 High  ·  2 Medium0 / 20 Approved
View All 20 Government Policies with Full Content
Sovereign Function Exemption Boundary Policy
CriticalLegalLegal / DPO
Draft
PurposeFormally demarcate which government processing activities qualify for the sovereign function exemption under DPDPA Section 17 and which are fully subject to the Act.
ScopeAll government departments, PSEs, autonomous bodies and outsourced IT vendors handling citizen data.
Key Requirements
  • Legal opinion mapping every processing activity to either sovereign-exempt or DPDPA-applicable status.
  • PSEs and autonomous bodies treated as fully DPDPA-applicable regardless of government ownership.
  • Outsourced IT vendors bear full DPDPA liability via signed DPAs regardless of government client.
  • Exemption boundary reviewed and updated annually by Legal and DPO.
Sample Clause

"The organisation shall obtain and maintain a legal opinion identifying each processing activity as either (a) sovereign function exempt from DPDPA under Section 17, or (b) fully subject to the DPDPA. Commercial activities and citizen services conducted by PSEs and autonomous bodies shall be treated as DPDPA-applicable irrespective of government ownership."

Section 17 Exemptions Governance Policy
CriticalLegal BasisLegal / DPO
Draft
PurposeGovern law enforcement disclosures, national security exemptions and research exemptions under DPDPA Section 17 through a formal register and legal authorisation process.
ScopeAll data disclosures to law enforcement, intelligence agencies and research or journalism entities claiming Section 17 exemptions.
Key Requirements
  • Every exemption claim mapped to a specific statutory provision; general claims insufficient.
  • Law enforcement requests logged with case reference, authority and legal basis before compliance.
  • Research/journalism exemptions verified against the actual purpose; minimum data applied.
  • Exemption register reviewed quarterly; invalid claims discontinued.
  • No commercial use of data processed under an exemption.
Sample Clause

"Data disclosed to law enforcement or intelligence agencies shall be logged in the Exemption Register with the specific statutory authority, date, case reference and category of data disclosed. This log shall be reviewed by the DPO monthly. No data disclosed under a Section 17 exemption shall be repurposed for any commercial, marketing or non-exempt activity."

Citizen Data Governance Policy
CriticalDataDPO / IT
Draft
PurposeEstablish the foundational data governance framework for all citizen personal data collected, processed and stored by the government entity across all its digital and physical services.
ScopeAll citizen-facing portals, welfare scheme databases, identity systems and inter-departmental data exchanges.
Key Requirements
  • Welfare scheme data purpose-limited to benefit delivery; no cross-scheme profiling.
  • Inter-departmental sharing requires documented legal basis per specific scheme rules.
  • Citizen analytics used only in aggregate anonymised form for policy planning.
  • Citizen rights portal deployed: access, correction and grievance requests available online.
Sample Clause

"Personal data collected from citizens in the course of delivering government services and welfare schemes shall be used solely for the purpose of delivering those specific services. Citizens may exercise their rights of access, correction and grievance through the designated citizen rights portal. Inter-departmental sharing of citizen data shall require documented authorisation citing the specific legal basis."

20 policies  ·  8 Critical  ·  10 High  ·  2 Medium0 / 20 Approved
View All 20 SaaS & IT Policies with Full Content
Multi-Tenant Data Isolation & Security Policy
CriticalSecurityCTO / CISO
Draft
PurposeEnsure that personal data of one customer tenant can never be accessed, viewed or derived by another tenant through technical isolation controls.
ScopeAll multi-tenant SaaS environments, shared databases, API gateways and analytics pipelines.
Key Requirements
  • Cryptographic and logical tenant separation; tenant IDs enforced at every data layer.
  • API gateway monitors for cross-tenant data access in real time; anomalies trigger immediate alert.
  • Encrypted backups with geo-restriction; Indian tenant data stays within DPDPA-compliant regions.
  • Annual penetration test of tenant isolation specifically; findings remediated within 30 days.
Sample Clause

"The organisation shall maintain strict logical and cryptographic separation between the data of each customer tenant. Tenant identifiers shall be enforced at the application, database and API layers. Any cross-tenant data access detected by the security monitoring system shall trigger an immediate alert and be treated as a P1 security incident."

Customer DPA Template & Negotiation Policy
CriticalContractLegal / DPO
Draft
PurposeStandardise the Data Processing Agreement offered to Indian enterprise customers and define the minimum non-negotiable DPDPA compliance terms.
ScopeAll customer contracts involving processing of Indian personal data on behalf of the customer as data fiduciary.
Key Requirements
  • Standard DPA includes: processing scope, security measures, breach notification SLA, sub-processor list, audit rights and deletion obligations.
  • Breach notification SLA to customer: Enterprise 24 hours, SMB 48 hours.
  • Sub-processor changes notified 30 days in advance; customer may object.
  • DPO-approved DPA template; significant deviations require DPO and Legal sign-off.
Sample Clause

"The organisation as Data Processor shall process personal data only on the documented instructions of the customer as Data Fiduciary. The organisation shall notify the customer of any personal data breach within 24 hours (Enterprise tier) or 48 hours (SMB tier) of discovery. The organisation shall not engage any new sub-processor without providing 30 days' advance notice to the customer."

Customer Offboarding & Deletion Certificate Policy
CriticalLifecycleCTO / DPO
Draft
PurposeEnsure complete, verifiable deletion of all customer data within 30 days of contract termination, with cryptographic proof issued to the customer.
ScopeAll customer data in production, staging, DR, backups, cold storage and sub-processor systems.
Key Requirements
  • Deletion completed within 30 days post-contract; no extension without written customer consent.
  • Cryptographic deletion certificate (hash of deletion logs) issued within the SLA.
  • Sub-processor deletion chain: each sub-processor confirms deletion; prime SaaS aggregates evidence.
  • All environments covered: production, staging, DR, backups and cold storage.
Sample Clause

"Upon termination or expiry of the customer contract, the organisation shall securely delete all customer personal data from all systems and environments within 30 days. The organisation shall issue a signed deletion certificate to the customer confirming the scope and completion of deletion. Sub-processor deletion confirmations shall be obtained and provided to the customer on request."

20 policies  ·  2 Critical  ·  13 High  ·  5 Medium0 / 20 Approved
View All 20 Manufacturing Policies with Full Content
Employee Biometric Data Governance Policy
CriticalDataHR / DPO
Draft
PurposeGovern the collection, storage, use and deletion of employee biometric data (fingerprints, face recognition, iris scans) used for attendance and access control.
ScopeAll biometric attendance and access control systems across all manufacturing sites and offices.
Key Requirements
  • Informed written consent before biometric enrolment; purpose disclosed as attendance and access only.
  • Biometric templates stored on-premise in HSM; not shared with any third party.
  • Alternative non-biometric attendance option available to employees who refuse consent.
  • Biometric data deleted within 30 days of employee separation; automated offboarding trigger.
  • No use of biometric data for performance evaluation or monitoring beyond access/attendance.
Sample Clause

"Employee biometric data shall be collected only with the employee's informed written consent and shall be used solely for the purposes of attendance recording and physical access control. Employees who do not consent to biometric enrolment shall be provided with an alternative attendance mechanism. Biometric templates shall be permanently deleted within 30 days of the employee's last working day."

OT / SCADA Network Security & Segmentation Policy
CriticalSecurityCISO / OT Head
Draft
PurposePrevent personal data processed in IT systems from crossing into OT/SCADA environments and ensure industrial control systems are isolated from data privacy risks.
ScopeAll operational technology, SCADA systems, industrial IoT devices and their IT network interfaces.
Key Requirements
  • Air-gap or strict firewall between OT/SCADA and IT networks; no personal data flows into OT.
  • Machine telemetry containing employee performance data classified and data-minimised before use.
  • CCTV and video surveillance: employee notice posted; 30-day retention cap unless incident.
  • OT vendor contracts include DPAs; no telemetry monetisation without consent.
Sample Clause

"The organisation shall maintain strict network segmentation between operational technology (OT/SCADA) systems and information technology (IT) systems. Personal data processed in IT systems shall not flow into OT environments. Machine telemetry data that can identify individual worker behaviour or performance shall be anonymised before use in plant-level analytics."

20 policies  ·  6 Critical  ·  10 High  ·  4 Medium0 / 20 Approved
View All 20 HRMS Policies with Full Content
Employee Data Lifecycle Governance Policy
CriticalDataHR / DPO
Draft
PurposeGovern the complete lifecycle of employee personal data from pre-hiring through offboarding, ensuring purpose-limited collection, secure access and statutory deletion.
ScopeAll employee data including PAN, Aadhaar, bank accounts, payroll, health insurance, attendance and performance records.
Key Requirements
  • Employee data collected only for clearly documented HR purposes; no surplus fields.
  • RBAC for HRMS: only authorised roles access financial and identity data.
  • Automated offboarding deletion triggered within statutory retention window post-separation.
  • PAN and bank details encrypted at rest; tamper-proof access logging enabled.
  • Employee data portability: full data summary provided within 72 hours of access request.
Sample Clause

"Employee personal data shall be collected only for the purposes of employment management and statutory compliance. Access to payroll data, PAN numbers, Aadhaar details and health insurance records shall be restricted to authorised HR and Finance personnel. Upon an employee's separation, all non-statutory personal data shall be automatically deleted within the applicable retention window."

Union, Grievance & Collective Bargaining Policy
CriticalHRHR / Legal
Draft
PurposeApply the highest protection standards to union membership, collective bargaining, internal grievance and whistleblower data, preventing any management access that could undermine employee rights.
ScopeAll union registers, bargaining records, grievance files and whistleblower reports.
Key Requirements
  • Union membership data stored separately with enhanced encryption; never disclosed to management.
  • Collective bargaining records restricted to designated HR/Legal and union representatives only.
  • Grievance records confidential; sharing with accused party limited to what the procedure mandates.
  • Whistleblower identity never disclosed without whistleblower's written consent.
Sample Clause

"Union membership data shall be classified as sensitive personal data and stored in a segregated, access-controlled environment. Management personnel shall not have access to union membership records unless specifically authorised by court order. Whistleblower reports shall be accessible only to the members of the designated investigation committee and the identity of the whistleblower shall not be disclosed without their express written consent."

Recruitment & Candidate Data Policy
HighDataHR / Legal
Draft
PurposeGovern candidate data from application through rejection or onboarding, including interview recordings, psychometric assessments, BGV reports and AI hiring tool outputs.
ScopeAll recruitment platforms, ATS systems, interview recording tools, AI hiring tools and BGV vendor integrations.
Key Requirements
  • Candidate consent for video recording and resume storage; must be revocable.
  • Interview recordings and AI psychometric assessments deleted 90 days post-rejection.
  • BGV data purpose-limited; shared only with verified BGV vendors under DPA.
  • AI hiring tools: explainability required; human review mandatory before rejection.
Sample Clause

"Candidates who are not offered employment shall have their interview recordings, psychometric assessment results and AI-generated evaluation reports deleted within 90 days of the final recruitment decision. Where an AI tool is used to evaluate a candidate, the candidate shall be informed and shall have the right to request review of the automated assessment by a human recruiter."

Employee Health, Wellness & EAP Data Policy
CriticalDataHR / DPO
Draft
PurposeEnsure employee health, wellness and EAP data is collected with separate consent and never used in any employment decision, performance evaluation or disciplinary action.
ScopeAll wellness programmes, Employee Assistance Programmes, occupational health assessments and group insurance medical claims.
Key Requirements
  • Wellness data: separate explicit consent; results cannot affect employment decisions.
  • EAP/mental health data: no manager or HR access without employee's written consent.
  • Occupational health: purpose-limited to fitness-for-role; not stored in general employee profile.
  • Medical claims data: not used in performance evaluation under any circumstance.
Sample Clause

"Data from employee wellness programmes, Employee Assistance Programmes and mental health support services shall be collected with separate explicit consent and shall be held in a confidential record entirely distinct from the employee's general HR file. This data shall not be accessible to the employee's manager, used in performance evaluations or considered in any employment decision."

Implementation Phases Tracker

Six-phase DPDPA implementation roadmap with universal and industry-specific milestones. Click any phase to expand milestones. Check off each milestone as it is completed.

6Phases
12Month Roadmap
1

Data Discovery & Mapping

Month 1–2  |  Foundation for all compliance activities

0%
Universal
Complete enterprise-wide personal data inventory across all systems.
Create and populate Data Processing Register (DPR) with all categories.
Map all third-party processors and sub-processors receiving personal data.
Classify all data: general personal, sensitive, children's, and employee data.
Tag all data with retention schedules and cross-border transfer flags.
Fintech / Healthcare
[Fintech] Map all KYC, Aadhaar, PAN and financial account data stores.
[Fintech] Identify all offshore card network and SWIFT data flows.
[Healthcare] Map all EHR, ABHA, biometric and wearable data collection points.
[Healthcare] Identify all clinical research data flows to pharma and CROs.
EdTech / E-Commerce / HRMS
[EdTech] Identify all student, parent and teacher data systems including LMS.
[E-Commerce] Map behavioural, purchase, payment and loyalty data pipelines.
[HRMS] Inventory all employee data including payroll, PAN, Aadhaar and biometrics.
[Telecom] Map all CDR, SIM KYC, IPDR and location data retention systems.
2

Consent Framework Deployment

Month 2–4  |  CMP, notices and consent workflows

0%
Universal
Deploy centralised Consent Management Platform (CMP) with audit-grade logging.
Publish DPDPA-compliant privacy notice across all digital touchpoints.
Deploy purpose-specific consent flows — no bundled consent checkboxes anywhere.
Implement consent withdrawal mechanism — operational within 24 hours.
Consent APIs integrated with all downstream processors and marketing platforms.
Children's Consent
Age verification gates deployed on all user-facing registration flows.
Parental consent OTP flows active for all services accessible to under-18s.
Minor flags set in all databases — processing engines check before automated decisions.
Ad-tech SDKs removed from minor-accessible product surfaces.
Industry-Specific Consent
[Fintech] AA framework consent flows live; FIP/FIU consents decoupled.
[Healthcare] Condition-specific consent artefacts deployed across all patient touchpoints.
[Telecom] Per-service VAS consent decoupled from core subscriber consent.
[Manufacturing] Biometric enrolment consent forms issued; alternative non-biometric option available.
3

Rights & Grievance Infrastructure

Month 4–5  |  Self-service rights portal and DPO office

0%
Universal Rights Portal
Self-service rights portal live — access, correction, erasure, and nomination requests.
Access request workflow — data summary delivered within 72 hours of request.
Erasure workflow — automated deletion across all processors and backups within 30 days.
Correction workflow — propagates update to all downstream systems within 7 days.
Nomination right — data principal can nominate a person to exercise rights posthumously.
DPO & Grievance
DPO appointed (mandatory for SDFs) — role, contact and escalation published on website.
Grievance redressal mechanism — acknowledgement within 48 hours; resolution within 30 days.
DPBI escalation path documented — data principal informed of right to escalate unresolved grievances.
Grievance tracking system — SLA monitoring with dashboards; DPO reviews weekly.
Industry-Specific Rights
[Healthcare] Erasure conflict resolution process — statutory hold vs DPDPA right documented.
[Fintech] Credit data correction — process coordinated with CIBIL and bureaus.
[HRMS] Employee rights portal — separate from customer portal; HR and Legal co-manage.
4

Security Hardening

Month 5–7  |  Encryption, SIEM, DLP and breach pipeline

0%
Technical Controls
AES-256 at rest and TLS 1.3 in transit enforced across all personal data stores.
SIEM deployed with personal data exfiltration detection rules active.
DLP solution deployed across email, cloud storage and endpoint devices.
MFA enforced for all systems handling personal data — no exceptions.
PAM (Privileged Access Management) deployed for all admin-level accounts.
Breach Response Pipeline
72-hour DPBI breach notification playbook tested and approved by legal.
Automated breach detection → classification → escalation pipeline operational.
Tabletop breach simulation exercise completed — findings remediated.
Annual penetration test completed; critical findings remediated within 30 days.
Vendor & Cloud Security
All DPAs executed with processors — breach SLA, audit rights and deletion clauses included.
Cloud provider DPAs include India data residency and MeitY whitelist compliance clauses.
[Fintech] Dual breach reporting pipeline — DPBI + RBI/SEBI timelines reconciled into one runbook.
[Healthcare] PHI encrypted with separate key management — HSM-based key store.
5

Industry-Specific Controls

Month 7–9  |  Sector regulatory overlays and SDF obligations

0%
Regulatory Alignment
[Fintech] RBI localisation confirmed — payment data stored in India; SWIFT/card network SCCs executed.
[Healthcare] ABDM/ABHA integration consent flows live and certified by NHA.
[Telecom] TRAI subscriber data regulation compliance verified — dual compliance with DPDPA confirmed.
[Government] Sovereign function exemption boundaries formally documented and signed off by legal counsel.
[SaaS] ISO 27001 / SOC 2 Type II certification in scope — evidence pack ready for DPA negotiations.
SDF Obligations
Significant Data Fiduciary self-assessment completed — DPO, DPIA and algorithmic audit obligations mapped.
DPIA completed for all high-risk processing activities — published or submitted to DPBI as required.
Algorithmic transparency report for AI/ML models processing personal data at scale.
Children's data controls validated — independent audit of age verification and profiling prohibition.
Cross-Border Controls
SCCs executed with all non-whitelisted country processors — legal review complete.
Transfer Impact Assessments (TIAs) completed for each cross-border data flow.
Cross-border transfer register published — updated within 30 days of any change.
6

Audit, DPO Office & Governance

Month 9–12  |  Annual audit, training and board reporting

0%
Audit & Assurance
First annual DPDPA compliance audit completed — internal or third-party auditor.
Audit findings and remediation plan presented to Board — signed by DPO and CISO.
All DPIAs reviewed and updated — new high-risk processing identified since Phase 1 captured.
Third-party processor compliance audit — evidence of DPDPA compliance from top 10 processors.
Training & Culture
100% mandatory DPDPA training completion for all data-handling staff — certificates issued.
Privacy champion network active in all business units — quarterly privacy steering committee.
Board-level data governance committee quarterly meeting — privacy KPIs on board dashboard.
Incident simulation refreshed annually — updated playbooks; lessons from any real incidents incorporated.
Continuous Improvement
Privacy roadmap for Year 2 approved — addresses audit gaps and new regulatory developments.
DPR reviewed and updated — reflects any new data categories, processors or processing activities.
MeitY whitelist and DPDPA rule updates monitored — change management process in place.
Compliance readiness score published internally — visible to all staff on privacy intranet portal.

Compliance Analytics Dashboard

Updates live as you check off tasks

0%

Overall Readiness

0

Items Completed

0

Items Remaining

Control Tasks

Policies Tracked

72h

Breach Reporting SLA

Implementation Timeline

Recommended phasing for all industries

Phase 1 — Data Discovery & Mapping Month 1–2

Complete enterprise-wide data inventory, DPR creation and third-party processor mapping across all business units.

✓ CompletedAll Industries

Phase 2 — Consent Framework Month 2–4

Deploy enterprise consent management platform — granular, purpose-specific, revocable consent with immutable audit logs.

⬤ In ProgressAll Industries

Phase 3 — Rights & Grievance Infrastructure Month 4–5

Build self-service rights portal — access, correction, erasure and DPO-led grievance escalation workflows.

UpcomingPriority: High

Phase 4 — Security Hardening Month 5–7

SIEM, DLP, MFA rollout, encryption enforcement and 72-hour breach detection pipeline commissioning.

UpcomingCritical

Phase 5 — Industry-Specific Controls Month 7–9

Sector-specific overlays — RBI/TRAI/NMC compliance alignment, children's data controls, cross-border transfer SCCs.

UpcomingSector-Specific

Phase 6 — Audit, DPO & Governance Month 9–12

Annual DPDPA audit, DPIA for high-risk processing, DPO appointment, employee training and board reporting.

UpcomingCompliance Gate

Industry Risk Heatmap

DPDPA penalty and enforcement exposure by sector
2Low Risk
Manufacturing, SaaS
3Medium Risk
E-Commerce, HRMS, Govt
2High Risk
EdTech, Telecom
2Critical Risk
Fintech, Healthcare

AI Compliance Assistant

AI-powered DPDPA compliance recommendations, risk prioritisation, DPIA generation, audit preparation and automated governance insights — tailored to your industry and real-time task completion status.

DPDPA Industry Controls Dashboard

Complete lifecycle-mapped compliance controls for 10 sectors. Every control — from data discovery through governance — organised by DPDPA implementation stage. Includes consent & notice controls and required policy tracker per industry.

0%

Overall Readiness

Control Tasks

Policies Tracked

₹250Cr

Max DPBI Penalty
DPDPA Compliance Lifecycle — Global Progress
1. Discovery
& Mapping
0%
2. Notice
& Transparency
0%
3. Consent
& Lawful Basis
0%
4. Processing
& Purpose
0%
5. Security
& Safeguards
0%
6. Sharing
& Transfer
0%
7. Rights
& Grievance
0%
8. Breach
& Incident
0%
9. Retention
& Deletion
0%
10. Governance
& Audit
0%

0%

Overall Readiness

0

Tasks Done

0

Tasks Remaining

0

Policies Approved

72h

Breach Report SLA

Universal DPDPA Framework

These controls are mandatory for every organisation that collects, processes or stores personal data of Indian citizens — regardless of sector. Complete all stages before applying any industry-specific layer.

AllIndustries
₹250CrMax Penalty
Controls0
Policies0
Total Done0
Readiness0%

Stage 1 — Data Discovery & Classification

Discovery 0%

Data Discovery & Inventory

Enterprise-wide personal data identification and classification.

Mandatory
Personal DataSensitive DataChildren's Data3rd-party Flows
Progress
0%
0 / 6 done
Identify every system, application, database and process that collects, stores or transmits personal data of Indian citizens.
Map all data flows — collection sources, internal processing, external sharing with processors and third parties.
Classify all data: general personal data, sensitive personal data, children's data (under-18) and employee data.
Create and populate the Data Processing Register (DPR / ROPA) — every processing activity documented with legal basis, retention and processor details.
Tag all data assets with retention schedules and cross-border transfer flags in the DPR.
Assign a named business owner to each DPR entry — accountable for accuracy and quarterly review.

Data Flow & Processor Mapping

End-to-end mapping of all processors, sub-processors and cross-border flows.

Mandatory
Processor RegisterSub-ProcessorsCross-BorderDPAs
Progress
0%
0 / 5 done
List every third-party processor and sub-processor that handles personal data — cloud providers, SaaS tools, analytics, marketing platforms.
Identify all cross-border data flows — countries where data is stored or processed; flag non-whitelisted countries.
Execute Data Processing Agreements (DPAs) with every processor before any data is shared.
Document data minimisation at each transfer point — processors receive only the minimum fields required for their purpose.
Maintain a published sub-processor register; update within 7 days of any change.

Stage 2 — Notice Design & Publication

Notice 0%

Privacy Notice Requirements (Sec. 5)

Plain-language, accessible notice before or at the point of consent.

Critical
Notice DesignPlain LanguageMultilingualAccessibility
Progress
0%
0 / 6 done
Notice provided before or at the time of consent — never retrospectively; written in plain language without legalese.
Notice specifies: what data, for what purpose, how it is shared, retention period, how to exercise rights and DPO contact.
Available in English and in all 22 Scheduled languages on request within 3 working days.
Accessible to persons with disabilities — audio, screen-reader and large-print alternatives available.
Version-controlled — all historical notices retained for 3 years; version number and effective date displayed to user.
Material changes trigger updated notice and re-consent — changes cannot be buried in updated T&Cs alone.

Notice Channel Controls

Multi-channel notice delivery — web, app, offline, IVR, physical.

Mandatory
Digital ChannelsMobile AppOffline / PhysicalIVR / Call Centre
Progress
0%
0 / 5 done
Online channels: privacy notice displayed on the same screen as the data collection form — not only in the footer.
Mobile apps: in-app notice before first data collection; not buried in Settings menus; updated on every app version that changes data collection.
Offline / physical: written notice provided at point of collection; copy given to the individual; signed acknowledgement filed.
IVR and call centres: verbal notice read at the start of the call; transcript logged with timestamp and agent ID.
Notice delivery confirmation captured — timestamp, channel, language, notice version and user/agent identifier recorded in consent log.

Stage 3 — Consent Collection & Lawful Basis (Sec. 6–7)

Consent 0%

Consent Collection Standards

Free, specific, informed and unambiguous consent architecture.

Critical
No Pre-ticked BoxesGranular ConsentConsent RecordsCMP
Progress
0%
0 / 6 done
No pre-ticked boxes — all consent is obtained through a deliberate, affirmative action by the data principal.
Purpose-specific consent — each processing purpose has its own separate consent artefact; bundling multiple purposes is prohibited.
Consent is not a condition for service, except where the data is strictly necessary to deliver the service.
Sensitive data (health, biometric, financial) — separate, granular consent artefact; cannot be bundled with general consent.
All consent events timestamped with IP, device identifier, channel, notice version and user agent — stored in immutable audit log.
Consent refresh mechanism — re-obtain when purpose, data type or recipient changes materially.

Consent Withdrawal & Revocation

Withdrawal as easy as consent; 24-hour SLA; downstream propagation.

Critical
Withdrawal Mechanism24h SLADownstream PropagationNo Prejudice
Progress
0%
0 / 5 done
Consent withdrawal mechanism as easy as consent — single click or equivalent effort; no multi-step journeys or call-centre dependency.
Withdrawal effective within 24 hours — automated trigger; no manual approval required.
Withdrawal propagated to all downstream processors and sub-processors within 48 hours via API or webhook.
No service degradation, penalty or additional charges applied post-withdrawal of non-essential consent.
Consent records retained 3 years minimum after withdrawal — the withdrawal itself is an immutable audit artefact.

Children's & Parental Consent (Sec. 9)

Verifiable parental consent and absolute profiling prohibition.

Critical
Age VerificationParental OTPNo ProfilingMinor Flag
Progress
0%
0 / 5 done
No processing of personal data of users below 18 without verifiable parental or guardian consent — self-declaration of age is insufficient.
Age verification deployed at every registration and data collection point; parental OTP sent to guardian, not the minor.
Absolute prohibition on behavioural profiling, targeted advertising or monitoring of under-18s — even with parental consent.
Minor flag set in all systems at identification — processing engines check the flag before any automated decision or data sharing.
Parental consent renewal workflow triggers automatically when a user turns 18; all ad-tech SDKs disabled in minor-accessible surfaces.

Lawful Processing Basis (Sec. 7)

Document deemed-consent grounds; no undocumented processing.

Critical
State FunctionLegal ObligationEmergencyContract
Progress
0%
0 / 5 done
Every DPR entry has a documented legal basis — either consent or a specific Section 7 deemed-consent ground; no processing without a basis.
State function basis: mapped to specific statutory power; legal opinion on file; reviewed annually.
Contractual necessity: only data strictly necessary for the contract collected; no surplus fields permitted.
Medical emergency: processing stops immediately when the emergency resolves; documented case-by-case by responsible officer.
Quarterly DPR review by DPO — identify and remediate any legal basis drift within 30 days; no commercial use of deemed-consent data.

Stage 4 — Processing & Purpose Limitation

Purpose 0%

Data Minimisation & Purpose Limitation

Collect only what is necessary; process only for stated purpose.

Mandatory
Purpose RegisterSurplus Field RemovalSecondary UseAnonymisation
Progress
0%
0 / 5 done
Every data field collected must have a documented justification in the DPR; surplus fields removed from all forms and APIs.
Secondary use of personal data beyond the original purpose requires fresh consent or a new documented lawful basis.
Quarterly DPO data-creep review — identify and remediate any processing that has drifted beyond its stated purpose.
Anonymise or pseudonymise data as soon as the primary purpose is fulfilled; verify anonymisation is irreversible.
Privacy by Design: default settings are most privacy-protective; new features with personal data require DPO sign-off before release.

Stage 5 — Security Safeguards

Security 0%

Technical Security Controls

Encryption, access control, SIEM, DLP and penetration testing.

Critical
AES-256TLS 1.3MFASIEMDLPPAM
Progress
0%
0 / 6 done
AES-256 encryption at rest and TLS 1.3 in transit enforced across all systems handling personal data.
RBAC, MFA and PAM deployed across all systems handling personal data — no exceptions for admin accounts.
SIEM deployed with real-time monitoring rules for personal data access anomalies and exfiltration patterns.
DLP solution deployed across email, cloud storage and endpoint devices; personal data egress rules active.
Annual penetration test across all personal data systems; critical findings remediated within 30 days.
No real personal data in development, staging or test environments — synthetic data mandatory; validated on every release.

Stage 6 — Data Sharing & Cross-Border Transfer

Sharing 0%

Processor & Vendor Controls

DPAs, sub-processor oversight and vendor security assessments.

Mandatory
DPAsAudit RightsBreach SLADeletion Clause
Progress
0%
0 / 5 done
Signed DPA with every processor before any data is shared — no exceptions; DPA includes breach notification SLA of max 6 hours.
Processor security assessment (VAPT evidence or SOC 2 Type II) before onboarding and annually thereafter.
Sub-processors must notify 30 days in advance of any change; organisation may object within that period.
Data return and deletion clause in every DPA — all data returned or deleted within 30 days of contract end.
Audit rights clause — right to appoint an independent auditor; exercise annually or after a security incident.

Cross-Border Transfer Controls (Sec. 16)

SCCs, whitelist monitoring and Transfer Impact Assessments.

Critical
MeitY WhitelistSCCsTIACloud Regions
Progress
0%
0 / 5 done
All cross-border transfers permitted only to MeitY-whitelisted countries or under approved safeguards (SCCs, binding corporate rules).
Standard Contractual Clauses executed with every processor in a non-whitelisted country before any transfer commences.
Transfer Impact Assessment (TIA) completed for each country where data is processed by a sub-processor.
MeitY whitelist monitored monthly; transfers to removed countries paused within 48 hours of removal.
Cross-border transfer register maintained; updated within 7 days of any new arrangement; disclosed in privacy notice.

Stage 7 — Data Principal Rights & Grievance (Sec. 11–14)

Rights 0%

Rights Fulfilment & DPO Office

Access, correction, erasure, portability, nomination and grievance SLAs.

Critical
Access 72hErasure 30dPortabilityGrievanceDPO
Progress
0%
0 / 6 done
Self-service rights portal live — data principals can file access, correction, erasure, portability and nomination requests online.
Access request: full data summary in machine-readable format delivered within 72 hours of verified identity.
Erasure request: automated deletion across all environments within 30 days; written confirmation sent to data principal.
Portability: structured, machine-readable data package (JSON/CSV) within 72 hours; includes principal-provided and derived data.
DPO appointed (mandatory for SDFs); published on website with contact; grievance redressal: acknowledgement 48h, resolution 30d.
DPBI escalation path communicated in every grievance acknowledgement; data principal's right to escalate is clearly stated.

Stage 8 — Breach Detection & Notification

Breach 0%

Breach Response Pipeline

72-hour DPBI notification; P1/P2/P3 severity matrix; post-incident report.

Critical
DPBI 72hP1/P2/P3Notification TemplatePost-Incident
Progress
0%
0 / 6 done
Automated breach detection: SIEM alert classifies breach within 1 hour — P1 (confirmed), P2 (probable), P3 (potential).
P1 escalation: Detection → CISO (1 hr) → DPO (2 hrs) → Legal review → DPBI portal submission within 72 hours.
Pre-approved DPBI notification templates ready with legal sign-off before any incident occurs; DPO and Legal co-sign before submission.
Affected data principals notified without undue delay — plain language; includes what happened, data affected, remediation steps, DPO contact.
Post-incident report to DPBI within 30 days — root cause, corrective actions and systemic remediation documented.
Annual tabletop breach simulation completed; playbook updated within 30 days of drill; all breach records retained 3 years.

Stage 9 — Retention, Deletion & Archival

Retention 0%

Retention & Deletion Controls

Scheduled deletion, statutory holds and deletion certificates.

Mandatory
Retention ScheduleAuto-DeleteErasure SLADeletion Cert
Progress
0%
0 / 5 done
Retention schedule defined for every data category in the DPR; default to shortest legally defensible period.
Automated deletion triggers on schedule expiry — production, backups, DR sites and cold storage all covered.
Erasure requests fulfilled within 30 days across all environments; written confirmation sent to data principal.
Statutory holds documented — where law requires longer retention, reason communicated in writing to the data principal.
Deletion certificates issued for high-risk categories (biometric, financial, health) on request; cryptographic proof provided.

Stage 10 — Governance, Audit & Accountability

Governance 0%

Governance & Accountability

DPIA, annual audit, training and board-level oversight.

Governance
DPIAAnnual AuditBoard ReportTraining
Progress
0%
0 / 6 done
DPIA completed for every high-risk processing activity before commencement; DPIA register maintained and reviewed annually.
Annual DPDPA compliance audit — internal (all organisations) or external (SDFs); findings classified and remediated.
Board-level data governance committee; privacy KPIs on Board dashboard; quarterly privacy steering committee meeting.
Mandatory DPDPA training for all data-handling staff within 30 days of joining and annually; 100% completion tracked.
SDF obligations — if designated: DPO appointed, DPBI registered, algorithmic transparency audit conducted annually.
Privacy champion programme — designated champion in each product and engineering team; accountable to DPO.

Required Policies — Universal (20)

0 / 20 Approved

Fintech & BFSI Controls

DPDPA compliance mapped to RBI, SEBI, IRDAI, and PCI-DSS requirements. Covers KYC data, credit decisioning, payment tokenisation, and cross-border SWIFT flows.

10Stages
RBIDual-mapped
PCI-DSSAligned
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery & Mapping

Discovery0%

KYC & Financial Data Inventory

Map all personal & sensitive financial data collected for KYC, credit and transactions.

Critical
PANAadhaarBank A/CCredit ScoreITR
Progress
0%
0/6 done
Catalogue all KYC data fields: PAN, Aadhaar (masked), address, income proof
Map credit bureau data flows (CIBIL, Experian, Equifax) and data retention
Identify all third-party data processors: payment gateways, fraud analytics, insurance
Document transaction data categories (UPI, NEFT, card) and cross-border flows
Tag all databases with data classification labels (public/internal/confidential/restricted)
Validate RBI data localisation requirements for payment data storage within India

AML / PMLA Data Mapping

Map personal data used for anti-money laundering and transaction monitoring.

High
Progress
0%
0/5 done
Identify personal data processed for STR/CTR reporting under PMLA
Map FIU-IND data submission flows and assess DPDPA applicability vs. legal obligation
Document watchlist screening data sources (sanctions, PEP lists) and refresh cycles
Assess behavioural analytics and ML model input data for DPDPA purpose limitation
Document data retention beyond 5-year PMLA mandate vs. DPDPA deletion rights

Stage 2 — Privacy Notice

Notice0%

KYC & Onboarding Notice

Clear, layered privacy notice at account opening covering all KYC purposes.

Critical
Progress
0%
0/5 done
Draft pre-KYC notice specifying data collected, purposes, and sharing with credit bureaus
Provide notice in all 22 scheduled languages for retail customers (RBI requirement)
Include specific disclosure for Aadhaar-based eKYC consent under UIDAI framework
Notice must state automated credit decisioning and right to explanation
Publish notice update mechanism and version history for regulatory audit trail

Stage 3 — Consent & Notice Controls

Consent0%

Account Aggregator Consent

AA framework (NBFC-AA) consent artefact standards for financial data sharing.

Critical
Progress
0%
0/6 done
Implement AA consent artefact with purpose, frequency, duration, and data-range fields
Enable granular consent per FIP (Financial Information Provider) data category
Implement real-time consent dashboard for customers to view and revoke AA consents
Log all consent grant/revoke events with cryptographic timestamps for audit
Handle consent expiry and auto-revoke for data flows beyond consent period
Map DPDPA consent requirements to RBI Master Directions on AA framework

Payment & Marketing Consent

Separate consent for payment processing vs. cross-sell/upsell marketing.

High
Progress
0%
0/5 done
Separate contract-basis payment processing consent from marketing opt-in consent
Implement double opt-in for promotional SMS/email using transaction data for targeting
Provide one-click unsubscribe that does not affect core banking service access
Block cross-sell pipelines on consent withdrawal within 24 hours
Audit existing pre-checked consent boxes in net banking and mobile app flows

Stage 4 — Purpose Limitation

Purpose0%

AI / ML Credit Decisioning

Govern personal data use in automated credit scoring and loan underwriting.

Critical
Progress
0%
0/5 done
Document all input features used in credit ML models and map to disclosed purposes
Implement right to explanation for automated credit rejection under DPDPA + RBI FPC
Prohibit model feature use beyond disclosed lending purpose (e.g., no social scoring)
Conduct model bias audit for discriminatory patterns in protected characteristic proxies
Log model version, training data vintage, and decision rationale for each credit decision

Stage 5 — Security Controls

Security0%

PCI-DSS & Tokenisation

Card data security, tokenisation, and network-level encryption controls.

Critical
Progress
0%
0/6 done
Implement RBI card-on-file tokenisation for all stored card data (CoFT mandate)
Achieve PCI-DSS v4.0 QSA audit certification and map to DPDPA technical safeguards
Enforce TLS 1.3 for all payment API endpoints and disable legacy cipher suites
Implement HSM-based key management for encryption of financial personal data at rest
Conduct quarterly penetration testing of payment APIs and mobile banking apps
Deploy real-time transaction fraud detection with human review escalation path

RBI Data Localisation

Ensure payment system data is stored only in India as per RBI circular.

Critical
Progress
0%
0/4 done
Confirm all payment system data resides in India-based data centres (RBI 2018 circular)
For cross-border payments: ensure end-to-end transaction data copy maintained in India
Conduct annual data residency audit with RBI-compliant evidence documentation
Map DPDPA restricted transfer rules alongside RBI localisation for dual compliance

Stage 6 — Data Sharing & Transfers

Sharing0%

SWIFT & Cross-Border Transfers

Govern personal data in cross-border wire transfers under DPDPA and FEMA.

High
Progress
0%
0/5 done
Map all personal data included in SWIFT MT/MX messages (name, address, account)
Assess adequacy of recipient country for DPDPA cross-border transfer (Schedule IX)
Implement standard contractual clauses or binding corporate rules with correspondent banks
Notify data principals of international transfers in privacy notice (country and purpose)
Maintain transfer impact assessment log updated quarterly for high-risk corridors

Stage 7 — Data Principal Rights

Rights0%

Customer Rights Portal (BFSI)

Statutory rights fulfilment within DPDPA timelines for banking customers.

Critical
Progress
0%
0/5 done
Implement data access request portal in net banking — machine-readable download within 30 days
Handle correction requests for KYC data with RBI KYC Direction re-verification workflow
Erasure requests: define financial record retention minimums (IT Act 7-yr) vs. DPDPA rights
Integrate Grievance Redressal Officer (GRO) with DPB escalation path for complaints
Publish SLA dashboard for rights request resolution (acknowledgement 48 h, close 30 d)

Stage 8 — Breach Response

Breach0%

Dual Breach Reporting (DPDPA + RBI)

Coordinate breach notification to DPB and RBI CIRT within parallel timelines.

Critical
Progress
0%
0/5 done
Establish 6-hour RBI CIRT notification SLA aligned with DPDPA DPB reporting window
Create joint notification template covering both DPDPA Art. 8 and RBI IS Framework
Designate Incident Commander with authority to trigger customer breach notification
Conduct bi-annual breach simulation tabletop exercise with compliance and IT teams
Maintain breach register with severity, affected principals count, and regulator response log

Stage 9 — Retention & Deletion

Retention0%

Financial Records Retention Matrix

Balance PMLA 5-yr, IT Act 7-yr, RBI 10-yr mandates against DPDPA deletion rights.

High
Progress
0%
0/5 done
Build retention schedule table mapping data type → minimum hold period → deletion trigger
Anonymise KYC data after legal hold period expires (vs. full deletion for regulatory data)
Automate archive-to-delete pipeline for inactive account data beyond DPDPA necessity
Validate backup deletion including offsite DR copies within retention schedule
Document legal basis for retention beyond consent withdrawal (RBI / PMLA legal obligation)

Stage 10 — Governance & Accountability

Governance0%

Regulatory Reporting & DPO

Structured compliance reporting to RBI, SEBI, IRDAI and DPB accountability.

High
Progress
0%
0/5 done
Appoint DPO with financial services domain expertise and CISO-level board access
Submit annual DPDPA compliance report alongside RBI IS Audit and SEBI Cyber Audit
Implement DPIA process for new fintech product launches (buy-now-pay-later, CBDC wallet)
Train all customer-facing staff on DPDPA rights requests and escalation procedures
Conduct vendor due diligence on all fintech APIs and data processors quarterly

Required Policies — Fintech & BFSI (20)

0 / 20 Approved

Healthcare Controls

DPDPA compliance for hospitals, clinics, telemedicine, diagnostics, and pharma. Sensitive personal data obligations for health records, genetic data, and mental health information under Section 2(t).

SPDHealth Data
NMCDual-mapped
DISHAAligned
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery

Discovery0%

Patient Data & EHR Inventory

Catalogue all sensitive personal data in EMR/EHR systems and lab integrations.

Critical
DiagnosisPrescriptionLab ReportsGenetic DataMental Health
Progress
0%
0/6 done
Classify all health data as Sensitive Personal Data (SPD) under DPDPA Section 2(t)
Map data flows from OPD/IPD → EMR → lab systems → pharmacy → insurance TPA
Identify genetic data and mental health records requiring additional safeguards
Audit telemedicine platform data flows and third-party video/chat integrations
Document research/CRO data access and de-identification or pseudonymisation methods
Inventory wearable device and remote monitoring data ingestion pipelines

Stage 2 — Privacy Notice

Notice0%

Patient Registration Notice

Plain-language health data notice at point of care registration.

Critical
Progress
0%
0/5 done
Provide patient privacy notice at registration in regional language covering all purposes
Separately disclose data sharing with insurance TPA, government health schemes (PMJAY)
Notify patients of any medical research use and right to opt out of research datasets
Telemedicine: display privacy notice before first video/chat consultation initiates
Update notice whenever new data-sharing partner (lab, pharmacy chain) is onboarded

Stage 3 — Consent Controls

Consent0%

Explicit Patient Consent

Explicit consent for health SPD before collection, processing, and sharing.

Critical
Progress
0%
0/6 done
Obtain explicit, purpose-specific consent for sensitive health data before collection
Implement granular consent: treatment vs. research vs. insurance vs. marketing
Enable consent withdrawal without affecting ongoing care or medical access
Handle incapacitated patients: surrogate/guardian consent with documentation
Minor patient consent: require parental/guardian consent, age-verify before data collection
Maintain audit trail of consent per visit/consultation linked to medical record number

Stage 4 — Purpose Limitation

Purpose0%

Genetic & Mental Health Data Controls

Heightened purpose restriction for highest-sensitivity health data categories.

Critical
Progress
0%
0/5 done
Restrict genetic data processing to clinical diagnosis only — no pharma R&D without explicit consent
Block mental health diagnosis from employer sharing or insurance underwriting uses
Implement access control: mental health records accessible only to treating psychiatrist + patient
Conduct DPIA before any secondary use of de-identified health datasets for research/AI
Review AI diagnostic tool training datasets for re-identification risks

Stage 5 — Security Controls

Security0%

EHR & Clinical Systems Security

Technical safeguards for electronic health records and clinical network.

Critical
Progress
0%
0/6 done
Encrypt EHR at rest (AES-256) and in transit (TLS 1.3) including HL7/FHIR API calls
Implement role-based access for clinical staff — doctor sees full record, admin sees billing only
Enable comprehensive audit logging for all EHR access with user, timestamp, IP
Segment clinical network from administrative/guest networks (VLAN + firewall)
Medical device cybersecurity: patch management for connected imaging and monitoring equipment
Regular vulnerability assessment of patient-facing apps and telemedicine platforms

Stage 6 — Data Sharing

Sharing0%

TPA & Insurer Sharing Controls

Govern health data shared with third-party administrators and insurance companies.

High
Progress
0%
0/5 done
Execute Data Processing Agreements with all TPA and insurance partners before sharing
Limit TPA data access to minimum necessary for claim adjudication purpose only
Prohibit insurer use of shared health data for underwriting beyond disclosed purpose
Implement API-level data minimisation — return only fields required for the claim type
Audit lab and pathology partner data flows quarterly for scope creep

Stage 7 — Patient Rights

Rights0%

Health Records Access & Portability

Patient rights to access, correct, and port health records under DPDPA + DISHA.

Critical
Progress
0%
0/5 done
Provide patient portal for on-demand access to health records in standard format (FHIR R4)
Process correction requests for diagnostic errors within 15 days with clinician sign-off
Define erasure policy: retain for NMC-mandated periods, delete non-essential profile data
Implement ABDM Health ID integration for inter-hospital record portability
Appoint Grievance Officer with healthcare background for clinical data dispute resolution

Stage 8 — Breach Response

Breach0%

Health Data Breach Response

Rapid response for health SPD breaches with clinical and regulatory notifications.

Critical
Progress
0%
0/4 done
Classify health data breaches as high-severity requiring immediate DPB notification
Patient notification within 72 hours for breaches affecting clinical safety or privacy
Coordinate with MoH and NMC for breach reporting involving public health records
Forensic evidence preservation without disrupting patient care continuity

Stage 9 — Retention

Retention0%

Clinical Record Retention Schedule

Balance NMC/MCI mandates with DPDPA necessity and deletion obligations.

High
Progress
0%
0/4 done
Retain inpatient records 3 years (NMC), outpatient 1 year minimum; extend for minors to age 21
Delete non-essential profile data (appointment preferences, cookies) on purpose expiry
Implement automated archival-to-deletion pipeline for de-registered patients
Secure media destruction certificate for physical records disposal

Stage 10 — Governance

Governance0%

Healthcare DPO & Compliance

Governance structure for health data fiduciary obligations and DPIA process.

High
Progress
0%
0/4 done
Appoint DPO with clinical data governance experience, report to hospital board
Conduct DPIA for all new digital health products (AI diagnosis, wearable integration)
Train all clinical and administrative staff on patient data rights and breach reporting
Annual internal DPDPA compliance audit aligned with NABH accreditation cycle

Required Policies — Healthcare (20)

0 / 20 Approved

E-Commerce Controls

DPDPA compliance for marketplaces, D2C brands, payment aggregators, and quick-commerce. Focus on behavioural profiling, dark patterns, children's data, and payment data minimisation.

DarkPatterns
ChildrenZero Tolerance
PCI-DSSAligned
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery

Discovery0%

Behavioural & Profile Data Inventory

Map all customer behavioural data: browsing, purchase history, wish lists, recommendations.

Critical
Browse HistoryCart DataLocationDevice IDPayment Method
Progress
0%
0/6 done
Audit all tracking pixels, cookies, and SDKs deployed on web and mobile for data collected
Map customer data flows across seller dashboards, delivery partners, and payment gateways
Identify children's data risk — age-gate enforcement for under-18 accounts
Document location data collection (delivery, store pick-up) and retention periods
Inventory recommendation engine inputs and profile enrichment from third-party data brokers
Map social login data (Google/Facebook OAuth) and third-party scope claims

Stage 2 — Privacy Notice

Notice0%

Checkout & Account Notice

Layered notice at checkout covering payment, profiling, and delivery data uses.

Critical
Progress
0%
0/5 done
Display layered privacy notice at account creation and first checkout with purpose breakdown
Disclose all third-party sellers and delivery partners who receive customer address data
Cookie consent banner — categorised (essential/analytics/marketing) with granular toggle
Notify customers of price personalisation and behavioural targeting in clear terms
Send email notice on material privacy policy changes with 30-day advance notice

Stage 3 — Consent & Dark Patterns

Consent0%

Anti-Dark-Pattern Consent Audit

Eliminate consent dark patterns and ensure free, unambiguous marketing opt-in.

Critical
Progress
0%
0/6 done
Audit all pre-checked boxes, confirmshaming, and hidden opt-outs in checkout flows
Marketing consent must be unchecked by default and not bundled with purchase consent
Implement children's data zero-tolerance: verified parental consent before any data collection for under-18
Subscription cancellation path must be equally easy to find as subscription sign-up
Personalisation opt-out must not degrade core shopping experience or hide products
Log consent version, timestamp, and IP for every marketing consent record

Stage 4 — Purpose Limitation

Purpose0%

Marketplace & Seller Data Controls

Limit customer data flowing to third-party sellers to fulfilment purposes only.

High
Progress
0%
0/5 done
Limit seller access to customer data strictly to order fulfilment (name, address, order)
Prohibit sellers from using customer contact data for independent marketing
Review recommendation engine: block use of sensitive inferred categories (health, religion)
Conduct algorithmic audit for price discrimination and discriminatory targeting
Implement purpose-binding controls in seller API — expose only fields matching disclosed purpose

Stage 5 — Security Controls

Security0%

Payment Data Security

PCI-DSS compliance and payment tokenisation for e-commerce checkout.

Critical
Progress
0%
0/5 done
Replace stored card data with RBI-mandated card-on-file tokens (Mastercard/Visa/Rupay)
Achieve SAQ-A or SAQ-D PCI-DSS certification based on payment scope
Implement bot detection and rate limiting on payment API endpoints
Encrypt all customer PII in transit and at rest with key rotation policy
Deploy WAF with OWASP Top 10 rule set on customer-facing APIs

Stage 6 — Sharing

Sharing0%

Logistics & Delivery Partner Sharing

Control customer data shared with last-mile delivery and returns partners.

High
Progress
0%
0/4 done
Execute DPA with every logistics partner before sharing customer delivery data
Mask customer phone numbers in delivery manifests using virtual number proxies
Delete customer data from logistics systems within 30 days of delivery completion
Cross-border shipping: assess adequacy for customer data transferred to international couriers

Stage 7 — Customer Rights

Rights0%

Account Rights & Data Portability

In-app rights portal for access, correction, deletion, and data export.

Critical
Progress
0%
0/4 done
In-app "Download My Data" feature covering orders, wishlist, browsing history, reviews
Account deletion flow that erases profile data and removes recommendation history
Correction portal for shipping address, name, and contact details with 3-day SLA
Retain order records for GST purposes (7 years) but mask personal data after account deletion

Stage 8 — Breach Response

Breach0%

Customer Data Breach Protocol

Rapid notification for payment or account credential breaches.

Critical
Progress
0%
0/4 done
DPB notification within 72 hours; customer notification within 96 hours of confirmed breach
Force password reset and invalidate sessions on account credential breach
Coordinate with payment gateway for card compromise notification to issuer banks
Dedicated breach hotline and FAQ page for affected customers within 24 hours

Stage 9 — Retention

Retention0%

E-Commerce Data Retention

Balance GST/tax records with DPDPA necessity and customer deletion requests.

High
Progress
0%
0/4 done
Retain invoices and order records 7 years (GST) — pseudonymise customer PII after 2 years
Delete browsing history, wish lists, and profile data within 90 days of account deletion
Purge recommendation model training data derived from inactive users annually
Log-level data: anonymise access logs containing customer IPs after 90 days

Stage 10 — Governance

Governance0%

Platform Governance & DPO

DPDPA governance for marketplace operators and their seller ecosystem.

High
Progress
0%
0/4 done
Appoint DPO responsible for both platform and seller-ecosystem data compliance
Conduct DPIA for new personalisation features, loyalty programmes, and AI recommendations
Seller onboarding: require DPA acceptance and baseline DPDPA compliance attestation
Quarterly privacy audit of dark pattern controls across web, app, and push notification flows

Required Policies — E-Commerce (20)

0 / 20 Approved

EdTech Controls

DPDPA compliance for online learning platforms, competitive exam prep, LMS providers, and schools. Strong focus on children's data, parental consent, anti-profiling, and proctoring data governance.

ChildrenPrimary Risk
AntiProfiling
ParentalConsent
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery

Discovery0%

Student & Learner Data Inventory

Catalogue all student personal data across LMS, assessments, and payment systems.

Critical
Student PIILearning AnalyticsAssessment DataDevice & Behaviour
Progress
0%
0/5 done
Classify all student data by age group — under-18 triggers additional DPDPA safeguards
Map learning analytics: time-on-task, quiz attempts, video watch time, engagement scores
Audit third-party integrations: video conferencing, LTI tools, proctoring software
Identify all student financial data collected (scholarship, loan, EMI payments)
Map teacher/tutor personal data collected on platform (credentials, bank details for payout)

Stage 2 — Privacy Notice

Notice0%

Student & Parent Notice

Age-appropriate notice to students and parallel notice to parents for under-18 learners.

Critical
Progress
0%
0/5 done
Send parallel notices to both student and parent/guardian for learners under 18
Notice must explain proctoring data use: video, audio, screen recording, keystroke analysis
Disclose learning analytics use for adaptive learning, grading, and course recommendations
Notify schools/institutions that data is collected from students enrolled via B2B contracts
Provide notice before any assessment recording or biometric proctoring session begins

Stage 3 — Parental & Student Consent

Consent0%

Verified Parental Consent System

Robust parental consent mechanism for children under 18 before data collection.

Critical
Progress
0%
0/6 done
Implement age verification at registration — block under-18 from adult-only content sections
Verified parental consent flow: parent email/phone verification before student account activation
Parent dashboard to view, modify, and withdraw consent for specific data uses
Proctoring consent: separate explicit consent per exam session, not blanket annual consent
Block targeted advertising entirely for learners under 18 — no marketing profiling
Teacher consent: separate consent for platform usage data used in performance analytics

Stage 4 — Purpose Limitation

Purpose0%

Anti-Profiling Controls

Prohibit behavioural profiling of students for commercial targeting and external sale.

Critical
Progress
0%
0/5 done
Ban sale or licence of student learning data to third-party data brokers or advertisers
Learning analytics must be used only for improving student outcomes — not commercial profiling
Proctoring data restricted to exam integrity only — delete within 90 days post-result declaration
Adaptive learning algorithm: document inputs, do not use sensitive categories as model features
Employer or university data sharing: only with student's explicit written consent per institution

Stage 5 — Security

Security0%

Proctoring & LMS Security

Secure handling of biometric and behavioural proctoring data during assessments.

Critical
Progress
0%
0/5 done
Encrypt proctoring video recordings end-to-end; restrict access to exam authority reviewers only
Isolate proctoring data in separate storage from LMS course data with distinct access controls
Conduct penetration testing on student-facing web/app before each major exam season
Implement MFA for teacher and admin accounts accessing student performance data
Data loss prevention (DLP) controls on LMS APIs to prevent bulk student data export

Stage 6 — Sharing

Sharing0%

Institution & Partner Sharing

Govern student data shared with schools, universities, and employer partners.

High
Progress
0%
0/4 done
B2B institution contracts must include DPA clauses binding school/university as data processor
Student consent required before sharing performance data with employers for placement
Government educational scheme data (PM e-Vidya) — map DPDPA exemptions for state schemes
International students: assess cross-border transfer adequacy for offshore learning platforms

Stage 7 — Student Rights

Rights0%

Student Data Rights Portal

Rights fulfilment for students and parents covering access, correction, and deletion.

Critical
Progress
0%
0/4 done
Student portal: downloadable transcript, certificate, learning history, and profile data
Parent rights: access child's data, withdraw consent, request deletion of non-essential profile
Account deletion: purge profile and learning data; retain certificates and completion records
Nomination: allow student to designate parent as rights representative during minority

Stage 8 — Breach Response

Breach0%

Student Data Breach Response

Heightened response for breaches involving minors' data.

Critical
Progress
0%
0/4 done
Classify children's data breach as critical-priority; notify DPB and school/parent simultaneously
Notify NCPCR for breaches involving minor student data (children's commission mandate)
Proctoring recording breach: immediate access revocation and law enforcement engagement
Annual breach simulation including student data scenarios and parent notification workflow

Stage 9 — Retention

Retention0%

Student Data Retention

Academic record retention vs. DPDPA deletion rights for inactive students.

High
Progress
0%
0/4 done
Retain completion certificates and grades permanently (legal record); delete behavioural data after 2 years
Proctoring recordings: delete within 90 days of result; extend only if under dispute
Inactive account data: delete profile and learning history after 2 years of inactivity
Minor data: extend retention only until 18 then apply DPDPA deletion rights automatically

Stage 10 — Governance

Governance0%

EdTech DPO & Child Safety

Governance structure with child safety officer and DPDPA compliance programme.

High
Progress
0%
0/4 done
Appoint DPO with child data protection specialisation and direct line to CEO
DPIA mandatory for all new features touching student data or introducing AI/ML personalisation
Annual privacy training for all instructors and support staff on student data rights
Publish annual transparency report covering data requests, breach incidents, and rights fulfilment

Required Policies — EdTech (20)

0 / 20 Approved

Telecom Controls

DPDPA compliance for TSPs, ISPs, and VAS providers. Covers CDR/subscriber data, SIM KYC, 5G/Edge data flows, lawful interception boundaries, and dual DPDPA + TRAI breach reporting.

TRAIDual-mapped
CDRSensitive
DoTAligned
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery

Discovery0%

CDR & Subscriber Data Inventory

Catalogue all call detail records, location data, and subscriber profile data.

Critical
CDRLocationIMEISIM KYCBilling
Progress
0%
0/6 done
Map all CDR data (caller ID, recipient, duration, timestamp, cell tower) and storage locations
Identify location data streams: cell-tower, GPS, network-based — classify as sensitive personal data
Audit SIM KYC data flows: document sharing with Aadhaar/UIDAI for SIM activation
Map VAS partner data sharing: ring-tone providers, mobile banking, content platforms
Document 5G network slice data and edge compute data residency
Identify lawful interception data boundaries separating DPDPA scope from national security

Stage 2 — Notice

Notice0%

Subscriber Privacy Notice

TRAI-compliant privacy notice for mobile and broadband subscribers.

Critical
Progress
0%
0/4 done
Provide subscriber notice covering CDR use, location data, and VAS data sharing at SIM activation
Disclose network analytics and DPI (deep packet inspection) use for traffic management
Notice update via SMS/app for each new data sharing arrangement with VAS partners
Provide notice in regional language for rural prepaid subscriber segments

Stage 3 — Consent Controls

Consent0%

Subscriber Consent & DCP Portal

Subscriber-facing consent management for location, marketing, and VAS data uses.

Critical
Progress
0%
0/5 done
Implement subscriber consent portal (app/IVR/web) for location sharing, marketing, and VAS
Location data: opt-in per use case (emergency services, navigation, advertising) — not blanket
DND/marketing consent integrated with TRAI TCCCPR registry for commercial communications
VAS activation consent: explicit per-service consent before any VAS charges or data sharing
Consent withdrawal via SMS shortcode (e.g., STOP) effective within 24 hours

Stage 4 — Purpose Limitation

Purpose0%

Location & CDR Purpose Controls

Restrict CDR and location data use to network operations and disclosed purposes.

Critical
Progress
0%
0/4 done
Block CDR data use for advertising profiling without explicit subscriber consent
Location data: permitted for emergency, network optimisation — commercial use needs separate consent
Prohibit sale of anonymised location data sets without rigorous re-identification risk assessment
DPI data: restrict to traffic management and QoS — no content-based advertising profiling

Stage 5 — Security

Security0%

Network & Subscriber Data Security

Telecom-grade security for CDR, subscriber systems, and 5G network elements.

Critical
Progress
0%
0/5 done
Encrypt subscriber records and CDR in BSS/OSS systems at rest and in transit
Implement SS7/Diameter protocol security controls to prevent location tracking attacks
5G network: implement SUPI/SUCI privacy for subscriber concealment per 3GPP standards
VAPT of customer-facing portals and subscriber management APIs annually
SIM swap fraud controls: multi-channel verification before SIM replacement

Stage 6 — Sharing

Sharing0%

VAS & Roaming Partner Sharing

Control personal data shared with VAS providers and international roaming partners.

High
Progress
0%
0/4 done
Execute DPAs with all VAS partners before sharing subscriber data for service activation
International roaming: map personal data shared with foreign operators under bilateral agreements
IR.21 and Transferred Account Procedure data — assess DPDPA cross-border transfer compliance
Lawful interception data: establish clear separation from commercial sharing — no co-mingling

Stage 7 — Subscriber Rights

Rights0%

Subscriber Rights Portal

Access, correction, and erasure rights for telecom subscribers.

Critical
Progress
0%
0/4 done
App/web portal for CDR access request (itemised billing data) within 30 days
Correction mechanism for subscriber profile errors (address, contact, KYC details)
Erasure: retain CDR for DoT-mandated period; delete non-essential profile after porting/deactivation
Grievance Officer accessible via call centre, email, and app with 30-day resolution SLA

Stage 8 — Breach Response

Breach0%

Dual DPDPA + TRAI Breach Reporting

Coordinate CDR and subscriber data breach notifications to DPB and TRAI/DoT.

Critical
Progress
0%
0/4 done
Establish 6-hour notification to DoT/TRAI and concurrent DPB notification for subscriber breaches
Subscriber notification via SMS for SIM swap, CDR, or billing data breach within 72 hours
Differentiate lawful interception breach (national security track) from commercial data breach
Bi-annual cyber drill including CDR exfiltration scenario and regulator notification rehearsal

Stage 9 — Retention

Retention0%

CDR & Subscriber Retention

Balance DoT 2-year CDR mandate with DPDPA purpose limitation and deletion.

High
Progress
0%
0/4 done
Retain CDR minimum 2 years per DoT licence conditions; delete after 2 years unless under legal hold
Deactivated SIM: delete subscriber profile data within 90 days of port-out or deactivation
Anonymise location data after 12 months unless retained under specific legal obligation
Billing records: retain 3 years for dispute resolution; pseudonymise subscriber PII in archived bills

Stage 10 — Governance

Governance0%

Telecom DPO & Compliance

Governance for TSPs with dual compliance to TRAI regulations and DPDPA.

High
Progress
0%
0/4 done
Appoint DPO with telecom regulatory background — must coordinate with TRAI and DoT liaison
DPIA for 5G rollout, edge computing deployment, and AI-based network analytics
Annual DPDPA compliance report submitted alongside TRAI Quality of Service audit
Train retail channel partners (dealer network) on subscriber consent and KYC data handling

Required Policies — Telecom (20)

0 / 20 Approved

Government & Public Sector Controls

DPDPA compliance for central and state government bodies, public sector undertakings, and e-governance platforms. Covers Section 17 exemptions, Aadhaar-linked services, citizen data sovereignty, and e-Gov vendor controls.

Sec 17Exemptions
UIDAIDual-mapped
DigiLockerAligned
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery

Discovery0%

Citizen Data & System Inventory

Map all citizen personal data in government databases, beneficiary systems, and portals.

Critical
AadhaarPANVoter IDLand RecordsHealth (AB-PMJAY)
Progress
0%
0/6 done
Catalogue all citizen-facing systems with personal data: beneficiary DBs, citizen portals, G2C apps
Identify data that qualifies under DPDPA vs. data exempted under Section 17 (national security)
Map all Aadhaar-integrated services (UIDAI authentication flows) and data retention at seeding
Audit inter-ministry data sharing arrangements (MoU-based and API integrations)
Identify outsourced e-Gov platforms where private vendors act as data processors
Document census, survey, and statistical data flows and anonymisation status

Stage 2 — Notice

Notice0%

Citizen Notice & Transparency

Plain-language notice to citizens about government data collection and processing.

Critical
Progress
0%
0/4 done
Display citizen privacy notice on all G2C portals (UMANG, DigiLocker, CSC) at point of data collection
Notice must clarify which processing is under legal mandate (no consent needed) vs. voluntary
Provide notice in 22 scheduled languages for federal portals serving multilingual populations
Gazette notification for any new government data sharing arrangement affecting citizens

Stage 3 — Consent & Legal Basis

Consent0%

Government Legal Basis Mapping

Document lawful basis for each processing activity: law, consent, or legitimate state function.

Critical
Progress
0%
0/5 done
Map every processing activity to DPDPA legal basis: consent, legal obligation, or Section 4 legitimate use
Where consent is basis: implement free and voluntary consent — not conditional on service access
Aadhaar authentication: use OTP/biometric consent properly under UIDAI framework
Welfare scheme enrolment: consent cannot be the basis for mandatory government benefits
Document Section 17 exemption claims with specific provision cited and scope limitation

Stage 4 — Purpose Limitation

Purpose0%

Inter-Agency Data Sharing Controls

Limit citizen data sharing between agencies to declared lawful purposes only.

Critical
Progress
0%
0/4 done
Formalise all inter-ministry data sharing with signed MoU stating purpose, scope, and controls
Prohibit use of welfare scheme data for surveillance or law enforcement without legal authority
API gateway controls: enforce purpose-binding per API consumer — restrict fields by declared use
Conduct DPIA before launching new citizen-linked data analytics or AI profiling programmes

Stage 5 — Security

Security0%

Government Systems Security

CERT-In compliant security for citizen data and e-governance infrastructure.

Critical
Progress
0%
0/5 done
Classify and encrypt all citizen PII in government databases as per MeitY data classification policy
Government cloud (MeghRaj/CSC) data residency: all citizen data stored in India-based NIC/NICSI DCs
VAPT of all citizen-facing e-Gov portals aligned with CERT-In Empanelled Auditor schedule
Implement RBAC for all government employees accessing citizen records (need-to-know basis)
Mandatory security training for all government officials handling citizen personal data

Stage 6 — Sharing

Sharing0%

e-Gov Vendor Controls

Govern private vendors who operate or maintain government citizen data systems.

High
Progress
0%
0/4 done
All government IT contracts must include DPDPA data processing clauses binding vendor as processor
Prohibit vendor sub-processing of citizen data without written government approval
Conduct annual security audit of all private vendors with access to citizen-linked databases
Data sovereignty: no citizen data on foreign cloud — enforce NIC/MeghRaj hosting mandate

Stage 7 — Citizen Rights

Rights0%

Citizen Rights Mechanism

Government data access, correction, and grievance mechanisms for citizens.

Critical
Progress
0%
0/4 done
Integrated citizen rights portal (myGov/UMANG) for access and correction requests across ministries
Correction mechanism for errors in beneficiary databases (Aadhaar, ration card, voter roll)
Erasure: where processing is consent-based, implement deletion on withdrawal without denying benefits
CPGRAMS integration for DPDPA complaints with defined escalation to DPB

Stage 8 — Breach Response

Breach0%

CERT-In + DPB Breach Protocol

Coordinate citizen data breach between CERT-In, DPB, and ministry notification chains.

Critical
Progress
0%
0/4 done
6-hour CERT-In breach notification concurrent with DPB notification for citizen data breaches
Cabinet/ministry notification chain for breaches affecting national identity databases
Citizen notification via UMANG/SMS for breaches affecting welfare benefits or personal data
Annual cyber crisis simulation for e-Gov systems involving NCIIPC and CERT-In

Stage 9 — Retention

Retention0%

Government Records Retention

Balance Public Records Act, Right to Information, and DPDPA deletion obligations.

High
Progress
0%
0/4 done
Build retention schedule per data type mapping Public Records Act periods vs. DPDPA necessity
Anonymise census and survey data upon purpose completion — do not retain identifiable data beyond mandate
Digital records: implement automated archival workflow for records beyond active use period
Secure deletion certificate for physical and digital records destroyed under schedule

Stage 10 — Governance

Governance0%

Government DPO & Data Board

Institutional governance framework for DPDPA compliance across government bodies.

High
Progress
0%
0/4 done
Appoint Ministry-level DPO coordinating with MeitY for DPDPA implementation oversight
Establish inter-ministry Data Governance Board for cross-agency data sharing policy
DPIA mandatory for all new e-Gov projects processing citizen data at scale
Annual DPDPA compliance review submitted to Parliament/State Legislature as part of annual report

Required Policies — Government (20)

0 / 20 Approved

SaaS & IT Services Controls

DPDPA compliance for cloud SaaS providers, IT outsourcing, and managed service providers. Focus on multi-tenant data isolation, processor agreements, DevSecOps, and customer offboarding data deletion.

ProcessorObligations
ISO 27001Aligned
SOC2Mapped
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery

Discovery0%

Cloud & Multi-Tenant Data Inventory

Catalogue all personal data stored across tenants, environments, and cloud regions.

Critical
Customer PIIEnd-user DataAudit LogsBackup DataTelemetry
Progress
0%
0/5 done
Maintain data inventory per tenant: what personal data each customer's end-users upload or generate
Map all data regions — identify personal data on non-Indian servers and assess transfer adequacy
Audit telemetry and usage analytics collected from SaaS platform for personal data content
Identify all sub-processors (CDN, analytics, email, payment) used in the SaaS stack
Map personal data in CI/CD pipelines, staging environments, and developer sandboxes

Stage 2 — Notice

Notice0%

B2B & End-User Notice

Layered notice to enterprise customers (B2B) and their end-users processed through the SaaS.

High
Progress
0%
0/4 done
Publish sub-processor list and update it within 30 days of adding new sub-processors
Enterprise customer DPA must flow-down notice obligations to their end-users
In-product privacy notice for end-users of B2B SaaS covering data the vendor processes
Security incident notifications to enterprise customers within 24 hours of confirmed breach

Stage 3 — Consent & Processor Controls

Consent0%

Data Processor Agreement Controls

Robust DPAs with enterprise customers covering DPDPA processor obligations.

Critical
Progress
0%
0/5 done
Standardise DPDPA-compliant DPA template covering instructions, security, breach, deletion, audit rights
Clearly define customer as data fiduciary; SaaS as data processor — scope of processing per contract
Sub-processor approval: customer written consent before engaging new sub-processors
Processing only on documented customer instructions — no use of customer data for product improvement without consent
AI/ML features: explicit customer consent before using their data to train shared models

Stage 4 — Purpose Limitation

Purpose0%

DevSecOps & Privacy Engineering

Embed privacy by design in development lifecycle to prevent purpose creep.

High
Progress
0%
0/5 done
Privacy review gate in CI/CD pipeline — block deployment of features collecting new personal data without DPO sign-off
Data minimisation by design: code review checklist to reject unnecessary personal data collection
Anonymise personal data in dev/test environments — no production PII in staging or sandbox
SAST/DAST scans for data leakage in API responses and logging statements
Conduct DPIA for every new AI/ML product feature that processes customer end-user data

Stage 5 — Security

Security0%

SaaS Multi-Tenant Security

Tenant isolation, encryption, and access controls for shared SaaS infrastructure.

Critical
Progress
0%
0/5 done
Enforce hard tenant isolation — no data leakage between customer tenants in shared DB/storage
Tenant-specific encryption keys (BYOK) for enterprise customers with sensitive data
Zero-trust network architecture for internal service-to-service access
SOC 2 Type II audit aligned with ISO 27001 certification for DPDPA security safeguards evidence
Quarterly third-party penetration testing; results disclosed to enterprise customers on request

Stage 6 — Sharing

Sharing0%

Sub-Processor & API Security

Control personal data sharing with sub-processors and third-party integrations.

High
Progress
0%
0/4 done
Execute DPA with every sub-processor before passing customer personal data
Cross-border: assess adequacy for customer data sent to US/EU sub-processors (Anthropic, AWS)
API security: OAuth 2.0 + scoped tokens; no broad personal data access to third-party integrations
Annual sub-processor security review including SOC2 or ISO 27001 evidence collection

Stage 7 — Rights & Offboarding

Rights0%

Customer Offboarding & Data Deletion

Complete customer data deletion and export on contract termination.

Critical
Progress
0%
0/5 done
Provide customer data export in standard format (JSON/CSV) within 30 days of termination request
Complete data deletion from all systems including backups within 60 days of offboarding
Issue deletion certificate to enterprise customer confirming purge from all storage and backups
Cascade deletion request to all sub-processors within 5 business days
End-user rights: pass-through access/deletion requests from customer's end-users to customer within 48 hours

Stage 8 — Breach Response

Breach0%

SaaS Incident Classification & Response

Tiered breach response covering processor notification and customer communication.

Critical
Progress
0%
0/4 done
Classify incidents: Tier-1 (personal data breach) → DPB+customer 24h, Tier-2 (security incident) → customer 48h
Notify affected enterprise customers with breach details enabling their DPB notification
Maintain 24/7 security incident response team with defined escalation runbooks
Annual purple-team exercise simulating multi-tenant data breach with customer notification drill

Stage 9 — Retention

Retention0%

SaaS Data Retention Controls

Contractual retention periods, backup lifecycle, and automated deletion pipelines.

High
Progress
0%
0/4 done
DPA must specify retention period per data category — default to customer's instructions
Automated backup expiry: backup retention aligned with primary data retention schedule
Audit log retention: 3 years for DPDPA accountability; anonymise user IDs in logs after 1 year
Inactive tenant data: notify customer 90 days before deletion; auto-delete after agreed period

Stage 10 — Governance

Governance0%

SaaS DPO & Privacy Programme

Privacy-as-a-product governance framework for SaaS and IT service organisations.

High
Progress
0%
0/4 done
Appoint DPO with SaaS/cloud architecture background — embedded in product and engineering teams
Publish trust centre with current DPAs, sub-processor list, security certifications, and audit reports
DPIA for all AI features, new data types, and cross-border architecture changes
Annual privacy training for all engineers, support, and sales staff handling customer data

Required Policies — SaaS & IT (20)

0 / 20 Approved

Manufacturing Controls

DPDPA compliance for factories, industrial enterprises, and smart-product manufacturers. Covers employee biometrics, IoT/OT data, workforce surveillance, product telemetry, and supply chain data sharing.

BiometricsSPD Risk
IoT/OTData Flows
SupplyChain
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery

Discovery0%

Workforce & IoT Data Inventory

Catalogue employee biometric, attendance, IoT sensor, and product telemetry data.

Critical
FingerprintFace IDCCTVGPS TrackerIoT Sensors
Progress
0%
0/6 done
Classify all biometric data (fingerprint, face recognition, iris) as Sensitive Personal Data under DPDPA
Map all CCTV coverage in factory — identify zones capturing workers vs. equipment-only areas
Inventory IoT/OT sensors that capture worker-linked data (wearables, smart PPE, vehicle GPS)
Document smart product telemetry data flows: connected devices, warranty portals, service apps
Identify contract worker and gig worker personal data in separate HR and vendor systems
Map supply chain partner data sharing — vendor/dealer personal data in procurement and ERP systems

Stage 2 — Notice

Notice0%

Worker & Consumer Notice

Notice to factory workers and smart-product consumers about personal data collection.

Critical
Progress
0%
0/4 done
Display biometric collection notice at factory entry gates in local language before enrolment
CCTV surveillance notice: signage at all camera locations with purpose, retention period, contact
Smart product: in-box and app privacy notice covering telemetry, warranty data, service data
Supply chain partner: notice in vendor onboarding forms about personal data processed in ERP

Stage 3 — Consent Controls

Consent0%

Biometric & Surveillance Consent

Explicit, free consent for biometric enrolment and workforce surveillance systems.

Critical
Progress
0%
0/5 done
Obtain explicit written consent for biometric enrolment — consent must be free, not condition of employment
Offer alternative attendance method for workers who refuse biometric consent
Wearable/GPS tracker: separate consent per device, refresh annually, voluntary withdrawal possible
Smart product telemetry: opt-in consent for usage analytics; essential diagnostics on contractual basis
Union/works council consultation before deploying new monitoring technologies on factory floor

Stage 4 — Purpose Limitation

Purpose0%

Surveillance Purpose Limitation

Restrict CCTV and monitoring data to safety and security — not productivity surveillance.

High
Progress
0%
0/4 done
CCTV data restricted to physical security and accident investigation — not individual productivity tracking
Biometric data limited to attendance and access control — no secondary use for HR performance scoring
IoT/wearable data: restrict to worker safety monitoring — not location tracking beyond plant boundary
Smart product telemetry: restrict to device health and warranty service — not behavioural profiling of owners

Stage 5 — Security

Security0%

OT/IoT & Biometric Security

Cybersecurity for operational technology and biometric systems storing personal data.

Critical
Progress
0%
0/5 done
Segment OT/SCADA network from IT network — biometric servers in isolated secure zone
Encrypt biometric templates at rest and in transit — store hash, not raw biometric data
IoT device firmware patch management — establish 72-hour critical patch SLA for connected devices
CCTV access control: footage accessible only to security team and designated investigators
Annual OT/ICS security assessment per IEC 62443 framework

Stage 6 — Sharing

Sharing0%

Supply Chain & Warranty Sharing

Control personal data shared with dealers, distributors, and service partners.

High
Progress
0%
0/4 done
DPA with all authorised service centres handling customer warranty and repair data
Dealer network: limit customer registration data to warranty service — block marketing use without consent
International supply chain: DPA with foreign component suppliers processing worker or customer data
Contract worker agencies: DPA covering payroll and attendance data processed by staffing vendors

Stage 7 — Worker & Consumer Rights

Rights0%

Dual Rights — Workers & Customers

Rights fulfilment for factory workers (biometrics) and product consumers (telemetry).

Critical
Progress
0%
0/4 done
Worker rights portal: access own biometric enrolment record, attendance history, request correction
On resignation: delete biometric data within 30 days; retain payroll records per labour law
Consumer: access product usage history and request deletion of telemetry data via warranty portal
Appoint Grievance Officer accessible to both workers and consumers with 30-day resolution SLA

Stage 8 — Breach Response

Breach0%

OT & Biometric Breach Response

Response protocol for biometric system compromise and OT/IoT cyber incidents.

Critical
Progress
0%
0/4 done
Biometric system breach: immediate DPB notification, re-enrolment programme for affected workers
OT breach containment: isolate affected segment without disrupting production safety systems
Consumer product breach (telemetry exfiltration): DPB notification + customer notification via app
Annual cyber-physical tabletop exercise covering biometric compromise and OT ransomware scenarios

Stage 9 — Retention

Retention0%

Manufacturing Data Retention

Retention schedule for biometric, CCTV, product telemetry, and HR data.

High
Progress
0%
0/4 done
CCTV footage: delete within 30 days unless flagged for incident investigation or legal hold
Biometric data: delete within 30 days of employee exit; retain only in anonymised attendance records
Product telemetry: retain for warranty period (1-3 years); delete on product deregistration
Payroll and ESI/PF data: retain per Factories Act and labour law minimums (3-7 years)

Stage 10 — Governance

Governance0%

Manufacturing DPO & Compliance

DPDPA governance for industrial organisations with worker and consumer data obligations.

High
Progress
0%
0/4 done
Appoint DPO with OT/industrial systems knowledge — coordinate with CISO and HR heads
DPIA for new biometric systems, surveillance technology, and connected product launches
Annual workforce privacy training for shop-floor supervisors and HR teams
Supplier code of conduct: require DPDPA compliance attestation from all Tier-1 supply chain partners

Required Policies — Manufacturing (20)

0 / 20 Approved

HRMS & Workforce Controls

DPDPA compliance for HR management systems, payroll processors, and workforce platforms. Covers full employee lifecycle — recruitment through alumni — including health/EAP data, gig workers, and third-party HR vendors.

FullLifecycle
HealthEAP Data
GigWorkers
Controls Done0/0
Policies0/0
Total Done0
Readiness0%

Stage 1 — Data Discovery

Discovery0%

Employee Lifecycle Data Inventory

Catalogue all personal data across hire-to-retire and contractor lifecycle stages.

Critical
Resume DataPAN/AadhaarBank DetailsHealth RecordsPerformance
Progress
0%
0/6 done
Map all personal data fields in HRMS from onboarding to separation (100+ data points typical)
Identify all sensitive personal data: health/medical, disability, religion (for leave), biometrics
Map recruitment data flows: job portals (Naukri, LinkedIn), ATS, background verification agencies
Identify EAP (Employee Assistance Programme) health and counselling data — classify as SPD
Gig/contract worker data in separate platforms — map flows to agency, payroll, and compliance systems
Audit all third-party HR tools: payroll, LMS, performance management, benefits portals

Stage 2 — Notice

Notice0%

Employee Privacy Notice

Comprehensive workforce privacy notice covering all HR processing activities.

Critical
Progress
0%
0/5 done
Provide candidate privacy notice at job application stage before any data collection
Employee notice at onboarding: full list of processing purposes, HR tools, and data sharing with PF/ESI/TDS authorities
EAP notice: explicit disclosure of counselling data confidentiality boundaries and exceptions
Workplace monitoring notice: email monitoring, device tracking, internet usage policies
Update notice whenever new HR tools or monitoring practices are introduced

Stage 3 — Consent & Legal Basis

Consent0%

HR Processing Legal Basis Matrix

Map each HR processing activity to correct DPDPA legal basis — contract, legal obligation, or consent.

Critical
Progress
0%
0/6 done
Payroll and statutory compliance (PF, ESI, TDS): legal obligation basis — no consent needed
Background verification: explicit written consent before engaging screening agencies
Health/medical data for group insurance: explicit consent — not bundled in employment agreement
EAP counselling records: explicit session-by-session consent; employer must NOT access individual records
Social media monitoring of employees: explicit consent or lawful basis documented before deployment
Alumni newsletter / referral: consent at exit interview; opt-in only, not pre-selected

Stage 4 — Purpose Limitation

Purpose0%

Health & EAP Data Controls

Strict purpose limitation for employee health, insurance, and assistance programme data.

Critical
Progress
0%
0/5 done
Health data collected for insurance: restrict to insurer only — HR cannot access individual diagnosis
EAP records: strictly confidential — aggregate utilisation data only reportable to employer
Performance data: restrict to performance management and promotion decisions — not shared externally
Recruitment AI: audit automated screening tools for bias on age, gender, religion proxy variables
Travel and expense data: restrict to finance and compliance — no surveillance use of location data

Stage 5 — Security

Security0%

HRMS & Payroll Security

Access controls, encryption, and audit logging for HR system security.

Critical
Progress
0%
0/5 done
HRMS role-based access: manager sees own team only; HR sees all but health/EAP records
Encrypt payroll and bank data at rest and in transit — MFA for all HRMS administrative access
Audit log every access to sensitive HR fields (salary, health, PAN) with user, timestamp, purpose
Background verification agency API: token-scoped access, no bulk employee data download allowed
Annual VAPT of HRMS, payroll portal, and employee self-service applications

Stage 6 — Sharing

Sharing0%

Third-Party HR Vendor Controls

DPAs with payroll, benefits, background check, and learning platform vendors.

High
Progress
0%
0/4 done
Execute DPDPA-compliant DPA with all third-party HR vendors before sharing employee data
Background verification: share minimum necessary data; prohibit agency retention post-verification
Cross-border employee data: assess adequacy for SaaS HRMS (SAP, Workday, BambooHR) global hosting
Annual vendor audit: require SOC2/ISO 27001 evidence from all HR SaaS and payroll vendors

Stage 7 — Employee Rights

Rights0%

Employee Self-Service Rights Portal

Rights fulfilment for current employees, ex-employees, and gig workers.

Critical
Progress
0%
0/5 done
Employee self-service: download own HR file (payslips, leave records, appraisal data) on demand
Correction request for personal details, address, emergency contacts with 5-day SLA
Post-exit: ex-employees can request access to own employment records for 3 years after separation
Gig workers: same rights as employees for data collected during engagement period
Nomination facility: allow employee to nominate family member for data access in case of incapacitation

Stage 8 — Breach Response

Breach0%

HR Data Breach Response

Employee notification and regulator reporting for HR and payroll data breaches.

Critical
Progress
0%
0/4 done
HR data breach (salary/bank data exposed): DPB notification + individual employee notification within 72 hours
Payroll breach: coordinate with banks for account monitoring and fraud alert for affected employees
EAP vendor breach: immediate system access revocation, employee notification with counselling support
Annual HR data breach tabletop: payroll exfiltration scenario with employee communication drill

Stage 9 — Retention

Retention0%

Employee Data Retention Schedule

Balance labour law mandates, PF/ESI requirements, and DPDPA deletion rights.

High
Progress
0%
0/5 done
Payroll and PF/ESI records: retain 5 years post-exit per statutory mandate; anonymise thereafter
Recruitment data for unsuccessful candidates: delete within 6 months of rejection unless candidate consents to talent pool
Performance appraisals: retain 3 years post-exit for reference/legal claims; delete thereafter
Health/insurance claims data: retain for claim settlement period + 2 years; then delete
Background verification reports: delete within 12 months of completion; retain only pass/fail outcome

Stage 10 — Governance

Governance0%

HR Privacy Governance & DPO

DPDPA governance framework for HR data fiduciary with union and works council alignment.

High
Progress
0%
0/5 done
Appoint DPO with HR and labour law background — embedded in CHRO function
DPIA for all new HR tech, AI hiring tools, employee monitoring systems before deployment
Consult union / workers' council before introducing new monitoring or profiling tools
Annual employee privacy awareness training covering rights, consent mechanisms, and DPDPA overview
Publish annual privacy report covering rights requests, HR data breaches, and vendor audit results

Required Policies — HRMS (20)

0 / 20 Approved

DPDPA Complete Policy Register

188 mandatory policies across 10 sectors · Each policy includes Purpose, Scope, Key Requirements and a Sample Clause · Click any policy to expand

188Total Policies
62Critical
101High
25Medium
10Sectors

Universal — Mandatory for All Sectors

All Industries20 Policies · 10 Critical · 8 High · 2 Medium
1
Privacy Policy (External / Public-facing)
CriticalGovernanceLegal / DPO
PurposeProvide transparent notice to all data principals about what personal data is collected, why, how it is used, who it is shared with, retention periods and how rights may be exercised under DPDPA 2023.
ScopeAll customer-facing websites, mobile apps, physical touchpoints and partner platforms where personal data is collected.
Key Requirements
  • Written in plain language; free of legal jargon; comprehensible by an average person without legal expertise.
  • Available in English and in any of the 22 Scheduled languages on request within 3 working days.
  • Specifies: data categories, processing purposes, recipients, retention periods, cross-border transfers and rights exercise mechanism.
  • Published prominently on homepage, app Settings/Privacy screen and all data collection forms — not buried in footer.
  • Version-controlled with effective date; all historical versions retained for minimum 3 years.
  • Updated within 30 days of any material change; affected data principals notified; re-consent obtained where required.
Sample Clause

"We collect your name, email address, mobile number and usage data solely to provide and continuously improve our services. We do not sell your personal data to third parties. You may withdraw consent, request access to your data or ask for its deletion at any time by writing to our Data Protection Officer at dpo@company.com. This Privacy Notice is effective from [DATE] and supersedes all prior versions."

2
Data Processing Register (ROPA / DPR)
CriticalGovernanceDPO / IT
PurposeMaintain a comprehensive, continuously updated record of all personal data processing activities as mandated under DPDPA 2023 and required for DPBI audit readiness.
ScopeEvery department, system and third-party integration that collects, stores, uses, transfers or destroys personal data of Indian data principals.
Key Requirements
  • Each entry records: data category, purpose, legal basis, processor/sub-processor details, retention schedule and cross-border transfer details.
  • DPR updated within 14 days of any change to processing activities; DPO certifies accuracy quarterly.
  • Maintained in a format exportable to DPBI within 72 hours of request.
  • Each entry has a named business owner accountable for accuracy.
  • DPR reviewed and updated at minimum quarterly; material changes reported to Board.
Sample Clause

"The Data Processing Register shall be maintained by the DPO and updated within 14 days of any new or changed processing activity. Each record shall include: (a) nature and category of personal data; (b) the legal basis; (c) processor and sub-processor details; (d) the retention schedule; (e) cross-border transfer safeguards. The DPR shall be made available to the DPBI within 72 hours of any request."

3
Consent Management Policy
CriticalConsentProduct / Legal
PurposeEstablish a standardised, auditable framework for obtaining, recording, managing and withdrawing consent across all data collection points.
ScopeAll digital and physical channels where personal data is collected from Indian data principals, including websites, apps, call centres, stores and partner platforms.
Key Requirements
  • All consent must be free, specific, informed and unambiguous; no pre-ticked boxes under any circumstance.
  • Each processing purpose requires a separate consent artefact; bundling is prohibited.
  • Consent withdrawal as easy as consent collection; effective within 24 hours.
  • All consent events timestamped with IP address, device identifier, channel, notice version and user agent.
  • Consent propagated to all downstream processors and sub-processors within 48 hours.
  • Consent records retained for minimum 3 years even after withdrawal; immutable, tamper-evident storage.
Sample Clause

"Consent shall be obtained for each distinct processing purpose separately. No single consent form shall cover multiple processing purposes. A data principal who wishes to withdraw consent may do so at any time through the designated privacy dashboard or by email to the DPO. Withdrawal shall take effect within 24 hours of the request and shall not affect the lawfulness of processing carried out before withdrawal."

4
Data Retention & Deletion Policy
CriticalLifecycleIT / Legal
PurposeDefine mandatory retention schedules for every personal data category and ensure systematic, verifiable deletion upon expiry or on a valid erasure request.
ScopeAll production databases, backups, archives, DR sites, cold storage and third-party processor stores holding personal data.
Key Requirements
  • Retention schedule defined for every data category in the DPR; default to shortest legally defensible period.
  • Automated deletion triggers on schedule expiry; no manual approval required for routine deletions.
  • Erasure requests fulfilled within 30 days across all environments; written confirmation to data principal.
  • Statutory holds documented; reason communicated in writing to the data principal.
  • Deletion certificates issued for biometric, financial and health data categories on request.
Sample Clause

"Personal data shall be retained only for as long as necessary to fulfil the purpose for which it was collected, or for such longer period as may be required by applicable law. Upon expiry of the retention period, personal data shall be securely deleted or irreversibly anonymised within 30 days. Where a data principal requests erasure and no legal hold applies, deletion shall be completed within 30 days and confirmed in writing."

5
Data Breach Response & Notification Policy
CriticalIncidentCISO / DPO
PurposeDefine the process for detecting, classifying, escalating and reporting personal data breaches to the DPBI and affected data principals within statutory timelines.
ScopeAll systems, networks, applications and third-party integrations processing personal data; all employees and contractors with data access.
Key Requirements
  • P1 (confirmed breach): DPBI notification within 72 hours; data principals notified without undue delay.
  • DPBI notification includes: nature, categories affected, estimated principals affected, consequences and remediation measures.
  • Post-incident report to DPBI within 30 days — root cause, corrective actions and systemic remediation.
  • Annual tabletop breach simulation; playbook updated within 30 days of drill.
  • All breach records retained 3 years; DPBI-accessible within 72 hours.
Sample Clause

"Upon confirmation of a P1 breach, the DPO shall notify the Data Protection Board of India within 72 hours. The notification shall state: (i) nature of the breach; (ii) categories and approximate number of data principals affected; (iii) likely consequences; (iv) measures taken or proposed. Affected data principals shall be notified without undue delay in plain language."

6
Data Principal Rights Fulfilment Policy
CriticalRightsLegal / DPO
PurposeEstablish a consistent, verifiable process for responding to all data principal rights requests under DPDPA 2023 within statutory SLAs.
ScopeAll systems processing personal data of Indian data principals; customer-facing teams, HR, IT and Legal.
Key Requirements
  • Access request: full data summary delivered within 72 hours of verified identity.
  • Correction request: update propagated across all systems within 7 days.
  • Erasure request: automated deletion across all environments within 30 days; written confirmation sent.
  • Nomination: registration with verified identity; activation on proof of death or incapacity.
  • All requests logged; DPO monitors SLA weekly; DPBI escalation path communicated to data principal.
Sample Clause

"Any data principal may submit rights requests through the privacy portal or by writing to the DPO. The organisation shall respond to access requests within 72 hours, correction requests within 7 working days and erasure requests within 30 days of verified identity. Unresolved grievances may be escalated to the Data Protection Board of India at dpbi.gov.in."

7
Significant Data Fiduciary (SDF) Compliance Policy
CriticalGovernanceDPO / Board
PurposeDefine obligations, governance structure and annual compliance programme following designation as a Significant Data Fiduciary by the Central Government under DPDPA Section 10.
ScopeAll operations, systems and personnel from the effective date of SDF designation.
Key Requirements
  • DPO appointed within 90 days of designation; name, qualifications and contact published on website.
  • DPIA completed for every high-risk processing activity before commencement.
  • Annual algorithmic transparency audit for all AI/ML systems at scale; findings filed with DPBI.
  • Annual SDF compliance report to Board and DPBI in notified format and timeline.
  • SDF registration on DPBI portal within the notified period after designation.
Sample Clause

"As a Significant Data Fiduciary designated under Section 10 of DPDPA 2023, the organisation shall appoint a qualified Data Protection Officer who shall report directly to the Board. The DPO shall conduct Data Protection Impact Assessments for all high-risk processing activities and shall submit an annual compliance report to the Data Protection Board of India. The DPO's identity and contact shall be prominently published on the organisation's website."

8
Children's Data & Parental Consent Policy
CriticalDataDPO / Legal
PurposeEstablish absolute controls for processing personal data of children under 18, including verifiable parental consent mechanisms and profiling prohibitions.
ScopeAll products, services, systems and touchpoints that may be accessed by users under 18 years of age.
Key Requirements
  • No processing of personal data of under-18s without verifiable parental or guardian consent; self-declaration is insufficient.
  • Age verification deployed at every registration and data collection point.
  • Absolute prohibition on behavioural profiling or targeted advertising of children — even with parental consent.
  • Children's data in segregated, enhanced-protection tier; separate encryption keys; every access triggers DPO alert.
  • All ad-tech SDKs disabled in minor-accessible product surfaces without exception.
Sample Clause

"No personal data of any person below the age of 18 shall be processed without verifiable parental or guardian consent. Irrespective of parental consent, the organisation shall not engage in behavioural profiling, targeted advertising, tracking or monitoring of any user who is or is reasonably believed to be below 18 years of age."

9
Lawful Processing Basis Documentation Policy
CriticalLegal BasisDPO / Legal
PurposeEnsure every personal data processing activity has a valid, documented legal basis under DPDPA 2023 and that the basis is reviewed and maintained in the DPR.
ScopeAll personal data processing activities conducted by the organisation across all business units and geographies.
Key Requirements
  • Every DPR entry must have a documented legal basis — consent or a specific Section 7 deemed-consent ground.
  • State function basis: map to the specific statutory power; legal opinion on file.
  • Contractual necessity: only minimum data strictly necessary for the contract is collected.
  • Medical emergency basis: processing stops when the emergency resolves; documented case-by-case.
  • Quarterly DPR review by DPO to identify and correct any legal basis drift.
Sample Clause

"The organisation shall not process any personal data without identifying and documenting the applicable legal basis under DPDPA 2023. Where processing relies on a legal obligation, the specific provision of law shall be cited in the DPR entry. Processing activities without a documented legal basis shall be suspended immediately pending DPO review."

10
Breach Notification Workflow & Playbook
CriticalIncidentCISO / DPO
PurposeProvide a step-by-step operational playbook for executing breach notification obligations from detection through to post-incident reporting.
ScopeInformation Security, Legal, DPO and all business units that may discover or be affected by a personal data breach.
Key Requirements
  • Playbook tested annually via tabletop simulation; updated within 30 days of drill completion.
  • Pre-approved DPBI notification templates ready with legal sign-off before any incident occurs.
  • Escalation: Detection → CISO (1 hr) → DPO (2 hrs) → CEO (4 hrs P1) → DPBI portal submission (72 hrs P1).
  • All breach records retained 3 years; accessible to DPBI within 72 hours of request.
  • All notifications reviewed by Legal before submission to any regulator or data principal.
Sample Clause

"On confirmation of a P1 breach: (1) CISO notifies DPO within 2 hours; (2) DPO and Legal prepare DPBI notification within 48 hours; (3) DPO submits notification to DPBI portal within 72 hours of breach confirmation; (4) Affected data principals notified without undue delay using the pre-approved communication template; (5) Post-incident report submitted to DPBI within 30 days."

11
DPIA Policy & Assessment Template
HighRiskDPO
PurposeEstablish a mandatory Data Protection Impact Assessment process for all new or changed high-risk processing activities before commencement.
ScopeAll proposed new processing activities and material changes to existing processing that may result in high risk to data principals.
Key Requirements
  • DPIA mandatory for: systematic large-scale profiling, sensitive data processing, automated decisions with legal effect, children's data at scale.
  • DPO must sign off before processing commences; Board notified of high-risk findings.
  • DPIA register maintained; reviewed and updated annually or on any material change.
  • Residual risks above the acceptable threshold must be referred to DPBI for prior consultation.
Sample Clause

"Before commencing any high-risk processing activity, the business unit shall complete a DPIA using the approved template and submit it to the DPO. The DPO shall provide written opinion within 15 working days. Processing shall not commence until the DPO confirms in writing that the residual risks are acceptable."

12
Third-Party Processor Management Policy
HighVendorProcurement / Legal
PurposeEnsure all third-party processors are contractually bound and operationally capable of meeting DPDPA obligations before any personal data is transferred to them.
ScopeAll vendors, SaaS providers, cloud services and partners that access, store or process personal data on behalf of the organisation.
Key Requirements
  • No personal data transferred to any processor without a signed Data Processing Agreement.
  • DPA must include: processing scope, security measures, breach notification SLA (max 6 hours), audit rights and deletion obligations.
  • Annual vendor security assessment (VAPT evidence or SOC 2 Type II) before onboarding and annually.
  • Sub-processors must notify 30 days in advance of any change; organisation may object within that period.
Sample Clause

"No personal data shall be shared with any third-party processor without a signed DPA that complies with DPDPA 2023. Processors shall notify the organisation of any personal data breach within 6 hours of discovery. The processor register shall be updated within 7 days of any change."

13
Cross-Border Transfer & SCC Policy
HighTransferLegal
PurposeGovern all cross-border transfers of personal data to ensure compliance with DPDPA Section 16 and MeitY whitelist requirements.
ScopeAll personal data transfers to processors, affiliates or recipients outside India.
Key Requirements
  • Transfers permitted only to MeitY-whitelisted countries or under SCCs/binding corporate rules for others.
  • Transfer Impact Assessment completed for each country where data is processed.
  • Transfer register updated within 7 days of any new arrangement.
  • MeitY whitelist monitored monthly; transfers to removed countries paused within 48 hours.
Sample Clause

"Personal data of Indian data principals shall be transferred outside India only to countries on the MeitY-approved whitelist, or under Standard Contractual Clauses approved by the DPO and Legal, or under such other safeguards as may be prescribed. A Transfer Impact Assessment shall be completed for every country where data is processed by a sub-processor."

14
Privacy by Design & Default Policy
HighEngineeringCTO / DPO
PurposeEmbed privacy protections into all products, systems and processes from inception and ensure the most privacy-protective settings are default.
ScopeAll product development, engineering and data science teams designing or modifying systems that process personal data.
Key Requirements
  • Privacy review gate in SDLC — no personal-data feature ships without DPO or privacy champion sign-off.
  • Default settings must be the most privacy-protective; users must actively opt into less restrictive options.
  • No real personal data in development, staging or test environments; synthetic data mandated.
  • Data flow diagrams maintained and updated quarterly.
Sample Clause

"All new products processing personal data shall undergo a Privacy Impact Assessment before development commences. Default settings shall collect and process the minimum personal data necessary. No personal data from production environments shall be used in development or testing without prior DPO approval and mandatory anonymisation."

15
Employee DPDPA Awareness & Training Policy
HighTrainingHR / DPO
PurposeEnsure all employees and contractors handling personal data understand and apply DPDPA obligations in their day-to-day work.
ScopeAll employees, contractors, interns and third-party personnel with access to personal data systems.
Key Requirements
  • Mandatory DPDPA foundation training within 30 days of joining and annually thereafter.
  • Role-specific training for high-risk roles within 60 days of appointment.
  • Training completion records maintained; non-completion escalated after 14 days.
  • Quarterly simulated data handling exercises; results reviewed by DPO.
Sample Clause

"All employees with access to personal data shall complete mandatory DPDPA awareness training within 30 days of joining and annually thereafter. Completion shall be recorded in the LMS. Non-completion within the stipulated period shall be escalated to the relevant department head."

16
Data Minimisation & Purpose Limitation Policy
HighGovernanceDPO
PurposeEnsure the organisation collects only the personal data strictly necessary for the stated purpose and uses it only for that purpose.
ScopeAll data collection forms, APIs, registration flows and internal data pipelines.
Key Requirements
  • Every field collected must have a documented justification in the DPR; surplus fields removed.
  • Secondary use requires fresh consent or a new lawful basis.
  • Quarterly DPO data-creep review; purpose drift remediated within 30 days.
  • Anonymise or pseudonymise data as soon as primary purpose is fulfilled.
Sample Clause

"The organisation shall collect only personal data strictly necessary for the stated purpose. No personal data shall be used beyond the purpose for which it was collected without fresh consent or a new lawful basis. Processing that exceeds its stated purpose shall be immediately suspended pending DPO review."

17
Data Portability & Nomination Rights Policy
HighRightsDPO / Product
PurposeEnable data principals to receive their personal data in a portable format and to nominate a person to exercise rights posthumously.
ScopeAll systems storing personal data of individual data principals.
Key Requirements
  • Portability: structured, machine-readable package (JSON/CSV) delivered within 72 hours via secure download link.
  • Covers data provided by the principal, derived data and inferred profiles.
  • Nomination: verified registration; activation requires proof of death or incapacity.
  • Portability mechanism tested quarterly; format follows MeitY notified standards.
Sample Clause

"Any data principal may request a portable copy of their personal data through the privacy portal. The organisation shall provide a machine-readable copy within 72 hours of the verified request. Data principals may register a nominee to exercise all data protection rights on their behalf upon verified proof of death or incapacity."

18
Vendor Due Diligence & Security Assessment Policy
HighVendorProcurement / CISO
PurposeEstablish a risk-based security and privacy assessment framework for all vendors before granting access to personal data.
ScopeAll vendors, SaaS providers, cloud services, consultants and partners with access to personal data.
Key Requirements
  • Tier 1 (sensitive/large-scale): full VAPT + questionnaire + audit right. Tier 2: SOC 2/ISO 27001 evidence. Tier 3: questionnaire only.
  • Assessment completed before contract execution; re-assessed annually.
  • Critical deficiencies remediated within 60 days or engagement terminated.
  • All assessments documented; accessible for DPBI audit.
Sample Clause

"Prior to granting any vendor access to personal data, the Information Security team shall conduct a security assessment proportionate to the vendor's risk level. Vendors accessing sensitive personal data of more than 10,000 principals shall provide SOC 2 Type II or ISO 27001 evidence. Assessments shall be repeated annually."

19
Annual DPDPA Internal Audit Policy
HighAuditDPO / Internal Audit
PurposeEstablish a systematic annual process for assessing DPDPA compliance, identifying gaps and tracking remediation across all business units.
ScopeAll business units, systems and third-party relationships involving personal data processing.
Key Requirements
  • Annual DPDPA audit by DPO with Internal Audit; external auditor mandatory for SDFs.
  • Audit scope: consent flows, DPR accuracy, rights SLAs, security controls, processor DPAs, training completion.
  • Findings: Critical (30-day remediation), High (60 days), Medium (90 days).
  • Audit report to Board within 30 days; summary filed with DPBI for SDFs. Records maintained 5 years.
Sample Clause

"The organisation shall conduct a comprehensive DPDPA compliance audit at least once every calendar year. The audit report shall be presented to the Board within 30 days of conclusion. All critical findings shall be remediated within 30 days. Audit records shall be maintained for a minimum of 5 years."

20
Privacy Notice & Communication Standards Policy
MediumConsentLegal / Marketing
PurposeDefine the format, language and channel standards for all privacy-related communications issued to data principals.
ScopeAll privacy notices, consent forms, breach notifications, rights responses and marketing opt-in communications.
Key Requirements
  • All notices written at maximum 8th-grade reading level; tested with a readability tool before publication.
  • No legalese, double negatives or undefined technical terms.
  • Visual icons and infographics used to supplement text where practical.
  • All notices reviewed by Legal and DPO before publication; annual review cycle.
Sample Clause

"All privacy notices shall be written in clear, plain language comprehensible by the average user without legal expertise. Privacy communications shall avoid technical legal terminology and passive voice constructions. All notices shall be reviewed jointly by the Legal and Data Protection teams before publication."

Fintech & BFSI

Fintech / Banking / Insurance20 Policies · 8 Critical · 10 High · 2 Medium
1
KYC & Financial Data Governance Policy
CriticalDataCompliance / DPO
PurposeGovern collection, storage, masking and sharing of KYC data (PAN, Aadhaar, bank accounts, credit information) in compliance with DPDPA, UIDAI Act and RBI guidelines.
ScopeAll systems and processes handling customer KYC data across onboarding, lending, payments and investment operations.
Key Requirements
  • PAN and Aadhaar masked in all non-verification contexts; no full Aadhaar number stored per UIDAI circular.
  • KYC data purpose-limited to identity verification and regulatory reporting only.
  • Credit bureau data classified as sensitive personal data; access logged and audited.
  • All KYC vendor DPAs executed; data minimisation enforced at API response level.
  • KYC data retention aligned to PMLA (5 years) and UIDAI guidelines.
Sample Clause

"KYC data including PAN number, Aadhaar Virtual ID and bank account details shall be classified as sensitive personal data and processed only for identity verification and statutory regulatory compliance. No KYC data shall be used for marketing, profiling or cross-sell purposes without fresh explicit consent."

2
Aadhaar & PAN Data Handling Policy
CriticalDataCompliance / Legal
PurposeEnsure Aadhaar and PAN data handling complies simultaneously with UIDAI Act restrictions, Income Tax rules and DPDPA 2023.
ScopeAll systems, processes and third parties handling Aadhaar numbers, Virtual IDs, PAN numbers or any data derived from these identifiers.
Key Requirements
  • No full Aadhaar number stored; only Masked Aadhaar or Virtual ID retained per UIDAI directions.
  • Aadhaar-based authentication logs retained per UIDAI mandate and deleted on expiry.
  • PAN used only for tax reporting and identity verification; no secondary commercial use.
  • Both UIDAI Act and DPDPA obligations documented in DPR as dual-compliance entries.
Sample Clause

"The organisation shall not store the full 12-digit Aadhaar number of any individual. Only the Masked Aadhaar or UIDAI-generated Virtual ID shall be retained post-verification. PAN data shall be used exclusively for statutory tax reporting and identity verification purposes and shall not be used for any commercial profiling, marketing or analytics."

3
PCI-DSS Compliance & Tokenisation Policy
CriticalSecurityCISO / CTO
PurposeEnsure payment card data is never stored in raw form and all card processing complies with PCI-DSS and RBI tokenisation mandates, eliminating raw credential exposure.
ScopeAll payment processing systems, checkout flows, payment gateways, stored credential systems and POS integrations.
Key Requirements
  • Zero raw card credentials stored on servers; tokenisation mandatory per RBI mandate and PCI-DSS.
  • CVV never stored beyond the authorisation transaction.
  • Annual PCI-DSS QSA assessment; critical findings remediated within 30 days.
  • Explicit opt-in required to save payment methods; no default saving at checkout.
Sample Clause

"The organisation shall not store, process or transmit full payment card numbers in unencrypted form. All card data shall be tokenised in accordance with RBI Tokenisation Guidelines and PCI-DSS requirements. CVV shall not be stored after completion of the authorisation transaction under any circumstance."

4
RBI Data Localisation Compliance Policy
CriticalRegulatoryCompliance
PurposeEnsure all payment system data is stored exclusively in India per RBI circular, and that this obligation is reconciled with DPDPA cross-border transfer requirements.
ScopeAll payment system operators, card networks, UPI processors and digital payment service providers.
Key Requirements
  • All payment system data stored only within India; foreign processing mirrored back within 24 hours for end-to-end transaction data.
  • Audit trail of data localisation compliance maintained and available to RBI on request.
  • Offshore card network processing: data mirrored to India within mandated window.
  • DPDPA cross-border transfer rules applied in addition to, not instead of, RBI localisation.
Sample Clause

"In compliance with the Reserve Bank of India's data localisation mandate, all data related to payment systems shall be stored only within India. Where payment transactions require processing by overseas entities such as card networks, end-to-end transaction data shall be brought back to India within 24 hours and retained only in India thereafter."

5
AML / CFT & PMLA Data Governance Policy
CriticalRegulatoryMLRO / Compliance
PurposeEnsure dual compliance between PMLA 2002 obligations and DPDPA 2023 for customer due diligence, transaction monitoring and FIU-IND reporting data.
ScopeAll AML/CFT data including CDD/EDD records, STRs, CTRs and FIU-IND submissions.
Key Requirements
  • CDD and EDD data retained for 5 years per PMLA; DPDPA erasure requests documented but overridden by PMLA statutory hold.
  • STRs and CTRs in separate governance channel; no commercial team access permitted.
  • FIU-IND data transmission via encrypted channel; access restricted to MLRO only.
  • AML data prohibited from use in commercial profiling or marketing under any circumstance.
Sample Clause

"AML/CFT data processed for compliance with PMLA 2002 shall be retained for the period mandated by PMLA, notwithstanding any erasure request under DPDPA. Where a data principal requests erasure, the organisation shall communicate in writing the statutory basis for retaining the data and the expected retention end date."

6
Digital Lending & NBFC Data Controls Policy
CriticalRegulatoryCompliance / DPO
PurposeAlign digital lending data practices with RBI Digital Lending Guidelines 2022 and DPDPA 2023, prohibiting invasive device data harvesting.
ScopeAll digital lending apps, NBFC platforms, lending service providers and recovery operations.
Key Requirements
  • No access to borrower contacts, photos, call logs or device storage for any purpose.
  • Loan application data purpose-limited to credit assessment only; no cross-sell without fresh consent.
  • Quarterly app permission audit; all unnecessary permissions removed within 30 days.
  • Recovery agents receive only outstanding amount, EMI schedule and registered contact — nothing more.
Sample Clause

"The organisation's digital lending application shall not request access to the borrower's device contacts, photographs, call logs, location data or any other device data not strictly necessary for the credit assessment process. Loan data shall not be used for any commercial purpose other than loan processing and recovery."

7
Dual Regulatory Breach Reporting Playbook (DPBI + RBI)
CriticalIncidentCISO / DPO
PurposeReconcile simultaneous breach notification obligations to DPBI (72h), RBI (6h), SEBI (24h) and IRDAI into a single coordinated response playbook.
ScopeAll security incidents involving customer financial data, payment systems or regulated entities.
Key Requirements
  • RBI incident notification within 6 hours via RBI's prescribed mechanism.
  • SEBI breach notification within 24 hours for capital market entities.
  • DPBI notification within 72 hours per DPDPA.
  • All three notification timelines documented in a single reconciled playbook; named contacts maintained.
Sample Clause

"On confirmation of a breach affecting customer financial data: (1) RBI notified within 6 hours per RBI Cyber Security Framework; (2) DPBI notified within 72 hours per DPDPA; (3) SEBI notified within 24 hours for capital market entities; (4) Affected customers notified in plain language without undue delay. The DPO shall coordinate all notifications."

8
Loan Recovery & Debt Collection Data Policy
CriticalOperationsLegal / DPO
PurposeDefine the strict data minimisation standards for sharing borrower data with recovery agents and collection agencies in compliance with DPDPA and RBI Fair Practices Code.
ScopeAll debt collection operations, recovery agency engagements and third-party collection service providers.
Key Requirements
  • Recovery agents receive only: outstanding amount, EMI schedule, registered mobile and registered email — no additional personal data.
  • DPAs with all recovery agencies; data deleted after engagement concludes.
  • No sharing of borrower KYC documents, family contacts or location history with recovery agents.
  • Recovery data access logged; misuse triggers immediate contract termination.
Sample Clause

"Data shared with recovery agents shall be strictly limited to: the borrower's name, outstanding loan amount, EMI schedule, the date of last payment and the borrower's registered contact number. KYC documents, Aadhaar, PAN, bank account details and family contacts shall not be disclosed to recovery agents under any circumstance."

9
Credit & Scoring Data Usage Policy
HighDataRisk / DPO
PurposeGovern the use of CIBIL, Experian and internally-generated credit scores and ensure they are not used for discriminatory or unauthorised purposes.
ScopeAll systems using credit bureau data, internal credit scoring models and risk assessment pipelines.
Key Requirements
  • Credit score data classified as sensitive personal data; access restricted to credit and risk functions.
  • No use of credit scores for marketing segmentation without explicit consent.
  • Borrower notified of adverse credit decision; right to challenge and seek explanation.
  • Credit bureau data retained only for the period needed for credit assessment; deleted thereafter.
Sample Clause

"Credit score data and credit bureau reports shall be used solely for the purposes of credit assessment and risk management. Where a lending decision adverse to the applicant is made based wholly or partly on credit score data, the applicant shall be informed of this and provided the right to seek an explanation and request human review."

10
Account Aggregator (AA) Consent Policy
HighConsentProduct / Compliance
PurposeGovern all data sharing under the RBI Account Aggregator framework, ensuring FIP/FIU consents are properly obtained, stored and revocable.
ScopeAll AA-based data flows including FIP data sharing and FIU data consumption for lending, insurance and investment products.
Key Requirements
  • Separate consent artefacts for lending, insurance and investment products — bundling prohibited.
  • Consent revocation propagated to all FIU partners within 2 hours via AA framework.
  • Data received via AA used only for the consented purpose; no secondary use permitted.
  • AA consent records linked to DPDPA consent register for dual-compliance tracking.
Sample Clause

"Data received through the Account Aggregator framework shall be used solely for the specific financial product purpose for which consent was granted. Consent for different financial products shall be obtained separately. Consent revocation through the AA framework shall be implemented within 2 hours of the data principal's request."

11
AI / ML Model Governance & Explainability Policy
HighAIRisk / DPO
PurposeEnsure AI/ML models used for credit decisioning and fraud detection are transparent, auditable and non-discriminatory.
ScopeAll AI/ML models using personal financial data to produce credit scores, fraud flags or automated lending decisions.
Key Requirements
  • Disclose automated decision-making to data principal; provide right to human review of any adverse decision.
  • Explainability documentation for every model using personal financial data.
  • Annual bias audit for credit scoring models; non-discriminatory outcomes verified.
  • Model governance register maintained; DPO and Risk co-sign each model deployment.
Sample Clause

"Where a credit or lending decision is made wholly or partly through automated means, the data principal shall be informed of this and shall have the right to request review by a human officer. The organisation shall maintain documentation explaining the key factors that influenced any automated credit decision."

12
SEBI Investor & Securities Data Policy
HighRegulatoryCompliance
PurposeGovern investor personal data in compliance with SEBI regulations on investor data protection, KRA requirements and DPDPA 2023.
ScopeAll stockbrokers, mutual fund platforms, investment advisers and registered investment entities handling investor personal data.
Key Requirements
  • Investor data purpose-limited to investment services and statutory SEBI reporting.
  • No use of portfolio data for marketing financial products without explicit consent.
  • KYC data shared with KRAs only; no additional third-party sharing without investor consent.
  • SEBI circular compliance on investor data documented in DPR alongside DPDPA legal basis.
Sample Clause

"Investor personal data including portfolio holdings, transaction history and KYC information shall be used solely for providing investment services and for statutory reporting to SEBI and other regulatory bodies. Portfolio data shall not be used to market financial products to the investor without their explicit consent."

13
Insurance & IRDAI Data Governance Policy
HighRegulatoryCompliance
PurposeAlign policyholder data handling with IRDAI data governance guidelines and DPDPA 2023, preventing discriminatory underwriting use of health data.
ScopeAll insurance entities, TPAs and aggregators handling policyholder, claims and underwriting data.
Key Requirements
  • Policyholder data purpose-limited to policy issuance, renewal, claims and statutory IRDAI reporting.
  • Health underwriting data requires separate explicit consent; cannot be used for non-insurance purposes.
  • Claims data retained for statutory dispute window; deleted post-settlement.
  • Bima Sugam and aggregator data flows covered by DPAs prohibiting data monetisation.
Sample Clause

"Policyholder health data used for underwriting shall be collected under separate explicit consent and used solely for the purposes of insurance underwriting and claims management. This data shall not be shared with any non-insurance entity or used for marketing, profiling or any purpose beyond the insurance relationship."

14
Open Banking & API Partner Data Policy
HighTechnologyCTO / Legal
PurposeGovern financial data flows through API partnerships, ensuring data minimisation at gateway level and consent propagation to all fintech partners.
ScopeAll open banking APIs, fintech partner integrations, OAuth-based data sharing and API gateway deployments.
Key Requirements
  • API gateway enforces data minimisation; partner APIs return only fields within DPA scope.
  • OAuth 2.0 / FAPI-compliant token scopes mapped to DPDPA consent purposes.
  • Fintech partner security assessment and DPA execution before API key issuance.
  • Consent revocation propagates to all API partners within 2 hours via webhook.
Sample Clause

"API responses to fintech partner applications shall be restricted to the minimum data fields required for the specific purpose authorised under the Data Processing Agreement. Consent revocation by a data principal shall be propagated to all connected API partners within 2 hours through the consent revocation webhook."

15
Cross-Border Financial Data Transfer Policy
HighTransferLegal / Compliance
PurposeGovern cross-border transfers of financial personal data via SWIFT, card networks and offshore processors, reconciling RBI localisation with DPDPA Section 16.
ScopeAll offshore financial data processing including SWIFT, Visa/Mastercard networks, correspondent banking and offshore cloud services.
Key Requirements
  • SCCs executed with all overseas processors outside the DPDPA whitelist.
  • RBI localisation requirements take precedence; DPDPA compliance applied in addition.
  • Transfer register maintained; updated within 7 days of any new offshore processing arrangement.
  • Parallel breach reporting to DPBI + RBI/SEBI within respective timelines on any breach involving cross-border data.
Sample Clause

"Financial personal data transferred to overseas processors for payment processing or correspondent banking shall be covered by Standard Contractual Clauses unless the destination country is on the MeitY-approved whitelist. All such transfers shall comply with RBI data localisation requirements in addition to DPDPA Section 16."

16
Payment Gateway & Tokenisation Vendor Policy
HighVendorCTO / Legal
PurposeGovern onboarding and oversight of payment gateway vendors and tokenisation service providers to ensure DPDPA and PCI-DSS joint compliance.
ScopeAll payment gateway integrations, tokenisation service providers and acquirer bank relationships.
Key Requirements
  • All payment gateway DPAs include breach notification SLA of 4 hours; audit rights; data deletion on termination.
  • PCI-DSS QSA reports required annually from all gateway vendors.
  • No gateway vendor may store raw card credentials; tokenisation verified at onboarding.
  • Gateway API logs retained for minimum 1 year; accessible to organisation for fraud investigation.
Sample Clause

"Payment gateway vendors shall be required to provide an annual PCI-DSS QSA assessment report confirming their compliance status. Gateways shall not store raw card numbers and shall notify the organisation of any security incident affecting payment data within 4 hours of discovery."

17
Customer Financial Data Portability Policy
HighRightsDPO / Product
PurposeEnable customers to receive portable copies of their financial data and facilitate account switching in alignment with DPDPA portability rights and RBI account portability norms.
ScopeAll customer-facing banking, lending, investment and insurance systems holding transaction or account data.
Key Requirements
  • Portable financial data package: account summary, transaction history (3 years), loan statements, investment summary.
  • Delivered within 72 hours of verified request via secure, encrypted download link.
  • Format: machine-readable JSON or structured CSV; compatible with common financial import standards.
  • Portability mechanism tested quarterly; format follows MeitY and RBI notified standards.
Sample Clause

"Upon request, the organisation shall provide the customer with a portable copy of their financial data including account statements, transaction history for the preceding 3 years, and loan account summaries in a machine-readable format within 72 hours. The portable data shall be delivered through a secure, time-limited download link."

18
Crypto / VDA & Emerging Fintech Data Policy
MediumDataDPO / Compliance
PurposeGovern personal data collected by crypto, Web3 and emerging fintech platforms in compliance with DPDPA, applying financial data protections to VDA transaction data.
ScopeAll Virtual Digital Asset platforms, DeFi services and co-branded fintech products operating in India or serving Indian users.
Key Requirements
  • Crypto wallet and transaction data mapped as financial personal data; AES-256 encryption and access controls applied.
  • VDA tax reporting data retained only for statutory tax period; separate consent for any analytics use.
  • Web3 platforms serving Indian users: DPDPA applies; India representative appointed if offshore.
  • Co-branded product data: separate consent artefact per product.
Sample Clause

"Virtual Digital Asset transaction data, wallet addresses and associated personal data shall be classified as financial personal data under DPDPA 2023 and shall be subject to the same security and access controls as other financial data. VDA tax reporting data shall be retained only for the statutory period under the Income Tax Act."

19
BNPL & Credit Product Data Sharing Policy
MediumFinancialFinance / Legal
PurposeGovern personal and financial data flows for Buy Now Pay Later and consumer credit products, ensuring credit bureau sharing is consented and purpose-limited.
ScopeAll BNPL platforms, consumer EMI products, credit card co-brands and digital credit schemes.
Key Requirements
  • Explicit consent required before sharing repayment data with any credit bureau.
  • BNPL data purpose-limited to credit management; no marketing use without separate consent.
  • Late payment data shared only with bureaus; not with retailers, advertisers or data brokers.
  • Credit product terms must disclose all third-party data sharing in plain language before product acceptance.
Sample Clause

"Before sharing any customer repayment data with a credit bureau, the organisation shall obtain the customer's explicit consent. BNPL transaction and repayment data shall be used solely for credit risk management. Late payment information shall not be shared with merchants, advertisers or any third party other than licensed credit bureaus."

20
Fintech Vendor & Third-Party API Policy
HighVendorCTO / Legal
PurposeGovern all third-party API integrations used to enhance fintech products, ensuring DPAs, security assessments and consent flows are in place before any data sharing begins.
ScopeAll third-party API integrations including bureau APIs, insurance APIs, wealth management APIs and data enrichment services.
Key Requirements
  • DPA executed with every API vendor before integration goes live.
  • API vendor security assessment: penetration test evidence or SOC 2 certification required.
  • Data minimisation enforced at the API gateway layer; no excess fields returned.
  • All API integrations registered in the DPR with purpose and data categories documented.
Sample Clause

"No third-party API integration shall be authorised to access customer personal data without a signed Data Processing Agreement and a satisfactory security assessment. API responses shall be filtered at the gateway to return only the minimum data fields required for the stated purpose. All API integrations shall be registered in the Data Processing Register."

Healthcare & HealthTech

Hospitals / Labs / Telemedicine20 Policies · 7 Critical · 11 High · 2 Medium

The 6 priority Healthcare policies are shown expanded in the main dashboard Policy Register tab. All 20 are listed here — click to expand each for full content.

1
Patient Data Governance & Classification Policy
CriticalDataDPO / CMO
PurposeClassify all patient health data under the appropriate sensitivity tier and apply corresponding security and consent controls throughout the data lifecycle.
Key Requirements
  • Tier 1: genetic, biometric, mental health, HIV, addiction data — HSM key management, zero-trust access.
  • Tier 2: EHR, prescriptions, lab reports — AES-256 at rest; TLS 1.3 in transit.
  • Tier 3: administrative/billing data — standard encryption with RBAC.
  • Every Tier 1 access triggers automated DPO alert; weekly access report reviewed.
Sample Clause

"Health data shall be classified into three tiers based on sensitivity. Tier 1 data including genetic information, biometric identifiers, mental health records and HIV status shall be processed only with explicit consent and stored with the highest available encryption standard. Every access to Tier 1 data shall be logged and reported to the DPO."

2
Health Records Retention Policy (NMC / NABH)
CriticalLifecycleLegal / DPO
PurposeReconcile statutory medical record retention with DPDPA erasure rights, establishing a clear priority hierarchy and patient communication protocol.
Key Requirements
  • NMC: 3-year minimum retention for adult records; 3 years after majority for minors.
  • NABH accreditation: 5-7 years for clinical records.
  • Erasure requests within statutory window: communicate legal hold in writing within 14 days.
  • Non-statutory data deleted immediately on erasure request.
Sample Clause

"Where a patient requests erasure and records are subject to NMC or NABH statutory retention, the organisation shall communicate the specific legal basis for retaining the data, the expected retention end date, and confirm that all non-statutory data has been deleted immediately."

3
Patient Consent Architecture Policy
CriticalConsentCMO / Legal
Key Requirements
  • Treatment, research and insurance sharing consents are three separate artefacts — bundling prohibited.
  • Blanket admission-form waivers prohibited; each purpose requires individual consent.
  • Telemedicine: separate consent for session recording and AI transcription before session.
  • Emergency treatment: exempt from consent; exemption documented immediately after.
Sample Clause

"Consent for use of patient health data for research shall be obtained separately from treatment consent. A patient's refusal to consent to research shall not affect the quality of clinical care. Insurance sharing requires a separately signed consent form distinct from all other consents."

4
Medical Emergency Processing Exemption Policy
CriticalLegal BasisLegal / DPO
Key Requirements
  • Emergency processing ceases the moment the emergency resolves; documented case-by-case.
  • Treating clinician documents the emergency basis within 4 hours of commencing treatment.
  • Patient informed of data processed under emergency exemption at the earliest opportunity.
  • Emergency exemption cannot be used to share data with insurers or third parties commercially.
Sample Clause

"Where health data is processed for emergency medical treatment without prior consent, the treating clinician shall document the emergency within 4 hours. Processing under this exemption shall cease when the emergency resolves. The patient shall be informed of what data was processed at the earliest practicable opportunity."

5
Laboratory & Pathology Data Governance Policy
CriticalDataLab Head / DPO
Key Requirements
  • Lab reports and DICOM radiology images encrypted at rest; patient-controlled access via secure portal.
  • Reference lab DPAs include strict purpose limitation; no secondary analytics on patient samples.
  • NABL accreditation data uses anonymised patient samples only.
  • Home collection visit location deleted post-result delivery.
Sample Clause

"Laboratory test reports shall be accessible only to the ordering physician and the patient through a secure portal. Reference laboratories receiving patient samples shall be bound by DPAs prohibiting secondary analytics use of patient data. NABL accreditation reports shall contain only anonymised quality data."

6
Health Insurance & TPA Data Sharing Policy
CriticalVendorFinance / DPO
Key Requirements
  • TPA data: diagnosis code, treatment code and billed amount only — no full clinical notes.
  • Insurance underwriting using health data requires separate explicit consent.
  • Claim rejection reason not shared with other insurers without patient consent.
  • Pre-authorisation data deleted 30 days after claim resolution.
Sample Clause

"Data shared with Third-Party Administrators shall be limited to: patient name, policy number, diagnosis code (ICD-10), treatment code and billed amount. Full clinical notes, investigation reports and medical history shall not be shared with TPAs without specific patient consent."

7
Mental Health & Genetic Data Protection Policy
CriticalDataDPO / CMO
Key Requirements
  • Segregated Tier 1 system; separate HSM-managed encryption keys.
  • No sharing with insurers for underwriting without separate explicit consent.
  • Genetic data: no use for employer screening or insurance underwriting under any circumstance.
  • Every access triggers real-time DPO alert; weekly access report reviewed.
Sample Clause

"Mental health records, genetic data, HIV status and addiction treatment records shall be stored in a segregated environment with access restricted to the treating clinical team. These records shall not be disclosed to any insurer, employer or third party without the patient's explicit, written and separately obtained consent."

8
Telemedicine Data & Recording Policy
HighTechnologyCMO / DPO
Key Requirements
  • Separate consent for consultation, AI transcription and session recording — obtained before the session starts.
  • Session recordings end-to-end encrypted; stored in India; deleted after 90 days unless clinically required.
  • AI diagnostic outputs: physician must review and confirm before any action is taken.
  • Telemedicine Act 2020 and DPDPA obligations documented as dual-compliance in DPR.
Sample Clause

"Before any telemedicine session is recorded or AI-transcribed, the patient shall be informed and their explicit consent obtained. Session recordings shall be end-to-end encrypted, stored in India and deleted 90 days after the session unless the clinician certifies they are required for ongoing care."

9
Research, Clinical Trials & CRO Data Policy
HighResearchResearch / DPO
Key Requirements
  • ICMR ethics committee approval mandatory before any research using identifiable patient data.
  • Data anonymised or pseudonymised before sharing with CROs and pharma partners.
  • Cross-border research transfers: MeitY whitelist compliance or SCCs required.
  • Research data not used for commercial product development without separate patient consent.
Sample Clause

"Patient data shared with clinical research organisations for research purposes shall be anonymised or pseudonymised before sharing. All research involving identifiable patient data shall require prior approval from the ICMR Ethics Committee and separate research consent from the patient."

10
ABHA / ABDM Health ID Integration Policy
HighRegulatoryIT / Compliance
Key Requirements
  • ABDM consent artefacts obtained per-document; no bulk data pull without per-request consent.
  • ABHA-linked data subject to DPDPA controls in addition to NHA guidelines.
  • No aggregation of ABHA-linked records beyond what the patient's consent artefact authorises.
  • ABDM consent manager linked to the national health consent gateway.
Sample Clause

"Access to a patient's health records through ABHA requires consent through the ABDM-certified consent manager for each health record accessed. The organisation shall not access, aggregate or store ABHA-linked records beyond the scope authorised by the patient's consent artefact."

11
Pharmacy & Drug Dispensing Data Policy
HighDataPharmacy Head / DPO
Key Requirements
  • Prescription data not shared with pharma companies for marketing without explicit patient consent.
  • e-Pharmacy platforms: MoHFW guidelines plus DPDPA dual compliance.
  • Subscription medication: separate consent per medication; withdrawal triggers profile deletion.
  • Pharmacovigilance reports: patient data anonymised before CDSCO submission.
Sample Clause

"Prescription data shall not be used for pharmaceutical marketing or shared with drug manufacturers without the patient's explicit consent. Pharmacovigilance and adverse event reports submitted to CDSCO shall contain no identifiable patient information."

12
ICMR Ethics Committee & Anonymisation Policy
HighResearchResearch / DPO
Key Requirements
  • ICMR EC approval: mandatory before any identifiable health data used in research.
  • Anonymisation standard: k-anonymity ≥ 5 for any published research dataset.
  • Re-identification risk assessment before any dataset released; datasets above threshold re-pseudonymised.
  • EC approval records retained for the life of the research project plus 5 years.
Sample Clause

"All research using identifiable patient data shall obtain prior approval from the ICMR Ethics Committee. Patient data used in published research shall be anonymised to at least k=5 anonymity. Re-identification risk assessment shall be conducted before any dataset is released to external researchers."

13
AI Diagnostics Governance & Explainability Policy
HighAICMO / DPO
Key Requirements
  • AI diagnostic outputs require physician review and confirmation before clinical action.
  • Explainability documentation for all AI models using patient data; updated on model change.
  • Patient informed when AI is used in their diagnosis; right to request non-AI review.
  • AI model training data anonymised; no identifiable patient data used for training without separate consent.
Sample Clause

"AI-generated diagnostic outputs shall not be acted upon without review and confirmation by a qualified clinician. Patients shall be informed when AI systems contribute to their diagnosis and shall have the right to request that their case be reviewed without AI assistance."

14
Cross-Border Health Data Transfer Policy
HighTransferLegal
Key Requirements
  • Health data transfers: MeitY whitelist or SCCs; no transfer to countries without adequate health data protection.
  • Patient explicit consent for cross-border sharing; general treatment consent insufficient.
  • DISHA draft act provisions monitored; controls updated when enacted.
  • Transfer register for health data maintained separately; reviewed quarterly by DPO and CMO.
Sample Clause

"Patient health data shall not be transferred to any country outside India without the patient's explicit consent and compliance with DPDPA Section 16. Where the destination country is not on the MeitY whitelist, Standard Contractual Clauses covering health data shall be executed before any transfer."

15
Wearable & Remote Monitoring Data Policy
HighTechnologyDPO / CTO
Key Requirements
  • Patient owns their wearable data; consent obtained at device registration for each collection purpose.
  • Real-time remote monitoring data: encrypted in transit; stored in India; patient controls deletion.
  • Wearable vendor DPAs include prohibition on selling patient data to insurers or pharma.
  • Data from wearables not shared with employers or insurers without separate explicit consent.
Sample Clause

"Data collected from wearable health devices shall be owned by the patient and shall be used only for the clinical purpose for which the monitoring was initiated. This data shall not be shared with employers, insurers or pharmaceutical companies without the patient's separate explicit written consent."

16
AYUSH & Traditional Medicine Data Policy
MediumDataDPO
Key Requirements
  • AYUSH treatment records classified as health data under DPDPA; same protections as allopathic records.
  • Online wellness platforms collecting health questionnaires: separate explicit consent required.
  • MoAYUSH portal: ministry obligations aligned with DPDPA; no commercial secondary use.
  • Yoga and wellness app data: full disclosure; user controls deletion without losing history.
Sample Clause

"Treatment records for Ayurveda, Yoga, Naturopathy, Unani, Siddha and Homeopathy shall be classified as health data under DPDPA 2023 and shall be subject to the same consent, access and deletion controls as allopathic medical records."

17
Mortality & Death Records Handling Policy
MediumLifecycleLegal / DPO
Key Requirements
  • Deceased patient data: DPDPA applies until irreversibly anonymised; nominee or legal heir exercises rights.
  • Cause of death: disclosed only to registered nominees, legal heirs or authorities with documented lawful basis.
  • Research using mortality data: IRB ethics approval; data anonymised; re-identification prohibited.
  • Post-mortem records: law enforcement access on court order only.
Sample Clause

"Following a patient's death, the patient's personal health data shall be accessible only to the registered nominee or legal heir. Cause of death and post-mortem records shall be disclosed to third parties only upon presentation of a court order or verified proof of legal heirship."

18
Hospital Vendor & Third-Party Data Policy
HighVendorProcurement / DPO
Key Requirements
  • DPAs with all hospital IT vendors, EHR vendors, billing systems and diagnostic equipment suppliers.
  • No patient data accessible to vendors without DPA; access logged and monitored.
  • Vendor security assessments annual; access revoked immediately on contract termination.
  • All vendor staff with patient data access required to sign NDAs and complete DPDPA training.
Sample Clause

"No third-party vendor shall access patient personal data without a signed Data Processing Agreement. All vendor personnel with access to patient data shall complete mandatory DPDPA and health data privacy training before access is granted. Access shall be revoked within 24 hours of contract termination."

19
Patient Rights & Grievance Policy
HighRightsDPO / Patient Relations
Key Requirements
  • Patient rights portal: access, correction, erasure and nomination requests available online and at reception.
  • Access request: medical record summary within 72 hours of verified identity.
  • Grievance acknowledgement within 48 hours; resolution within 30 days.
  • DPBI escalation path communicated to patient in all grievance acknowledgement letters.
Sample Clause

"Patients may exercise their data protection rights by submitting a request through the hospital's patient rights portal, at the patient relations desk, or by writing to the DPO. The hospital shall acknowledge grievances within 48 hours and resolve them within 30 days. Unresolved grievances may be escalated to the Data Protection Board of India."

20
DISHA & National Health Data Policy Alignment
HighRegulatoryLegal / DPO
Key Requirements
  • DISHA draft provisions monitored; internal gap analysis conducted every 6 months.
  • All DPDPA controls tagged with future DISHA applicability status in the DPR.
  • NHA digital health policy requirements mapped against current controls.
  • Legal opinion obtained on DISHA applicability scope when the Act is enacted.
Sample Clause

"The organisation shall monitor the progress of the Digital Information Security in Healthcare Act (DISHA) and shall conduct an internal gap analysis within 90 days of enactment. All DPDPA-compliant health data controls shall be reviewed for DISHA alignment and updated as required."

E-Commerce & Retail

Marketplace / D2C / ONDC20 Policies — see dashboard Policy Register for full content

All 20 E-Commerce policies with full content (purpose, scope, requirements, sample clauses) are available in the main dashboard → Policy Register → E-Commerce tab. The 20 policies cover: Behavioural Profiling, Cookie & Tracking, Children's Data, Payment Tokenisation, Dark Patterns, Marketplace Seller, Consumer Protection Rules, Cross-Border Commerce, Subscription Billing, Anti-Fraud, ONDC Network, Social Commerce, Loyalty/Referral, BNPL, Returns/Refunds, UGC/Reviews, Delivery Partner, Recommendation Algorithm, Account Deletion, Abandoned Cart Retention.

EdTech Platforms

Learning / Exams / Schools20 Policies — see dashboard Policy Register for full content

All 20 EdTech policies cover: Student Data Protection, Parental Consent, Anti-Profiling (Minors), Online Proctoring, Competitive Exam Data, EdTech Vendor/Ad-Tech, Breach Response, Learning Analytics, Video Recording, School Partnerships, AI Learning Tools, Student Loans, International Students, Assessment/Certification, Teacher/Faculty Data, Account Deletion, NEP 2020 Alignment, Parental Transparency, Disability Data, Student Grievance.

Telecom & ISP

TSP / ISP / Mobile Operators20 Policies — see dashboard Policy Register for full content

All 20 Telecom policies cover: CDR & Network Data, Location Tracking, SIM KYC, Lawful Interception, Dual Breach Reporting (DoT+DPBI+CERT-In), TRAI Compliance, Telecom Act 2023, Subscriber Rights Portal, IPDR Retention, VAS/OTT Consent, Subscriber Consent, International Roaming, Mobile Money/UPI, Emergency Services, 5G/Edge Computing, Network Security Logs, Anti-SPAM, Subscriber Portability, SIM Swap Fraud, Tower/Infrastructure Data.

Government & Public Sector

PSE / e-Gov / Welfare20 Policies — see dashboard Policy Register for full content

All 20 Government policies cover: Sovereign Function Exemption, Section 17 Exemptions Governance, Citizen Data Governance, Inter-Departmental Sharing, Aadhaar Integration, National Security Boundaries, Sovereign Cloud, Law Enforcement Disclosure, e-Gov Vendor Onboarding, Citizen Rights & Grievance, Welfare Scheme Minimisation, MeitY CSCRF, Public Procurement, DigiLocker/UMANG, DBT Data, Census/Population, e-Gov Portal Notice, Citizen Biometric Data, Government AI Policy, CERT-In Compliance.

SaaS & IT Services

Cloud / SaaS / Processors20 Policies — see dashboard Policy Register for full content

All 20 SaaS policies cover: Multi-Tenant Isolation, Sub-Processor Management, Customer DPA Template, Cross-Border Transfer Assessment, Breach Detection & Notification, Incident Classification Matrix, Customer Offboarding & Deletion Certificate, Employee Access to Customer Data, DevSecOps/Secure SDLC, API Security, SOC 2/ISO 27001 Maintenance, Privacy by Design, AI-SaaS Model Training, Privacy Engineering Controls, Tenant Data Portability, Vulnerability Management, Data Residency, Third-Party SDK Governance, Synthetic Test Data, Logging & Audit Trail Retention.

Manufacturing & Industrial

Factory / OT / Industrial IoT20 Policies — see dashboard Policy Register for full content

All 20 Manufacturing policies cover: Employee Biometric Data, Biometric Offboarding Deletion, OT/SCADA Network Security, Contract Worker/Agency Staff, CCTV & Surveillance, Workforce Monitoring/GPS, IoT Device Governance, Smart Product/Connected Device, Third-Party IoT Vendor, Factory Access Control Data, Employee Health & Safety, Migrant/Contractual Labour, Supply Chain/Supplier Data, Customer/Dealer Data, Warranty/After-Sales, Industrial Safety/Incident, Environmental Monitoring, Product Registration, B2B Contact Data, Plant/OT System Governance.

HRMS & Recruitment Platforms

HR / Payroll / Talent20 Policies — see dashboard Policy Register for full content

All 20 HRMS policies cover: Employee Data Lifecycle, Payroll & Financial Data, Employee Health/Wellness/EAP, Employee Biometric Data, Union/Grievance/Collective Bargaining, Whistleblower Confidentiality, Recruitment & Candidate Data, BGV Vendor Policy, Performance Management/PIP, AI Hiring Tools, Diversity/Equity/Inclusion, Third-Party HR Vendors, Employee Monitoring/Surveillance, Gig/Freelancer/Contract Worker, Employee Data Portability, DPDPA Rights & Training, Employee Benefits & Insurance, Travel/Expense/Corporate Card, Alumni/Former Employee, Contractor/Alumni Retention.

Need help closing these gaps?

CyberSigma delivers end-to-end DPDP Act compliance — gap assessment, DPIA, consent architecture, policy drafting and DPO-as-a-service — with CERT-In empanelled senior auditors.

Explore DPDP Compliance Services Take the 5-min DPDP Readiness Check

© CyberSigma Consulting Services LLP · Privacy Policy