DPDP Audit & Gap Assessment
A structured diagnostic of your current data-handling practices, mapped clause-by-clause against the Act and Rules. You receive a prioritised remediation roadmap with effort estimates.
Enacted 11 August 2023 · Draft DPDP Rules released for consultation 2025. A landmark reform of India's privacy landscape.
The Digital Personal Data Protection Act, 2023 is India's first standalone, comprehensive privacy statute. It governs how Data Fiduciaries — any entity determining the purpose and means of processing personal data — collect, store, use and share the digital personal data of Data Principals located in India.
With the Draft DPDP Rules and the constitution of the Data Protection Board of India, enforcement has arrived. Non-compliance can attract penalties up to ₹250 crore per instance. Beyond fines, the reputational and operational cost of a poorly handled breach is significant.
Applies to processing outside India if it relates to offering goods or services to Data Principals within India.
Free, specific, informed, unconditional and unambiguous consent — with a clear, itemised purpose notice.
Access, correction, erasure, grievance redressal and the right to nominate — all operational and time-bound.
Significant Data Fiduciaries face enhanced duties: DPIAs, independent audits and a dedicated Data Protection Officer.
Six focused services covering the entire compliance lifecycle — from diagnosing where you stand today to running the programme on your behalf tomorrow.
Outsource your Data Protection Officer function to experienced practitioners. Suited for Significant Data Fiduciaries and mid-market firms that need competence without a full-time hire.
Plain-language, legally sound privacy notices, consent forms, vendor DPAs, retention schedules and internal policies — drafted for your specific business model and data flows.
Role-based training for boards, legal, product, engineering, HR and customer-support teams. Delivered in-person or virtual, with assessments, certificates and ongoing refreshers.
24×7 retainer for suspected breaches. We guide containment, forensic triage, regulator notification within statutory timelines and communications to affected Data Principals.
Discover, classify and document every flow of personal data across your systems, vendors and jurisdictions. The foundation of every downstream compliance obligation.
We don't sell templates. Every engagement starts with understanding your business, your data, and your regulatory exposure — then builds outward from there.
Stakeholder interviews, systems walkthrough, vendor review and a preliminary data-flow map. We learn how data actually moves through your organisation — not how the org chart says it does.
Clause-by-clause evaluation of current practices. You receive a heat-mapped report identifying legal, operational and technical gaps, with each finding rated by severity and remediation effort.
Drafting of policies, consent architecture, DPIA frameworks, vendor contracts and grievance mechanisms. Training rolled out to relevant teams. Technical controls implemented alongside your engineering partners.
Quarterly reviews, DPO support, incident response readiness, regulator liaison, and an audit-ready evidence trail. Compliance is a posture, not a project.
Our clients range from venture-backed startups preparing for scale, to listed enterprises with complex group structures, to global firms serving Indian users.
Banks, insurers, fintechs and NBFCs handling large volumes of financial personal data.
B2B and B2C platforms, analytics firms, AI companies, and anyone processing at scale.
Hospitals, diagnostic chains, telemedicine and pharma — where sensitive health data is central.
Direct-to-consumer brands, marketplaces and hospitality — handling rich behavioural data.
Non-Indian companies offering goods or services to data principals within India.
Products serving minors — subject to stricter consent, verification and processing rules.
HR tech, background verification firms, and large employers processing workforce data.
Founders building compliant from day one — avoiding costly retrofits at Series B.
There is a narrow window between now and active enforcement. The organisations that use it well will find compliance a competitive asset, not a cost centre.
If your question isn't here, a 30-minute introductory consultation is the fastest way to get a clear answer on your specific situation.
The Act received Presidential assent on 11 August 2023. Different provisions are being notified in phases. The Draft DPDP Rules, released for public consultation in 2025, operationalise the statute — and once finalised, most substantive obligations will have a short transition window. Treating compliance as urgent is now appropriate.
Yes. The Act applies to any Data Fiduciary processing digital personal data, with no blanket turnover or headcount exemption. Certain obligations are eased for startups via notification, but the baseline duties — consent, purpose limitation, security, breach notification, grievance redressal — apply to almost everyone.
Both are consent-centric and rights-based, and a mature GDPR programme is a strong starting point. But the DPDP Act has distinctive features: the Consent Manager framework, specific rules for children and persons with disabilities, a dedicated Data Protection Board, and different cross-border transfer mechanics. Mapping, not copy-pasting, is required.
The Act prescribes financial penalties up to ₹250 crore for certain breaches (e.g. failure to take reasonable security safeguards). The Data Protection Board of India adjudicates. Beyond fines, the reputational damage, operational disruption and civil exposure from a poorly handled incident typically exceed the statutory penalty.
A DPO is mandatory for Significant Data Fiduciaries (to be notified by the Central Government based on volume, sensitivity, risk and other factors). Even non-SDFs benefit from a designated, competent point of contact for Data Principal queries and regulator interaction. Our DPO-as-a-Service is built for exactly this.
For a typical mid-market organisation, a focused gap assessment takes 3 to 6 weeks depending on complexity, number of business units, and vendor ecosystem. We can accelerate on request — and for very small teams, we offer a condensed 10-day diagnostic.
A confidential, no-obligation 30-minute consultation. We'll help you understand where you stand and what your next three steps should look like.