AMLEGALSDPDPA
AMLEGALS  ·  Data Privacy Practice  ·  India

The DPDPA is law.
The question is no longer
whether it applies to you.

India’s Digital Personal Data Protection Act 2023 applies to every organisation — Indian or foreign — that processes the personal data of an individual in India. The Data Protection Board is operational. Maximum penalty: up to ₹250 Crores per violation. The only remaining question is whether your organisation is legally ready.

The Man Behind This Practice
Doctrine I
Vibe Data Privacy™
Doctrine II
DPDPA Resilience Doctrine
28+
Years of Legal Practice
10
Offices Across India
8
DPDPA Specialists
₹250Cr
Maximum Penalty Per Violation
6
Jurisdictions — GDPR to DPDPA
Day 1
Obligation begins the moment you process Indian data
DPDP Rules
Notified 13 November 2025 — operative law
DPB Active
Data Protection Board processing complaints
Extra-Territorial
Section 3(a) — applies regardless of incorporation
One Firm
Specialist — not a practice group. A purpose.
The Strategic Position

The problem every
organisation with Indian data faces.

The Problem

Most organisations are not ready. Most do not know it.

!
The DPDPA applies from the moment of processing — not from the moment of registration with an authority. There is no grace period for ignorance.
!
Privacy policies, cookie banners and vendor contracts written before August 2023 do not satisfy the DPDP Rules 2025. They have never been reviewed against the statute.
!
Significant Data Fiduciary classification — with its additional DPO, DPIA and audit obligations — is determined by the Central Government, not by the organisation’s own assessment of its risk.
!
Foreign companies processing Indian data from outside India are in scope. Section 3(a) does not require a physical presence or a registered entity.
The Answer

Specialist legal advice. Not a compliance checklist.

A legal opinion on whether and how the DPDPA applies to your specific fact pattern — not a generic assessment based on industry category.
Consent architecture that satisfies Rule 3 of the DPDP Rules 2025 — the prescribed format, the required content, the withdrawal mechanism and the record.
Data processor agreements with every vendor processing Indian personal data — drafted to the statute, not to a generic template borrowed from a GDPR playbook.
Regulatory defence before the Data Protection Board when proceedings are initiated — because the first enforcement actions will define the standard for a decade.
Doctrine I — Proprietary Framework

Vibe Data Privacy™
Compliance that is alive.
Not archived.

Most compliance programmes are built to survive an audit. Vibe Data Privacy™ is built to survive enforcement — the difference between a document stack and a functioning legal state. Developed by Anandaday Misshra. Deployed by AMLEGALS. Proprietary to this practice.

Five Layers. One Continuous System.
In the era of infinite data, the law is the only valid firewall. Vibe Data Privacy™ hard-codes the statute into your system architecture — so compliance is not a posture you adopt before an audit. It is a state your organisation lives in permanently. Anandaday Misshra  ·  Founder, AMLEGALS
01
Statutory Mapping
Every processing activity traced to its statutory basis. A Statutory Gap Matrix — not a questionnaire. The forensic audit of your data architecture against Section 8 through 12 of the DPDPA and every rule thereunder.
02
Consent Architecture
Rule 3 of the DPDP Rules 2025 prescribes the form and content of consent notice. We design consent mechanisms that satisfy the prescribed standard and are technically implementable by your product team — not retrofitted after launch.
03
Governance Design
Board accountability. DPO appointment. Governance frameworks that survive personnel changes. Not a policy PDF — a functioning accountability structure that a DPB investigation would find operative, not aspirational.
04
Technical Integration
Legal compliance that exists in documents but not in systems is a liability. We work alongside your engineering teams to embed the legal framework into the actual architecture of the systems that process personal data.
05
Continuous Intelligence
The DPB is newly constituted. Its enforcement practice will define compliance standards for a decade. AMLEGALS monitors every DPB development, regulatory notification and enforcement trend — and adjusts your programme before you need to.
Doctrine II — AMLEGALS

DPDPA Resilience Doctrine
Build for the decade.
Not the audit quarter.

Articulated by Anandaday Misshra. The conviction that an organisation’s data privacy programme must withstand whatever the Data Protection Board’s enforcement practice produces over the next ten years — not merely satisfy today’s audit standard.

I
Build for Trajectory
The law as it stands today is the starting point. Restricted-destination notifications, SDF classifications, and additional Central Government regulations will follow. Every AMLEGALS programme is built to absorb them without reconstruction.
“Today’s compliance posture must accommodate tomorrow’s enforcement priority.”
II
Governance Over Documentation
Documents can be updated. Governance structures survive the updates. An organisation with embedded board accountability, clear DPO ownership and operational procedures will adapt to regulatory change. One with only a privacy policy will not.
“A policy in a folder is not a compliance programme. It is a defence exhibit.”
III
Enforcement Learns. So Must the Programme.
The DPB will develop interpretive positions, enforcement priorities and sanction norms over the coming years. The organisation that monitors those developments and adjusts proactively will not be surprised by them. AMLEGALS monitors continuously.
“The first DPB enforcement decisions will define compliance for a generation.”
IV
Legal Certainty is the Product
A board cannot make decisions on qualified opinions and hedged assessments. Every AMLEGALS opinion is precise, every position is defensible, and every answer to a specific legal question is an answer — not a list of considerations for the client to resolve.
“Precision is not a premium. It is the minimum standard of legal advice.”
The Founding Partner
Anandaday Misshra
AM
FDPPI — Ahmedabad Chapter President
28+ Years Legal Practice
HKU International Podcast — EU AI Act & DPDPA
MeitY Closed Room Advisory 2024
35,000+ LinkedIn  ·  Vibe Data Privacy™ Newsletter
CIO  ·  ET  ·  Computerworld  ·  NDTV Profit

There are lawyers who advise on privacy.
There is the lawyer India’s enterprise ecosystem calls
when the statute must become a system.

Anandaday Misshra spent his first decade in the discipline most punishing of imprecision — GST litigation and tax law. He then moved through international commercial arbitration and technology regulation, accumulating the kind of legal judgment that only comes from years of advising at the point where legal questions have real financial consequences and where the quality of the advice determines the outcome.

When the DPDPA received Presidential assent in August 2023, he read it before most organisations knew it existed. He built AMLEGALS’ data privacy practice around a single conviction: this statute requires the depth of specialist legal advice, not the coverage of a compliance vendor. He built two proprietary doctrines — Vibe Data Privacy™ and the DPDPA Resilience Doctrine — that now govern how the practice is delivered to every client.

He taught himself to code and built multiple agentic AI applications. He has been quoted by CIO, Computerworld, Economic Times and NDTV Profit on the intersection of AI governance, national security and statutory protection. He records international podcasts with Hong Kong University. He writes weekly for 35,000 professionals on LinkedIn. He advised MeitY in closed-room discussions in 2024. He is the President of the FDPPI Ahmedabad Chapter. He is, by any objective measure, the most credentialed and most publicly engaged DPDPA specialist in India.

Data privacy is not a compliance checkbox. It is the new constitutional right of the digital Indian. And every organisation that touches that data has a legal duty it cannot delegate, delay or ignore. Anandaday Misshra  ·  Founder, AMLEGALS DPDPA
International Podcasts
Regulatory Ramblings  ·  Apple Podcasts
Respect Personal Data: India’s New DPDPA 2023
Host: Ajay Shamdasani
Regulatory Ramblings #51  ·  YouTube
The EU AI Act: Why It Matters for Asia and Beyond
Host: Ajay Shamdasani
Speaking Engagements
2026
Global AI, Cyber and Privacy ConfExAI Governance and Data Protection in Regulated Industries
New Delhi
2026
CIO and Computerworld Expert PanelAI Contracts, National Security and Ethical Boundaries
Global
2025
Dhirubhai Ambani University — School of LawExecutive Development Programme in Data Privacy and AI Law
Gujarat
2025
NLU JodhpurDPDPA Certification Programme
Jodhpur
2024
MeitY Closed Room DiscussionsData Privacy Framework for India — Policy Level Advisory
New Delhi
2024
IAPP Privacy ConferenceDPDPA Compliance Strategies for Enterprises
Global
2024
ByteBao UAENavigating Data Privacy in Emerging Technologies
UAE
CIO  ·  March 2026
“National security carve outs, classified programs, and sovereign immunity doctrines significantly weaken any attempt to challenge government use purely on ethical grounds. Unlike Europe, the United States does not yet have a binding federal AI law. Companies are operating more on self-imposed policy than statutory protection.”
On OpenAI’s US Defense AI Deal
Computerworld  ·  March 2026
“If Anthropic capitulates, it sets a precedent that commercial Acceptable Use Policies are waivable under government pressure, incentivising a race to the bottom where contractors abandon internal safety and human rights policies.”
On the Anthropic DoD Renegotiation
CIO  ·  March 2026
“Future AI agreements will be more explicit on permitted use, audit rights, model versioning, and liability allocation. Ethical commitments will increasingly be embedded as contractual risk management tools rather than moral vetoes.”
On the Future of AI Governance Contracts

Authoritative weekly analysis on DPDPA, GDPR, AI governance and cross-border data privacy. Read by General Counsels, DPOs, CISOs and compliance leaders across India and the GCC.

7,000+
Subscribers
35,000+
LinkedIn Followers
Follow on LinkedIn →
The Senior Team

The people who carry
the practice’s credibility.

Deepti Bhatia
DB
Deepti Bhatia
Senior Partner
CIPP/ECDPO-DAISO 27701-LIIAPP New Delhi Chair

Twenty years in BFSI compliance and risk. Chair, IAPP New Delhi Chapter — the world’s largest privacy professional body. Among the most credentialed data privacy practitioners in India. Advises at the intersection of financial sector depth and legal rigour.

D.S. Mahajani
DS
D.S. Mahajani
Senior Partner
AdvocateCost AccountantCompany Secretary30+ Years

Triple-qualified. Thirty years across Indirect Tax, Data Privacy and Corporate Law. Addresses the DPDPA not in isolation but in the full commercial context of how organisations actually operate — tax, secretarial compliance and privacy law unified.

Rohit Lalwani
RL
Rohit Lalwani
Associate Partner
DPDPATechnology LawCross Border TransfersDispute Resolution

A decade of DPDPA and technology law practice. End-to-end implementation, enterprise privacy audits, cross-border transfer frameworks. Bridges rigorous legal compliance with commercial practicality — the combination organisations actually need.

Mridusha Guha
MG
Mridusha Guha
Principal Associate
DPDPAAI GovernanceEmployment LawIPR

Data privacy, AI governance, employment law and intellectual property — a genuinely integrated practice. Advises on consent management, breach response and privacy-by-design. The rare practitioner who understands how AI systems are actually built.

Mayur Punjabi
MP
Mayur Punjabi
Senior Associate
Data PrivacyTechnology LawEmployment LawLabour Codes

Dual focus on data privacy and employment law — a combination that organisations managing both DPDPA employee data obligations and workforce compliance simultaneously find directly useful. Advises on technology contracts, privacy policies and regulatory queries.

Khilansha Mukhija
KM
Khilansha Mukhija
Associate
DPDPAPrivacy by DesignAI EthicsConsent Management

Compliance embedded in how systems are built — not appended after the fact. Practice covers algorithmic transparency, automated decision-making and responsible AI. Ensures technological innovation remains grounded in legal and ethical standards.

Industry Leadership
FDPPI
Ahmedabad Chapter
Anandaday Misshra is President of the FDPPI Ahmedabad Chapter — India’s foremost body for data protection professionals. Given by peers. Not claimed.
International Standing
IAPP New Delhi
Chapter Chair
Senior Partner Deepti Bhatia chairs the IAPP New Delhi Chapter of the world’s largest privacy professional organisation. A position of peer recognition.
Global Jurisdiction Coverage
GDPR · PDPL
DPDPA · PDPA
From the EU GDPR and Saudi PDPL to Singapore’s PDPA and India’s DPDPA — advisory across every framework governing India’s cross-border data flows.
Proprietary Framework
Vibe Data
Privacy™
The only proprietary five-layer DPDPA compliance methodology in the Indian market. Developed in-house. Deployed exclusively through AMLEGALS.
Global Reach

Six jurisdictions.
One unified advisory perspective.

Every framework that governs cross-border data flows involving India.

🇮🇳
India
DPDPA 2023
Core Practice
🇪🇺
European Union
GDPR
Core Practice
🇦🇪
Saudi Arabia
PDPL 2021
Active
🇦🇪
UAE
Federal Decree-Law 45
Active
🇬🇧
United Kingdom
UK GDPR
Active
🇸🇬
Singapore
PDPA 2012
Active
Pan-India Presence

Ten offices.
One standard of counsel.

Geography changes. The quality of counsel does not.

01 — Head Office
Ahmedabad
Gujarat
201-203, AMLEGALS, Westface, Near Baghban Party Plot, Zydus Hospital Road, Thaltej, Ahmedabad 380059
02 — Financial Capital
Mumbai
Maharashtra
Office No. 221, 2nd Floor, Old Bake House, Nagindas Master Road, Near Kalaghoda, Fort, Mumbai 400001
03 — Technology Hub
Bengaluru
Karnataka
Cinnabar Hills, Embassy Golf Links Business Park, Challaghatta, Bengaluru 560071
04 — Capital Office
New Delhi
Delhi
409, World Trade Centre, Babar Road, Connaught Place, New Delhi 110001
05 — Eastern Region
Kolkata
West Bengal
Level 11, GP, Godrej Genesis Building, Salt Lake, Sector V, Bidhannagar, Kolkata 700091
06 — Southern Region
Chennai
Tamil Nadu
47 and 95, B 14, PH1, ASTA AVM, P.V. Rajamannar Salai, KK Nagar, Chennai 600078
07 — Western Region
Pune
Maharashtra
91Springboard, Sky Loft, Creaticity Mall, Off Airport Road, Yerawada, Pune 411006
08 — Gujarat Regional
Surat
Gujarat
B 502, Shreeji Arcade, Anand Mahal Road, Adajan, Surat, Gujarat
09 — Gujarat Regional
Vadodara
Gujarat
AMLEGALS, Race Course Circle, Vadodara, Gujarat
10 — UP Office
Prayagraj
Uttar Pradesh
60 Feet Road, Zero Road, Near Yamuna Multiplex, Allahpur, Prayagraj 211006
The Compliance Cycle Begins Here

The Data Protection Board
is operational.
Instruct us before
it instructs you.

Every day without a DPDPA compliance programme is a day of unaddressed legal exposure. The question is not whether to act. The question is whether to act now or under compulsion.

India Market Entry Guide
Write directly: dataprivacy@amlegals.com  ·  Boardline: +91 8448548549  ·  10 Offices Across India
AMLEGALS  ·  Data Privacy Practice
New Delhi  ·  Ahmedabad  ·  Mumbai  ·  Bengaluru  ·  Pune  ·  Kolkata  ·  Chennai  ·  Surat  ·  Vadodara  ·  Prayagraj
India Market EntryAPAC GuideBreach Response