AMLEGALS • DPDPA • Vibe Data Privacy
DPDPA 2023 • DPDP Rules 2025 • Framework v2.0

The Data Privacy Architecture That Leaves Nothing Unprotected

Regulated entities. Multiple regulators. Thousands of agents. Millions of customers. One framework that governs every data atom from birth to burial.

67 Documents • 78 Entry Points • 14 Grey Areas Closed • 10 Consent Layers

If this framework is implemented, nothing more needs to be done. If it is not, nothing is protected under DPDPA. No data principal's personal data is left without an accountable fiduciary. No processing activity is ungoverned. No consent is assumed. No sharing is uncontrolled. No AI model operates without accountability.

Part I

The Reckoning

A customer walks into a branch. She fills a home loan form. Her DSA photographs her Aadhaar card, uploads it to the lending platform. The platform pulls her credit score from four bureaus. Thirty machine learning models score her risk. Her data migrates to a unified digital platform, where she is profiled for life insurance, mutual funds, health insurance. She consented once. She was processed nine times.

This is not hypothetical. This is the daily operational reality of every diversified financial services conglomerate in India. And on May 13, 2027, every one of these processing activities becomes individually actionable under DPDPA. Maximum penalty: Rs 250 crore per instance. Cumulative. No grace period.

The existing privacy architecture across Indian BFSI was built for a world where consent was a checkbox and regulators did not have a dedicated enforcement body. That world ended on November 13, 2025, when India notified the DPDP Rules. This framework exists because the old world cannot survive the new law.

The Single Entity Fallacy

Most BFSI conglomerates maintain a single privacy policy covering all group companies. Under DPDPA, each subsidiary is a separate Data Fiduciary. A single policy document is a material compliance failure on Day One. Each entity must have its own notice, its own consent architecture, its own DPO. The holding company cannot represent the subsidiaries.

Critical Gap

The ABCD Platform Problem

When twenty financial products are delivered through a single digital interface, data commingling is not just likely. It is structural. A unified app pulling customer data from lending, insurance, investments, and payments creates a joint controller scenario. The consent architecture for such platforms does not exist in Indian BFSI today. It must be built from zero.

Structural Risk

The DSA Data Trap

Two hundred thousand channel partners. Seventy eight thousand mutual fund distributors. Ninety thousand insurance advisors. Every one touches personal data. Every one is a Data Processor under DPDPA. Not one has a compliant Data Processing Agreement. If a single DSA sells a customer’s financial details, the conglomerate carries full liability. The penalty does not stay with the agent.

200,000+ Exposed

The Regulatory Collision

Five sectoral regulators plus the Data Protection Board. RBI mandates 5 to 8 year data retention. DPDPA requires erasure once the purpose is served, except where a law requires retention (S.8(7)). IRDAI mandates health data sharing with offshore reinsurers. DPDPA restricts cross border transfers to countries not restricted by Central Government notification (S.16). SEBI requires 8 year investor records. The DPDPA storage limitation principle still applies to everything outside those statutory floors. No resolution framework exists anywhere in India. This framework creates one.

Conflict Zone
Part II

The Corporate Organism

Nine entities. Five regulators. The Federal Privacy Model. Each subsidiary is independently liable. The holding company coordinates but cannot absorb liability.

Federal Privacy Architecture
Tier 1: Group DPO & Board Data Privacy Committee
Holding Company • Policy • Coordination • DPB Liaison
Tier 2: Entity Privacy Officer (EPO) in each regulated entity, reporting to its own sectoral regulator
Bank / NBFC • EPO • RBI
Life Insurer • EPO • IRDAI
Health Insurer • EPO • IRDAI
AMC • EPO • SEBI
Housing Finance • EPO • NHB
Broking • EPO • SEBI
Pension Fund • EPO • PFRDA
Digital Platform • EPO • Joint DF
Tier 3: Data Champions & Privacy Stewards embedded in every business unit, product team, and technology team

The Cross Selling Consent Wall

Every inter entity transfer requires four things. A documented lawful basis under Section 4. A Data Sharing Agreement between the entities. Separate consent from the data principal for each receiving entity. And a DPIA if the receiving entity will process the data for a new purpose. A blanket consent clause in a bank account opening form does not constitute valid consent for the insurance subsidiary. Each entity must obtain its own. This is the most significant operational change under DPDPA for conglomerates.

Part III

The Data Universe

Every entry point, processing point, sharing point, and exit point. Seventy eight collection channels. Twenty six processing systems. Thirty two sharing destinations. No data atom orphaned.

Data Lifecycle — Birth to Burial
Branch Forms
Digital Apps
eKYC / CKYC
DSA Leads
AA Consent
WhatsApp
Core Banking
30+ ML Models
AML / CFT
Underwriting
CRM
Credit Bureaus
5 Regulators
Reinsurers
SWIFT / Cards
Group Entities
Retention per Schedule
Certified Destruction
Erasure on Request

The data universe of a diversified BFSI conglomerate is not a database. It is an organism. Identity and KYC data duplicated across nine entities without a consent trail. Health data flowing from proposal forms to underwriting engines to offshore reinsurers. Behavioural data from a unified digital platform processed under a broad, nonspecific consent that would not survive a single DPB inquiry. Credit bureau data pulled without mapping to DPDPA consent requirements. Agent and DSA data where the agents themselves are data principals whose data is processed without their knowledge.

Every category carries distinct DPDPA obligations. This framework maps each one.

Identity and KYC

Name, DOB, PAN, Aadhaar, address, photograph, signature, video KYC biometrics. Collected by all entities. Cross entity duplication without consent trail is the single largest compliance gap. Solution: CKYC deduplication with entity specific consent tokens.

Critical

Health Data

Medical history, pre existing conditions, health scores, wellness activity, diagnostics. Collected by life and health insurers. Reinsurer sharing creates cross border exposure. DPDPA itself has no separate sensitive data category; the heightened handling comes from IRDAI norms and this framework's classification. Separate explicit consent. Cannot be bundled. Ever.

Sensitive

Behavioural and Digital

App usage, browsing patterns, click behaviour, device fingerprints, location, call recordings. Collected through unified digital platform. No legal basis whatsoever under DPDPA without granular consent. Current broad consent clauses are materially deficient.

No Legal Basis

Children and Minor Data

Minor nominees, children's insurance plans, joint account minors. Section 9: verifiable parental consent mandatory. No behavioural monitoring. No targeted advertising. Penalty: up to Rs 200 crore (Schedule Item 3). Age gating on digital platforms required. Not in place anywhere in Indian BFSI today.

Rs 200 Cr Risk

Employee Data

63,750+ employees across a typical conglomerate. HR, payroll, performance, medical benefits, background checks. DPDPA fully applies. Labour Codes 2020 have their own data obligations. Dual compliance required. Overlap entirely unresolved by regulation.

Dual Regime

Agent and DSA Data

Agent KYC, commission records, client referral lists, performance data. DSAs and agents are Data Principals in their own right. Their data is processed by the conglomerate as employer or principal. Separate notice and consent required for agent data processing.

Overlooked
Part IV

Data Lineage and Provenance

Where did this data come from. Where has it been. Where is it going. Under DPDPA, every Data Fiduciary must answer that question for every data point.

The inability to trace data is not a technology problem. It is a governance failure. Under DPDPA, governance failures attract penalties. Consider a single home loan journey. The DSA uploads the application. The platform pulls CIBIL scores. Thirty credit engines assess risk. KYC is verified against CKYC Registry and Aadhaar. The data migrates to a unified platform for cross sell profiling. Life insurance. Mutual funds. Health insurance. Can any BFSI conglomerate today produce a lineage document showing every system that touched this data? The answer is no.

Lineage Stage | Systems | Data in Transit | Current Gap
Collection via DSA | DSA mobile app, lending platform | Name, PAN, Aadhaar, income, address | Critical: No metadata capture. No consent token at collection.
Credit Bureau Pull | CIBIL, CRIF, Equifax, Experian APIs | PAN, DOB sent. Score and history returned | Medium: CIC logs exist but not mapped to DPDPA consent trail
KYC Verification | CERSAI, UIDAI, Video KYC vendor | Full KYC data plus biometric capture | Critical: Third party systems. No lineage log held at entity level
ML Underwriting | 30+ credit engines, analytics vendors | Full financial and behavioural profile | Critical: Model input/output not logged with declared purpose
Cross Sell Profiling | Unified platform, insurance CRM, AMC | Full profile for product recommendations | Critical: No consent trail for cross entity profiling
Collections | Collection platform, recovery agents | Contact, address, DPD status | Critical: Recovery agent access not logged at entity level
Post Closure | Archives, cold storage, backup systems | Complete loan file. All categories. | High: Retention period not defined per DPDPA requirements

Data Provenance by Channel

Branch: Signed physical form, not digitized into any provenance system. Gap: a physical form is not DPDPA provenance.
Digital: Single click-wrap T&C acceptance covering all processing. Gap: one checkbox replaces what must be 15+ separate purpose-linked consents.
DSA: Paper form uploaded by the agent. Gap: no digital consent token issued.
Call Centre: Call recording stored, no structured consent capture. Gap: a recording does not constitute legally structured consent.
Bancassurance: Bank's consent framework; the entity is not party to it. Gap: the entity relies on the bank's consent, which is legally insufficient.
WhatsApp: No structured consent for interaction data use. Gap: collects data without declared consent.
Every channel has a provenance gap. This framework closes each one.

Part V

DPDPA Section by Section Mapping

Every provision mapped to specific BFSI obligation. No section unaddressed.

Section | Provision | BFSI Obligation | Status
S.4 | Lawful Processing | Map every activity to Consent (S.6) or Legitimate Use (S.7). No processing without documented basis. | Required
S.5 | Notice | Per entity notice, not group level. In English or any of the 22 Eighth Schedule languages at the data principal's option (S.5(3)). Three phase retrospective rollout for legacy data (S.5(2)). | Required
S.6 | Consent | 10 separate consent instances. Free, specific, informed, unconditional, unambiguous, affirmative, purpose limited (S.6(1)). Withdrawal as easy as grant (S.6(4)); 48 hour processing is the framework SLA. | Required
S.7 | Legitimate Uses | KYC, AML, credit bureau reporting, regulatory returns, fraud prevention, court orders, employment. No consent needed where the activity is mapped to a named S.7 limb; document the limb. | Exemption
S.8(5) | Security | AES 256, TLS 1.3, RBAC, MFA, PAM, SOC, SIEM, DLP, VAPT. Benchmarked against all sectoral frameworks. | Required
S.8(6) | Breach Notification | Quad reporting: CERT-In 6 hr, DPB 72 hr (Rule 7), Sectoral Regulator 2 to 6 hr, Data Principals without delay (framework outer limit 7 days). | Rs 200 Cr
S.8(1)-(2) | Data Processors | DPA with every vendor, cloud provider, DSA, agent, collection agency. Flow down all obligations. Audit rights. The fiduciary stays liable whatever the contract says (S.8(1)). | Required
S.10 | SDF Obligations | DPO, independent data auditor, annual DPIA and audit, algorithmic risk verification under the DPDP Rules 2025. Banks and large insurers almost certainly SDF. | SDF Only
S.11-14 | Data Principal Rights | Access (15 day framework SLA), Correction, Erasure (30 day framework SLA), Nomination (S.14, new for BFSI), Grievance (two tier). | Required
S.16 | Cross Border | Permitted except to countries restricted by notification. RBI localization prevails. SEBI: human readable in India. Reinsurance and SWIFT continue unless the country is restricted. | Conditional
Part VI

The Consent Architecture

Consent 1.0 through 3.0. Ten distinct instances. Each free, specific, informed, unconditional, unambiguous, affirmative, purpose limited.

Consent under DPDPA is not a checkbox. It is a legal contract. The old world of single click-wrap acceptance covering all processing is dead. A conglomerate needs a consent architecture that is specific, granular, freely given, withdrawable, and provable. At scale. Across nine entities. For fifty million customer relationships. Legacy consent survives only as far as Section 5(2) allows, and only once the retrospective notice has been served; a blanket clause that was never specific to the purpose gives no cover at all, so every day of processing under it is a day of unauthorized processing under Section 6.

# | Consent Instance | Layer | DPDPA Ref
C1 | Core Processing — Product or service applied for | 1.0 | S.6 + S.7(a)
C2 | Credit Bureau Data Pull — Each bureau separately | 1.0 | S.6 + CICRA
C3 | Marketing and Cross Sell — Opt in only, separate | 2.0 | S.6(1)
C4 | Cross Entity Sharing — Named entity, per entity | 2.0 | S.6(1)
C5 | Profiling and Analytics — Named ML model types | 3.0 | S.6 + S.10
C6 | AI Automated Decision Making — Explicit disclosure | 3.0 | S.6 + S.10
C7 | Health Data — Medical, diagnostics, wellness | Sensitive | S.6 + IRDAI
C8 | Children's Data — Verifiable parental consent | S.9 | S.9 + Rs 200 Cr
C9 | Cross Border Transfer — Specific countries named | Transfer | S.16
C10 | Call Recording and Interaction Monitoring | Disclosure | S.5 + S.6
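The consent table above and the "no consent token at collection" gap in the Part IV lineage table both need the same primitive: a ledger that records consent per receiving entity and per purpose, hands out a token that every downstream system must carry, lets the principal withdraw with one call, and can prove afterwards that no record was edited. The following is an added example, not the framework's own consent engine: entity codes, purpose codes and the C1..C10 labels follow the table, while the record layout, the SHA-256 hash chain and the grant/withdraw/authorize API are assumptions made for illustration.

```python
"""Per-entity, per-purpose consent ledger with a tamper-evident audit trail.

Added example; not the framework's own consent engine. Entity codes, purpose
codes and the C1..C10 layer labels follow the table above; the record layout,
the hash chain and the grant/withdraw/authorize API are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class ConsentError(Exception):
    """Processing attempted without a live consent for this entity and purpose."""


@dataclass
class ConsentRecord:
    principal_id: str
    entity: str                       # receiving Data Fiduciary, never "the group"
    purpose: str                      # exactly one purpose per record (S.6(1))
    layer: str                        # C1..C10 from the consent table
    channel: str                      # branch / app / dsa / call-centre
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def live(self, at: datetime) -> bool:
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ConsentLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self.events: list[dict] = []      # append-only; each event names the previous hash
        self.hashes: list[str] = []

    @staticmethod
    def _hash(event: dict) -> str:
        return hashlib.sha256(json.dumps(event, sort_keys=True, default=str).encode()).hexdigest()

    def _append(self, event: dict) -> str:
        event = {"prev": self.hashes[-1] if self.hashes else self.GENESIS, **event}
        self.events.append(event)
        self.hashes.append(self._hash(event))
        return self.hashes[-1]

    def grant(self, principal_id: str, entity: str, purpose: str, layer: str,
              channel: str, at: datetime) -> str:
        """Record one consent instance; the returned hash is its provable token."""
        self.records.append(ConsentRecord(principal_id, entity, purpose, layer, channel, at))
        return self._append({"op": "grant", "principal": principal_id, "entity": entity,
                             "purpose": purpose, "layer": layer, "channel": channel, "at": at})

    def withdraw(self, principal_id: str, entity: str, purpose: str, at: datetime) -> int:
        """As easy as grant (S.6(4)): one call, no justification, closes every live
        record for that entity and purpose; the withdrawal is itself logged."""
        closed = 0
        for rec in self.records:
            if ((rec.principal_id, rec.entity, rec.purpose) == (principal_id, entity, purpose)
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                closed += 1
        self._append({"op": "withdraw", "principal": principal_id, "entity": entity,
                      "purpose": purpose, "closed": closed, "at": at})
        return closed

    def authorize(self, principal_id: str, entity: str, purpose: str, at: datetime) -> str:
        """Gate for every processing activity: returns a token to carry in the lineage
        log, or raises. The match is exact on entity AND purpose, so the bank's
        account-opening consent never authorizes the insurer's cross-sell."""
        for rec in self.records:
            if ((rec.principal_id, rec.entity, rec.purpose) == (principal_id, entity, purpose)
                    and rec.live(at)):
                return self._append({"op": "authorize", "principal": principal_id, "entity": entity,
                                     "purpose": purpose, "layer": rec.layer, "at": at})
        raise ConsentError(f"no live consent: {principal_id} / {entity} / {purpose}")

    def verify(self) -> bool:
        """Recompute the chain: an edited or deleted event breaks every later hash."""
        prev = self.GENESIS
        for event, digest in zip(self.events, self.hashes):
            if event["prev"] != prev or self._hash(event) != digest:
                return False
            prev = digest
        return len(self.events) == len(self.hashes)


def demo() -> dict:
    """Constructed scenario: bank account opening, then an insurer cross-sell attempt."""
    t0 = datetime(2027, 5, 13, tzinfo=timezone.utc)
    t1, t2 = t0 + timedelta(days=1), t0 + timedelta(days=2)
    ledger, out = ConsentLedger(), {}
    ledger.grant("DP-001", "BANK", "core_processing", "C1", "branch", t0)
    out["bank_core_ok"] = bool(ledger.authorize("DP-001", "BANK", "core_processing", t1))
    try:                                  # no C4 consent naming the insurer yet
        ledger.authorize("DP-001", "LIFE_INSURER", "cross_entity_sharing", t1)
        out["insurer_blocked"] = False
    except ConsentError:
        out["insurer_blocked"] = True
    ledger.grant("DP-001", "LIFE_INSURER", "cross_entity_sharing", "C4", "app", t1)
    out["insurer_ok_after_c4"] = bool(ledger.authorize("DP-001", "LIFE_INSURER", "cross_entity_sharing", t1))
    out["withdrawn"] = ledger.withdraw("DP-001", "LIFE_INSURER", "cross_entity_sharing", t2)
    try:
        ledger.authorize("DP-001", "LIFE_INSURER", "cross_entity_sharing", t2)
        out["insurer_blocked_after_withdrawal"] = False
    except ConsentError:
        out["insurer_blocked_after_withdrawal"] = True
    out["chain_intact"] = ledger.verify()
    ledger.events[0]["channel"] = "dsa"   # simulate after-the-fact tampering with the grant
    out["tamper_detected"] = not ledger.verify()
    return out
```

The token returned by authorize is what a lending platform, bureau pull or ML engine should write into its lineage log: the lineage table in Part IV then reads back to a specific consent event rather than to a checkbox. A production ledger would persist the event chain to append-only storage and anchor the latest hash externally (for example in a signed daily digest) so that an insider with database access cannot rewrite the whole chain.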
Part VII

The Third Party Dependency Web

Every DSA who holds a customer’s Aadhaar photocopy on their phone is a Data Processor under DPDPA. The conglomerate is responsible for all of them.

200,000+ DSAs

Full KYC, financial data, contact details. No DPA. No training. No oversight. Every breach is conglomerate liability: Section 8(1) makes the fiduciary responsible regardless of any contract with the processor. Lead shopping circulates data across multiple institutions without granular consent. Must execute DPA, mandate 90 day destruction for non converting leads, verify consent before processing.

Critical

90,000+ Insurance Advisors

KYC, health declarations, nominee data. Health data leaves entity systems without any DPA in place. Advisors store data on personal devices. No encryption mandate. No deletion protocol on termination. Each advisor is a walking data breach risk.

Health Data

78,000+ MF Distributors

Investment data, PAN, KYD, bank accounts. SEBI KYD exists but DPDPA Data Processing Agreement absent. Industry standard DPA format needed. Currently completely absent across the ecosystem.

High Gap

Bancassurance Partners

Customer referral data, joint KYC. Joint controller responsibilities entirely undefined under DPDPA. Entity relies on bank’s consent which is legally insufficient. Each bancassurance partner needs a separate data sharing agreement with documented lawful basis.

Joint Controller

30+ Analytics and ML Vendors

Transaction data, behavioural data fed to credit scoring models. Data Processors under DPDPA. Behavioural profiling without granular consent is the highest risk activity. Must execute DPA with algorithmic accountability clause and bias audit requirements.

AI Risk

Cloud, TPAs, Collection Agents

Cloud: Cross border risk if offshore. Must be India stored per RBI. TPAs: Sensitive health data. Maximum sensitivity. Collection agents: Home visit data, contact data, recovery pressure. RBI FPC plus DPDPA dual violation risk. DPA mandatory for every vendor category.

Full Spectrum
Part VIII

AI Governance Layer

Thirty plus credit scoring models. Fraud detection engines. Underwriting algorithms. Each one consumes personal data. Each one needs an accountability chain.

Stage 01

Training Data

Audit every model dataset for personal data. Anonymise (not pseudonymise) or obtain consent for AI training purpose. Document provenance: source, method, consent basis, technique, audit date. No genetic data for insurance. No prohibited categories for credit. CICRA 2005 governs credit bureau input.

Stage 02

Inference

Every inference on live data is a processing activity. Purpose limitation: fraud model output cannot become marketing input. Significant effect decisions (loan denial, premium loading, claim rejection) require disclosure: automated decision made, logic involved, data that influenced it. Model Card mandatory.

Stage 03

Retraining

New processing cycle. Same data, same purpose: original consent covers. New purpose: fresh consent. Maintain Model Card: purpose, data sources, bias assessment, performance, last retraining date, DPIA reference. Retraining logs must be audit ready.

Stage 04

Accountability

Bias audit across protected categories. Explainability for customer facing decisions. Human override for every AI denial. Third party vendor models assessed under the same framework. Entity bears DPDPA liability regardless of vendor. Algorithmic risk assessment mandatory for SDFs under Section 10 read with the SDF obligations in the DPDP Rules 2025.

The 30+ Model Problem

A typical lending NBFC runs thirty or more ML credit engines. Each ingests transaction data, behavioural signals, and bureau scores. None log model input and output with a declared DPDPA purpose. None have been assessed for bias against protected categories. None offer explainability to customers whose applications are declined. Under Section 10, Significant Data Fiduciaries must assess algorithmic risks. These thirty models are thirty compliance timebombs. This framework defuses each one.
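What "logging model input and output with a declared DPDPA purpose" and "fraud model output cannot become marketing input" look like at the model boundary, as an added example that is not the framework's own tooling. The model cards, feature names, purposes, DPIA references and the gateway API are constructed for illustration; the rules it enforces (each input carries the purpose it was gathered under, a model accepts only inputs within its declared purposes, refusals are logged, significant-effect decisions are routed to a human with a disclosure record) are the ones Stages 02 to 04 describe.

```python
"""Purpose-bound inference gateway with a per-call audit log.

Added example, not the framework's own tooling. Model cards, feature names,
purposes, DPIA references and the gateway API are constructed; the rules
enforced (input purpose must match the model's declared purposes, fraud output
never becomes marketing input, significant-effect decisions are logged and
routed to a human) follow Part VIII.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Any, Callable


class PurposeViolation(Exception):
    """An input was collected or derived under a purpose this model is not declared for."""


@dataclass(frozen=True)
class ModelCard:
    model_id: str
    version: str
    purpose: str                      # declared purpose the model serves
    accepted_inputs: frozenset[str]   # purposes its inputs may have been gathered under
    significant_effect: bool          # loan denial, premium loading, claim rejection
    dpia_ref: str
    last_retrained: str
    bias_audit: str


@dataclass(frozen=True)
class Feature:
    name: str
    value: Any
    purpose: str          # purpose the datum was collected or derived under
    consent_token: str    # token from the consent ledger that authorized its use


def _digest(obj: Any) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True, default=str).encode()).hexdigest()


class InferenceGateway:
    def __init__(self) -> None:
        self.cards: dict[str, ModelCard] = {}
        self.models: dict[str, Callable[[dict[str, Any]], dict[str, Any]]] = {}
        self.log: list[dict[str, Any]] = []   # names and hashes only, never raw values

    def register(self, card: ModelCard, fn: Callable[[dict[str, Any]], dict[str, Any]]) -> None:
        self.cards[card.model_id] = card
        self.models[card.model_id] = fn

    def infer(self, model_id: str, principal_id: str, features: list[Feature]) -> dict[str, Any]:
        card = self.cards[model_id]
        entry: dict[str, Any] = {
            "model": f"{card.model_id}@{card.version}", "purpose": card.purpose,
            "dpia": card.dpia_ref, "principal": _digest(principal_id),   # pseudonymised; use a keyed HMAC in production
            "inputs_used": sorted(f.name for f in features),
            "consent_tokens": sorted({f.consent_token for f in features}),
        }
        # Purpose limitation at the model boundary: refuse, and log the refusal too.
        bad = [f"{f.name}({f.purpose})" for f in features if f.purpose not in card.accepted_inputs]
        if bad:
            self.log.append({**entry, "op": "refused", "reason": bad})
            raise PurposeViolation(f"{model_id} refuses inputs outside its declared purpose: {bad}")
        inputs = {f.name: f.value for f in features}
        output = self.models[model_id](inputs)
        entry.update(op="inferred", input_hash=_digest(inputs), output_hash=_digest(output))
        if card.significant_effect:
            entry["human_review_required"] = True   # human override for every AI denial
            entry["disclosure"] = {"automated_decision": True, "model": entry["model"],
                                   "inputs_used": entry["inputs_used"], "bias_audit": card.bias_audit}
        self.log.append(entry)
        # Outputs carry the model's declared purpose, so a downstream gateway can check them.
        return {"output": output, "output_purpose": card.purpose, "lineage": entry}


def demo() -> dict[str, Any]:
    """Constructed models: fraud scorer, credit underwriter, cross-sell recommender."""
    gw = InferenceGateway()
    gw.register(ModelCard("fraud-v3", "3.1", "fraud_prevention",
                          frozenset({"core_processing", "fraud_prevention"}), False,
                          "DPIA-2027-014", "2027-03-01", "passed 2027-02"),
                lambda x: {"fraud_score": 0.9 if x["txn_velocity"] > 20 else 0.07})
    gw.register(ModelCard("credit-v7", "7.0", "credit_underwriting",
                          frozenset({"core_processing", "credit_bureau"}), True,
                          "DPIA-2027-021", "2027-04-10", "passed 2027-04"),
                lambda x: {"approve": x["bureau_score"] >= 700 and x["income"] >= 300000})
    gw.register(ModelCard("xsell-v2", "2.2", "marketing_cross_sell",
                          frozenset({"marketing_cross_sell"}), False,
                          "DPIA-2027-030", "2027-01-15", "passed 2027-01"),
                lambda x: {"offer": "term_life"})
    out: dict[str, Any] = {}
    fraud = gw.infer("fraud-v3", "DP-001", [Feature("txn_velocity", 3, "core_processing", "tok-c1")])
    try:   # the fraud score carries purpose fraud_prevention; the marketing model must refuse it
        gw.infer("xsell-v2", "DP-001", [Feature("fraud_score", fraud["output"]["fraud_score"],
                                                fraud["output_purpose"], "tok-c1")])
        out["fraud_to_marketing_blocked"] = False
    except PurposeViolation:
        out["fraud_to_marketing_blocked"] = True
    credit = gw.infer("credit-v7", "DP-001", [Feature("bureau_score", 640, "credit_bureau", "tok-c2"),
                                              Feature("income", 420000, "core_processing", "tok-c1")])
    out["credit_approved"] = credit["output"]["approve"]
    out["human_review_required"] = credit["lineage"].get("human_review_required", False)
    out["disclosed_inputs"] = credit["lineage"]["disclosure"]["inputs_used"]
    out["log_ops"] = [e["op"] for e in gw.log]
    return out
```

The log carries feature names, consent tokens, the model card reference and hashes of the input and output, which is enough to answer a DPB inquiry ("which data influenced this denial, under which consent, through which model version") without the log itself becoming a second copy of the personal data.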

Part IX

Fourteen Grey Areas. All Closed.

Every structural ambiguity in BFSI data privacy. Identified. Analysed. Resolved. No loophole survives.

Joint Account Data

DPDPA does not address joint controllership. Joint accounts, loans, policies create dual data principal scenarios.
Resolution
Treat each holder as independent data principal. If one requests erasure, preserve other’s data. Maintain ability to service for remaining holder.

Nominee and Guarantor Data

Data provided by account holder, not the nominee or guarantor. Both are data principals processed without direct consent.
Resolution
Direct notice to nominees and guarantors. Independent consent from guarantors who have significant financial data exposure.

WhatsApp Banking

No RBI guidelines. Meta collects metadata. BSP routing. AI features not end to end encrypted.
Resolution
Classify high risk. No account numbers or balances via WhatsApp. Notifications only. Redirect data intensive interactions to secure channels.

DSA Lead Shopping

Lead rejected by one entity, redirected to another. Customer data circulates without granular per entity consent.
Resolution
DSA must obtain consent disclosing all entity identities. 90 day destruction for non converting leads. Verify consent before processing.

Unified Digital Platform

Single app, twenty products, nine entities. Data commingling is structural. No consent architecture exists for cross product profiling.
Resolution
Platform treated as joint controller. Separate consent per entity per product category. Technical data segregation with entity specific access controls.

Bancassurance Consent Gap

Insurance entity relies entirely on bank partner’s consent. Legally insufficient under DPDPA. Entity must hold its own independent consent.
Resolution
Data sharing agreement with bank. Independent consent collection by insurance entity before underwriting. Bank consent covers referral only.

Account Aggregator Post Receipt

AA encryption strong in transit. Once FIU decrypts, no standardised handling requirements exist.
Resolution
FIU policy: storage per consent artifact duration, purpose limitation enforcement, prohibition on combining with existing data for profiling without consent, deletion on expiry.

Rejected Insurance Proposals

No regulatory mandate specifies retention. Insurers retain medical records indefinitely. Hidden gap.
Resolution
Three year maximum. Destroy all medical records unless a fraud investigation is pending. Section 8(7) purpose completion triggers erasure.

Pre DPDPA Legacy Data

Section 5(2): retrospective notice required. Billions of records across decades.
Resolution
Three phase rollout. Phase 1 (June 2026): digital. Phase 2 (Dec 2026): physical. Phase 3 (April 2027): residual. Destroy data with no regulatory retention basis.

Collection Agent Home Visits

Recovery agents access borrower address, family details, visit records. RBI FPC applies. DPDPA adds new layer.
Resolution
DPA with every agency. Minimum necessary data. No contacting non borrowers. Mandatory destruction on case closure.

Government Scheme Firewalling

PMJDY, PMSBY, PMJJBY data processed under S.7(b). Cross selling risk to low literacy populations.
Resolution
Strict firewall between scheme data and marketing databases. No commingling. Separate consent for any non scheme processing.

Minor Nominees in Life Insurance

Children named as nominees. Section 9 applies. Verifiable parental consent not in place anywhere.
Resolution
Parent or guardian identity verification. Age gating on digital platforms. No behavioural tracking. No targeted communications.

NRI and Cross Jurisdiction

NRI accounts, FCNR deposits. Dual law applicability. GDPR for EU NRIs.
Resolution
Map NRI data flows for cross border transfer points. Comply with both DPDPA and applicable foreign law.

Merger and Portfolio Transfer

S.17(1)(e) exempts processing for a court or tribunal approved merger, amalgamation or similar scheme. But the buyer becomes the new Data Fiduciary.
Resolution
Privacy notice within 30 days of transfer. Original consent valid for same purposes only. New purposes need fresh consent.
Part X

Quad Breach Reporting Protocol

Four simultaneous obligations. Four different timelines. Four different recipients. Miss one, face Rs 200 crore.

6 hrs
CERT-In
IT Act Directions April 2022. Targeted scanning, system compromise, data breach, data leak.
72 hrs
Data Protection Board
DPDP Rules 2025, Rule 7. Nature, records affected, consequences, mitigation, DPO contact. Penalty: Rs 200 crore.
2-6 hrs
Sectoral Regulator
RBI: 2 to 6 hrs. SEBI: 6 hrs (CSCRF). IRDAI: 6 hrs (ICG 2023). PFRDA: 6 hrs (Cyber Policy 2024).
Without delay (framework outer limit: 7 days)
Data Principals
DPDPA S.8(6), DPDP Rules 2025 Rule 7(1): intimate each affected data principal without delay; this framework sets 7 days as the outer limit. Multi channel: in app, email, SMS, postal. Nature, data exposed, measures, contact for queries.
Part XI

The Complete Document Architecture

14
Board Policies
21
SOPs
13
Agreements
9
Registers
10
Notices

Board Policies (14)

Data Privacy Policy (Master)
Information Security Policy
Retention and Destruction Policy
Breach Response Policy
Cross Border Transfer Policy
AI/ML Governance Policy
Consent Management Policy
Data Principal Rights Policy
Vendor Data Protection Policy
Employee Data Privacy Policy
CCTV and Surveillance Policy
Cookie and Tracking Policy
Data Classification Policy
ROPA Maintenance Policy

SOPs (21)

Consent Collection (per channel)
Consent Withdrawal Processing
Access Request Handling
Correction Request Handling
Erasure Request Handling
Nomination Registration
Breach Detection and Escalation
DPB 72 Hour Notification
Data Principal Breach Notice
DPIA Conduct and Review
New Product Privacy Gate
Vendor Onboarding Assessment
Vendor Periodic Audit
Intra Group Sharing Approval
Cross Border Transfer Approval
Legacy Data Remediation
Destruction and Certificate
DPB Inquiry Response
AI Model Privacy Review
Call Recording Consent
WhatsApp Data Handling

Agreements (13)

Data Processing Agreement
Intra Group Data Sharing
Consent Manager Agreement
Cloud Provider DPA
DSA/Agent Data Handling
Collection Agency DPA
Reinsurance Data Clause
Correspondent Banking Clause
Account Aggregator Terms
Credit Bureau Amendment
Employment Privacy Clause
NDA with Data Protection
Whistleblower Channel

Registers and Notices (19)

Record of Processing Activities
Consent Record Register
Rights Request Register
Breach Register
DPIA Register
Vendor Assessment Register
Cross Border Transfer Register
AI Model Register
Destruction Certificate Register
Customer Privacy Notice (per entity)
Employee Privacy Notice
Website/App Privacy Policy
Cookie Notice
CCTV Notice
Call Recording Disclosure
DPB Breach Template
Data Principal Breach Template
Legacy Data Notice (S.5(2))
Privacy Nomination Form
Part XII

Penalty Architecture

Section 33 read with the Schedule. Per instance. Cumulative. Imposed by the Board after inquiry on the person found in breach.

Rs 250 Cr
Failure to take reasonable security safeguards (S.8(5))
Schedule Item 1
Rs 200 Cr
Failure to notify breach to DPB and affected principals (S.8(6))
Schedule Item 2
Rs 200 Cr
Breach of children's data obligations (S.9)
Schedule Item 3
Rs 150 Cr
Failure to comply with SDF obligations (S.10)
Schedule Item 4
Rs 50 Cr
Breach of any other provision of the Act or Rules
Schedule Item 7
Part XIII

9–13 Months Implementation Roadmap

From engagement to full compliance. No specific calendar dependency. Scalable to any BFSI conglomerate’s starting point.

Month 1 — 2
Foundation: Governance Setup
Appoint Group DPO and Entity Privacy Officers. Constitute Board Data Privacy Committee. Launch data discovery exercise across all systems and all entities. Begin Record of Processing Activities documentation. Pass four Board Resolutions (DPO, Policy, Consent Manager, DPC).
Month 3 — 4
Foundation: Data Mapping and Classification
Complete data inventory and classification per entity. Map all 78 entry points, 26 processing systems, 32 sharing destinations. Identify all Data Processors (200,000+ DSAs, 90,000 advisors, 78,000 MFDs). Begin DPA negotiation campaign. Board approve Data Privacy Policy. Issue Phase 1 retrospective notices (digital customers).
Month 5 — 6
Foundation: Consent Engine Build
Build Consent Management Platform with 10 layer consent stack. Redesign all onboarding forms across all entities and channels (branch, app, website, call centre, WhatsApp). Implement Consent 1.0, 2.0, 3.0 architecture. Begin vendor DPA execution. Deploy data lineage tracking system.
Month 7 — 8
Operationalisation: Rights, AI, and Training
Deploy Data Principal Rights Request management system with 15 day SLA. Train all customer facing staff on consent collection and privacy notice delivery. Conduct DPIAs for all 30+ ML models. Implement data deletion workflows. Deploy AI Model Cards and algorithmic risk assessment framework. Issue Phase 2 retrospective notices (physical customers).
Month 9 — 10
Operationalisation: Testing and Hardening
Conduct breach response tabletop exercise with quad reporting simulation. Deploy AI model governance and bias audit programme. Complete vendor DPA execution across all 200,000+ channel partners. Data lineage system fully operational. Conduct first round of internal privacy audits per entity.
Month 11 — 12
Operationalisation: Final Gap Closure
Deploy monitoring dashboards (consent status, rights requests, breach metrics, vendor compliance). Conduct final pre compliance gap assessment across all entities. Issue Phase 3 retrospective notices (residual customers). Remediate all identified gaps. Board sign off on compliance readiness.
Month 13
Full Compliance: Day Zero
All DPDPA substantive provisions operational. Consent architecture live across all channels and entities. Rights engine processing requests within SLA. Breach protocol tested and ready. Cross border transfers documented. SDF obligations discharged. First post compliance internal audit within 30 days. No grace period. No extensions. The framework is the operating system.
Part XIV

Retention Schedule

Category | Period | Citation | Trigger
KYC Records | 5 yrs post closure | PMLA S.12, RBI KYC MD | Closure + 5 years
Transaction Records | 5 yrs from date | PMLA S.12 | Date + 5 years
Loan Documents | 8 yrs post repayment | Limitation Act | Repayment + 8 years
Insurance Policy | Maturity + 8 yrs | Limitation Act, IRDAI | Settlement + 8 years
Health/Claims Data | 8 yrs post settlement | Limitation Act, IRDAI | Settlement + 8 years
Rejected Proposals | 3 yrs maximum | Framework prescription | Rejection + 3 years
Securities Records | 5 to 8 yrs | SEBI | Closure/trade + period
Behavioural/Digital | 2 yrs unless anonymised | Framework + DPDPA S.8(7) | Collection + 2 years
Non Converting Leads | 90 days | Framework prescription | Receipt + 90 days
Call Recordings | 1 yr min, 8 yr rec | RBI CS guidelines | Date + retention
Consent Records | Lifetime + 5 yrs | Framework + Limitation | Purpose end + 5 years
Breach Records | 10 yrs | Framework prescription | Breach + 10 years
Biometric Post KYC | Immediate deletion | Aadhaar Act S.32 | Verification complete
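The schedule above only becomes operational once something computes, per record, which regime wins and what an erasure request may do while a statutory period is still running. The following is an added example, not the framework's own tooling: it encodes a subset of the rows with the citations as the page states them, and resolves the Part I "Regulatory Collision" the way S.8(7) does (erase when the purpose is served unless a law requires retention, so the longest statutory floor wins; where no statute applies, the earlier of purpose-end and the framework cap governs). The treatment of an S.12 erasure request during a statutory period (restrict to the retention purpose, block all other processing, schedule erasure at the floor) and the legal-hold override are this example's reading of Part IX; the function names are assumptions.

```python
"""Retention and erasure resolver for records under overlapping regimes.

Added example, not the framework's own tooling. Categories, periods and
citations encode rows of the schedule above as the page states them; the
resolution rules and function names are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Regime:
    source: str
    years: int = 0
    days: int = 0
    statutory: bool = True    # True: legal floor that beats purpose-end; False: framework/DPDPA cap


SCHEDULE: dict[str, list[Regime]] = {
    "kyc": [Regime("PMLA S.12", years=5), Regime("RBI KYC MD", years=5)],
    "transaction": [Regime("PMLA S.12", years=5)],
    "loan_documents": [Regime("Limitation Act", years=8)],
    "health_claims": [Regime("Limitation Act", years=8), Regime("IRDAI", years=8)],
    "rejected_proposal": [Regime("Framework prescription", years=3, statutory=False)],
    "behavioural": [Regime("Framework + DPDPA S.8(7)", years=2, statutory=False)],
    "non_converting_lead": [Regime("Framework prescription", days=90, statutory=False)],
    "breach_record": [Regime("Framework prescription", years=10, statutory=False)],
    "biometric_post_kyc": [Regime("Aadhaar Act S.32", days=0)],
}


def _expiry(trigger: date, r: Regime) -> date:
    try:
        d = trigger.replace(year=trigger.year + r.years)
    except ValueError:                       # 29 Feb trigger, non-leap target year
        d = trigger.replace(year=trigger.year + r.years, day=28)
    return d + timedelta(days=r.days)


def erase_by(category: str, trigger: date, purpose_end: Optional[date] = None) -> tuple[date, str]:
    """Resolve the sectoral-retention vs DPDPA-storage-limitation collision for one record.
    S.8(7) requires erasure once the purpose is served unless a law requires retention,
    so the longest statutory floor wins; with no floor, the earlier of purpose-end and
    the framework cap governs."""
    regimes = SCHEDULE[category]
    floors = [(r, _expiry(trigger, r)) for r in regimes if r.statutory]
    if floors:
        r, d = max(floors, key=lambda x: x[1])
        return d, f"statutory floor {r.source}; purpose-end cannot shorten it"
    r, d = min(((r, _expiry(trigger, r)) for r in regimes), key=lambda x: x[1])
    if purpose_end is not None and purpose_end < d:
        return purpose_end, "DPDPA S.8(7): purpose served before the framework cap"
    return d, f"framework cap {r.source}"


def handle_erasure_request(category: str, trigger: date, today: date,
                           legal_hold: bool = False) -> tuple[str, Optional[date]]:
    """S.12 erasure request: 'erase' now, 'restrict' (retain only for the statutory
    purpose and block all other processing) until the floor expires, or 'hold'."""
    if legal_hold:                            # fraud investigation or litigation pending
        return "hold", None
    if not any(r.statutory for r in SCHEDULE[category]):
        return "erase", today                 # no legal floor: purpose no longer served
    deadline, _ = erase_by(category, trigger)
    return ("erase", today) if deadline <= today else ("restrict", deadline)


def demo() -> dict[str, str]:
    """Constructed dates; results are ISO strings so they read without a datetime import."""
    t, today = date(2027, 5, 13), date(2028, 1, 1)
    req = lambda *a, **k: "{}:{}".format(*handle_erasure_request(*a, **k))
    return {
        "kyc_erase_by": erase_by("kyc", t)[0].isoformat(),
        "behavioural_purpose_end": erase_by("behavioural", t, purpose_end=date(2028, 1, 1))[0].isoformat(),
        "behavioural_cap": erase_by("behavioural", t)[0].isoformat(),
        "lead_90d": erase_by("non_converting_lead", t)[0].isoformat(),
        "biometric": erase_by("biometric_post_kyc", t)[0].isoformat(),
        "leap_day_kyc": erase_by("kyc", date(2028, 2, 29))[0].isoformat(),
        "kyc_request_during_floor": req("kyc", t, today),
        "kyc_request_after_floor": req("kyc", t, date(2033, 1, 1)),
        "behavioural_request": req("behavioural", t, today),
        "kyc_request_on_hold": req("kyc", t, today, legal_hold=True),
    }
```

The "restrict" outcome is the practical answer to the RBI-versus-DPDPA conflict: the record stays only for the purpose the statute names, every other system loses access to it, and the scheduled erasure date is written into the destruction register so that the certified destruction step at the end of the lifecycle has a date to act on.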