AMLEGALS · DPDPA · Vibe Data Privacy
DPDPA 2023 · Data Fiduciary Obligation

Every business in India processes personal data. None of them are exempt.

The Digital Personal Data Protection Act 2023 places statutory obligations on every organisation — irrespective of size, sector, or intent. The Data Protection Board does not distinguish between the prepared and the unprepared. It adjudicates.

₹250 Cr · Maximum penalty per breach under DPDPA Schedule I
26+ · Sectors now carrying Data Fiduciary obligations
27+ · Years of AMLEGALS legal practice across regulatory counsel
10 · AMLEGALS offices across India — pan-India coverage
DPDPA Section 6 · Consent Architecture

Consent collected is not consent understood.

Section 6 requires consent to be free, specific, informed, and unconditional. A pre-ticked checkbox is not consent. A 14-page privacy policy is not consent. Most Indian businesses are collecting data on a legal basis that does not exist.

4 · Conditions for valid DPDPA consent. Most organisations satisfy fewer than two.
Section 6 · The single most violated provision across India's data landscape
₹50 Cr · Minimum catch-all penalty for any DPDPA violation — no floor exemption
0 · Days of advance notice the Board is required to give before adjudication begins
PRAMAANA™ · Evidence Readiness Framework

The Board evaluates evidence. Not intention.

When the Data Protection Board issues a notice, your privacy policy is not a defence. PRAMAANA™ — AMLEGALS' original Evidence Readiness Framework — builds the documentation that stands before the Board. Systematically. Defensibly.

5 · Steps in PRAMAANA™ — from data mapping to Board-ready evidence package
Quasi-Judicial · Powers of the Data Protection Board — no negotiation, only adjudication
₹200 Cr · Penalty for failure to notify a breach. Silence is not a strategy.
140+ · Chapters in India's most comprehensive DPDPA guidance publication
FINTECH
HEALTHCARE
EDUCATION & EDTECH
STARTUPS
SME
E-COMMERCE
MANUFACTURING
SERVICES
INSURANCE
REAL ESTATE
LOGISTICS
MEDIA & OTT
PHARMA
TELECOM
HOSPITALITY
BANKING
AUTOMOBILE
RETAIL
GOVERNMENT
LEGAL TECH
AGRITECH
DEFENCE
AVIATION
ENERGY
GAMING & ESPORTS
HR TECH
COOPERATIVES
NGO & NON-PROFIT
SPORTS & FITNESS
COWORKING
Every Sector. One Law.

The law does not ask what industry you are in.

DPDPA 2023 applies to every organisation processing personal data of Indian residents. Your sector changes the risk. The obligation does not.

KYC data is not a formality. It is a liability.

Every credit score, every UPI transaction, every insurance claim is built on personal data. DPDPA treats that data as borrowed trust — not owned asset.

  • KYC data retained beyond onboarding purpose violates Section 8(7)
  • Credit scoring algorithms must comply with transparency obligations
  • NBFC loan data shared with recovery agents triggers third-party liability
  • Payment aggregators hold India’s largest personal data stores — with matching exposure
⚠ Security failure exposure: up to ₹250 Crores
Before DPDPA
KYC data retained indefinitely for fraud prevention
→ Retention must end when purpose ends. Section 8(7).
The Real Question
Your loan is repaid. Your customer's Aadhaar is still in your system from 2019.
Can you justify that retention to the Data Protection Board?
AMLEGALS Approach
Data mapping → Retention schedule → Consent audit → Vendor risk → DPBI readiness.
The five steps between you and ₹250 Crores.

Patient data is not a medical record. It is sacred.

A diagnosis shared without consent is not a privacy violation. Under DPDPA it is a statutory breach. Health data carries the highest duty of care — and the highest penalty exposure.

  • Telemedicine platforms must build consent architecture from day one
  • Patient records shared with insurers require explicit, specific, fresh consent
  • Mental health data, HIV status, genetic information treated with acute sensitivity
  • Health aggregators and wearables face Significant Data Fiduciary scrutiny
⚠ Breach notification failure: up to ₹200 Crores
The Scenario
Patient shared diagnosis with treating hospital
→ Hospital shared it with insurer without fresh consent. Section 6(1) violated.
The Boardroom Question
Who decides what patient data leaves your building?
If the answer takes more than 3 seconds, you have a governance failure.
AMLEGALS Approach
Consent lifecycle audit → Data sharing agreement review → Breach response protocol → DPO support.

Small business. Full obligation.

DPDPA 2023 has no SME exemption. A 20-employee company carries the same statutory obligations as a 20,000-employee enterprise. The penalty scale does not know your turnover.

  • Customer databases, purchase histories, and CRM data are personal data
  • Employee records — offer letters, medical leaves, performance reviews — all covered
  • WhatsApp used for business creates unstructured personal data liability
  • Vendor contacts require legitimate purpose documentation
⚠ Catch-all violation: up to ₹50 Crores
The Belief
We are too small to matter to regulators
→ The Data Protection Board has no minimum business size threshold. Section 2(i) applies to all.
The Reality Check
Your customer contact list. Your employee Aadhaar copies. Your delivery partner's numbers.
All personal data. All your responsibility. All covered.
AMLEGALS Approach
SME DPDPA Starter Pack → 30-day gap assessment → Privacy Policy → Employee data protocol.

Move fast. But not past the law.

Investor due diligence now includes DPDPA compliance. Enterprise clients are demanding Data Processing Agreements before signing. Growth built on non-compliant data is a liability.

  • App onboarding collecting PAN, Aadhaar, location — each requires specific consent
  • Growth retargeting without purpose-alignment is a statutory violation
  • Third-party SDKs in your app — you are the fiduciary responsible for their data use
  • Series A and beyond: compliance gaps discovered in due diligence kill valuations
⚠ Security + purpose violation: up to ₹250 Crores
Startup Assumption
Privacy compliance is a problem for after Series B
→ Non-compliant data architecture was discovered in due diligence. The round did not close.
What Investors Are Asking
Do you have a Privacy Policy reflecting actual data use? A DPA with your cloud provider?
No to either. Your valuation just dropped.
AMLEGALS Approach
Privacy-by-design audit → Consent flow review → DPA drafting → Investor-ready compliance certification.

The factory floor is a data floor now.

Manufacturing organisations collect worker biometrics, vendor contracts, and supply chain data across every shift. DPDPA treats all of it as personal data — with full statutory obligations attached.

  • Worker biometric data — fingerprints, retina scans, attendance records — requires explicit consent
  • Vendor and contractor personal data held for procurement requires lawful basis and purpose limitation
  • CCTV footage on the shop floor is personal data retention — subject to Section 8(7) erasure
  • IoT sensors and wearable monitoring of workers trigger data principal rights obligations
⚠ Biometric data + security safeguard failure: up to ₹250 Crores
The Assumption
Worker attendance biometrics are an operations tool — not personal data
→ Biometric data is personal data. Collecting it without consent violates Section 6.
The Supply Chain Gap
Your vendor's employee data shared during procurement. Your contractor's personal records held for compliance.
All personal data. All your fiduciary responsibility. All covered.
AMLEGALS Approach
Worker data consent framework → Biometric processing audit → Vendor DPA review → Retention schedule for CCTV and IoT data.

From classroom to platform — every learner is a data principal.

Educational institutions and EdTech platforms together hold the most sensitive and legally complex personal data in India — spanning minors, sensitive admissions records, biometric attendance, and decades of legacy data rarely audited or erased.

  • Admission data — income certificates, caste documents, medical records — is sensitive personal data with strict purpose limitation
  • EdTech platforms must obtain verifiable parental consent before processing any data of learners under 18
  • Alumni databases repurposed for fundraising or marketing violate DPDPA Section 6(2) purpose limitation
  • Behavioural analytics, learning patterns, and performance tracking on minors attract the highest regulatory scrutiny
  • Exam data and assessment results shared with third-party companies require formal Data Processing Agreements
⚠ Children’s data + purpose violation: up to ₹200 Crores
The EdTech Gap
Student signed up using school email — that is sufficient consent
→ A minor cannot give DPDPA-valid consent for themselves. Section 9 requires verifiable parental consent.
The Institutional Problem
Alumni data used for fundraising campaigns — always been done this way
→ Purpose was admission. Not fundraising. Section 6(2) violated.
AMLEGALS Approach
Parental consent framework → Legacy data audit → Retention policy → Research data protocol → Alumni consent re-architecture.

Every cart. Every click. Every return. A data trail.

E-commerce platforms generate the most granular consumer behavioural data in India — and distribute it across the widest ecosystem of sellers, logistics partners, and ad networks. DPDPA makes the platform responsible for all of it.

  • Purchase history profiling used for retargeting without declared lawful purpose
  • Third-party seller access to buyer personal data without Data Processing Agreements
  • Abandoned cart tracking and re-engagement without fresh consent
  • Delivery partner and logistics chain data sharing without DPA
  • Return and refund process collecting additional personal data beyond original purpose
⚠ Security + purpose violation: up to ₹250 Crores
The Platform Gap
Sellers on our marketplace handle their own buyer data — not our responsibility
→ The platform is the Data Fiduciary. Seller access to buyer data is your liability. Section 8 applies to you.
The Retargeting Problem
Customer browsed running shoes. Your ad network showed ads for 60 days across 12 platforms.
Each platform, each data share, each ad impression — a purpose not declared at consent.
AMLEGALS Approach
Seller DPA framework → Ad network data flow audit → Consent architecture rebuild → Retargeting purpose mapping.

Banking holds India's deepest personal data. DPDPA holds banks accountable.

Banks and NBFCs operate under a dual regulatory burden — RBI directives mandate data retention while DPDPA grants erasure rights. This unresolved tension has no safe harbour. Until rules clarify, both risks coexist.

  • Account statements and transaction histories shared with credit bureaus and analytics firms
  • Nomination and beneficiary personal data held without purpose review
  • Loan recovery communications sharing debtor personal data with collection agents
  • Fixed deposit and investment data shared with wealth management partners
  • Dormant account data retained for decades without statutory basis under DPDPA
⚠ Security safeguard failure: up to ₹250 Crores
The Dual-Regulator Conflict
RBI mandates we retain records for 8 years — DPDPA erasure rights cannot apply to us
→ No exemption issued. DPDPA Section 8(7) applies. The conflict is yours to navigate — not ignore.
The Collection Agent Problem
Loan defaulter's mobile number, address, and employment details shared with third-party recovery agents.
No DPA. No purpose limitation. Full DPDPA liability on the lending bank.
AMLEGALS Approach
RBI–DPDPA conflict mapping → Collection agent DPA → Credit bureau data sharing audit → Dormant account erasure protocol.

The claim file holds more than a number. It holds a life story.

Insurance processes some of the most sensitive personal data in India — health records for underwriting, claim investigation data shared with third-party investigators, motor accident reports, life insurance nominee data. The tension between IRDAI data retention mandates and DPDPA erasure rights mirrors the banking sector conflict — with no resolution in sight.

  • Health and medical records used for underwriting without specific DPDPA consent
  • Claim investigation data shared with third-party investigators and surveyors without DPA
  • Motor accident reports containing injury details, witness statements, and police FIR data
  • Life insurance nominee and beneficiary data processed without independent consent
  • Actuarial profiling using personal health data without declared DPDPA purpose
⚠ Health data + IRDAI conflict: up to ₹250 Crores
The Underwriting Gap
Customer shared medical history for policy issuance — standard process
→ Medical data used for actuarial profiling requires specific consent. General policy consent does not cover algorithmic health scoring. Section 6(1).
The Investigation Chain
Motor claim filed. Insurer shares accident report, medical bills, and police FIR with three investigation agencies.
No DPA with investigators. No consent for onward sharing. Each agency is a separate DPDPA liability point.
AMLEGALS Approach
IRDAI–DPDPA conflict mapping → Underwriting consent architecture → Investigation agency DPA framework → Nominee data protocol → Actuarial purpose audit.

Location. Call records. Browsing history. Telecom holds everything.

Telecom operators hold the most granular personal data of any sector in India — real-time location, call patterns, and browsing history for over a billion subscribers. DPDPA's obligations sit directly in tension with TRAI and DoT data retention mandates.

  • Call detail records and location data retained under TRAI mandates vs DPDPA erasure rights
  • Subscriber KYC and biometric onboarding data without purpose-limited retention
  • SIM swap fraud creating breach notification obligations under Section 8(6)
  • Mobile number portability processes sharing personal data across operators
  • Tower company access to subscriber location data for network optimisation
⚠ Security + breach notification: up to ₹250 Crores
The Statutory Conflict
TRAI requires us to retain CDRs for 1 year — we cannot comply with DPDPA erasure simultaneously
→ No DPDPA exemption for telecom exists. Both obligations apply. Legal architecture is required.
The SIM Swap Exposure
SIM swap fraud results in unauthorised access to customer's banking OTPs and accounts.
This is a personal data breach under Section 8(6). Notification to DPBI is mandatory.
AMLEGALS Approach
TRAI–DPDPA conflict architecture → Subscriber data purpose mapping → Breach notification protocol → SIM swap liability framework.

Clinical data cannot be erased once the study is complete.

Pharma faces DPDPA's most operationally impossible obligation — retrospective consent withdrawal by clinical trial participants creates erasure demands that would invalidate completed research. No exemption exists. No rule has been issued.

  • Clinical trial participant data — consent, withdrawal rights, and post-trial erasure
  • Patient health records accessed for pharmacovigilance without re-consent
  • Adverse drug reaction data containing personal health information shared with regulators
  • Medical representative personal data in sales force management systems
  • Distributor and stockist personal data without lawful basis
⚠ Health data + security failure: up to ₹250 Crores
The Trial Data Impossibility
Participant withdrew consent — we erased their data from our records
→ Erasing trial data post-study invalidates the research integrity. DPDPA has no carve-out. Legal architecture is the only solution.
The Pharmacovigilance Gap
Adverse event reported by patient contains name, diagnosis, and treatment history.
Mandatory CDSCO reporting vs DPDPA data minimisation. Both apply. Neither yields.
AMLEGALS Approach
Trial consent architecture → Pharmacovigilance data protocol → CDSCO–DPDPA conflict mapping → MR data purpose audit.

Passport copies. Dietary restrictions. Guest preferences. All personal data.

Hotels collect government IDs under legal mandate but retain them far beyond check-out. Loyalty programmes build detailed personal profiles across stays. Dietary restrictions constitute sensitive health data. DPDPA covers all of it.

  • Passport and government ID copies stored beyond statutory check-out requirement
  • Loyalty programme data shared with affiliate hotels and travel partners
  • Food allergy and dietary restriction data as sensitive personal health information
  • Guest feedback and review data used for profiling without declared purpose
  • Event and wedding data containing extensive third-party personal information
⚠ Sensitive data retention: up to ₹50 Crores
The ID Retention Problem
We keep passport scans on file for all guests — standard industry practice
→ Retention beyond the check-out purpose violates Section 8(7). Industry practice is not a statutory defence.
The Loyalty Data Gap
Guest's stay preferences, meal orders, and room requests shared across 47 affiliated properties.
No consent for cross-property sharing. No DPA with affiliates. Full fiduciary liability on the primary hotel.
AMLEGALS Approach
ID retention schedule → Loyalty data DPA framework → Dietary data classification → Affiliate data sharing audit.

The vehicle is now a data collection device on wheels.

Connected vehicles process real-time location, driving behaviour, fuel consumption, and in-cabin audio data. The OEM is a Data Fiduciary for every Indian driver — regardless of where their servers are located. DPDPA applies extraterritorially.

  • Vehicle telematics and real-time GPS location data transmitted to OEM servers
  • Driving behaviour scores shared with insurance partners for dynamic pricing
  • Customer test drive data collected and retained post-purchase decision
  • Fleet management systems processing driver personal data and route history
  • EV charging network data linking vehicle identity to driver location history
⚠ Telematics + location data: up to ₹250 Crores
The OEM Extraterritoriality Problem
Our servers are in Germany — Indian DPDPA does not apply to our data processing
→ DPDPA applies to processing of personal data of Indian residents regardless of server location. Section 3.
The Insurance Sharing Gap
Driving behaviour score — harsh braking, speed, night driving — shared with insurer for premium calculation.
Specific consent required. Not covered by vehicle purchase agreement. DPDPA Section 6(1) applies.
AMLEGALS Approach
Telematics consent framework → Insurance data sharing DPA → Fleet driver data protocol → EV charging data purpose mapping.

The algorithm is the product. The algorithm runs on your personal data.

OTT platforms, news apps, and broadcasters build recommendation engines on viewing history, search behaviour, and watch-time data. Under DPDPA, every data point feeding the algorithm requires a declared lawful purpose. Most platforms have none documented.

  • Viewing history and content preference profiling without explicit purpose declaration
  • Behavioural targeting advertising using personal data without specific consent
  • Children's content consumption data processed without parental consent
  • News app reader profiling shared with political advertising partners
  • Subscriber payment data retained beyond subscription period
⚠ Profiling + children’s data: up to ₹200 Crores
The Algorithm Problem
Our recommendation engine improves user experience — it is not "processing" in the DPDPA sense
→ Every data point consumed by the algorithm is personal data being processed. Section 2(x). Purpose must be declared.
The Children's OTT Gap
Family subscription. Child uses parent's account. OTT platform profiles viewing behaviour.
No parental consent for minor's data. Section 9 violated. Up to ₹200 Crores.
AMLEGALS Approach
Algorithm purpose audit → Behavioural ad consent framework → Children's profile detection protocol → Subscriber data retention schedule.

Buyer data flows through a chain with no Data Processing Agreements.

Property transactions involve a chain of developers, brokers, co-brokers, and channel partners — all handling the same buyer's personal data. None of them have DPAs with each other. All of them are exposed. DPDPA makes the primary developer the first fiduciary.

  • KYC and income documents retained after sale completion without erasure schedule
  • Buyer data shared across co-broker and channel partner networks without DPAs
  • PropTech CRM platforms processing buyer personal data without lawful basis
  • Tenant and rental agreement personal data in property management systems
  • Real estate investment personal data shared with REIT fund managers
⚠ Data sharing without DPA: up to ₹50 Crores
The Broker Chain Problem
The buyer gave consent to the developer — the broker chain is not our responsibility
→ Every entity in the chain that received buyer data is a Data Fiduciary or Processor. DPDPA obligations flow through the chain.
The Post-Sale Retention Gap
Property sale completed in 2019. Buyer's income certificate, PAN, and Aadhaar still on developer's server.
Purpose ended at registration. Retention since then violates Section 8(7).
AMLEGALS Approach
Broker chain DPA framework → Post-sale retention schedule → PropTech platform audit → REIT data sharing protocol.

Passenger manifests. Customs declarations. All statutory conflicts with DPDPA.

Aviation operates under DGCA and customs regulations mandating passenger data retention for 5 years. DPDPA grants erasure rights. No exemption has been issued. The conflict is live — and airlines must navigate it without a safe harbour.

  • Passenger Name Records retained for 5 years under DGCA vs DPDPA erasure rights
  • Customs and immigration declaration data shared with multiple government agencies
  • Frequent flyer programme data shared with hotel and car rental partners
  • Cargo consignee personal data retained in logistics systems beyond delivery
  • Courier and last-mile delivery address data shared across sub-contractor networks
⚠ Cross-border + statutory conflict: up to ₹250 Crores
The DGCA Conflict
DGCA requires us to retain passenger records for 5 years — DPDPA erasure requests cannot be honoured
→ No DPDPA exemption for DGCA retention exists. Both obligations apply simultaneously. Legal architecture required.
The Logistics Chain Gap
Courier delivers package. Consignee name, address, and mobile shared across four sub-contractors.
No DPA in the chain. No purpose limitation. Primary courier is the liable Data Fiduciary.
AMLEGALS Approach
DGCA–DPDPA conflict mapping → PNR retention legal architecture → Logistics chain DPA → Cargo data purpose audit.

Farmer data. Rural consent. The most vulnerable data principals in India.

Agritech platforms and rural FMCG distribution networks process data from India's most vulnerable data principals — farmers and rural consumers who may lack digital literacy, making informed and meaningful consent structurally impossible without vernacular-language mechanisms.

  • Farmer income, land record, and crop data on digital lending and insurance platforms
  • Rural consumer profiling without meaningful vernacular-language consent
  • Crop insurance claim data shared with reinsurers without data sharing agreements
  • FMCG distributor and retailer personal data in sales force automation systems
  • Agricultural IoT sensor data linking land identity to individual farmers
⚠ Vulnerable principal + purpose: up to ₹50 Crores
The Consent Impossibility
Farmer clicked agree on the app — valid consent obtained
→ Consent must be informed. A farmer with limited digital literacy clicking a button in English is not informed consent. Section 6(1) requires more.
The Insurance Data Chain
Crop insurance claim filed. Farmer's land data, income, and yield history shared with reinsurer and government portal.
No farmer consent for onward sharing. Each share is a separate DPDPA violation.
AMLEGALS Approach
Vernacular consent framework → Farmer data purpose map → Insurance data DPA → IoT sensor data classification → Rural FMCG data protocol.

The player is a minor. The data is real. The consent is absent.

India's online gaming sector processes children's data at scale — age verification gaps, in-app purchase behavioural profiling, real-money gaming KYC. Section 9 (children's data) and Section 6 (consent for behavioural targeting) create acute exposure that most gaming companies have not mapped.

  • Minors using parents’ credentials — no verifiable parental consent, no age-gate
  • In-app purchase behavioural profiling of users without declared lawful purpose
  • Real-money gaming KYC data — Aadhaar, PAN — retained beyond verification purpose
  • Player behaviour analytics and addiction pattern data shared with advertisers
  • Esports tournament participant data shared across organiser, sponsor, and broadcaster
⚠ Children’s data + behavioural profiling: up to ₹200 Crores
The Age-Gate Failure
User entered date of birth showing 18+ — age verification complete
→ Self-declared age is not verifiable parental consent. A 14-year-old typing "1999" does not satisfy Section 9. DPDPA requires more.
The Monetisation Problem
Player spending patterns, session duration, and in-app purchase history profiled for targeted loot box offers.
Behavioural profiling without declared purpose. If player is a minor — Section 9 violation. Up to ₹200 Crores.
AMLEGALS Approach
Age verification architecture → Parental consent framework → In-app data purpose mapping → Esports participant DPA → Advertising data sharing audit.

The resume was submitted for a job. Not for perpetual retention.

HR Tech platforms, recruitment portals, and background verification agencies hold resume databases with millions of data principals. Candidate data retained after rejection, employee records shared with payroll processors, and background checks accessing Aadhaar and criminal records — all without DPDPA-compliant architecture.

  • Candidate resumes and application data retained indefinitely after rejection — purpose ended
  • Background verification accessing Aadhaar, criminal records, and employment history without specific consent
  • Employee payroll data shared with third-party processors without Data Processing Agreements
  • Performance review and appraisal data used for algorithmic HR decisions
  • Exit interview data and separation records retained without statutory basis
⚠ Purpose violation + retention: up to ₹250 Crores
The Retention Impossibility
We keep all resumes in our database for future openings — industry standard
→ Purpose was a specific job application. Retention for undefined future use violates Section 8(7). Industry practice is not a DPDPA defence.
The BGV Chain
Background verification agency accesses candidate's Aadhaar, criminal records, and three previous employers.
No specific consent for each data source. No DPA with verification agency. Full liability on the hiring company.
AMLEGALS Approach
Candidate data lifecycle mapping → BGV consent architecture → Payroll processor DPA → Retention schedule for rejected applications → Exit data protocol.

Eight lakh societies. Zero DPDPA awareness. Full statutory obligation.

India has over 8 lakh cooperative societies — housing, credit, dairy, agricultural. They collect member Aadhaar, bank details, family data, share certificates — all on paper registers, basic Excel sheets, or rudimentary software. Zero DPDPA awareness. Full statutory obligation. The most non-compliant data fiduciaries in India by volume.

  • Member Aadhaar, PAN, and bank account details collected without any consent mechanism
  • Share transfer records containing family and nominee personal data without purpose limitation
  • Housing society maintenance records linking flat ownership to personal financial data
  • Credit society loan data — income proof, guarantor details — retained indefinitely
  • Dairy and agricultural cooperative member data shared with government subsidy portals without DPA
⚠ No compliance infrastructure: up to ₹50 Crores
The Awareness Gap
We are a housing society, not a company — DPDPA does not apply to us
→ DPDPA applies to every entity processing personal data. A housing society collecting Aadhaar copies is a Data Fiduciary. Section 2(i) makes no exception.
The Paper Register Problem
Member register contains Aadhaar numbers, bank details, and family information. Kept in an unlocked office drawer.
No security safeguards. No access controls. No breach detection. Section 8(5) violated before a single digital system is involved.
AMLEGALS Approach
Cooperative DPDPA awareness programme → Member consent framework → Data digitisation protocol → Security safeguard implementation → Government data sharing audit.

Beneficiary data is not a reporting metric. It is a sacred trust.

NGOs, non-profits, and social sector organisations process data from India’s most vulnerable populations — children in welfare programmes, disaster relief beneficiaries, health intervention patients. Many share this data with international funders without DPAs, creating cross-border exposure under both DPDPA and FCRA.

  • Beneficiary health data, income records, and family information collected without informed consent
  • Child welfare programme data — names, photographs, school records — shared in donor reports
  • Disaster relief data containing Aadhaar, location, and medical condition shared across multiple agencies
  • International funder reporting containing personal data transferred cross-border without DPDPA compliance
  • Volunteer and donor personal data used for fundraising without declared purpose
⚠ Vulnerable principals + cross-border: up to ₹250 Crores
The Donor Report Problem
We share beneficiary stories with photos in our annual report to donors — it shows impact
→ Beneficiary photographs and personal stories are personal data. Sharing without specific consent violates Section 6. Cross-border transfer to foreign donors adds Section 16 exposure.
The FCRA–DPDPA Intersection
FCRA-regulated NGO shares beneficiary data with international funder in quarterly reports.
FCRA mandates reporting. DPDPA restricts cross-border transfer. No exemption issued. Dual compliance required.
AMLEGALS Approach
Beneficiary consent framework → Donor reporting data anonymisation protocol → FCRA–DPDPA conflict mapping → Volunteer data lifecycle → Child data protection architecture.

Smart meters read more than consumption. They read behaviour.

Smart meters, prepaid electricity systems, and renewable energy platforms collect granular consumption data that reveals household occupancy patterns, daily routines, and appliance usage. State electricity boards hold millions of Aadhaar-linked consumer accounts. DPDPA applies to every unit of data — not just every unit of power.

  • Smart meter data revealing household occupancy patterns and daily routines
  • Aadhaar-linked consumer accounts in state electricity board databases
  • Prepaid meter recharge data containing payment and location information
  • Rooftop solar customer data shared with grid operators and subsidy portals
  • EV charging station data linking vehicle identity to driver location and payment
⚠ Behavioural data + Aadhaar linkage: up to ₹250 Crores
The Smart Meter Exposure
Smart meter data is consumption data — not personal data
→ Consumption patterns linked to a household identity reveal occupancy, routine, and lifestyle. This is personal data under DPDPA. Section 2(t) defines it broadly.
The Subsidy Chain
Rooftop solar subsidy application contains Aadhaar, bank details, property documents, and electricity bill history. Shared with DISCOM, MNRE, and state nodal agency.
No DPA between agencies. No consent for multi-agency sharing. Each share is a separate DPDPA event.
AMLEGALS Approach
Smart meter data classification → Aadhaar-linked account audit → Subsidy data DPA framework → EV charging data purpose mapping → Grid operator data sharing protocol.

Your heart rate.
Your weight. Your sleep.
All personal data.

Gym chains, fitness apps, and wellness platforms process biometric and health data at scale — heart rate, body composition, sleep patterns, calorie intake. Wearable integrations transmit real-time health data to servers that most users never consented to. DPDPA treats every health metric as personal data with full statutory obligations.

  • Biometric data — heart rate, body composition, VO2 max — collected via wearable integration
  • Health and fitness goals containing medical conditions and dietary restrictions
  • Membership data including payment information, attendance patterns, and personal training records
  • Wearable device data transmitted to third-party servers without explicit user consent
  • Gym CCTV footage containing identifiable members in workout settings
⚠ Health data + biometric: up to ₹250 Crores
The Wearable Consent Gap
User connected their fitness band to our app — consent obtained via app terms
→ App terms covering general use do not constitute specific consent for real-time health data transmission to third-party servers. Section 6(1) requires informed, specific consent.
The Health Profile Problem
Fitness app stores user's weight history, blood pressure readings, injury records, and dietary preferences.
This is health data. Shared with a nutrition partner for marketing. No specific consent. No DPA. Full DPDPA exposure.
AMLEGALS Approach
Wearable data consent architecture → Health data classification → Third-party integration DPA → Membership data retention schedule → CCTV footage protocol.

Shared space.
Shared access.
Shared liability.

Coworking spaces and managed offices process visitor logs, biometric access records, CCTV footage, and tenant company employee data flowing through shared infrastructure. The coworking operator becomes a Data Fiduciary for every individual who walks through the door — their own tenants, visiting clients, delivery personnel, and event attendees.

  • Visitor registration collecting government ID, photograph, and contact data at reception
  • Biometric access systems — fingerprint, facial recognition — for shared office entry
  • CCTV surveillance across common areas capturing all occupants without individual consent
  • Tenant company employee data flowing through shared Wi-Fi, printers, and access systems
  • Event and conference attendee data collected for access but retained for marketing
⚠ Biometric + surveillance: up to ₹250 Crores
The Shared Infrastructure Problem
Our tenants are responsible for their own employees’ data — we just provide the space
→ The coworking operator processes biometric access data, CCTV footage, and visitor logs for all occupants. You are the Data Fiduciary for that processing. Section 2(i).
The Visitor Data Trail
Visitor registers at reception with Aadhaar copy and photograph. Data retained for 3 years. Used for marketing mailers.
Purpose was building access. Marketing is a separate purpose. Retention for 3 years has no statutory basis. Two DPDPA violations in one visitor entry.
AMLEGALS Approach
Visitor data consent framework → Biometric access audit → CCTV retention schedule → Tenant data segregation protocol → Event attendee data lifecycle mapping.
Sector Intelligence

Every sector.
One law. Different stakes.

The obligation under DPDPA is uniform. The exposure is not. Each sector below sets out its specific risk terrain, unique legal challenges, and maximum penalty exposure.

🏦
Fintech
KYC · Credit · Payments

Every loan, UPI transaction, and insurance claim is a consent event under DPDPA.

DPDPA Exposure Points
  • KYC data retained beyond onboarding purpose
  • Credit profiles shared with co-lending partners
  • Recovery agent data transfer liability
  • Third-party payment SDK responsibility
Unique Aspect
Fintech is the only sector where consent, purpose, and security obligations collide simultaneously in a single customer journey — from onboarding to collection.
Security failure exposure: up to ₹250 Crores
🏥
Healthcare
Hospitals · Telemedicine · Diagnostics

A diagnosis shared without consent is not negligence under DPDPA — it is a statutory breach.

DPDPA Exposure Points
  • Patient records shared with insurers without fresh consent
  • Telemedicine platforms without consent architecture
  • Health data sold to pharma for research
  • Wearable and wellness app data flows
Unique Aspect
Healthcare is unique because the data principal (patient) often cannot meaningfully withhold consent in an emergency — creating a legal grey zone DPDPA is yet to address through rules.
Breach notification failure: up to ₹200 Crores
🏗️
Manufacturing
Plants · Supply Chain · Industrial

The factory floor is now a data compliance zone — biometrics, IoT, and vendor records all covered.

DPDPA Exposure Points
  • Worker biometric attendance data without consent
  • Vendor and contractor personal records
  • CCTV footage retained beyond operational purpose
  • IoT wearable monitoring of employees
Unique Aspect
Manufacturing is distinctive because the data principal (worker) and the data fiduciary (employer) share the same physical premises every shift, making coercive consent a systemic risk.
Biometric + security failure: up to ₹250 Crores
🚀
Startups
SaaS · D2C · App · Platform · B2B

Growth built on non-compliant data is a liability, not a moat. Investors are asking.

DPDPA Exposure Points
  • App onboarding consent not specific or informed
  • Third-party SDK data responsibility
  • Series funding due diligence readiness
  • User retargeting purpose misalignment
Unique Aspect
Startups face a dual compliance burden — DPDPA obligations to Indian users AND GDPR-equivalent duties to EU customers — often with a single privacy policy that satisfies neither.
Combined violation exposure: up to ₹250 Crores
🏭
SME
Manufacturing · Retail · Services · Trade

DPDPA has no SME exemption. A 15-employee shop with a customer database has full obligations.

DPDPA Exposure Points
  • Customer data in WhatsApp groups and Excel sheets
  • Employee Aadhaar and medical leave records
  • Vendor contact data without lawful basis
  • CCTV footage without retention schedule
Unique Aspect
SMEs uniquely store personal data across informal channels — WhatsApp, Google Sheets, email drafts — that are invisible to any compliance audit but fully covered by DPDPA.
Catch-all breach: up to ₹50 Crores
💼
Services
IT · BPO · HR · Consulting · Professional

Service firms process client data as Data Processors under a Section 8(2) contract and are Data Fiduciaries for their own employees’ data. The client’s liability does not erase yours.

DPDPA Exposure Points
  • Client personal data retained post-engagement
  • HR outsourcing payroll and medical data
  • BPO customer processing without valid DPA
  • Call centre agent access to sensitive records
Unique Aspect
Service sector firms are uniquely exposed as both Data Processors (for clients) and Data Fiduciaries (for their own employees) — creating a double-layer compliance obligation.
Purpose + security failure: up to ₹250 Crores
🏫
Education & EdTech
Universities · Schools · EdTech Platforms

Every learner is a data principal. DPDPA treats minors with zero tolerance.

DPDPA Exposure Points
  • EdTech minor data without verifiable parental consent
  • Alumni databases for fundraising campaigns
  • Behavioural analytics on learners under 18
  • Exam data shared with third-party assessors
Unique Aspect
Education is unique because data collected for one purpose (admission) routinely migrates to another (alumni fundraising, marketing, research) without re-consent — a systemic DPDPA violation.
Children’s data + purpose violation: up to ₹200 Crores
🛒
E-Commerce
Retail · D2C · Marketplace · Quick Commerce

Every cart, every delivery, every review is personal data. The data trail never ends.

DPDPA Exposure Points
  • Purchase history profiling without declared purpose
  • Third-party seller access to buyer data
  • Abandoned cart retargeting without re-consent
  • Delivery partner data sharing without DPA
Unique Aspect
E-commerce platforms are uniquely exposed through third-party seller ecosystems — the platform is the Data Fiduciary but has limited control over how sellers handle buyer data they receive.
Security + purpose violation: up to ₹250 Crores
🏦
Banking & NBFC
PSB · Private Banks · NBFCs · Cooperative Banks

Banking holds India's deepest personal financial data — and DPDPA's most precise obligations.

DPDPA Exposure Points
  • Account data shared with credit bureaus and co-lenders
  • Nomination and beneficiary personal data
  • Safe deposit locker and vault access records
  • Loan recovery communication with third parties
Unique Aspect
Banks are uniquely regulated under both RBI directives and DPDPA — creating a dual-regulator compliance obligation where a conflict between RBI retention requirements and DPDPA erasure rights has no settled resolution.
Security safeguard failure: up to ₹250 Crores
📱
Telecom
ISP · Mobile Operators · Tower Companies

Telecom operators hold location, call, and browsing data for millions — the most granular personal data in India.

DPDPA Exposure Points
  • Call detail records and location data retention
  • TRAI-mandated data sharing vs DPDPA purpose limits
  • Subscriber KYC and biometric onboarding
  • SIM swap fraud creating breach liability
Unique Aspect
Telecom is uniquely caught between mandatory data retention under TRAI/DoT rules and erasure obligations under DPDPA — a direct statutory conflict requiring legal architecture to navigate.
Security + breach notification: up to ₹250 Crores
💊
Pharma
Drug Makers · Clinical Research · Distributors

Clinical trial data, patient health records, and research participant consent — all now under DPDPA.

DPDPA Exposure Points
  • Clinical trial participant data consent and withdrawal
  • Patient health records used for R&D without re-consent
  • Distributor and MR personal data management
  • Adverse drug reaction reporting with patient data
Unique Aspect
Pharma is unique because retrospective consent withdrawal by clinical trial participants creates an operational impossibility — data used in completed trials cannot be practically erased without invalidating the study.
Health data + security: up to ₹250 Crores
🏨
Hospitality
Hotels · Restaurants · Travel · Events

Guest profiles, passport copies, dietary restrictions, and loyalty data — all personal data under DPDPA.

DPDPA Exposure Points
  • Passport and ID copies stored beyond check-out
  • Guest preference profiles shared with affiliates
  • Event attendee data used for future marketing
  • Food preference data that reveals health conditions or religion
Unique Aspect
Hospitality is unique because passport and government ID data is routinely collected under legal mandate but retained far beyond statutory requirement — a DPDPA erasure violation hiding in plain sight.
Sensitive data retention: up to ₹50 Crores
🚗
Automobile
OEMs · Dealerships · EV · Fleet Management

Connected vehicles, GPS tracking, and customer test drive data — the automobile sector's data footprint is expanding rapidly.

DPDPA Exposure Points
  • Vehicle telematics and real-time location data
  • Customer test drive data retained post-purchase
  • Service record data shared with insurance partners
  • Fleet management driver monitoring and behaviour data
Unique Aspect
The automobile sector faces a novel DPDPA challenge — the vehicle itself is a data collection device. OEMs processing in-vehicle data from Indian residents become Data Fiduciaries regardless of where their servers are located.
Telematics + location data: up to ₹250 Crores
📺
Media & OTT
Streaming · News · Broadcasting · Publishing

Viewing habits, search history, and subscriber profiles — OTT platforms hold behavioural gold mines with DPDPA liability.

DPDPA Exposure Points
  • Viewing history and content preference profiling
  • Subscriber payment data and renewal automation
  • Targeted advertising using behavioural data
  • Children's content consumption without parental consent
Unique Aspect
Media platforms face a unique challenge — the algorithm is the product, and the algorithm is built on personal data. Under DPDPA, every recommendation engine must have a declared lawful purpose for every data point it consumes.
Profiling + children’s data: up to ₹200 Crores
🏢
Real Estate
Developers · Brokers · PropTech · REITs

Property buyers share income statements, PAN, Aadhaar, and family data during purchase — all personal data.

DPDPA Exposure Points
  • KYC and income data retained after sale completion
  • Buyer data shared with co-brokers and channel partners
  • Property management tenant data and access records
  • PropTech platform data sold to financial service partners
Unique Aspect
Real estate is unique because buyer personal data is shared across a chain of agents, co-brokers, and developers — none of whom have DPAs with each other, creating collective DPDPA liability with no clear primary fiduciary.
Data sharing without DPA: up to ₹50 Crores
✈️
Aviation & Logistics
Airlines · Cargo · Courier · Supply Chain

Passenger manifests, customs declarations, and delivery address databases — aviation and logistics hold deeply personal data at scale.

DPDPA Exposure Points
  • Passenger PNR and travel history retention
  • Cargo and customs declaration personal data
  • Delivery address and contact data across courier chains
  • Driver and field staff biometric check-in systems
Unique Aspect
Aviation is uniquely governed by DGCA requirements mandating passenger data retention for 5 years — directly conflicting with DPDPA’s erasure rights. No exemption has been issued. No resolution exists.
Cross-border + sensitive data: up to ₹250 Crores
🌾
Agritech & FMCG
AgriPlatforms · Rural Finance · FMCG · Distribution

Farmer data, land records, crop insurance information — Agritech is processing some of India's most vulnerable data principals.

DPDPA Exposure Points
  • Farmer income and land data on digital platforms
  • Rural consumer profiling without meaningful consent
  • Crop insurance claim data shared with reinsurers
  • Distribution network and retailer personal data
Unique Aspect
Agritech uniquely processes data from rural data principals who may lack digital literacy — making informed consent structurally impossible without vernacular-language, accessible consent mechanisms not yet standard in the industry.
Vulnerable data principal exposure: up to ₹50 Crores
🛡️
Insurance
Life · General · Health · Reinsurance · Brokers

Insurance underwrites risk using deeply personal data — medical histories, genetic predispositions, income, lifestyle habits, and family structures.

DPDPA Exposure Points
  • Medical underwriting data retained indefinitely post-rejection
  • Claims investigation accessing third-party hospital records
  • Nominee and beneficiary data processed without their consent
  • Agent networks sharing policyholder data across insurers
Unique Aspect
Insurance is uniquely exposed because underwriting inherently requires processing sensitive health and financial data of data principals who never become customers — rejected applicants whose data sits in actuarial databases with no legal basis for retention under DPDPA.
Sensitive personal data misuse: up to ₹250 Crores
🎮
Gaming & Esports
Online Gaming · Esports · Fantasy Sports · In-App

Gaming platforms process player behavioural data, spending patterns, location, device identifiers, and — for minors — data requiring verifiable parental consent under DPDPA.

DPDPA Exposure Points
  • Minor player data processed without verifiable parental consent
  • In-game purchase and spending pattern profiling
  • Behavioural tracking and engagement manipulation algorithms
  • Cross-border data transfers to foreign game publishers
Unique Aspect
Gaming is uniquely problematic because a disproportionate percentage of players are children — Section 9 of DPDPA mandates verifiable parental consent, but most gaming platforms use self-declaration age gates that satisfy neither the letter nor the spirit of the law.
Child data non-compliance: up to ₹200 Crores
👥
HR Tech & Recruitment
HRMS · ATS · Payroll · Background Verification

HR Tech platforms process the most intimate employment data — salary slips, performance reviews, medical leave records, background checks, and biometric attendance.

DPDPA Exposure Points
  • Candidate data retained years after rejection
  • Background verification accessing criminal and credit records
  • Employee health data in wellness programmes without consent
  • Exit interview data repurposed for organisational analytics
Unique Aspect
HR Tech is uniquely dangerous because the power asymmetry between employer and employee makes "free" consent structurally impossible — employees cannot meaningfully refuse data processing when their livelihood depends on compliance, making every workplace consent mechanism suspect under DPDPA Section 6.
Employee data mishandling: up to ₹50 Crores
🏘️
Cooperatives & Housing
Housing Societies · Credit Cooperatives · PACS · Federations

Cooperatives hold member financial data, property ownership records, voting histories, and defaulter lists — processing personal data of millions with minimal digital governance.

DPDPA Exposure Points
  • Member financial data in digitised ledgers without access controls
  • Defaulter lists published without lawful basis
  • Property ownership and family data shared with managing agents
  • Credit cooperative loan data transferred to recovery agents
Unique Aspect
Cooperatives are uniquely vulnerable because they are governed by state-level Cooperative Acts with no data protection provisions — creating a regulatory vacuum where DPDPA obligations exist but institutional awareness and compliance infrastructure are virtually absent.
Unstructured personal data exposure: up to ₹50 Crores
🤝
NGO & Non-Profit
Charities · Foundations · Social Enterprises · Think Tanks

NGOs process beneficiary data including health status, caste, religion, disability, and economic vulnerability — the most sensitive categories of personal data imaginable.

DPDPA Exposure Points
  • Beneficiary data including caste, religion, and disability status
  • Donor PAN and financial data retained beyond statutory periods
  • Field survey data collected from vulnerable populations
  • Data shared with international funding partners across borders
Unique Aspect
NGOs are uniquely exposed because their beneficiaries are often the most vulnerable data principals in society — persons with disabilities, children, tribal communities — for whom DPDPA mandates the highest standard of consent and processing governance, yet most NGOs operate with zero data protection infrastructure.
Vulnerable principal data: up to ₹200 Crores
Energy & Utilities
Power · Gas · Water · Renewable · Smart Grid

Energy utilities process household consumption data, smart meter readings, payment histories, and Aadhaar-linked subsidy records — mapping the daily life patterns of every connected household.

DPDPA Exposure Points
  • Smart meter data revealing household occupancy and lifestyle patterns
  • Aadhaar-linked subsidy and payment records
  • Consumer complaint data shared with outsourced call centres
  • Renewable energy installation data including property and income details
Unique Aspect
Energy utilities are uniquely positioned because smart metering creates granular behavioural profiles of household activity patterns — energy consumption data reveals when residents are home, their appliance usage, and lifestyle habits, making it personal data under DPDPA even though utilities have never treated it as such.
Household surveillance data: up to ₹50 Crores
🏋️
Sports & Fitness
Gyms · Sports Academies · Wearables · Wellness Apps

Fitness platforms and sports organisations process biometric data, health metrics, GPS tracking, body composition, and minor athlete data at unprecedented scale.

DPDPA Exposure Points
  • Biometric and body composition data from gym equipment and wearables
  • Minor athlete data processed by academies without parental consent
  • GPS and location tracking during outdoor fitness activities
  • Health metrics shared with insurance and corporate wellness partners
Unique Aspect
Sports and fitness is uniquely problematic because wearable devices and fitness apps collect continuous biometric data streams — heart rate, sleep patterns, menstrual cycles, stress levels — that are personal data under DPDPA (the Act draws no separate "sensitive" category, so the full consent and security obligations attach to every reading) but are routinely shared with third-party analytics and advertising platforms without specific consent.
Biometric data misuse: up to ₹200 Crores
🏢
Coworking & Managed Offices
Coworking · Managed Offices · Virtual Offices · Business Centres

Coworking spaces process visitor logs, biometric access data, CCTV footage, Wi-Fi usage logs, and corporate client employee data — functioning as data processors for hundreds of tenant companies simultaneously.

DPDPA Exposure Points
  • Biometric access control data for daily entry and exit
  • CCTV footage capturing tenant employees and visitors
  • Wi-Fi network logs tracking browsing and device data
  • Visitor management systems collecting government ID copies
Unique Aspect
Coworking is uniquely complex because a single operator simultaneously acts as data processor for hundreds of tenant organisations — each tenant’s employees are data principals whose data is processed under the tenant’s fiduciary obligations, but the coworking operator controls the processing infrastructure, creating layered DPDPA accountability that no standard lease agreement addresses.
Multi-tenant processing liability: up to ₹50 Crores
The Convergence Imperative

Why Every Sector Needs
Specialised DPDPA Architecture

DPDPA does not differentiate by sector — but compliance necessarily must. A hospital's consent architecture cannot mirror a fintech's. A gaming platform's child data protocol cannot borrow from manufacturing. The statute is uniform; the implementation is irreducibly sector-specific.

🗺️
Data Mapping
Every sector generates different categories of personal data through different processing activities. Without sector-specific data flow mapping, organisations cannot identify what they hold, why they hold it, or whether they have lawful basis to continue.
📋
Consent Architecture
Section 6 mandates free, specific, informed, and unconditional consent — but "informed" means different things for a hospital patient, a gig worker, a rural farmer, and a minor gamer. Consent design must reflect the data principal's actual capacity and context.
🔗
Vendor Governance
Data Processing Agreements under DPDPA must specify purpose limitation, retention schedules, and breach notification obligations. Each sector has distinct vendor ecosystems — pharma CROs, logistics subcontractors, fintech API partners — requiring tailored contractual frameworks.
🚨
Breach Readiness
Section 8(6) mandates breach notification to the Board and affected data principals. A healthcare breach involving patient records demands different response protocols than a retail breach involving purchase histories. Sector context determines severity, urgency, and regulatory expectation.
📦
Evidence Packaging
When the Data Protection Board adjudicates, it evaluates documented evidence — not intentions. PRAMAANA™-grade evidence packaging must demonstrate sector-appropriate consent records, data maps, DPAs, breach logs, and governance documentation that reflect the specific processing reality of the organisation.

These five pillars are not independent obligations — they are interconnected systems. A consent architecture built without data mapping is incomplete. A breach protocol without evidence packaging is performative. Vendor governance without purpose limitation is contractually hollow. DPDPA compliance is a unified, sector-calibrated system — not a checklist.

Practical Perspective & Challenges
01
Most organisations discover their
DPDPA gaps only after the regulator does.
The common challenge is not ignorance of the law. It is the assumption that existing privacy policies and IT security controls constitute compliance. They do not. DPDPA demands documented consent architecture, mapped data flows, and evidence-ready governance — not policy documents that sit in folders.
83%
of Indian enterprises have no
formal data mapping in place
Practical Perspective & Challenges
02
Consent is being collected.
But it is not being understood.
Across sectors — from fintech onboarding flows to hospital admission forms — consent is treated as a checkbox to be ticked, not a legal relationship to be maintained. DPDPA Section 6 requires consent to be free, specific, informed, and unconditional. Most consent mechanisms in India today do not satisfy all four conditions at once.
Section 6
Four conditions. Most organisations
currently satisfy fewer than two.
Practical Perspective & Challenges
03
The Board does not evaluate
your intent. It evaluates your evidence.
The Data Protection Board of India has quasi-judicial powers. It does not conduct advisory reviews. It adjudicates. The organisation that walks into a Board proceeding with documented consent records, a completed data map, a tested breach response protocol, and a PRAMAANA™-grade evidence package walks out differently from the one that brings a website privacy policy and good intentions.
₹250Cr
Maximum exposure per breach event.
Intentions are not a defence.
Original IP

PRAMAANA™
Evidence Readiness
Framework

The Data Protection Board does not evaluate your intentions. It evaluates your evidence. PRAMAANA™ builds that evidence — systematically, defensibly, before a breach, not after.

Developed by AMLEGALS from first principles of Indian procedural law. Not adapted from any third-party framework. Original jurisprudential architecture.

PRAMAANA™ — The Proof Standard
Evidence-first compliance architecture for DPDPA 2023. Every document, process, and decision — built to withstand Board scrutiny.
📍
Purposeful Processing
Every data touchpoint mapped to a lawful basis. No gaps. No assumptions.
🔐
Rights Architecture
Data principal rights operationalised — access, correction, erasure, grievance.
⚖️
Adjudication Readiness
Documentation that speaks the language of the Data Protection Board.
🔄
Managed Accountability
Governance structure with named owners, documented decisions, and audit trails.
🛡️
Adaptive Controls
Security and breach response mechanisms that evolve with your data footprint.
📊
Notified Standards
Aligned with every Rules notification under DPDPA as they are issued.
On Data & Trust

Data without consent is not an asset.
It is evidence — waiting to be used against you.

DPDPA 2023 · Section 6
On Compliance & Time

The law does not wait for your
readiness. It waits for your breach.

Data Protection Board · Quasi-Judicial Powers
The Five Steps

From exposure to evidence.

PRAMAANA™: the Evidence Readiness Framework for DPDPA 2023. No gaps. No excuses.

1🗺️
Data Mapping
Know what personal data you hold, where it lives, and who touches it
2📋
Consent Audit
Validate every consent mechanism against DPDPA Section 6 requirements
3🛡️
Risk Architecture
Build security safeguards and vendor controls that satisfy Section 8
4🔔
Breach Readiness
Incident response protocol meeting DPBI notification timelines
5📁
Evidence Package
Documented proof that holds before the Data Protection Board
The Cost of Non-Compliance

Not penalties.
Balance sheet events.

The Data Protection Board does not negotiate. It adjudicates. Know the numbers before your name appears on a notice.

What Went Wrong
Exposure
The Reality
Failed to implement adequate security safeguards — Section 8(5)
₹250 Cr
"Your firewall costs less than your fine."
Failed to notify DPBI of a data breach — Section 8(6)
₹200 Cr
"Silence after a breach is the most expensive sound."
Violated obligations regarding children’s personal data — Section 9
₹200 Cr
"A child’s data is not a cookie. Stop treating it like one."
Violated additional obligations of Significant Data Fiduciaries — Section 10
₹150 Cr
"Significant Data Fiduciary is not a title. It is a target."
Any other breach of DPDPA 2023 — catch-all provision
₹50 Cr
"₹50 Crores. That is the minimum embarrassment."

Source: Digital Personal Data Protection Act, 2023 — Schedule I. Penalty amounts are maximums per breach event as determined by the Data Protection Board of India.

Every Business in India is Now a Data Fiduciary

The question is not
whether to comply.
The question is when.

The Data Protection Board has quasi-judicial powers. It does not negotiate. The organisations that call us before enforcement are the ones that sleep at night.

Ahmedabad (HQ) · Mumbai · Bengaluru · New Delhi · Kolkata · Chennai · Pune · Surat · Prayagraj · Vadodara