Exhibit 1 — Framework Architecture

DRISHTI

Banking · Financial Services · Insurance
The Definitive Privacy Governance Framework. Seven Dimensions. Zero Orphan Data. Every DPDPA Section Mapped. Every DPDP Rule Operationalised. Nothing Left Unprotected.
Original Framework by AMLEGALS
DPDPA 2023 + DPDP Rules 2025 · Five Regulators
  • 7 Governance Dimensions
  • 185+ Data Points Mapped
  • 23 Orphan Points Parented
  • 47 Documents Catalogued
  • 28 Measurable KPIs
  • 21 Gaps Plugged in V2.0
  • 5 Regulators Covered
Exhibit 2 — The BFSI Thesis

Five Regulators. One Act.
Zero Margin for Error.

BFSI entities in India operate under a five regulator architecture: RBI, SEBI, IRDAI, PFRDA, and IBBI. Each imposes its own data obligations. DPDPA 2023 now sits across all of them. The result is the most complex compliance surface in Indian industry.

31 Million Records. One Breach.

Star Health. August 2024. The largest data breach in Indian insurance history. Aadhaar numbers, PAN cards, medical records, biometric data. Leaked through Telegram chatbots. DRISHTI™ BFSI exists because that should never happen again.

6 Hours. Not 6 Days.

CERT-In mandates reporting of cyber incidents within 6 hours of noticing them. The DPDP Rules 2025 add their own clock: intimation to the Data Protection Board within 72 hours and to affected Data Principals without delay. RBI requires its own reporting. Three clocks running simultaneously. One missed deadline is one enforcement action.

Cross Sell Is the Kill Zone

When a bank shares customer data with its subsidiary insurance company for cross selling without granular consent, that is a DPDPA violation hiding in plain sight. The DSA, the agent, the TPA, the account aggregator. Every node is a leak point.

AI Without Governance Is Liability

Credit scoring algorithms, fraud detection engines, underwriting models, robo advisors. Every one processes personal data. Section 10(2) demands algorithmic accountability from Significant Data Fiduciaries. Most BFSI entities have not even catalogued their AI systems.

Exhibit 3 — BFSI Data Universe

Entry Points. Retention Nodes. Exit Pathways.

Banking · 47+ Data Collection Points

  • KYC data (Aadhaar, PAN, CKYC, Video KYC, e KYC)
  • Core banking customer master and account master
  • Transaction data (UPI, NEFT, RTGS, IMPS, cheque)
  • Credit bureau flows (CIBIL, Experian, Equifax, CRIF)
  • Loan origination (ITR, bank statements, property docs)
  • Mobile/internet banking (device fingerprint, IP, location, biometrics)
  • ATM data (card, PIN logs, CCTV footage)
  • SWIFT cross border remittance data
  • Recovery/NPA data (SARFAESI, DRT, IBC, ARC)
  • Account Aggregator consent flows
Insurance · 38+ Data Collection Points

  • Proposal form (personal, medical history, family history)
  • Underwriting (medical exams, pathology, tele medical recordings)
  • Claims (hospital records, FIR, surveyor reports)
  • TPA data flows (Medi Assist, FHPL, Paramount)
  • Reinsurance data (Munich Re, Swiss Re, GIC Re)
  • Agent/broker/POSP/bancassurance data
  • Telematics (vehicle GPS, OBD, driving behaviour)
  • Wearable data (health trackers for premium pricing)
  • Fraud investigation SIU data and surveillance
Securities & Capital Markets · 29+ Data Collection Points

  • Demat account and beneficial owner data
  • Trading order logs, margin data, position data
  • Mutual fund folio, SIP, transaction, nominee data
  • KRA data flows (CAMS, KFintech)
  • PMS and AIF investor profiling data
  • UCC and dormant account data
  • SCORES complaint data flows to SEBI
NBFCs & Digital Lending · 34+ Data Collection Points

  • Digital lending app device access (contacts, SMS, photos — now restricted by RBI)
  • LSP data flows and retention
  • BNPL transaction and credit data
  • Microfinance group lending and field officer data
  • Gold loan valuation and photo documentation
  • Vehicle finance GPS tracking and repo data
  • P2P lending platform lender/borrower data
  • Account Aggregator consent architecture
Payment Systems · 22+ Data Collection Points

  • UPI VPA mapping, transaction, dispute data
  • Prepaid wallet KYC and loading data
  • Payment aggregator merchant and settlement data
  • Card network data post tokenisation (Visa, MC, RuPay)
  • BBPS biller and consumer data
  • AEPS Aadhaar biometric at micro ATMs
Cross Cutting · 15+ Shared Ecosystem Nodes

  • Cloud DR/BCP data (AWS Mumbai, Azure Pune, GCP) — cross border during failover
  • SaaS CRM vendors (Salesforce, Dynamics) processing customer data
  • IT outsourcing partners (TCS, Infosys, Wipro, HCL)
  • DSA and agent personal device data retention
  • Marketing automation platforms processing PII
  • Employee HR data, POSH data, whistleblower data
Exhibit 4 — The Architecture

Seven Dimensions — BFSI Calibration

Each dimension recalibrated for the five regulator BFSI compliance surface. BFSI specific KPIs. BFSI specific evidence artifacts. BFSI specific regulatory mapping.

01
SATYA — सत्य
Data Inventory Intelligence
185+ Data Elements Across 5 Sub Sectors
Map every personal data element from KYC to claims to trading to lending. Not a spreadsheet. A living, machine readable register that tracks lineage, custodianship, cross border flows, and retention triggers.

BFSI KPIs

% of data assets mapped to DPDPA processing purpose + sectoral regulatory basis
Orphan data ratio across core banking, policy admin, trading systems
Cross border data flow mapping completeness (SWIFT, reinsurance, cloud DR)
Third party data processor inventory coverage (TPAs, LSPs, DSAs, AAs)
Regulatory Map: DPDPA S.4, S.8(7) | RBI KYC Master Direction | RBI Data Localisation 2018 | SEBI CSCRF | IRDAI Cybersecurity Guidelines
02
SAMVIDA — संविदा
Consent Architecture
12+ Consent Touchpoints Per Customer Journey
Map the full consent lifecycle across account opening, loan origination, insurance proposal, investment onboarding, cross selling, bancassurance, AA flows, and marketing. Retrospective notice for pre DPDPA data. 22 language notice compliance. Consent Manager integration with 7 year retention.

BFSI KPIs

Consent validity rate across banking, insurance, and securities onboarding
Cross sell consent isolation score (bank vs subsidiary data walls)
Account Aggregator consent window compliance rate
Legacy data consent migration percentage (pre DPDPA customers)
Regulatory Map: DPDPA S.5, S.6, S.7 | RBI Digital Lending Directions 2025 | RBI AA Framework | IRDAI Web Aggregator | SEBI KRA | DPDP Rules First Schedule (Consent Manager)
03
NIYAMA — नियम
Governance Spine
Multi Regulator Board Reporting Architecture
Board oversight cadence, DPO charter, privacy committee constitution, escalation protocols. 90 day grievance response SLA. Data Principal nomination reconciliation with existing bank/insurance/demat nominees. Research exemption assessment under Rule 16.

BFSI KPIs

Board privacy agenda frequency (quarterly minimum with PGI dashboard)
DPO integration with existing RBI/SEBI/IRDAI compliance functions
Cross regulator policy reconciliation completion rate
Grievance resolution within 90 day SLA (Rule 14(3))
Regulatory Map: DPDPA S.8, S.10, S.11, S.14 | RBI IT Governance 2023 | SEBI CSCRF Governance | IRDAI Board Oversight | DPDP Rule 13 (SDF), Rule 14(3)
04
KAVACH — कवच
Safeguard Engineering
64+ Security Tools, Still Breached
Encryption, access controls, tokenisation, API security, cloud security posture, vendor security assessment. 1 year minimum security log retention per DPDP Rules. Four tier data processor cascade: Fiduciary → Processor → Sub Processor → Cloud Provider. Cross border conditional transfer architecture.

BFSI KPIs

Encryption coverage across core banking, policy admin, and trading systems (%)
API security posture score (authentication, rate limiting, input validation)
Vendor security assessment completion rate (TPAs, LSPs, DSAs, cloud)
Card tokenisation compliance rate post RBI mandate
Regulatory Map: DPDPA S.8(5), S.16 | RBI DPSC | RBI Tokenisation | SEBI Cloud Framework 2023 | PCI DSS 4.0 | IRDAI Cybersecurity | DPDP Rules (1 year log retention)
05
PRAMAANA — प्रमाण
Evidence Continuum
Centre of Gravity — Audit Readiness in 72 Hours
Data provenance chain of custody proof. Annual DPIA and independent audit for SDFs (Rule 13). Multi regulator evidence package assembly. Consent Manager 7 year audit trail. Tamper resistant logging with integrity verification.

BFSI KPIs

Evidence coverage ratio (controls with automated logs / total controls)
Multi regulator evidence package assembly time (RBI + SEBI + IRDAI + DPDPA)
Log integrity verification pass rate (tamper resistance)
Annual DPIA and independent audit completion (SDF mandatory per Rule 13)
Regulatory Map: DPDPA S.8, S.10, S.27-33 | RBI IT Governance (audit) | SEBI System Audit | IRDAI Inspection | CERT-In 6 Hour | DPDP Rule 13
06
PRAHARI — प्रहरी
Response Readiness
Three Breach Clocks Running Simultaneously
CERT-In (6 hours), DPDPA Board (72 hours), Sectoral Regulator. Initial intimation + detailed follow up report + confirmation of DP notification. Tabletop exercises quarterly. DPIA for high risk processing including AI/ML and cross border transfers.

BFSI KPIs

Mean time to detect (MTTD) — benchmark against $5.9M average breach cost
Triple clock notification compliance (CERT-In + DPDPA Board + Sectoral)
DPIA completion rate for AI/ML processing, cross border, high volume data
Tabletop exercise frequency covering supply chain breach scenarios
Regulatory Map: DPDPA S.8(6), S.10(2)(b) | CERT-In Directions 2022 | RBI Cyber Security Framework | SEBI CSCRF Incident | IRDAI Breach Notification
07
SAMSKRITI — संस्कृति
Culture Quotient
711+ Phishing Incidents in One Year
Training penetration across branches, call centres, DSAs, recovery agents, field officers, IT teams. Phishing simulation programme. Privacy incident self reporting ratio. Role specific assessment for DPO, IT, legal, business, vendor teams.

BFSI KPIs

Training completion rate across branches, call centres, DSAs, agents (%)
Phishing simulation failure rate (benchmark: below 5%)
Privacy incident self reporting ratio from field staff
Role specific assessment pass rates (DPO, IT, legal, business, vendor)
Regulatory Map: DPDPA S.8, S.10, S.15 | RBI IT Governance (awareness) | SEBI CSCRF Training | IRDAI Awareness Programs
Exhibit 5 — Governance Dashboard

BFSI Privacy Governance Index — Live Measurement

BFSI Privacy Governance Index: 69.7 (Sample Mid Tier Bank · Target: 85+ for SDF Classification)

  • 01 SATYA — Inventory Intelligence: 78
  • 02 SAMVIDA — Consent Architecture: 72
  • 03 NIYAMA — Governance Spine: 65
  • 04 KAVACH — Safeguard Engineering: 74
  • 05 PRAMAANA — Evidence Continuum: 67
  • 06 PRAHARI — Response Readiness: 61
  • 07 SAMSKRITI — Culture Quotient: 71
Exhibit 6 — Forensic Gap Audit

21 Critical Gaps Identified. All Plugged.

A forensic audit revealed 21 structural gaps in data governance, data lineage, data provenance, statutory mapping, and operational controls. Every one is now closed.

1. Data Lineage Engine Absent

V1 mapped collection points but not the transformation chain. Where data was copied, enriched, merged, anonymised, replicated to DR. Without lineage, provenance is unprovable.

→ Full Data Lineage Architecture added

2. Data Provenance Chain Missing

Lineage tracks the journey. Provenance proves the chain of custody. Who touched data? When? What was changed? Without provenance, evidence is inadmissible.

→ Provenance as sub dimension of PRAMAANA™

3. 23 Orphan Data Points Unparented

CCTV footage. Call centre recordings. Visitor registers. POSH data. Whistleblower data. Board minutes. Employee biometrics. Marketing PII. Testing environment copies. None were mapped.

→ Complete Orphan Data Register added

4. DPDP Rules 2025 Not Mapped

48 hour erasure pre notice. 90 day grievance response. 7 year Consent Manager retention. Retrospective notice. 22 language requirement. Phased compliance. Annual SDF audit.

→ Every Rule provision mapped to BFSI control

5. Consent Manager Integration Missing

Registered intermediary with INR 2 crore net worth. Interoperable platform. No sub contracting. 7 year consent record retention. New evidence chain.

→ Consent Manager module in SAMVIDA

6. Children/Disability Data Unaddressed

Junior accounts. Student loans. Minor nominees. Dependent children on health insurance. Persons with disability requiring lawful guardian verification under RPWD Act.

→ S.9, Rule 11, Rule 12 fully operationalised

7. Retrospective Notice Obligation Missing

Notices are required for all personal data processed before the Act. Banks holding 50 to 100 million records face a massive operational challenge.

→ Retrospective notice workflow in SAMVIDA

8. 48 Hour Erasure Pre Notice Missing

Data Fiduciary must notify Data Principal 48 hours before completing erasure. New operational process for multi system purge coordination.

→ Erasure lifecycle in SATYA dimension

9. Purpose Limitation Enforcement Absent

Data collected for lending cannot be used for insurance cross selling without fresh consent. Requires purpose tagging at data element level with drift detection.

→ Purpose tagging engine in SATYA + SAMVIDA

10. Data Principal Nomination Rights Unmapped

Section 14 nomination intersects with existing bank/insurance/demat nominee frameworks. Reconciliation architecture was absent.

→ Nomination reconciliation in NIYAMA

11. SDF Annual DPIA/Audit Not Operationalised

Rule 13 mandates annual DPIA and independent audit. Most BFSI entities will be SDFs. Annual cycle was not built into the framework.

→ Annual DPIA/Audit cycle in PRAMAANA

12. Document Registry Incomplete

47 documents across 9 categories required. Policies, DPAs, SOPs, registers, governance documents, security standards, training modules, AI governance documents.

→ Complete 47 document registry built
Exhibit 7 — Data Lineage Architecture

Track Every Transformation. Prove Every Pathway.

Origin

Collection Point Registry

Every data element tagged with its origin: branch form, mobile app, API, third party feed, web form, call centre, field officer, agent device, AA framework, e KYC, CKYC.

Transformation

Processing Chain Log

Every transformation logged: enrichment, merger, anonymisation, pseudonymisation, aggregation, tokenisation, masking for testing environments.

Replication

Copy and Clone Register

Every copy tracked: core banking to data warehouse, production to DR, production to testing, export to regulatory reporting, backup tapes, email attachments.

Sharing

External Flow Map

Every external share logged: credit bureau, insurer, TPA, reinsurer, LSP, DSA, AA, payment network, regulator, auditor, legal counsel, marketing vendor, cloud processor.

Provenance

Chain of Custody Proof

Every access timestamped: who, from what system, for what purpose, what action. Tamper resistant. Retrievable within 72 hours for any data element.

Purpose Tag

Purpose Binding Engine

Every element tagged to lawful purpose at collection. Drift detection triggers alerts for access outside tagged purpose. Cross sell without fresh consent flagged in real time.

Retention

Lifecycle Termination Map

Tagged with retention trigger: purpose fulfilment, contract end, consent withdrawal, regulatory period (PMLA 5 years, security logs 1 year). 48 hour erasure pre notice automated.

Deletion

Verified Erasure Proof

Erasure verification across all copies: production, backup, DR, warehouse, analytics sandbox, testing, email archives, agent devices. Erasure certificate per data class.
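The purpose binding, provenance and retention layers above can be prototyped in a few dozen lines. The block below is an added illustration written for this page; it is not AMLEGALS' code and not part of DRISHTI™. The element ids, system names, purpose labels, consent basis format and the two access events (a core banking read on Monday, an insurance subsidiary CRM read for cross selling on Tuesday) are all constructed. The hash chain is one common way to make an access log tamper evident; a production deployment would additionally anchor the chain head in a write-once store or an external timestamping service, which is outside this example.

```python
"""Added example (not AMLEGALS' code): a purpose-binding register with drift
detection, a hash-chained provenance log, and a 48 hour erasure pre-notice
check. All identifiers and events below are constructed for illustration."""
import copy
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first log entry


@dataclass(frozen=True)
class DataElement:
    element_id: str             # one row of the Data Inventory and Lineage Register
    origin: str                 # Collection Point Registry entry
    purposes: frozenset         # Purpose Tag: lawful purposes bound at collection
    consent_basis: str          # e.g. "consent:2026-01-05" (assumed label format)
    retention_until: datetime   # Lifecycle Termination Map trigger


class ProvenanceLog:
    """Append-only chain of custody. Each entry's hash covers the previous
    entry's hash, so editing or deleting a historical entry breaks every
    later link, and verify() reports where the chain first fails."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(fields, prev_hash=prev_hash)
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Index of the first broken entry, or None if the log is intact."""
        expected_prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != expected_prev or entry["entry_hash"] != self._digest(entry):
                return i
            expected_prev = entry["entry_hash"]
        return None


def record_access(register: Dict[str, DataElement], log: ProvenanceLog, *, ts: datetime,
                  actor: str, system: str, element_id: str, purpose: str, action: str) -> List[str]:
    """Log one access (who, from what system, for what purpose, what action) and
    return drift alerts: purpose outside the element's tag, or access past retention."""
    element = register[element_id]
    alerts = []
    if purpose not in element.purposes:
        alerts.append(f"PURPOSE_DRIFT: {system} accessed {element_id} for '{purpose}'; "
                      f"bound purposes {sorted(element.purposes)}")
    if ts > element.retention_until:
        alerts.append(f"RETENTION_EXPIRED: {element_id} accessed after {element.retention_until.isoformat()}")
    log.append(ts=ts.isoformat(), actor=actor, system=system, element_id=element_id,
               purpose=purpose, action=action, alerts=alerts)
    return alerts


def erasure_pre_notices_due(register: Dict[str, DataElement], now: datetime,
                            window: timedelta = timedelta(hours=48)) -> List[str]:
    """Elements whose retention trigger falls within the next 48 hours: the
    pre-erasure notice to the Data Principal has to go out now."""
    return sorted(e.element_id for e in register.values() if now <= e.retention_until <= now + window)


def demo():
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    register = {  # constructed register entries
        "cust-0001/kyc": DataElement("cust-0001/kyc", "branch_form",
                                     frozenset({"account_opening", "kyc_aml"}),
                                     "consent:2026-01-05", t0 + timedelta(days=5 * 365)),
        "cust-0001/txn": DataElement("cust-0001/txn", "core_banking",
                                     frozenset({"account_servicing", "fraud_monitoring"}),
                                     "consent:2026-01-05", t0 + timedelta(hours=30)),
    }
    log = ProvenanceLog()
    # Monday: core banking reads KYC for a purpose it was collected for.
    ok = record_access(register, log, ts=t0, actor="ops-user-17", system="core_banking",
                       element_id="cust-0001/kyc", purpose="kyc_aml", action="read")
    # Tuesday: the insurance subsidiary's CRM reads the same KYC for cross selling.
    drift = record_access(register, log, ts=t0 + timedelta(days=1), actor="svc-crm",
                          system="insurance_subsidiary_crm", element_id="cust-0001/kyc",
                          purpose="insurance_cross_sell", action="read")
    return register, log, ok, drift, erasure_pre_notices_due(register, t0)


def tamper_detected_index(log: ProvenanceLog) -> Optional[int]:
    """Simulate an insider rewriting the drift entry to look legitimate."""
    forged = copy.deepcopy(log)
    forged.entries[1]["purpose"] = "kyc_aml"
    forged.entries[1]["alerts"] = []
    return forged.verify()


if __name__ == "__main__":
    register, log, ok, drift, notices = demo()
    print("alerts on Monday access:", ok)
    print("alerts on Tuesday cross-sell access:", drift)
    print("pre-erasure notices due now:", notices)
    print("chain intact:", log.verify() is None)
    print("forged chain first breaks at entry:", tamper_detected_index(log))
```

Two design points worth noting. The drift check is evaluated on every access and the alert itself is written into the chained entry, so an insider cannot later suppress the alert without breaking the chain: rewriting the entry in place fails the digest check at that index, and rewriting the entry together with its digest fails the prev_hash check on the next entry. The 48 hour window is computed from the retention trigger rather than from a manual ticket, which is what lets the pre-notice be automated across every copy the lineage register knows about.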

Exhibit 8 — Grey Area Register

Where BFSI Compliance Breaks Down

Every grey area identified, risk scored, and mapped to a remediation pathway. These are the zones where DPDPA violations hide in plain sight.

Subsidiary Cross Sell Without Consent Walls

Bank shares customer data with subsidiary insurance company and AMC via common CRM. No fresh consent. No purpose isolation. No audit trail. Customer opens savings account Monday. Insurance subsidiary calls Tuesday.

Critical Risk

DSA and Agent Device Data Retention

DSAs collect documents on personal phones and WhatsApp. KYC photos, income proofs, Aadhaar copies. When DSA relationship terminates, no deletion protocol. Data lives on personal devices indefinitely.

Critical Risk

Legacy Data Consent Migration

Banks hold decades of customer data collected before DPDPA. Section 7 (legitimate uses) covers the specified purpose for which the customer voluntarily provided the data, and Section 5(2) lets pre Act consent continue once a retrospective notice is served. Cross selling, profiling and marketing on legacy data qualify under neither without fresh consent. Migration architecture absent in 90% of institutions.

High Risk

TPA Data Retention Beyond Claim Settlement

TPAs retain policyholder health data, hospitalisation records, diagnostics long after claim settlement. No defined deletion trigger. TPA serves multiple insurers. Patient data from Insurer A accessible in systems serving Insurer B.

Critical Risk

Account Aggregator Consent Fatigue

Consent screens are complex. Users click through. Consent window is time bound but data processed may be retained by FIU beyond window. No effective enforcement of deletion post consent expiry.

High Risk

Cloud DR/BCP Cross Border Leakage

RBI’s 2018 circular mandates that payment system data be stored in India. But during DR failover, data replicates to overseas zones for milliseconds to hours. AWS Mumbai to Singapore. Azure Pune to Southeast Asia. The circular is silent on transient DR replication.

High Risk

AI Credit Scoring Without Explainability

200+ variables including behavioural data. No right to explanation on loan decline. Section 10(2) mandates algorithmic accountability for SDFs but implementation guidance absent.

High Risk

Deceased Customer Data Limbo

DPDPA provides for nominee to exercise rights. Banks retain deceased data for PMLA (5 years post closure). Insurance retains for claim maturity. Conflict between erasure rights and statutory retention unresolved.

High Risk
Exhibit 9 — Breach Lessons Register

Indian BFSI Breaches — What DRISHTI™ Would Have Caught

Entity | Year | Records | Root Cause | DRISHTI™ Dimension Gap
Star Health Insurance | 2024 | 31M | Insider access, delayed detection, Telegram chatbot data leak | PRAHARI (detection), KAVACH (access controls), PRAMAANA (evidence)
HDFC Life Insurance | 2024 | 16M | Unknown exfiltration, ransom demand, delayed disclosure | PRAHARI (notification), KAVACH (data loss prevention)
Nupay (Banking Fintech) | 2025 | Undisclosed | S3 bucket misconfiguration, third party vendor gap | KAVACH (vendor security), SATYA (third party inventory)
Juspay | 2021 | 100M | Card data exposure via payment processor vulnerability | KAVACH (tokenisation), PRAMAANA (audit trail)
SBI Server Exposure | 2019 | Millions | Unprotected server exposing customer data | SATYA (inventory), KAVACH (access controls)
Upstox | 2021 | 2.5M | KYC data exposed via third party breach | KAVACH (vendor DPA), SATYA (third party data mapping)
Exhibit 10 — AI Governance Module

Algorithmic Accountability for BFSI Under DPDPA Section 10

Every AI/ML system processing personal data must be inventoried, impact assessed, bias audited, and explainability mapped.

Credit Risk

Credit Scoring Algorithms

Bureau scores, application scorecards, behavioural scorecards. 200+ variables. Bias audit required. Explainability for loan rejection. DPDPA S.10(2) applies.

Fraud

Fraud Detection Engines

Real time transaction scoring. Behavioural analytics. Session anomaly detection. Continuous personal data processing. Profiling question under DPDPA.

AML/CFT

AML Screening Engines

Name matching, transaction pattern detection, SAR generation. S.7 legitimate use. Model drift and false positive rates must be monitored.

Insurance

Underwriting Risk Models

Health data, genetic predisposition, wearable data, telematics. Discrimination risk. Algorithmic impact assessment across protected categories.

Identity

Face Recognition and Liveness

Video KYC biometric data. Face matching against ID. Liveness creates biometric templates. UIDAI Aadhaar authentication restrictions.

Customer

Chatbots and Voice Assistants

NLP trained on interaction data. Call recordings for sentiment analysis. Consent for secondary use of conversation data typically absent.

Advisory

Robo Advisory Systems

Automated investment advice from financial profiling. SEBI suitability requirements. DPDPA profiling consent. Algorithmic liability unresolved.

Collections

Collection Score Models

Payment prediction using transaction patterns, demographics. Priority recovery actions. Demographic bias must be audited.
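The bias audit that several of the model classes above call for can be run as a plain disparate impact check over logged decisions, grouped by each protected attribute. The block below is an added example written for this page, not AMLEGALS' code or any part of DRISHTI™. The decisions are constructed (140 applicants across gender and age band), the reference group is taken to be the largest cohort, and the 0.8 threshold is an assumed audit heuristic (the "four-fifths" rule); none of these numbers come from DPDPA or a sectoral regulator.

```python
"""Added example (not AMLEGALS' code): a disparate impact audit over model
decisions, grouped by protected attribute. Decisions are constructed and the
0.8 threshold is an assumed heuristic, not a regulatory number."""
from collections import Counter
from typing import Dict, Iterable, List

FOUR_FIFTHS = 0.8  # assumed audit threshold


def _cohort(n: int, approved: int, **attrs) -> List[dict]:
    """n decisions sharing the given attributes, of which `approved` were approvals."""
    return [dict(attrs, approved=1 if i < approved else 0) for i in range(n)]


# Constructed collection/credit decisions: 140 applicants, two protected attributes.
SAMPLE_DECISIONS = (
    _cohort(50, 35, gender="M", age_band="26-45")
    + _cohort(30, 21, gender="M", age_band="46+")
    + _cohort(40, 20, gender="F", age_band="18-25")
    + _cohort(20, 10, gender="F", age_band="26-45")
)


def bias_audit(decisions: Iterable[dict], protected_attrs: List[str],
               threshold: float = FOUR_FIFTHS) -> Dict[str, dict]:
    """For each protected attribute: approval rate per group, the ratio of each
    group's rate to the largest cohort's rate, and the groups below threshold.
    If the reference group has a zero approval rate the ratios are NaN and
    nothing is flagged, so the undefined case is visible rather than a
    spurious pass or fail."""
    decisions = list(decisions)
    report = {}
    for attr in protected_attrs:
        total, approved = Counter(), Counter()
        for d in decisions:
            total[d[attr]] += 1
            approved[d[attr]] += d["approved"]
        rates = {g: approved[g] / total[g] for g in total}
        reference = max(total, key=lambda g: (total[g], g))  # largest cohort; ties by name
        ref_rate = rates[reference]
        ratios = {g: (r / ref_rate if ref_rate else float("nan")) for g, r in rates.items()}
        flagged = sorted(g for g, ratio in ratios.items() if ratio < threshold)
        report[attr] = {"reference": reference, "rates": rates, "ratios": ratios, "flagged": flagged}
    return report


if __name__ == "__main__":
    for attr, result in bias_audit(SAMPLE_DECISIONS, ["gender", "age_band"]).items():
        print(attr, "reference:", result["reference"], "flagged:", result["flagged"])
        for g in sorted(result["rates"]):
            print(f"  {g:>6}: approval {result['rates'][g]:.3f}  ratio {result['ratios'][g]:.3f}")
```

On the constructed data the audit flags "F" under gender (approval 0.50 against 0.70 for the reference group, ratio 0.71) and "18-25" under age band (0.50 against 0.64, ratio 0.78), while "46+" clears. Running the same function over each retraining cycle's decision log, rather than once at model sign-off, is what turns a one-off bias audit report into the continuous monitoring that the model drift requirement above implies.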

Exhibit 11 — Regulatory Alignment Matrix

DPDPA + RBI + SEBI + IRDAI — Provision by Provision

DRISHTI™ Dimension | DPDPA Sections | RBI Directions | SEBI / IRDAI
SATYA — Inventory | S.4, S.5, S.8(7) | KYC Master Direction, Data Localisation 2018, CKYC, PMLA Rules | SEBI KRA Regulations; IRDAI Repository Guidelines
SAMVIDA — Consent | S.5, S.6, S.7, S.9 | Digital Lending Directions 2025, AA Framework, Customer Confidentiality | SEBI Suitability; IRDAI Web Aggregator; TRAI TCCCPR
NIYAMA — Governance | S.8, S.10, S.11, S.14 | IT Governance Direction 2023, Outsourcing Direction | SEBI CSCRF Governance; IRDAI Board Oversight
KAVACH — Safeguards | S.8(5), S.16 | DPSC Master Direction, Tokenisation, Cyber Security Framework | SEBI Cloud Framework 2023; IRDAI Cybersecurity; PCI DSS 4.0
PRAMAANA — Evidence | S.8, S.10, S.27-33 | IT Governance (audit), System Audit, Compliance Certificates | SEBI System Audit; IRDAI Inspection Framework
PRAHARI — Response | S.8(6), S.10(2)(b) | 6 Hour RBI Reporting, Cyber Security Framework Incident Protocols | SEBI CSCRF Incident; IRDAI Breach Notification; CERT-In 6 Hour
SAMSKRITI — Culture | S.8, S.10, S.15 | IT Governance (awareness), Guidelines on Information Security | SEBI CSCRF Training; IRDAI Awareness Programs
Exhibit 12 — Complete Document Registry

47 Documents. 9 Categories. Zero Gaps.

Every document, contract, policy, SOP, notice, and register that DPDPA 2023, DPDP Rules 2025, and all five sectoral regulators require from a BFSI entity.

1. Consent & Notice

8 Documents

  • Data Protection Notice (standalone, 22 languages)
  • Granular Consent Form (account, loan, insurance, investment, cross sell)
  • Retrospective Notice for pre DPDPA data
  • Consent Withdrawal Mechanism and SOP
  • 48 Hour Erasure Pre Notice Template
  • Children’s Data Parental Consent Form
  • Lawful Guardian Consent Form (Rule 11)
  • Consent Manager Integration Agreement
2. Policies

9 Documents

  • Enterprise Data Protection Policy
  • Data Classification and Labelling Policy
  • Data Retention and Erasure Policy (PMLA reconciliation)
  • Cross Border Data Transfer Policy
  • Employee Data Privacy Policy
  • Children and Vulnerable Persons Policy
  • Purpose Limitation and Minimisation Policy
  • AI and Algorithmic Processing Policy
  • Marketing and Profiling Consent Policy
3. Contracts

10 Documents

  • Data Processing Agreement (Master)
  • Sub Processor Flow Down Agreement
  • TPA Data Processing Agreement
  • LSP/DSA Data Handling Agreement
  • Cloud Service Provider DPA (localisation)
  • IT Outsourcing DPA (RBI alignment)
  • Reinsurance Data Transfer Agreement
  • Account Aggregator FIU Agreement
  • Marketing Vendor DPA
  • Auditor Data Handling Agreement
4. SOPs

8 Documents

  • Data Subject Access Request SOP (90 day)
  • Data Correction Request SOP
  • Erasure SOP (48 hour pre notice, multi system purge)
  • Consent Withdrawal Processing SOP
  • Breach Notification SOP (6 hr + 72 hr + sectoral)
  • Cross Sell Data Wall Enforcement SOP
  • DSA/Agent Termination SOP
  • Testing Environment Anonymisation SOP
5. Registers

8 Documents

  • Record of Processing Activities (ROPA)
  • Data Inventory and Lineage Register
  • Consent Register (7 year Consent Manager retention)
  • Breach Register (triple clock tracking)
  • DSAR Register (90 day SLA)
  • Vendor/Data Processor Register
  • AI/ML Model Inventory Register
  • Cross Border Transfer Log
6. Governance

6 Documents

  • DPO Charter and Terms of Reference
  • Privacy Committee Constitution and ToR
  • Board Privacy Resolution Template
  • Quarterly PGI Dashboard Report
  • Annual DPIA Report (SDF mandatory)
  • Independent Data Audit Report (SDF)
7. Security

5 Documents

  • Encryption Standards (rest, transit, processing)
  • Access Control Matrix (role and purpose based)
  • Security Log Retention Standard (1 year minimum)
  • VAPT Schedule
  • Incident Response Playbook
8. Training

4 Documents

  • Annual Privacy Training Calendar
  • Role Specific Training Modules
  • Phishing Simulation Programme
  • Privacy Awareness Assessment
9. AI Governance

5 Documents

  • AI/ML Model Risk Policy
  • Algorithmic Impact Assessment Template
  • Bias Audit Report Template
  • Model Explainability Standard
  • Synthetic Data Generation Policy
Exhibit 13 — Penalty Architecture

What Non Compliance Costs

  • ₹250 Cr maximum: Failure to implement reasonable security safeguards (S.8(5))
  • ₹200 Cr maximum: Failure to notify Board and Data Principals of breach (S.8(6))
  • ₹200 Cr maximum: Violations relating to children’s data (S.9)
  • ₹150 Cr maximum: Non compliance with SDF obligations (S.10)
  • ₹50 Cr maximum: Any other DPDPA or Rules violation
  • ₹10,000 per instance: Breach of duty by Data Principal (S.15)
Exhibit 14 — Phased Compliance Timeline

Three Phases. Full Compliance by May 2027.

Nov 2025 · Phase I — Foundation: Board established. Definitions finalised. Consent Manager registration opens. Readiness planning begins.
Nov 2026 · Phase II — Operationalisation: Consent Manager obligations enforceable. Notice and consent active. Data Principal rights exercisable. Retrospective notices issued.
May 2027 · Phase III — Full Enforcement: Complete regime enforceable. SDF: DPO, annual DPIA, audit. Breach notification. Cross border restrictions. Penalties operational.
Exhibit 15 — BFSI Maturity Model

Five Stages — Calibrated for Financial Services

Level | Stage | BFSI Governance Posture | Score
1 | Ad Hoc | No formal privacy processes beyond existing RBI/SEBI compliance. Customer data scattered across core banking, CRM, agent devices. No data inventory. Consent is a checkbox buried in 40 page terms. Breach response reactive. No DPO appointed. | 0 – 20
2 | Aware | Privacy policy drafted. Partial inventory. Consent exists for digital channels but not branch operations. Third party register incomplete. CERT-In reporting untested. DSA data handling unaddressed. | 21 – 40
3 | Defined | All seven dimensions documented. Consent granular and purpose locked. Vendor DPAs cover TPAs, LSPs, cloud. Breach playbook covers triple clock. AI inventory exists. Cross sell consent walls designed. 47 document registry complete. | 41 – 60
4 | Managed | All dimensions instrumented with automated evidence. Board receives quarterly PGI. AI impact assessments complete. Multi regulator evidence assemblable in 72 hours. Tabletop exercises quarterly. Data lineage operational. Orphan data parented. | 61 – 80
5 | Optimised | Governance predictive. AI monitoring flags consent drift, leakage, vendor risk before incidents materialise. Evidence readiness continuous. Privacy is competitive differentiator. Net Privacy Dividend™ positive. | 81 – 100
The Zero Orphan Data Doctrine

If It Contains Personal Data, It Has a Parent in DRISHTI™

“Every data element in a BFSI entity now has a parent: a purpose tag, a consent basis, a retention trigger, a deletion protocol, an evidence chain, and a regulatory anchor. From branch CCTV footage to Board minutes. From DSA WhatsApp messages to reinsurance data flows. From junior savings accounts to deceased customer records. If this is implemented, nothing more needs to be done. If this is not implemented, nothing is privacised under DPDPA.”
— Anandaday Misshra, Founder & Managing Partner, AMLEGALS
DRISHTI™ BFSI — The Definitive Edition
Original intellectual property of AMLEGALS
Ahmedabad · Mumbai · New Delhi · Bengaluru · Pune · Chennai · Kolkata · Hyderabad · Vadodara · Prayagraj
© 2026 AMLEGALS. All rights reserved. Conceived and architected by Anandaday Misshra.