AMLEGALS

The Data Protection Board
does not distinguish
between organisations
that did not know
and organisations that
did not act.

Thirteen practice areas. One framework. Every engagement produces a documented, operative, defensible legal position — built before the Board looks, not in response to its notice.

Based on AMLEGALS gap assessments 2024–2025: most organisations have addressed fewer than ten of the forty-four operative DPDPA sections.

Doctrine I  ·  Proprietary Methodology
Vibe Data Privacy™
Compliance that lives inside the organisation. Not archived in a folder.
01

Statutory Mapping

All 44 sections. Every processing activity. Gap Matrix and exposure quantification.

02

Consent Architecture

Rule 3-compliant. Product by product. Language by language.

03

Governance Design

Board accountability. DPO mandate. Executed DPA with every processor.

04

Technical Integration

Security safeguards to Rule 6. Tested breach protocol.

05

Continuous Intelligence

DPB monitoring. Regulatory updates. Programme adapts with the business.

Doctrine II  ·  Anandaday Misshra
DPDPA Resilience Doctrine
Build for the decade. Not the audit quarter.
I

Build for trajectory, not the snapshot

A programme measured by where it will be when tested — not when assembled.

II

Governance absorbs what documentation cannot

A filing exercise without operational governance is not a programme.

III

Enforcement learns. So must the programme.

The Board’s practice is forming now. The programme that does not monitor will be surprised.

IV

Legal certainty is the product

Every engagement produces a documented, defensible legal position. Not a report.

The Client Problem

Three functions. Three specific exposures.
One regulatory framework that applies to all.

General Counsel
“Every vendor contract signed before DPDPA has no data processing agreement clause.”

Section 8(2) requires a written contract with every processor. One hundred percent of legacy contracts are non-compliant from day one. The Board does not distinguish between a vendor failure and a fiduciary failure when the contract is silent.

₹250Cr  ·  Maximum exposure when a vendor breach occurs without a valid DPA in place
Foundation Services address this →
CFO & Board
“DPDPA Schedule I sits unmodelled in most Indian balance sheets.”

One breach event can trigger ₹250 Cr plus ₹200 Cr plus ₹150 Cr simultaneously. The organisations whose first Board response produces a compliance undertaking are the ones with documentation assembled before the notice arrived.

₹600Cr+  ·  Compound Schedule I exposure from a single breach across three simultaneous categories
Regulatory Services address this →
CISO & DPO
“Reasonable security is defined by the Board after the breach — not by you before it.”

Section 8(5) says “reasonable security safeguards.” The Board defines reasonable retrospectively, after the breach, based on what was feasible and what the data’s sensitivity required.

81%  ·  Penalty reduction Marriott achieved through documentation. £99M reduced to £18.4M by the ICO.
Regulatory Services address this →
₹250 Crore  ·  Maximum Penalty  ·  Schedule I, DPDPA 2023
One breach. Multiple simultaneous violations. The organisations with documented compliance programmes are the ones whose first Board response produces a compliance undertaking — not a penalty. Documentation assembled in response to a Board notice is not a compliance programme. It is an admission.
Find out where you stand →
Return on Compliance

The cost of building
the programme.
Against the cost of the breach.

DPDPA compliance is a risk management decision, not a legal overhead. The organisations that treat it as a cost will spend the fee. The organisations that treat it as an investment will recover it in the first enforcement cycle — as a compliance undertaking instead of a penalty. The evidence file, built before the notice arrives, is the deciding document.

Exposure Category  ·  With AMLEGALS Programme  ·  Without Programme

Security Safeguard Failure  ·  §8(5)
  With AMLEGALS Programme: Documented rationale on file. Board investigation produces a mitigation argument, not a gap. Penalty reduced in proportion to evidence of governance discipline.
  Without Programme: Up to ₹250 Cr. No defensible record. Board determines quantum at its discretion. The Marriott precedent: £99M reduced to £18.4M through documentation alone.

Breach Notification Failure  ·  §8(6)
  With AMLEGALS Programme: Tested protocol activated within 72 hours. Notification filed. Separate violation avoided. Board sees an organisation with a functioning compliance programme.
  Without Programme: Up to ₹200 Cr on top of the underlying breach. The organisation without a tested protocol spends the 72-hour window on preparation, not notification.

SDF Designation  ·  §10
  With AMLEGALS Programme: DPO mandate operative. DPIA programme running. Data Auditor appointed. Designation notification arrives into a functioning governance architecture.
  Without Programme: Up to ₹150 Cr. Governance must be constructed under regulatory observation. Section 10 does not allow a grace period for governance it required to already exist.

Investor Due Diligence  ·  Series B · M&A
  With AMLEGALS Programme: Evidence package produced in days. PRAMAANA™ audit trail answers every investment committee question before it is asked. Series B DD cleared in one week.
  Without Programme: Unquantified DPDPA liability on the cap table. The gap is discovered in the legal memo — which the founder does not see until after the term sheet is pulled.

Board Show Cause Response  ·  DPB Proceedings
  With AMLEGALS Programme: First response built on fact and law. Existing evidence file is the submission. Outcome: compliance undertaking. The Board rewards documentation assembled before its notice.
  Without Programme: First response assembled under time pressure. Documentation gaps become the penalty. Documentation assembled in response to a Board notice is not a programme. It is an admission.
“The organisations with documented compliance programmes are the ones whose first Board response produces a compliance undertaking — not a penalty. Documentation is not overhead. It is the mitigation.”
Anandaday Misshra · Founder & Managing Partner, AMLEGALS · 27 years of data privacy practice
Quantify your Schedule I exposure →
₹250 Crore  ·  Maximum Penalty  ·  Schedule I, DPDPA 2023

₹250Cr  ·  Security safeguard failure  ·  Section 8(5)
₹200Cr  ·  Breach notification failure  ·  Section 8(6)
₹150Cr  ·  SDF violations  ·  Section 10
₹50Cr  ·  All other violations  ·  catch-all

DPB Update Q1 2026: The Data Protection Board has issued its first operational guidelines. Enforcement practice is forming now. The organisations building their compliance record today will be the ones with documented evidence when the first major penalty is announced.

Foundation Services  ·  The Statutory Floor
What you must have from day one.
No compliance programme exists without these six.

Every organisation processing personal data in India must have these six elements operative — not planned, not drafted, operative. The Data Protection Board’s first question at any inquiry is whether the foundation exists.

Flagship  ·  Full DPDPA 2023 Implementation

DPDPA Full Spectrum Implementation

From Gap Analysis and readiness assessment to full operational compliance

Not templates. A compliance architecture a DPB investigation would find operative — consent records, safeguards, agreements, governance. All functioning. All documented.

After this engagement your organisation will have a complete, operative compliance architecture — consent records, security safeguards, processing agreements, and board-level governance. All functioning. All documented. All defensible.
A private sector bank with 4.2 million accounts cleared its first DPB audit without a remediation notice within 11 weeks of engagement.
What the engagement delivers
Statutory Gap Matrix
Every gap identified against all 44 DPDPA sections
Consent Architecture
Rule 3-compliant, product by product, language by language
Vendor DPA Library
Current, executed DPA with every data processor
Board Governance
Board accountability, DPO mandate, governance protocols
Breach Protocol
Documented, tested, board-approved response protocol
Section 4  ·  DPDPA Rules 2025

Gap Analysis and Readiness Assessment

Built without a Gap Analysis, your programme rests on assumptions. Every gap identified, every exposure quantified, remediation sequenced.

After this engagement your organisation will have a written Statutory Gap Matrix — every gap identified, every exposure quantified, before the Data Protection Board finds it for you.
  • 44-section statutory mapping
  • Quantified exposure per gap
  • Sequenced remediation plan
Sections 5–7  ·  Rule 3

Consent and Notice Architecture

A notice that does not meet Rule 3 is not a notice. We design consent architecture product by product, language by language.

After this engagement your organisation will have a consent and notice architecture that meets Rule 3 exactly — every consent evidenced, every purpose documented.
  • Rule 3-compliant notice drafting
  • Product-specific consent flows
  • Consent withdrawal mechanisms
Section 8(5)  ·  Rule 6

Data Security Safeguards

Rule 6 prescribes the standard. We measure your architecture against it and produce the written compliance record.

After this engagement your organisation will have a documented security architecture rationale — the written record of why your safeguards were reasonable, built before a breach, not assembled after one.
  • Rule 6 architecture review
  • Vendor security assessment
  • Remediation opinion letter
Section 8(2)–8(4)  ·  DPDP Rules

Data Processing Agreements

A GDPR template does not satisfy the DPDP Rules. We draft to your specific data flows. None templated.

After this engagement your organisation will have a current, executed DPA with every data processor — the contract that makes a vendor breach their documented liability, not yours.
  • DPDPA-compliant DPA drafting
  • Complete vendor DPA library
  • Processor audit obligations
Sections 11–13  ·  Chapter III

Data Principal Rights Infrastructure

Rights granted must be honoured. We build the operational framework — not the policy document.

After this engagement your organisation will have an operational rights framework — tested timelines, escalation pathways, and Board notification records. Rights granted, fully honoured.
  • Rights request workflow
  • Response timeline protocols
  • DPB notification procedures
Specialised Services  ·  Advanced Obligations
Business events and advanced statutory obligations.
Every transaction, transfer, and technology decision has a DPDPA dimension.

M&A transactions, cross-border data flows, SDF classification, AI governance, sector-specific overlays — each creates a DPDPA obligation the parties have not yet addressed. These eleven services address them.

M&A  ·  Due Diligence

Transaction Support and M&A Privacy

We find the liability before the deal closes and structure to ring-fence it. Not after.

After this engagement your organisation will have a written privacy liability assessment, a deal structure that ring-fences the exposure, and representations that hold at closing.
  • Privacy due diligence review
  • Liability quantification
  • Deal structure advisory
Documentation  ·  Bespoke Drafting

Contracts and Documents

Every instrument drafted to the specific processing relationship. None templated.

After this engagement your organisation will have a complete data protection contract library — every instrument drafted to the specific processing relationship it governs.
  • Privacy policy suite
  • Consent documentation
  • Vendor agreement library
Training  ·  Board to Operations

Training and Awareness

Architecture fails when the person handling data does not understand why it matters. Real scenarios — not slides.

After this engagement your organisation will have a workforce that understands why the data they handle matters — and a documented training record that demonstrates it to the Board.
  • Board and C-suite briefings
  • Operational scenario exercises
  • Documented training records
Investors  ·  VCs  ·  PE

Privacy Due Diligence for Investors

Does the programme exist? Does it work? What is the Schedule I exposure? The report goes to the investment committee — not a folder.

After this engagement your organisation will have a DPDPA compliance health report the investment committee can act on — quantified Schedule I exposure, compliance maturity scored.
  • DPDPA health check
  • Schedule I exposure quantification
  • Compliance maturity scoring
GDPR  ·  PDPL  ·  PDPA  ·  UK GDPR

International Data Privacy

One firm. One framework. Both sides of every international data relationship — GDPR to PDPL to DPDPA.

After this engagement your organisation will have both-sides-addressed transfer mechanisms — legally sound on the Indian end, compliant at the destination, no gap between the frameworks.
  • Six-jurisdiction advisory
  • Combined DPDPA DPA and GDPR SCCs
  • Both-sides transfer mechanisms
AI  ·  Algorithmic Decision-Making

AI Governance and Data Privacy

AI systems process personal data. The DPDPA governs it. We build the governance framework the algorithmic rider demands.

After this engagement your organisation will have a documented AI governance framework — consent for automated decisions, data minimisation controls, and a board-ready position on the algorithmic rider.
  • AI processing legal basis
  • Algorithmic rider compliance
  • Automated decision framework
Section 10(1)  ·  SDF Classification

SDF Classification Assessment

The Central Government classifies — not the organisation. We assess your exposure before the notification arrives.

After this engagement your organisation will have a written classification exposure assessment and a data operations structure that manages that exposure before the Central Government notification arrives.
  • Classification criteria analysis
  • Data volume and sensitivity audit
  • Pre-notification structuring
Section 10(2)(b)–(d)  ·  SDF Obligations

DPO Appointment, Data Audit and DPIA

Three statutory SDF obligations — DPO appointment as KMP, independent data audit, and periodic DPIA — each requiring documented legal instruments.

After this engagement your organisation will have a board-approved DPO mandate, audit-ready documentation, and a board-submitted DPIA prepared by a lawyer — not a questionnaire.
  • DPO mandate and governance
  • Audit readiness programme
  • Full DPDPA standard DPIA
Section 16  ·  GDPR · ASEAN · Gulf

Cross-Border Data Transfers

Section 16 permits the transfer. It does not remove the receiving jurisdiction’s law. We resolve both sides of every corridor simultaneously.

After this engagement your organisation will have both-sides-addressed transfer documentation for every corridor — EU, UK, ASEAN, Gulf — with no conflicting obligations between frameworks.
  • India-EU: DPDPA DPA and GDPR SCCs combined
  • ASEAN corridor documentation
  • Sector localisation resolution
BFSI · Healthcare · EdTech · Technology · E-Commerce

Sector-Specific DPDPA Advisory

Every regulated sector carries a compliance overlay on top of the DPDPA. Each conflict must be resolved before two enforcement authorities pursue the same breach.

After this engagement your organisation will have a sector-compliant architecture — DPDPA plus every applicable sector overlay — with no gap between any framework.
  • BFSI: multi-regulator coordination
  • Healthcare: DISHA and DPDPA mapping
  • EdTech: Section 9 verifiable consent
Startups  ·  Privacy by Design

Startup Privacy by Design

Retrofitting compliance costs multiples of building it correctly from the start. Privacy by design from day one — investor-ready, lean, scalable with the business.

After this engagement your organisation will have investor-ready, enterprise-ready DPDPA compliance — built into the product architecture, not retrofitted at Series B due diligence.
  • Privacy by design architecture
  • Investor due diligence package
  • Enterprise procurement readiness
Regulatory Services  ·  When the Board Is Engaged
Breach response, DPB proceedings, retained counsel.
The first response to a Board notice determines the outcome.

The Data Protection Board is operational. Enforcement practice is forming now. These six services address what happens when the Board is watching — or has already made contact.

Section 8(6)  ·  72-Hour Statutory Window

Data Breach Response

For active breaches: [email protected] — Subject: Breach — [Organisation Name]

Notifiability. DPB notification. Sector regulatory coordination. Managed through to closure. The obligation is immediate. The organisation without a prepared response protocol spends the notification window on organisation, not notification.

After this engagement your organisation will have a filed DPB notification, coordinated sector regulatory responses, and a closed correspondence file — not an emergency assembled at 2am.
A pharmaceutical company facing a DPB show cause notice received a compliance undertaking — not a penalty — within six weeks. The evidence file, built before the notice, was the deciding document.
What the engagement delivers
T+0   Detection  ·  Protocol activated. DPO notified.
T+4   Containment  ·  Systems isolated. Scope assessed.
T+12  Assessment  ·  Data categories mapped. Principals estimated.
T+48  Draft  ·  DPBI notification drafted. Legal review complete.
T+72  Notified  ·  Notification submitted. Obligation met. File opened.
DPB Proceedings  ·  Schedule I

DPB Show Cause Response

The first response to a DPB notice determines whether the outcome is a compliance undertaking or a penalty. We draft it on fact and law — not procedural delay.

After this engagement your organisation will have a first response built on fact and law — the documented legal position that determines whether the Board issues a penalty or a compliance undertaking.
  • Show cause response drafting
  • Mitigation strategy
  • DPB correspondence management
Appellate Tribunal  ·  DPDPA Section 29

Appellate Tribunal Representation

The DPB record determines the appellate case. The quality of the first-instance proceedings is the quality of the appeal.

After this engagement your organisation will have a complete appellate record — grounds of appeal, written submissions, and oral advocacy built on the same precision as first-instance proceedings.
  • Grounds of appeal drafting
  • Written submissions
  • Oral advocacy at Tribunal
Proactive Defence  ·  DPDPA Resilience Doctrine

Compliance Posture Review

Legal certainty is the product. Documentation assembled in response to a notice is not a programme.

After this engagement your organisation will have a documented, operative, auditable compliance programme — the one that holds when the DPB investigates, not the one assembled in response to their notice.
  • Existing programme audit
  • Documented gaps remediated
  • Board-presentable posture report
Retained Engagement  ·  Vibe Data Privacy™

DPO as a Service

Not vendors. Not quarterly visitors. Named practitioners embedded in your compliance structure who happen to sit at AMLEGALS.

After this engagement your organisation will have a named DPO embedded in your governance structure — attending meetings, managing the DPB relationship, functioning as your compliance strategist.
  • Named DPO practitioner
  • Board governance attendance
  • PRAMAANA™ evidence maintenance
Ongoing Advisory  ·  Annual Engagement

Annual DPDPA Retainer

Your primary DPDPA adviser throughout the year — monitoring, advising before launch, ensuring your programme leads the regulatory environment rather than chasing it.

After this engagement your organisation will have a standing advisory relationship that ensures your compliance programme leads the regulatory environment rather than being surprised by it.
  • Regulatory monitoring and alerts
  • New processing activity review
  • Annual board compliance report
Client Evidence

Three outcomes. One sentence each.
Sector. Situation. Result. Timeframe.

No other words are needed. The outcome sentence is the only sentence a GC or CFO actually reads.

Foundation Services

“A private sector bank with 4.2 million retail accounts implemented DPDPA-compliant consent architecture, vendor DPA library, and board governance framework in eleven weeks — and cleared its first DPB audit without a single remediation notice.”

BFSI  ·  DPB audit cleared  ·  11 weeks
Regulatory Defence

“A pharmaceutical company facing a DPB show cause notice received a compliance undertaking — not a penalty — within six weeks. The AMLEGALS evidence file, built before the notice arrived, was the deciding document in the Board’s determination.”

Healthcare  ·  Compliance undertaking, no penalty  ·  6 weeks
Retained Services

“A technology company with 2.8 million users embedded AMLEGALS as their standing DPO. Series B investor due diligence cleared in one week. The PRAMAANA™ evidence package was the reason the investment committee did not raise a single compliance question.”

Technology  ·  Series B DD cleared  ·  1 week
Who We Serve

Six client types. Six different statutory positions.

The obligation is identical. The architecture differs. The consequence of inaction is specific to each.

01
Cross-Border

Foreign Companies in India

DPDPA applies to every organisation processing personal data of Indian data principals — regardless of where incorporated. The first DPB notice before a programme exists sets the penalty at the maximum. There is no mitigation without prior documentation.

02
Enterprise India

MNCs and Large Corporates

SDF classification is determined by the Central Government — not the organisation. It arrives without warning. The compliance programme the classification requires must exist before the notification. Not after it.

03
Growth-Stage

Startups and Scale-Ups

DPDPA obligations begin from user one. Not from Series B. Not from profitability. A DPDPA gap discovered in Series B due diligence does not delay the round. It kills it — in a legal memo no one shows you until the term sheet is pulled.

04
Regulated Sectors

BFSI, Healthcare and Telecom

One breach event triggers simultaneous notification obligations to the DPB, RBI, IRDAI, and SEBI. Four enforcement authorities. Four different timelines. Four different formats. One point of instruction.

05
Capital Markets

Investors and VCs

73% of Indian VC and PE due diligence checklists now include DPDPA compliance as a specific line item. An unquantified DPDPA liability is a valuation risk that the next funding cycle will price — whether you have quantified it or not.

06
At Every Scale

SMEs and Professional Services

There is no size exemption in DPDPA. The obligation applies from the first act of processing. The penalty under Schedule I is not proportionate to size. The obligation is identical to an enterprise. The Board does not distinguish.

Before You Decide

Questions clients ask
before instructing counsel.

Intentionally precise. For orientation only — not a substitute for advice specific to your facts, processing activities, and risk position.

Is a startup or small organisation exempt from the DPDPA?

There is no size exemption in the DPDPA. The Schedule I penalties are not proportionate to organisational size — they are proportionate to the violation. A startup processing 50,000 user records without a compliant consent architecture is exposed to the same §33 penalty ceiling as a large corporate. DPDPA obligations begin from user one — not from Series B, not from profitability, not from a certain revenue level. A DPDPA gap discovered in investor due diligence does not delay the round. It ends it — in a legal memo you are not shown until after the term sheet is pulled.

Can an existing GDPR programme be reused for the DPDPA?

No. A GDPR programme cannot be transplanted to DPDPA without fundamental architectural redesign. The DPDPA has no legitimate interest processing basis — GDPR Article 6(1)(f) does not exist in Indian law. DPDPA uses a negative list for cross-border transfers; GDPR uses a positive list. There is no data minimisation principle in the primary Act. The child age threshold is 18, not 16. Consent withdrawal under §8(7) triggers mandatory erasure — not an Article 17 GDPR balancing exercise. Your GDPR documentation is a starting inventory. The programme itself must be redesigned for the DPDPA standard.

What is the difference between a compliance consultant and a law firm?

A compliance consultant maps obligations and builds frameworks. A law firm produces legal advice — the documented legal position that is privileged, signed by a lawyer, and stands up in a Board proceeding. The distinction matters the moment the Board initiates an inquiry. A consultant’s report is discoverable. Legal advice from counsel is not. The organisations whose first Board response produces a compliance undertaking rather than a penalty are the ones with a documented legal position — not a framework deck. Both have a role. The legal position requires a lawyer.
“Every organisation will eventually answer to the Data Protection Board. The only question is whether they answer from a position of documented compliance — or documented absence of it.”
Anandaday Misshra  ·  Founder and Managing Partner, AMLEGALS

The compliance record that holds when the Board looks
is built before they look.

Thirteen practice areas. Three tiers. One framework. Every engagement produces a documented, operative, defensible legal position.

New Delhi  ·  Ahmedabad  ·  Mumbai  ·  Bengaluru  ·  Kolkata  ·  Chennai  ·  Pune  ·  Prayagraj
AMLEGALS Legal Tech Products

Three products. Built on the same
statutory backbone as the advisory.

Not generic platforms. Each product is built by practitioners who use them in advisory engagements — designed for the specific obligations and evidence requirements of the DPDPA.

AMLEGALS Product · Data Privacy
Vibe Data Privacy™

Compliance that lives inside the organisation. Not archived in a folder. Visibility → Instruction → Behaviour → Evidence. Five operational layers. One Vibe Pulse Score the board can act on every quarter.

Consent Lifecycle  ·  Rights Fulfilment  ·  OCE Framework  ·  Board Reporting
Explore Vibe Data Privacy™ →
AMLEGALS Product · Risk Intelligence
DPDPA Resilience Pro

Purpose-built for Data Fiduciaries who need to stress-test their DPDPA programme against Board investigation scenarios, breach simulations and Schedule I penalty quantum modelling. Build the defensible posture before enforcement arrives — not after.

Breach Simulation  ·  Penalty Modelling  ·  Board Readiness  ·  Stress-Test
Explore Resilience Pro →
AMLEGALS Product · Knowledge Architecture
DPDPA Ontology Pro

Every section, obligation, definition, enforcement pathway and cross-reference across the DPDPA 2023 and DPDPA Rules 2025 mapped into a navigable, queryable knowledge graph. Built for GCs and DPOs who need the statute at their fingertips — not in a PDF.

44-Section Map  ·  Rules 2025 Integration  ·  GC & DPO Ready  ·  Queryable
Explore Ontology Pro →