AMLEGALS DPDPA
Practice Areas  ·  India

The Data Protection Board does not distinguish between organisations that did not know and organisations that did not act.

Twenty-three services in three tiers. One framework. Every engagement produces a documented, operative, defensible legal position, built before the Board looks, not in response to its notice.

Based on AMLEGALS gap assessments 2024–2025: most organisations have addressed fewer than ten of the forty-four operative DPDPA sections.

Doctrine I  ·  Proprietary Methodology
Vibe Data Privacy™
Compliance that lives inside the organisation. Not archived in a folder.
01  Statutory Mapping
All 44 sections. Every processing activity. Gap Matrix and exposure quantification.

02  Consent Architecture
Rule 3-compliant. Product by product. Language by language.

03  Governance Design
Board accountability. DPO mandate. Executed DPA with every processor.

04  Technical Integration
Security safeguards to Rule 6. Tested breach protocol.

05  Continuous Intelligence
DPB monitoring. Regulatory updates. Programme adapts with the business.

Doctrine II  ·  Anandaday Misshra
DPDPA Resilience Doctrine
Build for the decade. Not the audit quarter.
I  Build for trajectory, not the snapshot
A programme measured by where it will be when tested, not when assembled.

II  Governance absorbs what documentation cannot
A filing exercise without operational governance is not a programme.

III  Enforcement learns. So must the programme.
The Board’s practice is forming now. The programme that does not monitor will be surprised.

IV  Legal certainty is the product
Every engagement produces a documented, defensible legal position. Not a report.

The Client Problem

Three functions. Three specific exposures.
One regulatory framework that applies to all.

The services below are the answer to these three problems. The problem is stated first because that is the only honest order.

General Counsel
Every vendor contract signed before DPDPA has no data processing agreement clause.

Section 8(2) requires a valid written contract with every processor. Every legacy contract that lacks one is non-compliant from day one. A vendor breach without a valid DPA is the organisation’s breach, and the GC’s accountability.

₹250Cr  Maximum exposure when a vendor breach occurs without a valid DPA

CFO and Board
DPDPA Schedule I sits unmodelled in most Indian balance sheets.

One breach event can trigger ₹250Cr (Section 8(5)), ₹200Cr (Section 8(6)) and ₹150Cr (Section 10) simultaneously. The compound event is a ₹600Cr exposure. The auditors will ask why it was not on the risk register before the breach, not after it.

₹600Cr+  Compound exposure from a single incident across three Schedule I categories

CISO and DPO
Reasonable security is defined by the Board after the breach, not by you before it.

Section 8(5) requires “reasonable security safeguards”. Rule 6 sets the floor; whether what you built on top of it was reasonable is judged by the Board after the breach. The CISO who cannot produce a documented rationale for every security decision has not built a defence. They have built a gap.

81%  Penalty reduction Marriott achieved through documentation: the ICO’s proposed £99M reduced to £18.4M.
₹250 Crore
Maximum Penalty  ·  Schedule I, DPDPA 2023

One breach. Multiple simultaneous violations. The organisations with documented compliance programmes are the ones whose first Board response produces a compliance undertaking, not a penalty.

₹250Cr  Security safeguard failure · Section 8(5)
₹200Cr  Breach notification failure · Section 8(6)
₹200Cr  Children’s data obligations · Section 9
₹150Cr  SDF obligations · Section 10
₹50Cr   Any other provision · catch-all

DPB Update Q1 2026: The Data Protection Board has issued its first operational guidelines. Enforcement practice is forming now. The organisations building their compliance record today will be the ones with documented evidence when the first major penalty is announced.

Foundation Services  ·  The Statutory Floor
What you must have from day one.
No compliance programme exists without these six.

Every organisation processing personal data in India must have these six elements operative — not planned, not drafted, operative. The Data Protection Board’s first question at any inquiry is whether the foundation exists.

Flagship  ·  Full DPDPA 2023 Implementation

DPDPA Full Spectrum Implementation

From Gap Analysis and readiness assessment to full operational compliance

Not templates. A compliance architecture a DPB investigation would find operative.

After this engagement your organisation will have a complete, operative compliance architecture: consent records, security safeguards, processing agreements, and board-level governance. All functioning. All documented. All defensible.

A private sector bank with 4.2 million accounts cleared its first DPB audit without a remediation notice within 11 weeks of engagement.

What the engagement delivers
  • Statutory Gap Matrix: every gap identified against all 44 DPDPA sections
  • Consent Architecture: Rule 3-compliant, product by product, language by language
  • Vendor DPA Library: current, executed DPA with every data processor
  • Board Governance: board accountability, DPO mandate, governance protocols
  • Breach Protocol: documented, tested, board-approved response protocol
Section 4  ·  DPDPA Rules 2025

Gap Analysis and Readiness Assessment

Built without a Gap Analysis, your programme rests on assumptions. Every gap identified, every exposure quantified, remediation sequenced.

After this engagement your organisation will have a written Statutory Gap Matrix — every gap identified, every exposure quantified, before the Data Protection Board finds it for you.
  • 44-section statutory mapping
  • Quantified exposure per gap
  • Sequenced remediation plan
Sections 5–7  ·  Rule 3

Consent and Notice Architecture

A notice that does not meet Rule 3 is not a notice. We design consent architecture product by product, language by language.

After this engagement your organisation will have a consent and notice architecture that meets Rule 3 exactly — every consent evidenced, every purpose documented.
  • Rule 3-compliant notice drafting
  • Product-specific consent flows
  • Consent withdrawal mechanisms
Section 8(5)  ·  Rule 6

Data Security Safeguards

Rule 6 prescribes the standard. We measure your architecture against it and produce the written compliance record.

After this engagement your organisation will have a documented security architecture rationale — the written record of why your safeguards were reasonable, built before a breach, not assembled after one.
  • Rule 6 architecture review
  • Vendor security assessment
  • Remediation opinion letter
Section 8(2)–8(4)  ·  DPDP Rules

Data Processing Agreements

A GDPR template does not satisfy the DPDP Rules. We draft to your specific data flows. None templated.

After this engagement your organisation will have a current, executed DPA with every data processor: the contract that satisfies Section 8(2) and gives you documented recourse against the processor. Statutory responsibility to the Board stays with the Data Fiduciary under Section 8(1) regardless of any agreement; the DPA is how you evidence that the processor was controlled.
  • DPDPA-compliant DPA drafting
  • Complete vendor DPA library
  • Processor audit obligations
Sections 11–13  ·  Chapter III

Data Principal Rights Infrastructure

Rights granted must be honoured. We build the operational framework — not the policy document.

After this engagement your organisation will have an operational rights framework: tested response timelines, escalation pathways, and a grievance redressal record that shows every request was honoured. Rights granted, fully honoured.
  • Rights request workflow (access, correction and erasure, grievance redressal)
  • Response timeline protocols
  • Grievance redressal and DPB escalation procedures (Section 13)
Specialised Services  ·  Advanced Obligations
Business events and advanced statutory obligations.
Every transaction, transfer, and technology decision has a DPDPA dimension.

M&A transactions, cross-border data flows, SDF classification, AI governance, sector-specific overlays — each creates a DPDPA obligation the parties have not yet addressed. These eleven services address them.

M&A  ·  Due Diligence

Transaction Support and M&A Privacy

We find the liability before the deal closes and structure to ring-fence it. Not after.

After this engagement your organisation will have a written privacy liability assessment, a deal structure that ring-fences the exposure, and representations that hold at closing.
  • Privacy due diligence review
  • Liability quantification
  • Deal structure advisory
Documentation  ·  Bespoke Drafting

Contracts and Documents

Every instrument drafted to the specific processing relationship. None templated.

After this engagement your organisation will have a complete data protection contract library — every instrument drafted to the specific processing relationship it governs.
  • Privacy policy suite
  • Consent documentation
  • Vendor agreement library
Training  ·  Board to Operations

Training and Awareness

Architecture fails when the person handling data does not understand why it matters. Real scenarios — not slides.

After this engagement your organisation will have a workforce that understands why the data they handle matters — and a documented training record that demonstrates it to the Board.
  • Board and C-suite briefings
  • Operational scenario exercises
  • Documented training records
Investors  ·  VCs  ·  PE

Privacy Due Diligence for Investors

Does the programme exist? Does it work? What is the Schedule I exposure? The report goes to the investment committee — not a folder.

After this engagement your organisation will have a DPDPA compliance health report the investment committee can act on — quantified Schedule I exposure, compliance maturity scored.
  • DPDPA health check
  • Schedule I exposure quantification
  • Compliance maturity scoring
GDPR  ·  PDPL  ·  PDPA  ·  UK GDPR

International Data Privacy

One firm. One framework. Both sides of every international data relationship — GDPR to PDPL to DPDPA.

After this engagement your organisation will have both-sides-addressed transfer mechanisms — legally sound on the Indian end, compliant at the destination, no gap between the frameworks.
  • Six-jurisdiction advisory
  • Combined DPDPA DPA and GDPR SCCs
  • Both-sides transfer mechanisms
AI  ·  Algorithmic Decision-Making

AI Governance and Data Privacy

AI systems process personal data. The DPDPA governs it. We build the governance framework the algorithmic rider demands.

After this engagement your organisation will have a documented AI governance framework — consent for automated decisions, data minimisation controls, and a board-ready position on the algorithmic rider.
  • AI processing legal basis
  • Algorithmic rider compliance
  • Automated decision framework
Section 10(1)  ·  SDF Classification

SDF Classification Assessment

The Central Government classifies — not the organisation. We assess your exposure before the notification arrives.

After this engagement your organisation will have a written classification exposure assessment and a data operations structure that manages that exposure before the Central Government notification arrives.
  • Classification criteria analysis
  • Data volume and sensitivity audit
  • Pre-notification structuring
Section 10(2)  ·  SDF Obligations

DPO Appointment, Data Audit and DPIA

Three statutory SDF obligations — DPO appointment as KMP, independent data audit, and periodic DPIA — each requiring documented legal instruments.

After this engagement your organisation will have a board-approved DPO mandate, audit-ready documentation, and a board-submitted DPIA prepared by a lawyer — not a questionnaire.
  • DPO mandate and governance
  • Audit readiness programme
  • Full DPDPA standard DPIA
Section 16  ·  GDPR · ASEAN · Gulf

Cross-Border Data Transfers

Section 16 permits the transfer. It does not remove the receiving jurisdiction’s law. We resolve both sides of every corridor simultaneously.

After this engagement your organisation will have both-sides-addressed transfer documentation for every corridor — EU, UK, ASEAN, Gulf — with no conflicting obligations between frameworks.
  • India-EU: DPDPA DPA and GDPR SCCs combined
  • ASEAN corridor documentation
  • Sector localisation resolution
BFSI · Healthcare · EdTech · Technology · E-Commerce

Sector-Specific DPDPA Advisory

Every regulated sector carries a compliance overlay on top of the DPDPA. Each conflict must be resolved before two enforcement authorities pursue the same breach.

After this engagement your organisation will have a sector-compliant architecture — DPDPA plus every applicable sector overlay — with no gap between any framework.
  • BFSI: multi-regulator coordination
  • Healthcare: DISHA and DPDPA mapping
  • EdTech: Section 9 verifiable consent
Startups  ·  Privacy by Design

Startup Privacy by Design

Retrofitting compliance costs multiples of building it correctly from the start. Privacy by design from day one — investor-ready, lean, scalable with the business.

After this engagement your organisation will have investor-ready, enterprise-ready DPDPA compliance — built into the product architecture, not retrofitted at Series B due diligence.
  • Privacy by design architecture
  • Investor due diligence package
  • Enterprise procurement readiness
Regulatory Services  ·  When the Board Is Engaged
Breach response, DPB proceedings, retained counsel.
The first response to a Board notice determines the outcome.

The Data Protection Board is operational. Enforcement practice is forming now. These six services address what happens when the Board is watching — or has already made contact.

Section 8(6)  ·  DPDP Rules  ·  72-Hour Notification Window

Data Breach Response

For active breaches: [email protected] — Subject: Breach — [Organisation Name]

Notifiability. DPB notification. Sector regulatory coordination. Managed through to closure. The obligation is immediate. The organisation without a prepared response protocol spends the notification window on organisation, not notification.

After this engagement your organisation will have a filed DPB notification, coordinated sector regulatory responses, and a closed correspondence file — not an emergency assembled at 2am.
A pharmaceutical company facing a DPB show cause notice received a compliance undertaking, not a penalty, within six weeks. The evidence file, built before the notice, was the deciding document.

What the engagement delivers
  • T+0h   Detection: protocol activated, DPO notified.
  • T+4h   Containment: systems isolated, scope assessed.
  • T+12h  Assessment: data categories mapped, affected principals estimated.
  • T+48h  Draft: DPB notification drafted, legal review complete.
  • T+72h  Notified: notification submitted, obligation met, correspondence file opened.
DPB Proceedings  ·  Schedule I

DPB Show Cause Response

The first response to a DPB notice determines whether the outcome is a compliance undertaking or a penalty. We draft it on fact and law — not procedural delay.

After this engagement your organisation will have a first response built on fact and law — the documented legal position that determines whether the Board issues a penalty or a compliance undertaking.
  • Show cause response drafting
  • Mitigation strategy
  • DPB correspondence management
Appellate Tribunal  ·  DPDPA Section 29

Appellate Tribunal Representation

The DPB record determines the appellate case. The quality of the first-instance proceedings is the quality of the appeal.

After this engagement your organisation will have a complete appellate record — grounds of appeal, written submissions, and oral advocacy built on the same precision as first-instance proceedings.
  • Grounds of appeal drafting
  • Written submissions
  • Oral advocacy at Tribunal
Proactive Defence  ·  DPDPA Resilience Doctrine

Compliance Posture Review

Legal certainty is the product. Documentation assembled in response to a notice is not a programme.

After this engagement your organisation will have a documented, operative, auditable compliance programme — the one that holds when the DPB investigates, not the one assembled in response to their notice.
  • Existing programme audit
  • Documented gaps remediated
  • Board-presentable posture report
Retained Engagement  ·  Vibe Data Privacy™

DPO as a Service

Not vendors. Not quarterly visitors. Named practitioners embedded in your compliance structure who happen to sit at AMLEGALS.

After this engagement your organisation will have a named DPO embedded in your governance structure — attending meetings, managing the DPB relationship, functioning as your compliance strategist.
  • Named DPO practitioner
  • Board governance attendance
  • PRAMAANA™ evidence maintenance
Ongoing Advisory  ·  Annual Engagement

Annual DPDPA Retainer

Your primary DPDPA adviser throughout the year — monitoring, advising before launch, ensuring your programme leads the regulatory environment rather than chasing it.

After this engagement your organisation will have a standing advisory relationship that ensures your compliance programme leads the regulatory environment rather than being surprised by it.
  • Regulatory monitoring and alerts
  • New processing activity review
  • Annual board compliance report
Client Evidence

Three outcomes. One sentence each.
Sector. Situation. Result. Timeframe.

No other words are needed. The outcome sentence is the only sentence a GC or CFO actually reads.

Foundation Services

“A private sector bank with 4.2 million retail accounts implemented DPDPA-compliant consent architecture, vendor DPA library, and board governance framework in eleven weeks — and cleared its first DPB audit without a single remediation notice.”

BFSI  ·  DPB audit cleared  ·  11 weeks
Regulatory Defence

“A pharmaceutical company facing a DPB show cause notice received a compliance undertaking — not a penalty — within six weeks. The AMLEGALS evidence file, built before the notice arrived, was the deciding document in the Board’s determination.”

Healthcare  ·  Compliance undertaking, no penalty  ·  6 weeks
Retained Services

“A technology company with 2.8 million users embedded AMLEGALS as their standing DPO. Series B investor due diligence cleared in one week. The PRAMAANA™ evidence package was the reason the investment committee did not raise a single compliance question.”

Technology  ·  Series B DD cleared  ·  1 week
Who We Serve

Six client types. Six different statutory positions.

The obligation is identical. The architecture differs. The consequence of inaction is specific to each.

01
Cross-Border

Foreign Companies in India

DPDPA applies to every organisation processing personal data of Indian data principals, regardless of where it is incorporated, where the processing is connected to offering goods or services to data principals in India (Section 3). A first DPB notice that arrives before a programme exists leaves nothing for the Board to weigh in mitigation under Section 33(2). There is no mitigation case without prior documentation.

02
Enterprise India

MNCs and Large Corporates

SDF classification is determined by the Central Government — not the organisation. It arrives without warning. The compliance programme the classification requires must exist before the notification. Not after it.

03
Growth-Stage

Startups and Scale-Ups

DPDPA obligations begin from user one. Not from Series B. Not from profitability. A DPDPA gap discovered in Series B due diligence does not delay the round. It kills it — in a legal memo no one shows you until the term sheet is pulled.

04
Regulated Sectors

BFSI, Healthcare and Telecom

For a BFSI entity, one breach event can trigger simultaneous notification obligations to the DPB, RBI, IRDAI and SEBI. Four enforcement authorities. Four different timelines. Four different formats. One point of instruction.

05
Capital Markets

Investors and VCs

73% of Indian VC and PE due diligence checklists now include DPDPA compliance as a specific line item. An unquantified DPDPA liability is a valuation risk that the next funding cycle will price — whether you have quantified it or not.

06
At Every Scale

SMEs and Professional Services

There is no size exemption in DPDPA. The obligation applies from the first act of processing. The penalty under Schedule I is not proportionate to size. The obligation is identical to an enterprise. The Board does not distinguish.

“Every organisation will eventually answer to the Data Protection Board. The only question is whether they answer from a position of documented compliance — or documented absence of it.”
Anandaday Misshra  ·  Founder and Managing Partner, AMLEGALS

The compliance record that holds when the Board looks is built before they look.

Twenty-three services. Three tiers. One framework. Every engagement produces a documented, operative, defensible legal position.

New Delhi  ·  Ahmedabad  ·  Mumbai  ·  Bengaluru  ·  Kolkata  ·  Chennai  ·  Pune  ·  Prayagraj