AMLEGALS

Reports & Research

Data Privacy Intelligence

India DPDPA Readiness Report 2026

REPORT

Our annual survey of CXOs, DPOs and General Counsel across twelve sectors reveals the compliance gap — and the commercial opportunity — as the Data Protection Board commences full enforcement from 13 May 2027. Includes sector-by-sector maturity scores, the most common compliance gaps, and a 90-day priority roadmap.

Cross-Border Data Transfers Under DPDPA

GUIDE

A definitive practitioner's guide to India's cross-border transfer framework — the most permissive major economy transfer model in the world. Covers Section 16 mechanics, the negative list approach versus GDPR adequacy, and corridor-by-corridor analysis for India-EU, India-US, India-Singapore, India-UAE, and thirteen other transfer routes.

The Consent Architecture Blueprint

FRAMEWORK

Consent under the DPDPA is not a checkbox. It must be free, specific, informed, unconditional and unambiguous — and withdrawal must be as easy as giving consent. This framework document provides the complete architecture for a consent management layer that satisfies Rule 3, integrates with existing CRM and MarTech systems, and survives regulatory examination.

Significant Data Fiduciary Classification

GUIDE

When the Central Government notifies the Significant Data Fiduciary classification criteria under Section 10, every organisation processing digital personal data in India will need to assess whether it falls within the designation. This guide provides a practical breakdown of the expected classification criteria and explains the additional obligations — DPO appointment, DPIA, Data Auditor engagement — that follow.

The 72-Hour Breach Response Playbook

PLAYBOOK

When a personal data breach occurs, the DPDPA requires notification to the Data Protection Board and each affected data principal within seventy-two hours. This playbook provides the minute-by-minute legal and operational guide — from breach detection and classification through containment, notification drafting, board communication, and post-incident remediation under Rule 7.

Board-Level Privacy Governance

WHITEPAPER

Section 36 of the DPDPA introduces personal liability for officers of organisations. When a contravention is committed with consent or attributable to neglect, the officer is deemed guilty. This whitepaper addresses the governance architecture that boards must build — data protection committees, risk escalation protocols, quarterly compliance reporting, and the documentation standards that constitute evidence of due diligence.

AI Governance at the Intersection of DPDPA and EU AI Act

REPORT

Indian AI companies deploying systems in the EU face simultaneous compliance obligations under the DPDPA and the EU AI Act. This report maps the overlapping requirements — from automated decision-making transparency under both frameworks, to the EU AI Act's prohibited practices list, high-risk AI obligations, and the DPDPA's data principal rights that intersect with algorithmic accountability.

DPDPA Impact on BFSI: Banking, Insurance and FinTech

REPORT

The financial sector processes more sensitive personal data than any other industry in India. This report addresses the DPDPA compliance architecture specific to banks, insurance companies, NBFCs, payment processors and fintech platforms — covering RBI interplay, customer KYC data flows, credit bureau obligations, UPI transaction data governance, and the heightened security safeguard requirements that the sector must meet.

Privacy by Design Implementation Framework

FRAMEWORK

Privacy by design is not an aspiration under the DPDPA — it is an operational necessity. This framework document provides the complete methodology for embedding data protection principles into product development lifecycles, engineering workflows, and organisational processes. Covers privacy impact assessments, data minimisation patterns, purpose limitation enforcement, and the technical architecture for privacy-first systems.