The Digital Personal Data Protection Act is not coming. It is here. This assessment covers the six pillars that determine whether your organisation is compliant or exposed.
Each pillar carries its own compliance burden. A gap in any one of them is a gap in all of them.
The DPDPA requires free, specific, informed, unconditional, and unambiguous consent. Bundled consent is dead. Every processing purpose needs its own clear notice and separate affirmation.
Right to access, correction, erasure, and grievance redressal. Nomination rights for deceased principals. Each right carries a statutory response timeline your organisation must meet.
Reasonable security safeguards are mandatory. The Act does not prescribe technical standards. That makes it harder, not easier. Your safeguards must withstand regulatory scrutiny after a breach.
Personal data can flow outside India except to countries the Central Government restricts. No adequacy finding framework like GDPR. The restricted list can change without notice.
If designated as an SDF, you must appoint a Data Protection Officer based in India, conduct Data Protection Impact Assessments, and submit to periodic audits. The designation criteria are broad.
Every data breach affecting personal data must be reported to the Data Protection Board and each affected Data Principal. The 72-hour clock starts when you become aware. Not when you finish investigating.
25 questions across 5 categories. Takes about 10 minutes.
Compliance is not a destination. It is an operating system.
The DPDPA did not create new obligations. It made existing ones enforceable. The organisations that treat this as a legal project will finish it. The ones that treat it as a technology project will automate it. The ones that treat it as both will be ready.
AMLEGALS has advised on data privacy since the draft stage of the Act.