Data>Nuance
All insights
GuideDPDP Act

DPDP Act readiness for technology businesses

A practical first-pass framework for product, legal and security teams deciding what to document and implement first.

Data>Nuance

The Digital Personal Data Protection Act, 2023 places operational responsibilities on organisations that process digital personal data. Technology businesses should begin with the decisions they can evidence.

Start with the processing map

List the personal data collected across products, marketing, employment, support, analytics and vendors. For each activity identify the purpose, the relevant system, access points, retention position and any transfer to a processor.

Prioritise obligations

A first readiness review should address:

  • the lawful purpose and processing basis;
  • notice content and consent journeys where required;
  • safeguards, vendor instructions and breach readiness;
  • rights and grievance workflows; and
  • whether children or Significant Data Fiduciary duties require heightened controls.

Turn advice into records

The useful output is not a general statement of compliance. It is a sequenced roadmap, accountable owners and records showing why controls were chosen.

This publication is general information and is not legal advice for a specific organisation or matter.

Continue reading

Notice and consent

Notice under Section 5 of the DPDP Act

What a Data Fiduciary should review before putting consent and notice experiences into production.

Read insight

Heightened duties

Children's data under Section 9 of the DPDP Act

Heightened duties for teams building products that may process a child's personal data.

Read insight

Start with context

Book a focused DPDP Act consultation.

Bring an upcoming launch, notice review, data mapping question, incident readiness issue or implementation deadline. We will help identify the right next step.

Book consultation Submit a brief