The Act applies to processing in India and to processing outside India that is connected with offering goods or services to individuals in India. A Data Fiduciary determines purposes and means; a Data Processor acts on documented instructions.

• Personal Data (PDP) and Special Personal Data (SPDP) should be identified in each system and across vendor chains.
• Sectoral overlays (RBI, IRDAI, MeitY) prevail if stricter—maintain a living law register.
• Children (<18): heightened safeguards; no profiling/targeted ads; verifiable parental consent.

Use valid consent or a recognised legitimate use. For each purpose, record the legal basis, necessity test, and compensating safeguards.

• Consent is itemised, unbundled, and revocable with parity; artefacts are immutable and auditable.
• For legitimate uses (employment/emergency), keep an interpretation memo with harm analysis.

• Layered, just-in-time notices (multilingual) with a versioned repository.
• Dark-pattern-free UX; non-essential processing is opt-in only.
• Canonical RoPA linking systems → purposes → retention → transfers → vendors.

• DPAs must cover purpose limitation, sub-processor approvals, audit rights, breach SLAs, and end-of-contract deletion/return.
• Tier vendors by risk; collect SOC 2/ISO 27001/PCI evidence; track remediation from DDQs.

• Baseline: MFA, least-privilege, encryption in transit/at rest, monitoring, and tested vulnerability management.
• Retention schedules per dataset; deletion evidence; litigation-hold alignment.

Operate a predictable workflow that preserves timelines and evidence:

• ID/authority checks → federated searches → standard redaction → response pack.
• Ticketing with SLA timers; DPO escalation on exemptions; formal closure letters with rationale.

Run quarterly assurance. Attach artefacts to controls to maintain regulator-ready posture.

1. Catalogue PDP/SPDP across storefront, payment, CRM; map to purpose; capture consent.
2. Dark-pattern tests; immutable consent artefacts with timestamp and UI text.
3. Segment PCI; tokenise cards; joint vendor breach drills.
4. Retention matrices for orders/logs/audiences; record deletion proof.

SPDP handling, e-consent per episode, segregated HIMS/LIS, priority response for incidents involving diagnosis codes.

Telemetry policies; DPIAs for monitoring; minimise camera analytics; firmware update trails; controls on cross-border telemetry.

• Detect → contain → eradicate → recover with pre-approved procedures; maintain an evidence log.
• 72-hour checkpoint to evaluate notifications; prepare regulator pack and user comms in parallel.

Use discovery time, SPDP impact, containment state, and cross-border effects; document rationale for notify/no-notify.

1. DPO mandate, independence, reporting lines.
2. RoPA with purposes & data-flow maps.
3. Itemised, withdrawable consent; immutable artefacts.
4. Layered notices with version control & languages.
5. DSAR SOP + tooling + evidence; 15-day SLA.
6. DPAs + TPRM with remediation tracking.
7. Security baseline (authn, encryption, logging, IR).
8. Children’s data: age gates, profiling restrictions.
9. Retention schedules; deletion proofs.
10. Breach playbook; notification logic; regulator templates.

Use to drive a 90-day remediation sprint—prioritise high-risk, low-effort items.

• Context & purpose; necessity & proportionality.
• Risks → mitigations → residual risk sign-off.
• Review triggers (features/geo changes).

Concise tracks for executives, engineers, HR, and marketing; collect attestations and store completion proofs for audit readiness.