DPDP Gap Analysis — 60+ Section-mapped requirements

Establish and document lawful basis (consent or legitimate use) for every personal data processing activity.

Serve a notice to Data Principals before or at time of consent, in clear and plain language.

Notice must specify the personal data categories being collected.

Notice must specify the purpose of processing.

Notice must specify how consent can be withdrawn.

Notice must specify the grievance redressal mechanism and contact details.

Notice must inform the Data Principal of the right to file a complaint with the Data Protection Board.

Consent must be freely given — not coerced or conditioned on unrelated service.

Consent must be specific to the stated purpose — not bundled across multiple unrelated purposes.

Consent must be unambiguous — obtained through clear affirmative action.

Consent must be granular — Data Principal may consent to some purposes and decline others.

Withdrawal must be as easy as giving consent and must immediately stop processing.

If using a Consent Manager — ensure it is registered with the DPB and acts on behalf of the Data Principal.

Ensure personal data used in decisions about Data Principals is complete, accurate and consistent.

Implement encryption of personal data at rest and in transit.

Implement access controls based on need-to-know and need-to-use.

Implement monitoring of systems and personal data to detect breaches.

Implement organisational policies and training programmes as part of reasonable safeguards.

Erase personal data when the purpose for which it was collected is no longer served.

Erase or cease processing personal data when Data Principal withdraws consent.

Apply Third Schedule default retention periods for qualifying entity types.

Serve 48-hour advance notice to Data Principals before scheduled erasure.

Retain processing logs and traffic data for a minimum of one year.

Obtain verifiable parental or guardian consent before processing personal data of children under 18.

Verification method for parental consent must meet approved standards (including DigiLocker integration).

Do not track, monitor or profile children — absolute prohibition.

Do not serve targeted advertising directed at children — absolute prohibition.

Assess whether the organisation meets criteria for SDF designation by the Central Government.

If designated SDF — appoint a Data Protection Officer who is an India-resident individual.

DPO must report directly to the Board of Directors — not to a business unit or management layer.

Conduct an annual Data Protection Impact Assessment within 12 months of SDF designation.

Commission an independent annual audit — auditor must be independent, not internal team.

Auditor must submit report with significant findings directly to the Data Protection Board.

Conduct due diligence on algorithmic systems — confirm they do not pose risk to Data Principal rights.

Comply with data localisation requirements for Central Government specified data categories.

Provide a mechanism for Data Principals to access all personal data held about them and the list of processors data was shared with.

Provide a mechanism for correction, completion and update of inaccurate personal data.

Provide a mechanism for erasure on Data Principal request — subject to statutory retention.

Provide a mechanism for withdrawal of consent — as easy as giving consent.

Publish a grievance redressal mechanism and response timeline on website or app.

Provide a mechanism for Data Principals to nominate a person to exercise rights on their behalf in event of death or incapacity.

All rights requests must be fulfilled or formally refused within 90 days.

Inventory all cross-border personal data flows including processor transfers, SaaS and component-level exposures.

Monitor Central Government negative-list notifications and check destination countries against the list.

Ensure purpose limitation is maintained for personal data transferred outside India.

SDF — ensure specified personal data categories are not transferred outside India once Government notifies the categories.

Designate an accountability owner for each personal data processing purpose.

Implement an organisational training programme covering DPDP obligations for all staff handling personal data.

Publish contact information for processing queries on website or application.

Document and justify all claimed exemptions under Section 17 (state functions, research, national security).

Ensure a valid Data Processing Agreement exists with every Data Processor before processing begins.

DPA must specify data categories, purpose and explicit prohibition on processing beyond instructions.

DPA must mandate security safeguards equivalent to Rule 6 — encryption, access control, audit rights.

DPA must require processor to report breaches within a window enabling Fiduciary to meet the 72-hour Rule 7 obligation.

DPA must require processor to erase data on instruction and on contract termination.

Obtain prior approval for sub-processors and ensure equivalent obligations flow down.

Ensure marketing and CRM data processing is based on valid and specific consent — not assumed.

Ensure processors retain processing logs and traffic data for a minimum of one year — mandate via DPA.

Notify the Data Protection Board without delay upon becoming aware of a personal data breach.

Submit detailed breach report to DPB within 72 hours covering all Rule 7(2)(a)-(e) mandatory items.

Notify affected Data Principals of a breach with sufficient information to enable protective action.

Maintain and test an Incident Response Plan covering Rule 7 notification obligations.

Implement breach detection — monitoring must enable awareness before the 72-hour clock expires.

MCI Regulations 2002 require patient records retained minimum 3 years from last visit; DPDP erasure must not override.

NDPS Act 1985 requires Schedule H and Schedule X prescription records retained for 2 years.

Personal data of minor patients — especially victims of offences — must not be disclosed. POCSO Section 23 applies alongside DPDP Section 9.

Health data integrated with ABDM (ABHA / Health ID) is subject to both DPDP and NHA ABDM data privacy framework.