DPDP Risk Assessment

The DPDP Act applies whether or not you've reviewed it yet.

The Digital Personal Data Protection Act, 2023 applies to any organization that processes the personal data of individuals in India — regardless of where that organization is headquartered. Rules under the Act are being progressively operationalized, and obligations around consent, breach notification, and data principal rights apply to data fiduciaries and processors alike.

Non-compliance carries real financial exposure, with penalties that scale by the nature and severity of the failure. For most businesses, the bigger risk isn't the fine — it's discovering a gap during a breach investigation instead of before one.

What this assessment covers

• Data inventory and purpose mapping — what personal data you hold, where, and why.
• Consent mechanisms — whether they meet the Act's standard for clear, specific, informed consent.
• Data principal rights readiness — your ability to act on access, correction, and erasure requests.
• Breach notification readiness — whether you could meet your reporting obligations today, not eventually.
• Data fiduciary and data processor obligations, mapped to your actual role in each data flow.
• Security safeguards required under the Act, and whether your current controls actually meet them.

A scored report, not a checklist

You'll get a prioritized view of where you stand — gaps ranked by actual risk, mapped to the specific provisions of the Act they relate to, and organized into an action plan with clear ownership. This feeds directly into the governance work we do with clients long-term, but it stands on its own if all you need right now is a clear picture.