Segment Rule Number Rule Title
Governance
Governance 1 Short title and commencement
Governance 2 Definitions
Governance 3 Notice given by Data Fiduciary to Data Principal
Governance 4 Registration and obligations of Consent Manager
Governance 5 Processing for subsidy/benefit/service/licence/permit by State
Security
Security 6 Reasonable security safeguards
Security 7 Intimation of personal data breach
Security 8 Deemed end of purpose and retention minima
Rights & Consent
Rights & Consent 9 Contact information for privacy queries
Rights & Consent 10 Verifiable parental consent (child data)
Rights & Consent 11 Guardian consent (person with disability)
Rights & Consent 12 Exemptions for certain child processing
Rights & Consent 13 Additional obligations of Significant Data Fiduciary
Rights & Consent 14 Rights of Data Principals
Cross-Border & Exemptions
Cross-Border & Exemptions 15 Transfer of personal data outside India
Cross-Border & Exemptions 16 Exemption for research/archiving/statistics
Board Governance
Board Governance 17 Appointment of Chairperson and Members
Board Governance 18 Service conditions of Chairperson and Members
Board Governance 19 Board meetings and authentication of instruments
Board Governance 20 Functioning of Board as digital office
Board Governance 21 Service terms of officers and employees of Board
Appeals & Info Requests
Appeals & Info Requests 22 Appeal to Appellate Tribunal
Appeals & Info Requests 23 Calling for information from Data Fiduciary or intermediary
Simple Legal Explanation
Rule 1: Names these as the Digital Personal Data Protection Rules 2025 and specifies which Rules come into force on what
Rule 2: Defines key terms used in the Rules and says that undefined terms take their meaning from the DPDP Act.
Rule 3: Prescribes the format and minimum content of privacy notices that Data Fiduciaries must give to individuals.
Rule 4: Sets up how Consent Managers are registered and governed, and how the Board can supervise them.
Rule 5: Governs how government bodies process personal data for schemes and services under the section 7(b) legitimate
Rule 6: Defines the minimum technical and organisational safeguards that Data Fiduciaries must implement to
Rule 7: Sets out what Data Fiduciaries must tell the Board and affected individuals after a personal data breach and
Rule 8: Implements inactivity logic for end of purpose and prescribes minimum retention for certain logs and data.
Rule 9: Requires public contact details for privacy queries.
Rule 10: Explains what verifiable parental consent means in practice for child data.
Rule 11: Sets the verification standard when a lawful guardian consents on behalf of a person with disability.
Rule 12: Provides limited carve outs from some child specific duties for specific organisations and purposes.
Rule 13: Details operational duties for Significant Data Fiduciaries beyond the base Act requirements.
Rule 14: Makes the rights in sections 11 to 14 workable by prescribing publication and SLA requirements.
Rule 15: Sets an additional condition on cross border transfers tied to government orders.
Rule 16: Clarifies when and how research, archiving or statistical processing can be exempt from the Act.
Rule 17: Regulates how the Board’s leadership is selected.
Rule 18: Sets out the service conditions of the Board’s leadership.
Rule 19: Prescribes how the Board meets and authenticates its decisions.
Rule 20: Provides for the Board to operate primarily in digital form.
Rule 21: Governs HR conditions for Board staff.
Rule 22: Sets procedural requirements for appealing Board orders.
Rule 23: Gives specified government authorities the power to seek information and restrict disclosure of such requests.
Obligations
Rule 1: All organisations must track which Rules are in force from which date and align implementation timelines
Rule 2: All organisations must interpret terms as defined in the Rules and the Act and reflect those meanings in internal
Rule 3: Data Fiduciaries must provide clear stand alone notices that itemise data and purposes, explain rights, withdrawal
Rule 4: Consent Managers must obtain and maintain registration, meet eligibility and technical conditions, operate secure
Rule 5: Central and State authorities must process data for schemes strictly per Second Schedule standards, collect
Rule 6: Implement technical and organisational measures such as encryption/equivalent protections, access control, logging,
Rule 7: Promptly notify affected individuals and the Board, provide prescribed information and detailed follow-up
Rule 8: Apply Third Schedule inactivity periods; pre deletion notice where required; erase data when purpose exhausted
Publish and keep updated business contact details of the
DPO or authorised
Publish person on
and keep updated primary
business interfaces
contact and
details ofinthe
DPO or authorised
Publish person on
and keep updated primary
business interfaces
contact and
details ofinthe
DPO
Publish and keep updated business contact details ofinthe
or authorised person on primary interfaces and
DPO or authorised
Publish person on
and keep updated primary
business interfaces
contact and
details ofinthe
DPO or authorised
Publish person on
and keep updated primary
business interfaces
contact and
details ofinthe
DPO or authorised
Implement robust, person on mechanisms
auditable primary interfaces andanin
to verify
adult
Implement robust, auditable mechanisms to verify an or
parent using reliable identity/age means (tokens
adult parentrobust,
Implement using reliable identity/age
auditable mechanisms means (tokens
to verify an or
adult parentrobust,
Implement using reliable identity/age
auditable mechanisms means (tokens
to verify an or
adult parentrobust,
Implement using reliable identity/age
auditable mechanisms means (tokens
to verify an or
adult
Implement robust, auditable mechanisms to verify an or
parent using reliable identity/age means (tokens
adult parentrobust,
Implement using reliable identity/age
auditable mechanisms means (tokens
to verify an or
adult
Verifyparent
lawful using reliable per
guardianship identity/age means (tokens or
relevant laws;
collect/record proof or references;
Verify lawful guardianship treatlaws;
per relevant guardian as rights
collect/record proof or references; treat
Verify lawful guardianship per relevant laws;guardian as rights
collect/record proof or references;
Verify lawful guardianship treatlaws;
per relevant guardian as rights
collect/record proof or references;
Verify lawful guardianship treatlaws;
per relevant guardian as rights
collect/record proof or references;
Verify lawful guardianship treatlaws;
per relevant guardian as rights
collect/record proof or references; treat guardian asmeet
Confirm fit with Fourth Schedule classes/purposes, rights
conditions, document
Confirm fit with Fourthreliance,
Schedulereassess eligibility meet
classes/purposes,
conditions, document
Confirm fit with Fourthreliance,
Schedulereassess eligibility meet
classes/purposes,
conditions, document
Confirm fit with Fourthreliance,
Schedulereassess eligibility meet
classes/purposes,
conditions, document reliance, reassess eligibility meet
Confirm fit with Fourth Schedule classes/purposes,
conditions, document reliance, reassess eligibility
Confirm fit with Fourth Schedule classes/purposes, meet
conditions, document
Conduct annual DPIAs and audits, report material findings to Board, perform due diligence on algorithms and
Publish means to exercise rights and operate grievance mechanisms to resolve within at most ninety days.
Comply with any government orders prescribing conditions for making data available to foreign states or
Ensure processing is genuinely necessary for research, archiving or statistics, aligns with Second Schedule
Constitute the committee correctly and follow prescribed process/criteria when recommending and appointing the
Apply salary, allowances, tenure, benefits, conflict rules and other conditions per the Fifth Schedule.
Convene/conduct meetings per Rule; maintain quorum and minutes; authenticate orders, directions and
Board to function as digital office using techno-legal measures; parties must be ready to interact digitally.
Board and Central Government to appoint officers/employees and manage service conditions per
Aggrieved parties must file appeals to the Tribunal in the specified form, manner, timeframe and fees, using digital
Authorised officers may require information for Act purposes and may direct non-disclosure where necessary
Control Objective
All organisations: Maintain a legal register and implementation roadmap mapping each Rule to its
All organisations: Maintain a single authoritative internal glossary used across policies, contracts, training and
Data Fiduciaries: Ensure every collection or consent journey is associated with an approved Rule 3 compliant
Consent Managers: Evidence compliance with all registration and ongoing conditions. Data Fiduciaries:
State and public bodies as Data Fiduciaries: Document each scheme and map to Rule 5 and Second Schedule with
Data Fiduciaries: Apply a risk based security framework mapped to Rule 6. Processors: Implement controls at least
Data Fiduciaries: Incident response framework to identify DPDP breaches, assess impact, and generate notifications
Data Fiduciaries: Drive retention and deletion via rules from Third and Seventh Schedules. Processors: Execute
Data Fiduciaries: Provide a visible, consistent and functioning contact point for data protection questions
Data Fiduciaries handling children’s data: Gate processing behind a parental verification layer meeting Rule 10 tests;
Data Fiduciaries: Structured, auditable process to identify, verify and maintain guardianship status and route all
Data Fiduciaries using child data exemptions: Ensure exemption claims are legally justified, controlled and
Significant Data Fiduciaries: Institutionalise DPDP risk, assurance, algorithmic control and localisation with
Data Fiduciaries & Consent Managers: Provide clear channels and capacity to meet 90-day limit with shorter
Data Fiduciaries with cross border data flows: Maintain inventory of all flows and evidence compliance with Rule
Data Fiduciaries & Processors: Formal governance and controls so only genuine research/archival uses benefit
Central Government & selection bodies: Transparent, documented appointments compliant with Rule 17 and
Central Government & Board administration: Ensure service conditions comply so independence/validity aren’t
Data Protection Board of India: Consistent governance for meetings and decisions; every instrument validly
Board: Secure digital operations without undermining fairness/access. Regulated entities/individuals: Readiness
Board administration & relevant ministries: Align HR policies/practices with Rule 21 and Sixth Schedule.
Regulated entities/individuals: Protect appeal rights by following Rule 22 exactly. Tribunal administration: Provide
Government officers: Issue requests only under proper authority with proportional scope. Data
Example Control | Role Tags
Legal register listing every Rule with commencement dates | All organisations
Compliance programme tracker mapping Rules to owners and tasks | All organisations
Project plans with design and go live milestones aligned to commencement | All organisations
Board or leadership briefings recording readiness | All organisations
Versioned policies and procedures with explicit effective dates | All organisations
Horizon scanning process to capture amendments or new notifications | All organisations
Communication records showing changes were briefed before legal go live | All organisations
Central DPDP glossary reproducing statutory definitions | All organisations
Policy requirement that all privacy documents use the glossary | All organisations
Contract templates aligned to statutory terms and avoiding conflicting definitions | All organisations
Inclusion of glossary content in privacy training | All organisations
Periodic review of policies and templates to remove conflicting foreign terminology | All organisations
Legal review for any new internal definition touching DPDP concepts | All organisations
Notice library with templates mapped to Rule 3 fields | Data Fiduciaries
Legal or privacy approval workflow for every new or amended notice | Data Fiduciaries
Processing register linking each activity to a notice version | Data Fiduciaries
Front end block preventing consent if notice not displayed | Data Fiduciaries
Logs or screenshots evidencing notice display before consent | Data Fiduciaries
Stored language variants (English plus relevant Eighth Schedule languages) | Data Fiduciaries
Embedded links to withdrawal and rights channels | Data Fiduciaries
Periodic production sampling to confirm notices match approved versions | Data Fiduciaries
Registration dossier containing application, evidence and Board order | Consent Managers; Data Fiduciaries
Control map to First Schedule conditions with annual review | Consent Managers; Data Fiduciaries
Central consent event store with timestamps, purposes and target fiduciaries | Consent Managers; Data Fiduciaries
Secure authenticated APIs for forwarding consent instructions plus outbound logs | Consent Managers; Data Fiduciaries
Periodic independent security and compliance assessments with remediation tracking | Consent Managers; Data Fiduciaries
Inventory of all Consent Managers and their registration status | Consent Managers; Data Fiduciaries
Integration tests confirming end to end correctness of consent flows | Consent Managers; Data Fiduciaries
Contract clauses requiring Consent Managers to maintain registration and notify suspension or cancellation | Consent Managers; Data Fiduciaries
Register of all schemes relying on section 7(b) with legal authorisations | State and public bodies as Data Fiduciaries
Data element catalogues per scheme with necessity justification | State and public bodies as Data Fiduciaries
Scheme level mapping to Second Schedule standards | State and public bodies as Data Fiduciaries
Documented retention and deletion rules per scheme dataset | State and public bodies as Data Fiduciaries
Role based access controls on scheme data | State and public bodies as Data Fiduciaries
Correction and grievance procedures for scheme participants | State and public bodies as Data Fiduciaries
Internal audits checking practice against documented scheme design and safeguards | State and public bodies as Data Fiduciaries
Security control catalogue mapped to each Rule 6 requirement (traceability matrix) | Data Fiduciaries; Processors
Information asset inventory with risk classification for personal data systems | Data Fiduciaries; Processors
Encryption in transit and at rest with key management procedures | Data Fiduciaries; Processors
Strong authentication and role based access control with quarterly access reviews | Data Fiduciaries; Processors
Central logging and monitoring with at least one year retention | Data Fiduciaries; Processors
Backup and disaster recovery plans with tested restoration | Data Fiduciaries; Processors
Processor contracts with security, incident reporting and audit rights | Data Fiduciaries; Processors
Regular vulnerability assessment and penetration testing with remediation tracking | Data Fiduciaries; Processors
Incident response plan with DPDP breach decision tree | Data Fiduciaries; Processors
Central incident intake and escalation channel including processors | Data Fiduciaries; Processors
Incident tracking tool with timeline, facts, impact, decisions and notifications | Data Fiduciaries; Processors
Pre approved notification and Board report templates aligned to Rule 7 | Data Fiduciaries; Processors
Processor contracts with rapid incident reporting obligations | Data Fiduciaries; Processors
Regular breach simulation exercises with legal, privacy and security teams | Data Fiduciaries; Processors
Training for incident responders on DPDP thresholds and timeframes | Data Fiduciaries; Processors
Retention policy referencing Third and Seventh Schedules | Data Fiduciaries; Processors
System logic tracking last interaction/rights exercise and computing inactivity dates | Data Fiduciaries; Processors
Automated jobs for deletion/archiving after inactivity with legal hold screening | Data Fiduciaries; Processors
Pre deletion notifications at least 48 hours before scheduled deletion where required | Data Fiduciaries; Processors
Deletion logs with identifiers, dates, method and systems | Data Fiduciaries; Processors
Processes to propagate deletion instructions to processors and capture confirmations | Data Fiduciaries; Processors
Retention configuration for Seventh Schedule activities to at least one year then deletion unless legal hold | Data Fiduciaries; Processors
Formal designation of privacy contact (e.g., DPO) with responsibilities | Data Fiduciaries
Publish contact details on privacy policy, help pages and apps/portals | Data Fiduciaries
Standard notice/templates reusing the same contact details | Data Fiduciaries
Dedicated monitored mailbox/phone/web form for privacy queries | Data Fiduciaries
Procedure to log queries and route into rights or grievance workflows | Data Fiduciaries
Release checklist ensuring privacy contact details remain accurate | Data Fiduciaries
Policy defining child age thresholds and parental consent triggers | Data Fiduciaries
Onboarding flows collecting minimal data to verify parent identity/age and link to child | Data Fiduciaries
Integration with trusted identity or digital locker tokens (store token refs, not documents) | Data Fiduciaries
Logs of all verification checks with identifiers and timestamps | Data Fiduciaries
System rules blocking services until parental verification completed where required | Data Fiduciaries
Periodic testing of verification flows for accuracy, UX and fraud resistance | Data Fiduciaries
Training for support/product teams on parental consent scenarios | Data Fiduciaries
Guidance describing when guardianship applies with citations | Data Fiduciaries
SOP for collecting copies or references of court/authority orders | Data Fiduciaries
Account flag linking guardian identity to the Data Principal | Data Fiduciaries
Rights/consent workflows checking guardian flags | Data Fiduciaries
Process to update/remove guardianship status when documents change/expire | Data Fiduciaries
Secure storage for guardianship evidence with restricted access and retention | Data Fiduciaries
Exemption register listing all Rule 12/Fourth Schedule uses | Data Fiduciaries
Legal memos mapping processing to schedule clauses and conditions | Data Fiduciaries
Documented controls satisfying schedule conditions | Data Fiduciaries
System configuration distinguishing exempt vs non exempt processing | Data Fiduciaries
Annual review cycle for each exemption entry with outcomes | Data Fiduciaries
Senior legal/risk sign off before adding or altering exemption entries | Data Fiduciaries
Record of government notification defining SDF scope and perimeter | Significant Data Fiduciaries
DPIA methodology and register for high risk processing and periodic reassessment | Significant Data Fiduciaries
Annual independent DPDP audit plan/reports with remediation tracking | Significant Data Fiduciaries
Algorithm inventory with purposes, inputs, outputs and risk assessments | Significant Data Fiduciaries
Testing framework for algorithms addressing fairness and potential harm | Significant Data Fiduciaries
Localisation register listing datasets/traffic data subject to non transfer rules and locations | Significant Data Fiduciaries
Technical measures (region pinning, access controls) enforcing domestic processing | Significant Data Fiduciaries
Senior governance forum reviewing DPIA/audit findings and Board reporting | Significant Data Fiduciaries
Public privacy rights page explaining each right and required identifiers | Data Fiduciaries; Consent Managers
At least one digital and one assisted rights/grievance channel Data Fiduciaries; Consent Managers
Case management tool logging requests with timestamps, owner and outcome Data Fiduciaries; Consent Managers
Configured due dates per case tied to internal SLA and 90-day limit Data Fiduciaries; Consent Managers
SOPs for each right type with refusal conditions Data Fiduciaries; Consent Managers
Metrics/dashboards on volumes, timeliness and backlog for management Data Fiduciaries; Consent Managers
Regular training for support and privacy teams on rights handling Data Fiduciaries; Consent Managers
Nomination handling integrated with lifecycle records and authentication Data Fiduciaries; Consent Managers
Data flow map identifying storage and access locations Data Fiduciaries
Register of foreign vendors/affiliates processing personal data Data Fiduciaries
Legal monitoring process for DPDP transfer-related orders and notifications Data Fiduciaries
Per-flow assessment records explaining how orders/restrictions are met Data Fiduciaries
Access/network controls restricting access from any notified restricted countries Data Fiduciaries
Contract clauses with foreign recipients to comply with Indian requirements and support audits Data Fiduciaries
Periodic review of cross-border arrangements for continued compliance Data Fiduciaries
Policy with criteria and approvals for using research/statistics exemption Data Fiduciaries; Processors
Project forms stating purpose, data, techniques and necessity Data Fiduciaries; Processors
Exemption register listing approved projects and sponsors Data Fiduciaries; Processors
Pseudonymisation/aggregation on research data where possible Data Fiduciaries; Processors
Access control limiting research datasets to authorised users with logging Data Fiduciaries; Processors
Defined retention limits for research/archival data in retention schedule Data Fiduciaries; Processors
Control prohibiting reuse of research data for operational/marketing unless re-onboarded under full DPDP Data Fiduciaries; Processors
Terms of reference for Search-cum-Selection Committee with membership list Central Government; selection bodies
Records of committee meetings, deliberations and recommendations Central Government; selection bodies
Documented candidate identification and evaluation process with criteria Central Government; selection bodies
Conflict of interest declarations for committee members and candidates Central Government; selection bodies
Preserved appointment orders and approvals in accessible archive Central Government; selection bodies
Appointment order templates incorporating Fifth Schedule conditions Central Government; Board administration
Tenure tracking with alerts near end of term Central Government; Board administration
Records of salary/allowance determinations and adjustments with approvals Central Government; Board administration
Periodic conflict of interest declarations with recorded outcomes Central Government; Board administration
Documentation for removal, resignation or reappointment per rules Central Government; Board administration
Internal rules of procedure for Board meetings reflecting Rule 19 Data Protection Board of India
Meeting calendar and agenda planning process Data Protection Board of India
Detailed minutes including decisions and approvals Data Protection Board of India
Authentication protocol with signatories/digital signatures Data Protection Board of India
Register of all Board orders and directions linked to proceedings Data Protection Board of India
Secure online portals for complaints, filings and submissions Data Protection Board of India; Regulated entities and individuals
Digital case management recording filings, notices, hearings and orders Data Protection Board of India; Regulated entities and individuals
Recognised electronic signature mechanisms for Board instruments Data Protection Board of India; Regulated entities and individuals
Guidance and help resources for digital procedures Data Protection Board of India; Regulated entities and individuals
Registry of official electronic contact points for regulator communications Data Protection Board of India; Regulated entities and individuals
E-discovery/document management processes for digital evidence Data Protection Board of India; Regulated entities and individuals
HR policies referencing the Sixth Schedule Board administration; Central Government
Standard recruitment/appointment procedures Board administration; Central Government
Personnel files evidencing compliance with service conditions Board administration; Central Government
Periodic checks comparing staff terms/benefits to Sixth Schedule and updating as needed Board administration; Central Government
Internal playbook from order receipt to appeal decision Regulated entities and individuals; Appellate Tribunal
Calendar tracking appeal windows for each Board order Regulated entities and individuals; Appellate Tribunal
Standard templates for appeal petitions and supporting documents Regulated entities and individuals; Appellate Tribunal
Capability for electronic signing and digital filing Regulated entities and individuals; Appellate Tribunal
Records of filing receipts and Tribunal acknowledgements Regulated entities and individuals; Appellate Tribunal
Electronic filing and case tracking platform with published guidance Regulated entities and individuals; Appellate Tribunal
List of officers authorised to issue Rule 23 requisitions Government officers; Data Fiduciaries; Intermediaries
Standard request templates with legal basis, purpose, data sought and timeframe Government officers; Data Fiduciaries; Intermediaries
Internal government records of reasons and any non-disclosure directions Government officers; Data Fiduciaries; Intermediaries
Centralised intake channel (legal/compliance) for official information requests Government officers; Data Fiduciaries; Intermediaries
Verification step to confirm authenticity and authority of requisitions Government officers; Data Fiduciaries; Intermediaries
Assignment of response owners and due dates with tracking Government officers; Data Fiduciaries; Intermediaries
Secure transmission channels for requested information Government officers; Data Fiduciaries; Intermediaries
Internal log of what was provided, when and under what authority Government officers; Data Fiduciaries; Intermediaries
Rules limiting internal awareness when non-disclosure applies Government officers; Data Fiduciaries; Intermediaries
Category Suggested Frequency Control Owner Evidence
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Per Change TBD TBD
Process Ongoing TBD TBD
Process Per Change TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Per Change TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Per Change TBD TBD
Process Ongoing TBD TBD
Process Annual TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Technical Ongoing TBD TBD
Policy Ongoing TBD TBD
Technical Quarterly TBD TBD
Technical Annual TBD TBD
Technical Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Annual TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Per Change TBD TBD
Technical Ongoing TBD TBD
Technical Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Per Change TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Annual TBD TBD
Process Ongoing TBD TBD
Process Per Change TBD TBD
Technical Ongoing TBD TBD
Process Annual TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Vendor Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Per Change TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Policy Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Process Ongoing TBD TBD
Technical Ongoing TBD TBD
Process Ongoing TBD TBD