AI compliance in 2026 India is a moving target. Regulations exist, are evolving, and overlap. This module gives you the practitioner perspective: what you must do today, what is coming, how to document it for an inevitable audit.
DPDP Act 2023 — what applies to AI
DPDP governs personal data processing in India. AI implications: (1) training data — using personal data to train models requires lawful basis (consent or legitimate interest under §7); document the basis per dataset. (2) inference — the trained model that retains knowledge of personal data is itself a processing activity; needs basis. (3) cross-border transfer — sending Indian user data to OpenAI/Anthropic for inference may trigger transfer restrictions; whitelist of permitted countries pending. (4) data subject rights — access, correction, erasure, grievance redressal. Erasure is genuinely hard for trained models; current regulator stance unclear. Notification: 72 hours to Data Protection Board on personal-data breaches; AI breaches (model leaks PII) count.
Book a free 30-minute scoping call
Our senior consultants will review your stack and tell you honestly what to fix first. No slide deck. No obligation. Indian businesses only.