RingSafe

Case Study: DPDP Act Readiness Assessment — Indian Fintech

Engagement type: DPDP Act readiness assessment + remediation roadmap · Sector: BFSI / Fintech · Duration: 6–8 weeks · Outcome: DPDP-aligned posture, prioritised remediation backlog

Context

A large Indian fintech, handling personal and financial data for millions of users across credit and lending workflows, engaged us to assess their readiness against the Digital Personal Data Protection Act, 2023 (DPDP). The brief: take the law, map it to their actual data flows, identify the gaps, and hand back a roadmap their engineering, product, and legal teams could execute against.

Scope

  • Full personal data inventory across consumer-facing products, internal CRM, and downstream partner integrations
  • End-to-end data flow mapping — collection, processing, storage, sharing, retention, deletion
  • Consent capture and renewal flows across web and mobile
  • Data principal rights — access, correction, erasure, grievance redressal
  • Cross-border data transfer review
  • Vendor / processor agreement review for DPDP obligations downstream
  • Incident response and breach notification readiness against DPDP timelines

Methodology

  • DPDP Act 2023 text mapped clause-by-clause to the client’s operating reality
  • ISO/IEC 27701 aligned PIMS assessment framework as a structural backbone
  • GDPR-equivalent control mapping where DPDP rules are still maturing, to future-proof the posture
  • Interview-based discovery with product owners, engineering leads, marketing, and legal — to capture data flows as they actually run, not as documents claim
  • Sample-based technical verification — selected data subjects traced end-to-end through the platform to validate the documented flows
  • Vendor questionnaire distributed and analysed across the third-party processor inventory

Categories of findings

Without disclosing specifics covered under NDA, the engagement surfaced gaps across:

  • Consent capture: implicit-consent patterns no longer compliant under DPDP’s specific-purpose requirements
  • Retention: personal data retained well past the operational need; no documented retention-and-deletion policy applied programmatically
  • Right-to-erasure flow: no productised path for data principals to request and verify deletion
  • Processor agreements: several vendor contracts pre-dated DPDP and lacked the necessary processor obligations
  • Breach notification readiness: incident playbooks did not map to DPDP’s notification timelines or the proposed Data Protection Board
  • Cross-border flows: partner integrations transmitting data outside India without the necessary contractual or technical controls in place
  • Grievance redressal: no designated officer publicly identified per DPDP’s grievance officer requirements

Deliverables

  • Personal data inventory — every data class, system, purpose, retention rule, and downstream recipient
  • Gap register mapped to DPDP clauses, severity-rated and ownership-tagged
  • 90/180/365-day remediation roadmap — what to do now, next quarter, and within a year
  • Consent re-collection plan — language, UX, and rollout sequencing
  • Updated processor agreement template for the legal team to push to vendors
  • Breach response playbook aligned to DPDP timelines
  • Designated officer brief covering the responsibilities and public-facing requirements of the role

Outcome

  • Client moved from “ad-hoc” to “DPDP-aware” posture within the engagement window
  • Consent re-collection programme launched on the existing consumer base over the following two quarters
  • Retention policies operationalised — automated deletion schedules now run against the personal data inventory
  • Designated grievance officer appointed and publicly listed
  • Vendor contracts re-papered for all critical processors within 90 days post-engagement

Specific data volumes, vendor names, and the client’s identity are omitted under the engagement NDA.

Want a similar engagement?

DPDP is here. If your team has heard the law referenced in meetings but doesn’t yet have a clear map of where you stand against it — talk to us. We turn the Act into a roadmap your engineering, product, and legal teams can actually execute on.
