SELF-ASSESSMENT FRAMEWORK · 40 CRITERIA · 200 POINTS

DPDP Readiness Assessment Framework
For Indian Financial Institutions

Structure: 8 dimensions × 5 criteria = 40 assessable points
Scoring: 0–5 per criterion; 25 per dimension; 200 total
Designed for: Banks, NBFCs, ARCs, fintechs, payment system operators
Statutory basis: DPDP Act 2023 · DPDP Rules 2025 (G.S.R. 846(E))
Typical timeline: 2–4 weeks for a mid-sized bank; 6–8 weeks for universal banks
Target baseline: Complete before 13 May 2027 full enforcement

This framework is a 40-point self-assessment methodology for Indian banks, non-banking financial companies, asset reconstruction companies, and fintechs to evaluate their readiness for the Digital Personal Data Protection Act 2023 before comprehensive enforcement on 13 May 2027. It organises the obligations created by the Act and the DPDP Rules 2025 into eight operational dimensions, each containing five assessable criteria scored on a 0–5 scale. The output is a diagnostic baseline that boards, risk committees, and compliance teams can use to prioritise remediation investment over the 18-month runway from the 13 November 2025 notification.

The framework is a structured tool, not a legal opinion. Its purpose is to surface gaps quickly, to produce a defensible internal baseline, and to focus subsequent legal engagement on the highest-risk dimensions. By Advocate Subodh Bajpai, Unified Chambers and Associates.

Context · Why a Framework

The Compliance Runway to 13 May 2027

The Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025 through Gazette Notification G.S.R. 846(E). Rule 1 sets a tiered commencement: the Data Protection Board of India and appellate procedure took effect on notification; Consent Manager registration under Rule 4 takes effect on 13 November 2026; comprehensive obligations under Rules 3 and 5 to 16 — covering notice, security safeguards, breach notification, retention, children’s data, Significant Data Fiduciary duties, and cross-border transfer — take effect on 13 May 2027.

For regulated financial institutions, the runway is not a luxury. A bank’s DPDP compliance programme must interlock with its existing obligations under the Reserve Bank of India’s cyber security framework, the Prevention of Money Laundering Act 2002 KYC retention requirements, the CERT-In Directions 2022 issued under Section 70B of the Information Technology Act 2000, and — for listed entities — SEBI’s cyber resilience framework. Each of these regimes imposes overlapping but non-identical obligations on personal data. Compliance planning that treats DPDP as a standalone project, disconnected from existing regulatory architecture, risks producing policies that conflict with RBI expectations or duplicate CERT-In reporting timelines.

Self-assessment serves three purposes. First, it establishes a diagnostic baseline that is auditable and repeatable. Second, it makes the gap between current state and target state visible to the Board and Audit Committee in a form they can act upon. Third, it focuses external legal engagement on the highest-penalty-exposure dimensions — Section 8(5) security safeguards, Section 8(6) breach notification, Section 9 children’s data — where counsel involvement materially changes compliance posture.

This framework draws only on obligations that are either textually imposed by the Act or operationally prescribed by the Rules. It does not invent requirements. Where the Rules leave discretion — for example, the form of a DPIA methodology under Section 10(2)(c) — the framework assesses whether a methodology exists, not whether it conforms to a contested interpretation of what a DPIA should contain.

Methodology · How to Use This Framework

Team Composition, Cadence, and Scoring

The assessment is most productive when run by a small, senior, cross-functional team. Six to eight people is typical: the Chief Risk Officer or equivalent (chair), the Chief Information Security Officer, the Head of Compliance, the Head of Legal, the Head of Technology, one business representative from customer-facing operations, and a secretariat. The team should report to the Audit Committee or Risk Management Committee on conclusion.

Each criterion is scored on a 0–5 scale:
0 — no evidence of the control
1 — informal or fragmentary evidence
2 — documented intent without operationalisation
3 — documented and partially operational across business lines
4 — fully operational with identified residual gaps
5 — fully operational, audited, and board-reported
Each dimension yields a maximum of 25 points; the total across eight dimensions is 200.

For a mid-sized scheduled commercial bank or large NBFC, the assessment takes two to four weeks of elapsed time with documented evidence collection for each score. For a universal bank with multiple subsidiaries, or a financial services group requiring consolidated assessment, six to eight weeks is more realistic. The assessment should be repeated at least annually, and semi-annually once comprehensive enforcement begins on 13 May 2027.

External counsel is typically engaged after the first internal baseline is produced. Counsel then reviews the evidence base for each dimension, identifies interpretational risks the internal team may have missed, and advises on the sequencing of remediation. Engaging counsel before the internal baseline exists tends to produce diffuse advice; engaging counsel against a completed baseline produces targeted legal work.

Dimension 1 of 8 · Governance

Board-Level Accountability for Data Protection

The first dimension tests whether data protection sits at the board level, or is buried inside an IT or compliance silo. For Significant Data Fiduciaries, Section 10(2)(a) of the Act requires a Data Protection Officer responsible to the Board of Directors. Even for non-SDFs, RBI Corporate Governance expectations and director fiduciary duties support treating data protection as a board agenda item.

1.1 · Board-level accountability for DPDP compliance
Is there a named director or board committee with express accountability for DPDP compliance? Is the accountability recorded in the board charter or terms of reference? Are board minutes reflecting DPDP discussion available for the last four quarters?
1.2 · Data Protection Officer appointed (if SDF) — s.10(2)(a)
If notified as an SDF, is a DPO appointed who satisfies all four conditions: represents the SDF under the Act, is based in India, is an individual responsible to the Board, and is the grievance contact point? If not yet notified as an SDF but expecting notification, has a DPO-designate been identified?
1.3 · Data protection policy approved by Board
Is there a current Board-approved data protection policy that references DPDP Act sections and DPDP Rules 2025 provisions? Is the policy reviewed at least annually? Does it designate owners for each obligation?
1.4 · Management reporting cadence on data protection
Is there a documented quarterly or half-yearly report to the board on data protection posture? Does the report cover incidents, Data Principal complaints under Section 13, cross-border transfers, and remediation progress?
1.5 · Budget allocation for DPDP compliance programme
Is there a ring-fenced budget line item for DPDP compliance covering the 18-month runway to 13 May 2027? Are the costs tracked against plan? Does the budget envelope cover legal, technology, training, and audit components?

Common pitfall: delegating DPDP ownership to the CISO alone. Under Section 10(2)(a), the statutory reporting line for an SDF’s DPO is to the Board; a CISO-only reporting line is a structural non-compliance risk.

Dimension 2 of 8 · Data Mapping

Knowing What Personal Data You Process

Dimension 2 tests data visibility. Many DPDP obligations — purpose limitation under Section 5, erasure on purpose completion under Section 8(7), cross-border transfer assessment under Section 16 — presuppose that the institution knows what data it holds, for what purpose, and where it flows. Without a data inventory, none of these obligations can be discharged defensibly.

2.1 · Personal data inventory across all systems
Is there a comprehensive inventory of every personal data element processed, mapped to source system, business owner, and the purpose for which it is processed? Does the inventory distinguish personal data of Data Principals in India (Section 3 scope) from other personal data?
2.2 · Purpose documentation for each data category
For each data category in the inventory, is the processing purpose documented in terms aligned with Section 5 (purpose for which the Data Principal has given consent, or for a legitimate use under Section 7)? Are secondary uses of customer data identified and separately justified?
2.3 · Legal basis register (for retention-beyond-purpose)
For every category of data retained after the primary purpose is exhausted, is there a documented mapping to the specific law requiring continued retention — PML Act 2002, Companies Act 2013, Income-tax Act 1961, or other applicable laws? This register is what activates the Section 8(7) exception.
2.4 · Data flow mapping (including cross-border)
Are personal data flows across the institution mapped, including flows to processors, flows to group entities, and flows across borders? Is the map current (updated at least annually)? Does it identify countries to which data flows, for Section 16 assessment?
2.5 · Third-party data processor inventory
Is there a live register of every Data Processor the institution engages, with scope of processing, data categories handled, processor jurisdiction, and current contract status? Are processor engagements refreshed on DPDP-compliant contractual terms?

Dimension 3 of 8 · Consent Architecture

Notice, Consent, Withdrawal (Section 6 + Rule 3)

Consent is the most visible pillar of the Act. Section 5 requires notice, Section 6 requires consent that is free, specific, informed, unconditional, and unambiguous, and Rule 3 prescribes the form and minimum content of the notice. For banks and NBFCs with decades of customer relationships, the hardest question is what to do about legacy consent collected before the Act — a question Section 5(2) addresses through a grandfathering-by-notice mechanism.

3.1 · Consent notices meet Section 5 and Rule 3 requirements
Are consent notices presented independently of other information (Rule 3(a))? Are they in clear and plain language (Rule 3(b))? Do they contain the itemised description of personal data, specific purposes, and goods or services provided (Rule 3(c))?
3.2 · Granular opt-in/opt-out mechanism
Does the institution distinguish between consent for each specific purpose, rather than bundling multiple purposes into a single consent? Can a Data Principal consent to the core banking service while declining marketing analytics?
3.3 · Withdrawal mechanism with equal ease (s.6(4))
Is consent withdrawal possible through a mechanism with the same ease as consent was given? If consent was given by a single in-app tap, does withdrawal require only a comparable action? A multi-step callback-based withdrawal against a single-tap grant is a Section 6(4) violation.
3.4 · Legacy consent re-consenting plan (s.5(2) grandfathering)
For customers onboarded before the Act’s commencement, is there a documented plan for issuing Section 5(2) grandfathering notices — or for obtaining fresh consent where processing materially exceeds what the legacy consent covered? Is the plan phased across the customer book?
3.5 · Verifiable parental consent for children (s.9(1))
For any processing of personal data of a person under 18 (Section 2(f) definition), is verifiable parental consent obtained? For products aimed at minors (student banking, custodial accounts), is the verification mechanism robust enough to satisfy Section 9(1)?

Dimension 4 of 8 · Data Principal Rights

Operational Rights Workflows (Sections 11–14)

Sections 11 to 14 of the Act create four enforceable rights: access (Section 11), correction and erasure (Section 12), grievance redressal (Section 13), and nomination (Section 14). Each right is a customer-facing workflow that must work reliably at scale. Dimension 4 tests whether these workflows exist, are documented, and perform within SLAs.

4.1 · Access request workflow (s.11)
Is there a documented workflow by which a Data Principal can request a summary of personal data and processing activities? Can the workflow return the identities of Data Fiduciaries and Data Processors with whom data has been shared? Is the channel published on the institution’s website or app?
4.2 · Correction and erasure workflow (s.12)
Can a Data Principal request correction of inaccurate data, completion of incomplete data, update of out-of-date data, and erasure where retention is no longer necessary? Is the erasure determination aligned with the legal basis register (Criterion 2.3)?
4.3 · Grievance redressal mechanism (s.13)
Is a readily available grievance redressal mechanism published, with a designated Grievance Officer identified by name and contact? Does the institution respond within the period prescribed in the Rules? Is escalation to the Data Protection Board documented?
4.4 · Nomination mechanism (s.14)
Can a Data Principal nominate another individual to exercise her rights in the event of death or incapacity? Is the nomination mechanism integrated with the institution’s customer onboarding and account management systems?
4.5 · Response time tracking and SLAs
Are response times for each of the four rights tracked and reported? Are missed SLAs escalated? Is aggregate rights-request volume and compliance rate reported to the board quarterly?

Dimension 5 of 8 · Security Safeguards

Rule 6 Minimum Security Controls

Rule 6 gives operational content to the Section 8(5) reasonable security safeguards obligation — the single highest-penalty contravention in the DPDP Schedule (Sl.1, Rs 250 crore). Financial institutions already operate under overlapping security frameworks (RBI cyber security guidelines, NIST-aligned controls, ISO 27001). Dimension 5 tests whether those existing controls satisfy the five specific minimum standards Rule 6 identifies.

5.1 · Encryption, masking, tokenisation of personal data
Is personal data protected through encryption, obfuscation, masking, or virtual tokens mapped to personal data (Rule 6(1)(a))? Is the coverage documented across data at rest, data in transit, and data in use? Are key management protocols aligned to the sensitivity of the data?
5.2 · Access control for computer resources
Are access controls implemented for computer resources used by the Data Fiduciary or its Data Processor (Rule 6(1)(b))? Is access granted on a least-privilege basis? Are privileged accounts monitored and recertified periodically?
5.3 · Logging, monitoring, review of access
Is there visibility through logs and monitoring sufficient to detect unauthorised access, investigate it, and support corrective action (Rule 6(1)(c))? Are logs reviewed on a documented cadence? Is there a SIEM capability tuned to personal data access patterns?
5.4 · Backup and continuity measures
Are there backup and continuity measures sufficient to ensure continued processing in the event of loss or compromise of confidentiality, integrity, or availability (Rule 6(1)(d))? Are restoration tests performed and evidenced?
5.5 · One-year log retention per Rule 6(e)
Are personal data logs retained for at least one year to enable detection of unauthorised access and remediation? Is the retention synchronised with applicable RBI and other law requirements that may mandate longer retention?

Dimension 6 of 8 · Breach Response

Multi-Regulator Notification Choreography

The breach response obligation under Section 8(6) and Rule 7 does not exist in isolation. A bank suffering a personal data breach must coordinate notifications to CERT-In under the CERT-In Directions 2022 (issued under Section 70B of the IT Act 2000), to the Data Protection Board of India, and to affected Data Principals — each with distinct timelines and content requirements. Breach of Section 8(6) carries penalty up to Rs 200 crore under Schedule Sl.2.

6.1 · Incident detection and response SOP documented
Is there a documented Incident Response SOP that specifies personal-data-breach triggers, role allocations, forensic preservation protocols, and escalation paths? Is the SOP tested through tabletop exercises at least annually?
6.2 · CERT-In 6-hour notification procedure (IT Act s.70B)
Is the CERT-In Directions 2022 6-hour notification obligation operationalised? Is the reporting channel, format, and designated officer identified? Is the 6-hour clock synchronised with the institution’s incident declaration criteria?
6.3 · DPBI preliminary notification procedure (Rule 7(2)(a))
Is there a documented process to notify the Board without delay with preliminary breach information — nature, extent, time, location, and likely impact? Is the preliminary notification template drafted?
6.4 · DPBI detailed report within 72 hours (Rule 7(2)(b))
Is there a documented process to file the detailed report with the Board within 72 hours of knowledge of the breach, covering causes, remedial measures, findings on the person responsible, and a report on notices given to affected Data Principals? Is the 72-hour extension request procedure understood?
6.5 · Data Principal notification template (Rule 7(1))
Is the affected-Data-Principal notification template pre-drafted with all five Rule 7(1) content elements — description, consequences, mitigation measures, safety measures, and business contact? Is the delivery channel (registered user account or other registered communication) confirmed for the customer book?

Dimension 7 of 8 · Significant Data Fiduciary Obligations

Section 10 Duties (If Notified)

Under Section 10(1), the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries based on volume and sensitivity of personal data, risk to Data Principal rights, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. For large banks, NBFCs, payment system operators, and major fintechs, SDF notification is a realistic prospect. Breach of Section 10 obligations carries penalty up to Rs 150 crore under Schedule Sl.4.

7.1 · DPO appointment (India-based, reports to board) — s.10(2)(a)
Is a DPO appointed who (i) represents the SDF under the Act, (ii) is based in India, (iii) is an individual responsible to the Board, and (iv) is the point of contact for the grievance redressal mechanism? Is the DPO’s role charter documented?
7.2 · Independent data auditor appointed — s.10(2)(b)
Is an independent data auditor appointed to evaluate compliance with the Act? Is the auditor’s independence from the institution’s management documented? Is the scope of audit defined in writing?
7.3 · DPIA methodology and schedule — s.10(2)(c)
Is a Data Protection Impact Assessment methodology documented, addressing the rights of Data Principals, the purpose of processing, and the assessment and management of risk to such rights? Is a DPIA schedule mapped to high-risk processing activities?
7.4 · Periodic audit framework
Is a periodic audit framework defined, with scope, frequency, responsible auditor, and management action protocols? Are findings reported to the Board? Are remediation plans tracked to closure?
7.5 · Algorithmic fairness measures for automated decision-making
For credit scoring, fraud detection, and other automated decision-making affecting Data Principals, are algorithmic fairness measures in place? Is there documentation of model validation, bias testing, and human-in-the-loop overrides?

Dimension 8 of 8 · Operational Resilience

Contracts, Transfers, Training, Counsel, Insurance

The final dimension covers the operational and commercial controls that surround DPDP compliance. None of these controls is prescribed in a single Rule; together they determine whether the institution can execute its compliance obligations under real-world conditions — a major processor engagement, a cross-border transfer, a staff turnover event, or a Data Protection Board inquiry.

8.1 · Vendor and processor contracts updated for DPDP
Are all Data Processor contracts refreshed on DPDP-compliant terms, incorporating the reasonable security safeguards obligation under Rule 6(1)(f)? Is there a rolling refresh schedule for legacy contracts?
8.2 · Cross-border transfer assessment (s.16)
For each cross-border transfer of personal data, is there a documented assessment against Section 16? Does the institution monitor any Central Government notifications restricting transfer to specified countries or territories?
8.3 · Training programme for staff
Is there a documented DPDP training programme covering all staff who process personal data? Is training refreshed annually? Is completion tracked and reported? Is role-specific training provided for front-line staff, call-centre agents, and grievance officers?
8.4 · Legal counsel engaged for DPBI readiness
Is external legal counsel engaged specifically for DPDP advisory? Is counsel involved in breach response playbook development, DPIA review for SDFs, and Section 18 Board inquiry defence planning?
8.5 · Insurance coverage reviewed for DPDP penalty exposure
Is cyber and professional indemnity insurance reviewed against DPDP penalty exposure (potentially Rs 250 crore under Schedule Sl.1)? Are directors’ and officers’ liability policies evaluated for DPDP coverage? Are exclusions for regulatory penalties understood?

Scoring Interpretation

Reading the Aggregate Score

Score      Maturity Band        Recommended Action
0–50       Critical gaps        Immediate remediation; engage senior counsel; board escalation
51–100     Significant gaps     6-month remediation plan; prioritise Dimensions 1, 2, 5, 6
101–150    Moderate maturity    Targeted improvements; annual audit cycle
151–180    Strong readiness     Maintain and refine; prepare for SDF notification
181–200    Best-in-class        Template for industry; share anonymised baseline

The aggregate score is a signal, not a certification. A score of 170 with a 5-of-25 result on Dimension 5 (Security Safeguards) is more concerning than a score of 150 with balanced mid-range results across all eight dimensions, because a weakness on Dimension 5 maps directly to the highest-penalty contravention under Schedule Sl.1. Dimension-by-dimension reading is therefore more important than the headline total.
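The scoring rules above (0–5 per criterion, 25 per dimension, 200 total, five maturity bands) and the warning that a weak dimension matters more than the headline total can be turned into a small checking tool. The following is an added example written for this page; it is not a tool published by Unified Chambers and Associates or referenced by the framework. The band thresholds and actions are taken from the table; the red-flag threshold of 10/25 for a dimension, the "high penalty" tag on Dimensions 5 and 6, and the short dimension labels are this example's own assumptions.

```python
"""Scoring helper for the 40-criterion DPDP self-assessment.

Added example, not part of the original framework. Band thresholds come from
the Scoring Interpretation table; the per-dimension red-flag rule and the
priority given to Dimensions 5 and 6 are assumptions made for this example.
"""
from dataclasses import dataclass

# Short labels for the eight dimensions (assumed abbreviations of the page's headings).
DIMENSIONS = (
    "Governance", "Data Mapping", "Consent Architecture", "Data Principal Rights",
    "Security Safeguards", "Breach Response", "SDF Obligations", "Operational Resilience",
)
CRITERIA_PER_DIMENSION = 5
MAX_CRITERION = 5
DIMENSION_MAX = CRITERIA_PER_DIMENSION * MAX_CRITERION  # 25 per dimension

# (inclusive upper bound, band, recommended action) from the Scoring Interpretation table.
BANDS = (
    (50, "Critical gaps", "Immediate remediation; engage senior counsel; board escalation"),
    (100, "Significant gaps", "6-month remediation plan; prioritise Dimensions 1, 2, 5, 6"),
    (150, "Moderate maturity", "Targeted improvements; annual audit cycle"),
    (180, "Strong readiness", "Maintain and refine; prepare for SDF notification"),
    (200, "Best-in-class", "Template for industry; share anonymised baseline"),
)

# Assumption: a dimension subtotal at or below this value is flagged regardless of the total.
RED_FLAG_THRESHOLD = 10
# Dimensions whose weakness maps to the highest Schedule penalties (Sl.1 and Sl.2 on the page).
HIGH_PENALTY_DIMENSIONS = {5, 6}


@dataclass
class Result:
    subtotals: dict   # dimension number -> subtotal out of 25
    total: int        # out of 200
    band: str
    action: str
    red_flags: list   # human-readable warnings about weak dimensions


def score_assessment(scores):
    """Score a completed assessment.

    scores: dict mapping dimension number (1..8) to a list of five integer
    criterion scores in the range 0..5. Raises ValueError on malformed input
    so that a typo in the evidence sheet is not silently folded into the total.
    """
    if sorted(scores) != list(range(1, len(DIMENSIONS) + 1)):
        raise ValueError("expected scores for dimensions 1 to 8 exactly")
    subtotals = {}
    for dim, criteria in scores.items():
        if len(criteria) != CRITERIA_PER_DIMENSION:
            raise ValueError(f"dimension {dim}: expected {CRITERIA_PER_DIMENSION} criteria")
        for c in criteria:
            if not isinstance(c, int) or not 0 <= c <= MAX_CRITERION:
                raise ValueError(f"dimension {dim}: criterion scores must be integers 0-{MAX_CRITERION}")
        subtotals[dim] = sum(criteria)
    total = sum(subtotals.values())
    band, action = next((b, a) for hi, b, a in BANDS if total <= hi)

    # Dimension-by-dimension reading: flag weak dimensions even when the total looks strong.
    red_flags = []
    for dim in sorted(subtotals):
        sub = subtotals[dim]
        if sub <= RED_FLAG_THRESHOLD:
            tag = "HIGH PENALTY" if dim in HIGH_PENALTY_DIMENSIONS else "weak"
            red_flags.append(f"Dimension {dim} ({DIMENSIONS[dim - 1]}): {sub}/{DIMENSION_MAX} [{tag}]")
    return Result(subtotals, total, band, action, red_flags)


def format_report(result):
    """Render a short board-style summary of a Result."""
    lines = [f"Total: {result.total}/200  Band: {result.band}", f"Action: {result.action}"]
    for dim, sub in sorted(result.subtotals.items()):
        lines.append(f"  D{dim} {DIMENSIONS[dim - 1]:<23} {sub:>2}/{DIMENSION_MAX}")
    lines.extend("  ! " + flag for flag in result.red_flags)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inputs reproducing the paragraph's comparison:
    # 170 total with Dimension 5 at 5/25 versus a balanced 150.
    lopsided = {d: [5] * 5 for d in range(1, 9)}
    lopsided[5] = [1] * 5   # Security Safeguards collapsed to 5/25
    lopsided[6] = [3] * 5   # Breach Response at 15/25
    balanced = {d: ([4, 4, 4, 4, 3] if d <= 6 else [4, 4, 4, 3, 3]) for d in range(1, 9)}
    print(format_report(score_assessment(lopsided)))
    print()
    print(format_report(score_assessment(balanced)))
```

Run as-is, the lopsided book lands in the "Strong readiness" band on total alone, yet the report carries a HIGH PENALTY flag on Dimension 5; the balanced 150 lands one band lower with no flags. That is the distinction the paragraph draws, made mechanical so it survives a change of assessment team.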

Next Steps

From Baseline to Compliance Programme

Completing the 40-point assessment produces an internal baseline. The baseline becomes a compliance programme only when four further steps are taken: (i) the Board receives the results with an accompanying remediation plan and costed timeline; (ii) external counsel reviews the weakest dimensions and advises on interpretational risks; (iii) the remediation plan is sequenced against the 13 May 2027 full-enforcement date, with interim milestones; and (iv) the assessment is re-run at defined intervals — at minimum annually, and at six-monthly intervals once the Rules are in full force.

Unified Chambers and Associates advises boards, risk committees, and general counsel teams on the legal architecture of DPDP compliance — from baseline assessment through policy drafting, DPIA methodology, Significant Data Fiduciary readiness, breach response playbook design, and representation before the Data Protection Board of India under Section 18. The firm’s minimum annual retainer for DPDP advisory is Rs 50 lakhs.

Frequently Asked Questions

DPDP Readiness Framework — Key Questions

Is this framework a legal opinion or a statutory requirement?

The 40-point framework set out here is a methodological self-assessment tool developed by Unified Chambers and Associates to help Indian financial institutions structure their internal evaluation of Digital Personal Data Protection Act 2023 and DPDP Rules 2025 readiness. It is not a statutory requirement, nor is it a legal opinion on your institution's compliance posture. Neither the DPDP Act nor the DPDP Rules 2025 prescribe a mandatory scoring methodology; they prescribe substantive obligations. The framework organises those obligations into eight dimensions and forty assessable criteria so that boards, risk committees, and compliance teams can produce a structured internal baseline before engaging external counsel. A completed framework score is a starting point for remediation planning, not a certificate of compliance. Formal legal advice, documented DPIA methodology for Significant Data Fiduciaries under Section 10(2)(c), and independent data auditor evaluation under Section 10(2)(b) remain obligations that must be discharged through appropriate professional engagement.

Which institutions should complete the framework before 13 May 2027?

Every institution that processes digitised personal data of individuals in India falls within the Act's scope under Section 3. For the financial sector, that includes all scheduled commercial banks, regional rural banks, co-operative banks, non-banking financial companies (NBFCs), asset reconstruction companies (ARCs), housing finance companies, payment system operators, prepaid payment instrument issuers, stockbrokers, mutual funds, insurance companies, and fintech platforms. The framework is calibrated for institutions that are likely to be notified as Significant Data Fiduciaries under Section 10(1) — that is, entities processing large volumes of financial personal data, entities whose processing affects payment ecosystems or credit ecosystems, and entities whose breach could impair public order or the sovereignty and integrity of India. Smaller regulated entities that fall below any SDF threshold should still use Dimensions 1–6 and Dimension 8; Dimension 7 becomes directly applicable only on SDF notification.

How long does the 40-point assessment typically take to complete?

For a mid-sized bank or NBFC with a functioning information security governance structure, the assessment typically takes 2 to 4 weeks of elapsed calendar time with a cross-functional team of six to eight people. Week 1 covers Dimensions 1 and 2 (Governance and Data Mapping), which depend heavily on board documentation, data inventory exercises, and processor registers. Week 2 covers Dimensions 3 and 4 (Consent Architecture and Data Principal Rights), which require technical product reviews and legacy consent record evaluation. Week 3 covers Dimensions 5 and 6 (Security Safeguards and Breach Response), which overlap substantially with existing RBI cybersecurity and CERT-In Directions 2022 obligations. Week 4 covers Dimensions 7 and 8 (SDF Obligations and Operational Resilience), which require legal and vendor-contracting workstreams. For larger universal banks or group-level assessments covering multiple subsidiaries, six to eight weeks is more realistic. The assessment should be repeated at least annually until full enforcement on 13 May 2027, and semi-annually thereafter.

Does the 200-point scoring rubric map to any regulatory benchmark?

No. The 0–200 scoring rubric is an internal diagnostic scale, not an external regulatory benchmark. No regulator — neither the Data Protection Board of India, nor the Reserve Bank of India, nor the Securities and Exchange Board of India, nor the Insurance Regulatory and Development Authority of India — has issued a mandatory DPDP scoring methodology. The DPDP Act prescribes obligations and the DPDP Rules 2025 (G.S.R. 846(E) dated 13 November 2025) prescribe operational requirements. Whether an institution satisfies those obligations is a legal question assessed against the substantive text of the Act and Rules, not a numerical score. The rubric's purpose is to make board-level discussions tractable, to allow year-on-year trend tracking, to enable comparison across business lines, and to prioritise remediation investment. An institution scoring 160 on the rubric has a defensible baseline; the same institution has not thereby been certified as DPDP-compliant.

When should a Data Protection Officer be appointed and what is the reporting line?

Under Section 10(2)(a) of the DPDP Act, only a Data Fiduciary notified as a Significant Data Fiduciary is statutorily required to appoint a Data Protection Officer (DPO). The DPO must (i) represent the SDF under the Act, (ii) be based in India, (iii) be an individual responsible to the Board of Directors or similar governing body of the SDF, and (iv) be the point of contact for the grievance redressal mechanism under Section 13. The statutory reporting line is therefore direct to the Board, not to a functional head. For large banks, NBFCs, and fintechs that expect SDF notification under Section 10(1), appointing a DPO on a voluntary basis during the 18-month compliance runway to 13 May 2027 is prudent — it allows the institution to operationalise the role, test reporting lines, and build internal data governance muscle before enforcement begins. For Data Fiduciaries not notified as SDFs, there is no statutory DPO mandate; a senior compliance officer with delegated responsibility for data protection is typically sufficient.

How does the framework treat the conflict between DPDP erasure and RBI retention rules?

Section 8(7) of the DPDP Act resolves this tension in the institution's favour where retention is necessary for compliance with any law for the time being in force. RBI retention mandates — for example, KYC records retention under the Prevention of Money Laundering Act 2002 and rules made thereunder, transaction records retention under RBI Know Your Customer Master Direction, and loan file retention under various RBI directions — constitute such law. The framework's Dimension 2, Criterion 2.3 (Legal basis register for retention-beyond-purpose) captures this: each category of personal data retained after the primary purpose is exhausted must be mapped to a specific statutory provision mandating continued retention. Criterion 5.5 (One-year log retention per Rule 6(e)) deals with the separate security-logging retention. The institution's documented position should distinguish between (a) data retained because the purpose continues, (b) data retained because another law requires it, and (c) data retained without legal basis — only category (c) must be erased. Institutions that fail to maintain the legal basis register expose themselves to Section 8(7) arguments being unavailable during a Board inquiry.


Run the 40-Point Assessment
With Senior Counsel in the Room

Unified Chambers and Associates advises banks, NBFCs, ARCs, fintechs, and payment system operators on DPDP Act 2023 and DPDP Rules 2025 compliance. Senior Partner response within one business day. Minimum annual retainer: Rs 50 lakhs.


All statutory references verified against the Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) and DPDP Rules, 2025 (G.S.R. 846(E) dated 13 November 2025). Official PDFs hosted at unifiedchambers.com/dpdp-documents.
