Data Privacy & DPDP

Data privacy is a product design constraint before it is a compliance exercise. The choices you make about data flows, consent mechanisms, and storage architecture determine your compliance posture — not the other way around.

We advise technology companies on building privacy-compliant products from the ground up, navigating India's evolving data protection regime alongside cross-border requirements. Our approach is engineering-friendly: data flow mapping, consent architecture, lawful basis analysis, and vendor management frameworks that your development team can actually implement without rearchitecting the product.

What We Do

  • DPDP Act compliance assessment and implementation roadmaps
  • Privacy-by-design reviews integrated into product development cycles
  • Data processing agreements and cross-border transfer mechanisms
  • Consent management architecture and notice drafting
  • Data Protection Impact Assessments (DPIAs)
  • Privacy policy and cookie policy drafting
  • Vendor and sub-processor due diligence frameworks
  • Breach notification protocol design and incident response planning

Regulatory Context

India's data protection framework is anchored by the Digital Personal Data Protection Act 2023 (DPDP Act), supplemented by the IT (Reasonable Security Practices and Procedures) Rules 2011, and sector-specific regulations including RBI data localisation directives and SEBI cybersecurity frameworks. For companies with cross-border operations, EU GDPR compliance remains a parallel requirement. The regulatory landscape is still settling — subordinate rules under the DPDP Act are expected to add further compliance detail. We help clients build frameworks flexible enough to accommodate these developments as they materialise.

Who This Is For

Technology companies processing personal data at scale. Healthtech and edtech platforms handling sensitive categories. Fintech companies with KYC, AML, and data localisation obligations. Cross-border SaaS companies managing multi-jurisdictional compliance. If your product touches personal data — and most technology products do — this is relevant.
