Free reference · DPDP Act 2023

DPDPA Policy → Obligation Map

Every privacy policy in your stack should map to a specific obligation under India’s Digital Personal Data Protection Act. That mapping is what makes a policy defensible — when the Board asks “show me your rule for this,” you can point to a policy, an owner, and the duty it satisfies. Use this map to build and audit your policy stack.

Privacy Policy (apex)
Accountability — you must be able to demonstrate compliance
Consent & Notice
Valid consent; itemised notice
Data Principal Rights
Access, correction, erasure & grievance redressal
Retention & Erasure
Storage limitation; erase when the purpose is served
Breach / Incident
Notify the Data Protection Board & affected individuals within 72 hours
Access Control
Reasonable security safeguards
Vendor / DPA
A processor may be engaged only under a valid contract
DPIA
Data Protection Impact Assessment (a Significant Data Fiduciary duty)
Children's Data
Verifiable parental consent; no tracking or harmful processing
Cross-Border Transfer
Transfer allowed except to countries the Government restricts

The linked modules are part of the Certified DPDPA Professional program and open to enrolled learners. Not enrolled yet? See the program or talk to us.

How to use this map

Building a policy stack

For every policy you write, record the DPDPA obligation it satisfies. If a policy has no obligation, ask why it exists.

Auditing an existing one

Run down the list. Any obligation with no policy behind it is a gap — and a gap is where penalties start.

Training a team

Click through to the module that teaches each obligation. It turns a static policy list into a learning path.

Don’t just map DPDPA — learn to build it

The Certified DPDPA Professional program is 100% practical: you build a real RoPA, DPIA, breach runbook, policy map and audit — with a portfolio to prove it.