India Data Protection Act · DPDPA 2023

Saints & Masters helps organisations meet every DPDPA obligation — and use the process to build lasting data trust.

The organisations that treat DPDPA only as a compliance exercise will miss what it actually creates — a moment to demonstrate to customers, partners, and regulators that they handle personal data with genuine care.

Get this right and compliance becomes competitive advantage: customers who share more because they trust you, partners who choose you because your data practices are evidenced, and a regulatory relationship built on accountability rather than damage control.

Customer trust
Customers share more when they believe their data is safe. Consent that is genuinely informed, withdrawal that is genuinely easy, and rights requests that are actually fulfilled — these are the signals customers read.

Partner confidence
Partners increasingly require evidenced data practices before entering data-sharing arrangements. A DPB-ready evidence pack is not just a regulatory document — it is a commercial credential.

Regulatory standing
The organisations the DPB investigates will not just be those that violated the Act. They will be those that could not demonstrate they took it seriously. Demonstrated accountability is a defence in itself.

Nov 2025
Data Protection Board — operational

Nov 2026
Consent Manager registration opens

13 May 2027
All obligations in force — no further phase-in

What the Act requires

Six obligations. All of them binding.

The DPDPA establishes binding obligations for every organisation that collects, processes, or stores personal data of Indian residents — regardless of sector or size.

Most organisations have read the Act. The challenge is translating obligations into operational reality: discovering where personal data actually lives, hardening the systems that hold it, deploying consent mechanisms that genuinely work, and maintaining compliance as the organisation and the regulatory environment evolve.

Compliance that holds up to scrutiny requires sustained effort — not a project that ends when a consultant hands over a report.

01
Personal data inventory
Know exactly where personal data lives — databases, SaaS, shadow IT, third parties
02
Security safeguards
Ten mandatory technical controls — encryption, access, monitoring, key management, VAPT
03
Consent architecture
Specific, freely given, in 22 scheduled languages, withdrawal as easy as giving
04
Data Principal rights
Respond to access, correction, and erasure requests within 90 days, consistently
05
Breach response
Notify Data Principals and the DPB simultaneously, with a detailed report within 72 hours
06
SDF obligations
Annual DPIA, independent audit, India-resident DPO, algorithmic accountability

Our services

A complete suite — assessment through governance.

Every dimension of DPDPA compliance, from the initial data discovery most organisations have never done, to the managed governance capability that keeps compliance live year-on-year.

01
Personal Data Discovery & Classification
  • Structured and unstructured data scanning
  • Shadow IT and dark data audit
  • Data flow mapping & processor inventory
  • Records of Processing Activities (RoPA)
  • Legal basis mapping per processing activity
02
Security Safeguards Implementation
  • Encryption and key management architecture
  • MFA across all privileged access
  • Database activity monitoring
  • Vulnerability assessment and remediation
  • Processor contract security clauses
03
Breach Response Infrastructure
  • Automated breach detection and classification
  • Data Principal notification workflow
  • DPB first intimation & 72-hour report
  • CERT-In parallel reporting integration
  • Annual simulation exercise
04
Consent Management & Rights Infrastructure
  • Consent platform — 22 scheduled languages
  • Immutable consent artifact generation
  • Rights portal with multi-factor authentication
  • Withdrawal cascade to all downstream systems
  • DigiLocker parental consent
05
Governance, Risk & Regulatory Advisory
  • Risk register with regulatory exposure mapping
  • Board-level risk briefing and roadmap
  • DPB-ready evidence pack
  • Data Protection Impact Assessment (DPIA)
  • DPO-as-a-Service for Significant Data Fiduciaries
06
Retention, Deletion & Third-Party Governance
  • Retention policy configuration — all data types
  • Automated deletion workflows with certificates
  • DPA execution with all third-party processors
  • Cross-border transfer assessment
  • RoPA v2 with DPO sign-off

Ongoing compliance

Compliance is not a project. It is a capability.

Organisations that treat DPDPA as a one-time project will find themselves non-compliant within eighteen months. New systems will be deployed. New guidance will be issued. Data incidents will occur.

Our managed services practice operates as an embedded compliance function — monitoring your data estate continuously, managing the operational demands of the Act, and keeping your evidence of compliance current.

For most organisations, a qualified third party running compliance operations is the right model — not an internal team stretched across data engineering, security monitoring, legal interpretation, and regulatory affairs simultaneously.

  • Continuous data estate monitoring
    Weekly scans, automated new-store alerts, new systems onboarded within 10 working days
  • DSR queue management — 90-day SLA
    We operate the queue, triage requests, coordinate responses, maintain the audit trail
  • Security operations & breach readiness
    Monthly monitoring reports, quarterly policy reviews, annual end-to-end breach simulation
  • Annual DPIA & independent audit coordination
    Full DPIA cycle managed end-to-end, including algorithmic assessment for AI systems
  • Quarterly Board reporting
    Compliance score, open risks, DSR performance, regulatory developments — every quarter
  • DPO-as-a-Service
    Named India-resident DPO, published contact details, DPB correspondence records maintained

Our approach

Four phases. Structured delivery.

Every engagement runs these phases in sequence. Managed services continues as Phase 4 — the default end-state, not an optional add-on.

1
Phase One
Discover
  • Complete IT system inventory
  • Database & unstructured data scan
  • Shadow IT & third-party audit
  • Consent landscape mapping
  • RoPA v1 with DPO acknowledgement
2
Phase Two
Assess
  • 10-control security gap scorecard
  • Consent and rights gap analysis
  • Regulatory exposure quantification
  • Board-level risk briefing
  • Remediation roadmap
3
Phase Three
Implement
  • All security controls deployed
  • 72-hour breach pipeline certified
  • Consent platform & rights portal live
  • DPAs executed, RoPA v2 signed
  • DPB-ready evidence pack
4
Phase Four — Ongoing
Govern
  • Continuous data monitoring
  • DSR queue — 90-day SLA
  • Monthly compliance reports
  • Quarterly Board briefings
  • Annual DPIA cycle
  • Annual breach simulation
  • DPO function where required

Technology stack

Enterprise platforms. Chosen for the requirement.

We use a combination of enterprise technologies, selected based on what each organisation already has and what the requirement demands. Not every client needs every tool. We advise on the right configuration for each environment.

Database Security · GRC · SIEM
Guardium DAP
Real-time database activity monitoring, encryption, dynamic data masking
QRadar SIEM & SOAR
Threat detection, breach automation, CERT-In reporting
OpenPages GRC
Risk register, DPIA workflow, retention management
IBM Verify
Enterprise IAM, privileged access management

Identity · Endpoint · Data Security
Purview
Data classification, DLP, retention policies across M365 environments
Sentinel
SIEM, SOC monitoring, Logic Apps breach automation
Defender
Endpoint protection, EDR, email security
Entra ID
RBAC, conditional access, MFA, privileged identity management

India-specific
Indian PII Classification Pack
BFSI Adapter — Finacle & FLEXCUBE
DigiLocker Wrapper
Data Principal Rights Portal
72-hr Breach Hub Playbook
22-Language Consent SDK

Our team

One pod. Every specialist. Every phase.

Each engagement is delivered by a dedicated specialist pod. Not a project manager coordinating generalists — five people with deep expertise in their domain, working together from discovery through governance.

Engagement Manager
Programme delivery · Board briefing · evidence pack
DPDPA Consultant
Legal interpretation · consent design · DPIA lead
Database Security Engineer
Database monitoring · encryption · breach pipeline
Tech Lead
Architecture · consent platform · rights portal · QA
DPO Lead
DPO function · DPB correspondence · DPIA sign-off

Implementation, not advisory.

We do not produce a gap report and hand you to vendors. Our team deploys the security controls, configures the consent platform, certifies the breach pipeline, and delivers the evidence pack. One engagement. One accountable partner.

Built for every Data Fiduciary.

The DPDPA applies to every organisation processing personal data of Indian residents — financial services, healthcare, e-commerce, technology, manufacturing, and the public sector. Our framework adapts to the specific data landscape and existing technology investments of each client.

DPB-ready from day one.

Every document we produce is structured for regulatory scrutiny. The evidence pack at the end of each engagement is versioned, signed, and self-evidencing. If the DPB investigates, you are prepared to respond.

Self-assessment

Check your DPDPA readiness.

Answer 10 questions. Get an instant readiness score with a breakdown of your highest-risk areas. No sign-up required.

Looking for a quick DPDPA review?

Take our free self-assessment to check your readiness in under 5 minutes — or speak directly with our experts for a deeper conversation about your compliance posture.