India DPDP Act — Data Protection Impact Assessment
Overview
Draft and validate a Data Protection Impact Assessment for Significant Data Fiduciaries under India’s Digital Personal Data Protection Act 2023. Covers processing inventory, consent framework, data principal rights, and cross-border transfers.
Example Conversation
You: We’re a Significant Data Fiduciary under the DPDP Act and need a DPIA. We need to document consent, data principal rights, cross-border transfers, and grievance redressal. Can you draft it and run the checker?
Agent: I’ll draft the DPIA with processing inventory, consent mechanism (clear, specific, informed, withdrawable), data principal rights (access, correction, erasure, grievance redressal, nomination), cross-border transfer assessment, DPO appointment, and grievance redressal mechanism. Then I’ll run dpdp_sdf_compliance_checker.
Agent: Created dpia-india-dpdp.md. Running dpdp_sdf_compliance_checker…
Agent: Check PASS — consent mechanism with statutory requirements is documented, all data principal rights are addressed, cross-border destinations are assessed, DPO is documented, and grievance redressal mechanism is described. If you process children’s data, we can add a section and re-run.
What the Tools Validate
dpdp_sdf_compliance_checker scans the DPIA document for:
- Consent mechanism — Described with DPDP statutory requirements (clear, specific, informed, unconditional, withdrawable).
- Data principal rights — Access, correction, erasure, grievance redressal, nomination must be addressed.
- Cross-border transfers — Destination assessment (restricted/permitted list) must be documented.
- DPO appointment — For Significant Data Fiduciaries, DPO appointment must be documented.
- Grievance redressal — Mechanism for handling complaints must be described.
- Children’s data — If applicable, verifiable parental consent and safeguards must be addressed (note only; not required for PASS).
Output: PASS if the first five are present; otherwise FAIL with a line per missing element. Fix gaps and re-run until the check passes.
Output Excerpt
DPIA (excerpt):
## Consent management
- Consent obtained in clear, specific language; purposes and data categories disclosed at collection.
- Consent is withdrawable via [portal/email]; withdrawal does not affect prior lawful processing.
- Legitimate uses (non-consent bases) documented per processing activity in the inventory.
## Grievance redressal
- Data principals may contact the DPO at [contact]. Complaints acknowledged within 7 days and resolved within 30 days per DPDP rules. Escalation to the Data Protection Board where applicable.
dpdp_sdf_compliance_checker report (excerpt):
=== DPDP SDF COMPLIANCE CHECK ===
Result: PASS
Document: dpia-india-dpdp.md
Consent mechanism is described with statutory requirements...
Data principal rights (access, correction, erasure, grievance redressal, nomination) are addressed.
DPIA meets DPDP SDF compliance expectations.
Getting Started
Add your source materials to the project workspace (e.g. processing inventory or consent flows), then activate the India DPDP Act — Data Protection Impact Assessment skill. The agent will guide you through drafting the DPIA and running dpdp_sdf_compliance_checker until the check passes.