DPDP Act 2023 + DPDP Rules 2025

India's Digital Personal Data Protection Act 2023 with the final DPDP Rules notified 13 November 2025. Phased commencement: Phase I (13 Nov 2025) — Rules 1, 2, 17-21 + Act Sections 1, 2, 18-26 (DPBI operational); Phase II (13 Nov 2026) — Rule 4 (Consent Manager) + Section 6(9), 27(1)(d); Phase III (13 May 2027) — Rules 3, 5-16, 22, 23 + remaining Act sections. Penalties up to ₹250 crore (Section 8(5) safeguards), ₹200 crore (Section 8(6) breach notification and Section 9 children obligations), ₹50 crore (other Section 33 violations). 40 audit-checklist-defensible controls.

Composition

48 controls currently indexed; participates in 39 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• AI data governance — provenance, preparation, external reporting
• AI governance lifecycle — GOVERN function and inventory
• AI incident reporting — serious incidents to authorities
• AI post-deployment monitoring and incident response
• AI system impact assessment (AISIA / FRIA / DPIA convergence)
• Cloud Security Posture Management — continuous configuration assessment
• Cloud cryptographic key management — CMK/BYOK/HYOK
• Cloud data privacy lifecycle — CSA CCM v4 DSP control family
• Consent management — capture, modify, withdraw across jurisdictions
• Consumer / Data Subject / Data Principal rights response SLA
• Cross-jurisdiction breach notification timelines
• Cross-jurisdiction consumer / Data Principal rights — operational fabric
• Cyber security roles, responsibilities, and authority — Board through operational team
• Data Loss Prevention — multi-channel egress protection
• Data classification with protection controls — DLP, masking, retention, secure disposal
• Data localisation — DPDPA SDF traffic data + sectoral requirements
• Data subject / Data Principal rights — operational rights mechanism
• Data-at-rest protection — encryption, access, processor controls
• GDPR Article 33 / 34 breach notification + multi-jurisdiction coordination
• GDPR Article 35 DPIA + cross-jurisdiction high-risk assessment
• GDPR Articles 44-49 international transfers
• GDPR accountability principle — Art 5(2) demonstrate compliance
• GDPR data subject rights — Articles 12-22 operational implementation
• India-specific AI risk classification reflecting societal context
• Multi-regulator incident notification with coordinated submission timelines
• PCI DSS PAN protection — storage minimisation, masking, encryption
• PCI DSS Targeted Risk Analysis (TRA) — flexibility and customised approach
• PCI DSS v4.0.1 customised approach with targeted risk analysis
• PCI DSS v4.0.1 universal MFA expansion to all CDE access
• PII principal rights — comprehensive ISO 27701-anchored programme
• PIMS context — Clauses 4-5 management system context and leadership
• PIMS cross-border PII transfers
• Personal data erasure — trigger-driven with propagation
• Privacy governance — legal, regulatory, contractual, and algorithmic obligations
• Processor (PII Processor) obligations — ISO 27701 controller relationship
• Processor / service provider contract requirements across jurisdictions
• Responsible AI use — operational guardrails
• SDF algorithmic due diligence and traffic-data localisation
• Security reporting governance — CISO, DPO, incident reporting, compliance reporting