Data localisation — DPDPA SDF traffic data + sectoral requirements
Primary statement
Data localisation combines DPDPA Rule 13(4) traffic-data localisation for Significant Data Fiduciaries (SDFs), RBI payment data localisation, CERT-In log retention in India, ISO 27018 PII transfer controls, and the RBI CSF cyber range. Sectoral localisation is layered on top of DPDPA.
Audit-fatigue payoff
A unified localisation programme — DPDPA SDF + RBI payment data + CERT-In logs — satisfies localisation across all 4 contributing frameworks.
Strictness matrix
Scope
Scope: SDF personal data and traffic data localised in India per Rule 13(4), plus RBI payment data per October 2018.
Ceiling source: dpdpa:DPDP.34
Rationale: DPDPA Rule 13(4) traffic-data scope is uniquely strict.
Threshold
Threshold: SDF designation triggers Rule 13(4) localisation. Binary.
Ceiling source: dpdpa:DPDP.34
Rationale: DPDPA SDF-designation threshold is binary.
Method
Method: localisation policy + sectoral overlay (RBI payment) + traffic routing within India + CERT-In log retention + ISO 27018 transfer controls + CSP data residency audit.
Ceiling source: dpdpa:DPDP.34
Rationale: DPDPA + RBI + CERT-In combined are most prescriptive.
Frequency
Enforcement: continuous. CSP residency audit: annual. Policy review: annual.
Ceiling source: dpdpa:DPDP.34
Rationale: Continuous enforcement with annual audit is the cadence.
Evidence
Evidence: localisation policy + CSP residency audit + traffic routing evidence + CERT-In log retention.
Ceiling source: dpdpa:DPDP.34
Rationale: DPDPA Rule 13(4) evidence is comprehensive.
Auditor test pattern
Step 1: For SDF entities, inspect the localisation policy.
Step 2: Verify traffic routing in India.
Step 3: For RBI-regulated entities, verify payment data residency.
Step 4: Verify CERT-In log retention.
Common findings
Common findings: (1) SDF localisation prep not started; (2) Payment data residency unverified; (3) Logs replicated outside India; (4) CSP residency assumed.