DPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalisedDPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalised
[01]Resource library

Playbooks, checklists, templates.

Everything we wish existed when we first read the DPDP Act. Open, free, updated whenever the regulator moves. Built for product, legal and engineering teams who would rather ship than schedule another offsite.

Playbooks
6
Articles
40+
Templates
120+
Last update
This week
[02]Playbooks

72-hour breach response playbook

A minute-by-minute runbook from first signal to Data Protection Board filing. Includes templated DPB notice, draft Data Principal disclosures, evidence preservation checklist and a post-incident review template.

Request access
  • Hour 0–4: containment & evidence
  • Hour 4–24: scope & classification
  • Hour 24–48: notifications
  • Hour 48–72: filings & post-mortem

Significant Data Fiduciary readiness checklist

37 controls mapped to §10 of the Act and the DPDP Rules. Covers DPO appointment, DPIA cadence, data audit, algorithmic accountability and grievance officer SLAs.

Request access
  • DPO charter template
  • DPIA workbook
  • Annual audit plan
  • Grievance escalation matrix

Notice template library — 22 languages

Legally reviewed itemised notices in English, Hindi, Tamil, Bengali, Telugu, Marathi, Kannada, Malayalam, Gujarati, Punjabi and 12 more. Updated whenever the Act, Rules or Board guidance change.

Request access
  • Account signup notice
  • Marketing consent notice
  • Cookie / web notice
  • Children's data parental consent

Vendor DPA & sub-processor library

A growing public registry of DPDP-aligned data processing agreements with the 40 most-used vendors in Indian SaaS and D2C stacks — Razorpay, Shopify, CleverTap, WebEngage, Segment, Mixpanel and more.

Request access
  • Pre-signed DPA shells
  • Sub-processor residency matrix
  • Cross-border transfer clauses
  • Audit rights riders

Data Principal Request operations guide

How to set up an intake form, identity-verify the requester, scope across systems, redact, package and ship — and what to do when a request collides with statutory retention.

Request access
  • Intake form spec
  • Identity-verification flows
  • Cross-system data map
  • Statutory retention conflict guide

Children's data: a §9 implementation guide

What 'verifiable parental consent' actually means, how to age-assure without creating new privacy harms, and how to gate analytics and recommendation engines for under-18 users.

Request access
  • Age-assurance approaches compared
  • Parental verification UX
  • Analytics gating patterns
  • §9-safe personalisation
[03]Reading

Selected writing.

  • What changed when the DPDP Rules were notified
    Regulatory analysis
    5 min read
    Read
  • Consent vs legitimate use: a working interpretation
    Legal opinion
    8 min read
    Read
  • Why your cookie banner is probably illegal
    Engineering
    6 min read
    Read
  • The economics of a ₹250 Cr penalty
    Board memo
    4 min read
    Read
  • Designing a multilingual notice that users actually read
    Design
    7 min read
    Read
  • DPDP for engineering managers: a one-page primer
    Engineering
    3 min read
    Read

Want these playbooks in your inbox?

One short email every fortnight: regulator moves, new templates, customer playbooks. No fluff, no upsell. Unsubscribe is one click.