Data Privacy & DPDP Act Compliance

Lynx Legal Partners LLP is a dedicated data privacy and protection law practice based in Mumbai — advising businesses across India and globally on navigating India’s rapidly evolving digital data governance framework. We are legal strategists, advisors, and counsel for organisations that process personal data of Indian citizens — whether they are incorporated in India or operate from anywhere in the world.

India’s data protection landscape has entered its most consequential phase. The Digital Personal Data Protection Act, 2023 (DPDP Act) — India’s first comprehensive, standalone data protection legislation — was operationalised on 13 November 2025 when MeitY notified the Digital Personal Data Protection Rules, 2025 (DPDP Rules). The Data Protection Board of India is now operational. The 18-month phased compliance countdown has commenced, with full substantive obligations becoming enforceable by 13 May 2027. Penalties for non-compliance can reach up to ₹250 crore.

The window to prepare is real — but it is not unlimited. Organisations that begin their compliance journey now will build privacy architectures that are robust, defensible, and commercially advantageous. Those that wait will face compressed timelines, elevated risk, and enforcement exposure. We are equipped to guide clients through every dimension of this framework — from initial data mapping to full operational compliance — with the statutory precision and commercial pragmatism that the DPDP Act demands.


WHO WE SERVE

We serve every organisation that processes the digital personal data of individuals in India:

  • Indian Companies, Startups & Digital Platforms
  • Multinational Corporations with Indian Operations or Indian Users
  • E-Commerce, Fintech, Edtech, Healthtech & SaaS Businesses
  • Social Media Intermediaries & Online Gaming Platforms
  • Banks, NBFCs & Financial Institutions
  • Hospitals, Health Networks & Healthcare Data Processors
  • Foreign Companies Offering Goods or Services to Individuals in India


OUR SERVICES


1. DPDP ACT COMPLIANCE PROGRAMME & GAP ASSESSMENT

The DPDP Act and Rules introduce a fundamentally new data governance paradigm for India. The first obligation for every organisation is to understand where it stands — what data it holds, how it processes it, and what the gap is between current practices and full statutory compliance. We design and execute structured compliance programmes tailored to our clients’ industry, data footprint, and organisational complexity.

Data Mapping & Personal Data Inventory — Identifying and documenting all categories of personal data collected, processed, stored, shared, and deleted across the organisation — the foundational step upon which every subsequent compliance measure is built

DPDP Act Gap Assessment — Conducting a comprehensive legal gap analysis between current data practices and DPDP Act and Rules requirements — covering notice obligations, consent mechanisms, data processor contracts, breach response protocols, retention policies, and Data Principal rights management

Phased Compliance Roadmap — Designing a structured, priority-sequenced compliance roadmap aligned to the three-phase DPDP rollout — Phase I (November 2025): Data Protection Board operational; Phase II (November 2026): Consent Manager framework; Phase III (May 2027): Full substantive compliance — ensuring clients are prepared ahead of each statutory deadline

Data Protection Governance Framework — Building the internal governance infrastructure required for sustained DPDP compliance — including roles and responsibilities, privacy steering committees, Data Protection Officer (DPO) advisory, escalation protocols, and board-level privacy accountability

Privacy-by-Design Advisory — Advising product, technology, and business teams on embedding privacy-by-design principles into new products, features, and data processing workflows from inception — the most effective and cost-efficient approach to long-term DPDP compliance

DPDP Compliance for Specific Sectors — Sector-specific compliance advisory for fintech (payments data localisation obligations continue), healthtech (sensitive personal data considerations), edtech (children’s data), e-commerce (3-year retention limit for large platforms), and gaming (5 million user threshold obligations)


2. CONSENT FRAMEWORKS, NOTICES & DATA PRINCIPAL RIGHTS

The DPDP Act is built on a consent-first foundation. Consent must be free, specific, informed, unconditional, and based on clear affirmative action. Notices must be provided in plain, itemised language — more prescriptive than even the EU GDPR’s requirements. Data Principals have enforceable rights of access, correction, erasure, and grievance redressal. We design legally compliant, commercially operable consent and notice frameworks that work in the real world.

Privacy Notice Drafting — Drafting DPDP-compliant privacy notices containing itemised descriptions of personal data processed, specified purpose of processing, goods or services offered, withdrawal mechanisms, and grievance redressal details — in clear, plain language as mandated by the Rules

Consent Management Architecture — Designing consent collection, logging, management, and withdrawal systems compliant with the DPDP Act’s requirements — including advising on whether to integrate with registered Consent Managers once the Phase II framework activates in November 2026

Consent Manager Advisory — Advising organisations on the Consent Manager construct — unique to the DPDP Act and unlike anything in the GDPR or CCPA — including the 7-year consent record retention obligation, technical integration requirements, and the governance and conflict-of-interest constraints that Consent Managers must satisfy

Deemed Consent & Legitimate Use Advisory — Advising on the permitted bases for processing without explicit consent under the DPDP Act, including voluntarily provided data, state benefits processing, medical emergencies, legal compliance, and employment-related processing — mapping these to specific business use cases

Data Principal Rights Framework — Building accessible, documented mechanisms for Data Principals to exercise their rights of access, correction, erasure, and nomination — including grievance redressal systems, response timelines, and escalation pathways to the Data Protection Board of India

Cookie Policy & Website Compliance — Reviewing and updating website cookie policies, consent banners, and digital collection mechanisms to align with DPDP Act notice and consent requirements — ensuring consent is obtained before any personal data is collected through digital channels


3. SIGNIFICANT DATA FIDUCIARY (SDF) COMPLIANCE

The Significant Data Fiduciary designation — applied by the Central Government based on volume of data processed, sensitivity of data, risk to Data Principals, national security considerations, and potential impact on sovereignty — triggers a substantially heightened compliance burden. Platforms likely to be designated as SDFs include major e-commerce platforms, social media intermediaries, fintech companies, and large-scale data aggregators. The SDF list has not yet been formally notified — but preparation must begin now, well in advance of the expected post-May 2027 designations.

SDF Designation Risk Assessment — Evaluating whether an organisation is likely to be designated as a Significant Data Fiduciary based on the volume, sensitivity, and risk profile of its data processing activities — and building a compliance posture in advance of formal notification

Data Protection Officer (DPO) Appointment & Advisory — Advising on the appointment of a DPO based in India as required for SDFs — including DPO role definition, reporting structure, independence requirements, and the interface between the DPO, the organisation’s legal team, and the Data Protection Board of India

Annual Data Protection Impact Assessment (DPIA) — Designing and managing the annual DPIA process required for SDFs — assessing the impact of data processing activities on Data Principal rights, identifying risks, and preparing the independent report to be submitted to the Data Protection Board

Independent Data Protection Audit — Managing the annual independent data protection audit obligation for SDFs — including audit scope, engagement of independent auditors, review of audit findings, and regulatory reporting

Algorithmic Risk Assessment — Advising SDFs on the obligation to conduct due diligence on technical and algorithmic systems — including AI tools, recommendation engines, and profiling mechanisms — to ensure they do not pose risks to Data Principals’ rights

Large-Scale Fiduciary Data Retention Compliance — Advising e-commerce platforms (20 million+ users), social media intermediaries (20 million+ users), and online gaming platforms (5 million+ users) on mandatory personal data erasure within 3 years of last user interaction — including the 48-hour erasure notice obligation and traffic data retention for a minimum 1-year period


4. DATA BREACH RESPONSE & CERT-In COMPLIANCE

India’s data breach response obligations now operate under two overlapping frameworks — the DPDP Act’s requirement to notify the Data Protection Board and affected Data Principals without delay, and the mandatory 6-hour reporting obligation for cybersecurity incidents under the CERT-In Directions notified in April 2022. All personal data breaches must be reported, regardless of whether any damage has occurred. An incident response plan that is legally sound, operationally tested, and regulator-ready is no longer optional. We build and stress-test these frameworks for our clients.

Personal Data Breach Response Framework — Designing a legally compliant, operationally executable incident response framework covering detection, containment, internal escalation, regulatory notification, and Data Principal communication — aligned with the DPDP Act’s requirement for immediate notification without delay

Breach Notification Drafting — Drafting legally precise breach notifications to the Data Protection Board of India and affected Data Principals — covering the nature and extent of the breach, timing and location, consequences, and mitigating measures taken

CERT-In 6-Hour Reporting Compliance — Advising on and managing compliance with CERT-In Directions 2022 — including the mandatory 6-hour reporting window for cybersecurity incidents, log retention obligations (180 days), synchronisation of system clocks to IST, and mandatory engagement with CERT-In for forensic investigations

Data Processor Contract Obligations — Advising on the mandatory contractual obligations between Data Fiduciaries and Data Processors — including breach notification obligations, security standards, and compliance verification — and, because the DPDP framework provides no standard contractual clauses (unlike the GDPR’s SCCs), undertaking the bespoke drafting needed to align processor contracts with Rule 6 obligations

Incident Response Tabletop Exercises — Conducting simulated data breach exercises for legal, IT, communications, and leadership teams — stress-testing the organisation’s response protocols before a real incident occurs, identifying gaps, and ensuring all stakeholders know their obligations and timelines

Post-Breach Regulatory Defence — Representing organisations before the Data Protection Board of India in breach investigations, show-cause proceedings, and penalty hearings — with strategy focused on demonstrating reasonable security safeguards, good-faith notification, and mitigating measures to reduce financial exposure


5. CHILDREN’S DATA & VULNERABLE DATA PRINCIPALS

The DPDP Act introduces some of its most stringent obligations in the context of children’s data — defined as individuals under 18 years of age. Processing a child’s personal data without verifiable parental or guardian consent is prohibited. Processing that is likely to cause detrimental effects on a child’s wellbeing is absolutely prohibited. For platforms serving children — edtech, gaming, social media, streaming — compliance is not merely a legal obligation but a reputational imperative.

Children’s Data Compliance Framework — Designing platform-specific compliance frameworks for organisations whose users include children — covering verifiable parental consent mechanisms, age-verification systems, content restrictions, and the prohibition on processing likely to cause detrimental effects

Verifiable Parental Consent Systems — Advising on and designing legally compliant systems for obtaining verifiable parental consent before processing a child’s personal data — a technically and operationally complex obligation unique to the DPDP Act

Exemptions for Children’s Data — Advising on the Schedule IV exemptions from certain children’s data obligations — including for health and education services and for processing by state entities — and designing compliance programmes that correctly apply available exemptions without overextending their scope

Persons with Disabilities — Lawful Guardian Consent — Advising on the obligation to obtain verifiable consent from a lawful guardian before processing the personal data of a person with a disability who has such a guardian — under Rule 11 of the DPDP Rules

Edtech & Gaming Platform Compliance — Sector-specific advisory for edtech platforms and online gaming intermediaries — two sectors at the intersection of children’s data, the 5 million / 20 million user thresholds, SDF designation risk, and 3-year mandatory erasure obligations — requiring a carefully integrated compliance approach


6. CROSS-BORDER DATA TRANSFERS & GDPR ALIGNMENT

The DPDP Act adopts a “negative list” or blacklist approach to cross-border data transfers — fundamentally different from the GDPR’s adequacy framework. Personal data may be freely transferred to any country or territory outside India, unless the Central Government specifically restricts transfers to that jurisdiction by notification. No countries have been blacklisted yet. However, SDF-specific data localisation obligations may be imposed for notified categories of personal data — and existing sectoral localisation requirements (such as RBI’s payments data localisation mandate) continue to apply independently of the DPDP Act.

Cross-Border Transfer Risk Assessment — Assessing the current cross-border data transfer flows of an organisation — identifying transfers that may be affected by future blacklist notifications, SDF-specific localisation obligations, or existing sectoral requirements — and designing transfer frameworks that are compliant across all applicable regimes

Data Processor Agreements for Cross-Border Processing — Drafting and negotiating contracts with offshore Data Processors — including mandatory DPDP compliance obligations, breach notification terms, security standards, and audit rights — noting that India provides no standard contractual clause templates, requiring bespoke drafting unlike the GDPR’s SCC framework

GDPR & DPDP Dual Compliance Advisory — Advising multinational corporations on the intersection and divergences between India’s DPDP Act and the EU GDPR — noting key differences in consent standards, cross-border transfer mechanisms (blacklist vs. adequacy), data portability (not yet available under DPDP), exemptions for publicly available data, and the absence of GDPR-equivalent categories of sensitive personal data

RBI Payments Data Localisation Compliance — Advising fintech companies and payment system operators on continued compliance with RBI’s payments data localisation requirements — which operate independently of the DPDP Act and require all data related to payment systems to be stored exclusively within India

Global Privacy Programme Extension to India — Advising GDPR-ready multinationals on extending their existing privacy architecture to cover Indian operations — identifying gaps, recalibrating consent flows, and implementing India-specific notice, retention, and breach response obligations within the existing group compliance framework

Adequacy & Future Transfer Framework Monitoring — Monitoring developments on potential DPDP-specific adequacy determinations, bilateral data flow agreements, and evolution of the Central Government’s blacklist — and advising clients proactively as the cross-border transfer landscape develops through 2027 and beyond


7. IT ACT COMPLIANCE, INTERMEDIARY LIABILITY & DATA PROTECTION BOARD REPRESENTATION

India’s data and privacy governance is not a single-statute regime. Until the DPDP Act’s substantive provisions fully activate in May 2027, the Information Technology Act, 2000 and the IT (SPDI) Rules, 2011 continue to govern the privacy landscape. Intermediary liability, platform content obligations, CERT-In directions, and sectoral regulations each create additional layers of compliance obligation. We advise clients across this full multi-statutory landscape — and represent them before the Data Protection Board when compliance issues arise.

IT Act & SPDI Rules Transitional Compliance — Advising organisations on continued compliance with Section 43A of the IT Act and the IT (Reasonable Security Practices and SPDI) Rules, 2011 during the transitional period until DPDP substantive provisions fully replace this regime in May 2027 — noting that both regimes are simultaneously in force during the phased rollout

Intermediary Liability & IT Rules 2021 Compliance — Advising digital platforms, social media intermediaries, and online content hosts on their obligations under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — including due diligence obligations, grievance officer appointment, takedown timelines, and the interface with DPDP Act data principal rights

Data Protection Board — Complaint & Investigation Defence — Representing organisations before the Data Protection Board of India in complaints filed by Data Principals, Board-initiated investigations, and show-cause proceedings — with strategy focused on demonstrating substantive compliance, good-faith efforts, and proportionate remediation

Penalty Mitigation & Regulatory Response — Advising on the DPDP Act’s penalty framework — which ranges from ₹50 crore (for non-fulfilment of Data Principal rights) to ₹250 crore (for failure to prevent a data breach) — and building the legal and factual record needed to demonstrate mitigating factors and minimise financial exposure

Data Protection Retainer Services — Providing ongoing data privacy counsel on a retainer basis — covering regulatory updates, policy reviews, new product compliance checks, contract reviews, breach response support, and representation — ensuring organisations have dedicated legal expertise as India’s data protection regime continues to evolve through its phased implementation and beyond

Copyright© 2026 Lynx Legal Partners LLP