It is June 2026. The Digital Personal Data Protection Rules, 2025 have been on the statute book for seven months (notified by MeitY on 14 November 2025 under s.40 DPDPA), the Data Protection Board of India is operational under Rules 17 to 21, and the substantive compliance backbone (Rules 3, 5 to 16 and 22 to 23) goes live on or around 14 May 2027. That gives an Indian CISO roughly forty-six weeks to convert a draft privacy policy into a defensible compliance posture.
The Indian CISO sitting on a 200 to 5,000 person Data Fiduciary is not short on awareness. The problem is that most readiness conversations are still framed as a checklist (consent banner, breach SOP, DPO appointment) when the DPB will eventually evaluate evidence at the artefact level: Records of Processing Activities, DPIA reports under Rule 13, breach intimation logs under Rule 7, parental verification flows under Rule 10. A checklist passes a tabletop. It fails a Section 28 inquiry.
So the practical question this post answers is direct. What does an honest DPDP readiness gap analysis look like in June 2026, which eight control domains carry the highest weight against the Schedule (Rs 250 crore for s.8(5), Rs 200 crore each for s.8(6) and s.9, Rs 150 crore for s.10), and which of those gaps should the CISO close in the first 90 days before the FY27 budget cycle hardens? The grid below walks the diagnostic, the pass-fail criteria and the sequenced remediation plan you can take to the board this quarter.
What a real DPDP readiness exam looks like
The mistake teams make in month one is treating readiness as a maturity score on a five-point scale. The DPB will not score you. It will request artefacts and read them. A readiness exam therefore has to mirror the regulator's actual evidence demand, not a vendor's heatmap.
Three structural shifts separate a real exam from a comfort exercise. First, the unit of analysis is the personal data processing activity, not the function. A single ERP rollout can contain twelve processing activities, each with its own lawful basis, retention period and cross-border footprint. Second, the assessor must distinguish between sections that bind every Data Fiduciary on day one of enforcement (ss.4 to 8, plus Rule 3 notice and Rule 7 breach mechanics) and obligations that bind only after Central Government notification as a Significant Data Fiduciary under s.10. The seven s.10(1) factors (volume and sensitivity, risk to Data Principal rights, sovereignty and integrity, electoral democracy, security of the State, public order, and the residual factor) decide whether Rule 13's twelve-monthly DPIA plus audit, the India-resident DPO and the algorithmic due-diligence duty apply to you. As Ikigai Law has noted, the Rules still do not spell out a detailed process for SDF designation, so the self-assessment has to be qualitative and documented.
Third, the exam has to weight findings by penalty head. A gap in security safeguards under s.8(5) is not the same as a gap in retention policy under s.8(7); the Schedule caps the first at Rs 250 crore and the second falls under the catch-all at Rs 50 crore. A readiness scorecard that does not assign rupee-weighted severity to each domain produces a deck the audit committee cannot act on.
For our retainer engagements at DPDP Act 2023 compliance consulting, we run the exam in three weeks: data-flow inventory in week one, eight-domain scoring against DPDPA sections and Rule articles in week two, board-grade gap report with a 90-day plan in week three.
Control domain 1: lawful basis and notice architecture (s.4, s.5, s.6, Rule 3)
The first domain is the one most teams assume is solved by a privacy policy update. It is not. S.4 permits processing only for a lawful purpose with consent (s.6) or under a s.7 legitimate use. S.5 read with Rule 3 requires an itemised notice in clear and plain language listing the personal data collected, the purpose, the mechanism for exercising rights, the consent-withdrawal route, and the channel for lodging a complaint with the Board.
Pass criteria for a clean audit:
- The Record of Processing Activities lists every processing activity with its lawful basis (s.6 consent or specific s.7 legitimate use). Bundled or omnibus consent fails s.6's "specific" and "unambiguous" requirements.
- Notice is delivered before or at the point of data collection, is independent of any other document (Rule 3 requires it to be understandable on its own), and is available in English plus the regional languages of the Data Principal base.
- Consent capture is logged with timestamp, version, and the exact text shown. Withdrawal is operationally as simple as grant, with the consequence of withdrawal disclosed up front.
- The grievance redressal channel under s.13 is published with a named contact, response SLA, and an escalation path to the Board.
Fail signals: a single global cookie banner doing the work of a Rule 3 notice; consent text last reviewed in 2024; no version control on the notice; legitimate-use processing not separately enumerated; and a privacy email that bounces. Around 40 percent of the gap reports we have produced in the last three quarters flag at least three of these.
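The consent-capture pass criterion above (timestamp, notice version and the exact text shown, with withdrawal as simple as grant) reduced to code. This is an added example, not the post's or Certbar's own tooling: an in-memory ledger over constructed events, where `ConsentLedger`, `text_fingerprint` and `demo` are names chosen here.

```python
"""Append-only consent ledger: every grant or withdrawal carries the capture time,
the Rule 3 notice version and a SHA-256 of the exact text shown. Added example on
constructed data; names here are assumptions, not the post's own tooling."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib

def text_fingerprint(notice_text: str) -> str:
    """Hash of the exact wording displayed, stored so it can be proven later."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # one specific purpose per event (s.6: no bundled consent)
    action: str           # "grant" or "withdraw"
    at: datetime          # timezone-aware capture time
    notice_version: str   # version of the Rule 3 notice displayed
    text_sha256: str      # fingerprint of the exact text displayed

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record(self, principal_id, purpose, action, at, notice_version, notice_text):
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        if at.tzinfo is None:
            raise ValueError("capture time must be timezone-aware")
        self.events.append(ConsentEvent(principal_id, purpose, action, at,
                                        notice_version, text_fingerprint(notice_text)))

    def consent_live(self, principal_id, purpose, when) -> bool:
        """True if the latest event for (principal, purpose) at or before `when` is a grant."""
        history = sorted((e for e in self.events if e.principal_id == principal_id
                          and e.purpose == purpose and e.at <= when), key=lambda e: e.at)
        return bool(history) and history[-1].action == "grant"

def demo() -> dict:
    # Constructed sample: a grant, a withdrawal ten days later, and lookups around them.
    ledger = ConsentLedger()
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record("dp-001", "marketing", "grant", t0, "notice-v3.1",
                  "We will use your email address to send you offers.")
    ledger.record("dp-001", "marketing", "withdraw", t0 + timedelta(days=10), "notice-v3.1",
                  "You have withdrawn consent; offers stop within 24 hours.")
    return {
        "live_day_5": ledger.consent_live("dp-001", "marketing", t0 + timedelta(days=5)),
        "live_day_11": ledger.consent_live("dp-001", "marketing", t0 + timedelta(days=11)),
        "analytics_never_granted": ledger.consent_live("dp-001", "analytics", t0),
    }
```

Because the ledger stores the fingerprint of the text actually displayed, a notice revised in 2026 cannot retroactively stand in for what a Data Principal saw in 2024.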
Control domain 2: breach detection and Rule 7 notification readiness (s.8(5), s.8(6), Rule 7)
Domain two carries the largest single rupee exposure. S.8(5) anchors the Rs 250 crore ceiling for failure of reasonable security safeguards and s.8(6) anchors the Rs 200 crore ceiling for failure to intimate the Board and Data Principals. Rule 7 prescribes the two-track notification: each affected Data Principal "without delay" with the description, consequences, mitigation, safety steps and contact; and the Board "without delay" followed by a detailed report within 72 hours.
Pass criteria:
- A documented incident response runbook with named owners, mapped to the Rule 7 two-track notification and stacked on the parallel six-hour CERT-In Direction (April 2022) where personal data is involved.
- Detection telemetry covers authentication, application, network egress, cloud control-plane and database audit layers, retained for at least 180 days inside Indian jurisdiction.
- Pre-approved Data Principal notice template and DPB intimation template, version-controlled, with standing General Counsel sign-off so the 72-hour clock is not eaten by legal review.
- Tabletop exercise conducted in the last twelve months with the CISO, DPO, General Counsel, Communications and CEO at the table.
Fail signal: the IR plan still references the old CERT-In-only workflow with no Rule 7 layer. This is the most common gap we close inside the first 30 days of an engagement, often paired with a fresh round of VAPT services to evidence the s.8(5) "reasonable" standard.
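The two-track Rule 7 clock and the parallel six-hour CERT-In window above, encoded so the incident lead reads status off a board rather than a calendar. This is an added example, not the post's or Certbar's own runbook tooling; the six-hour internal target applied to the "without delay" tracks is an assumption (the Rules fix no period for them), and the incident times are constructed.

```python
"""Rule 7 / CERT-In notification clock for a breach runbook. Added example, not the
post's or Certbar's tooling. Deadlines named in the text: CERT-In within six hours of
noticing, the DPB detailed report within 72 hours. The two "without delay" tracks
have no fixed period in the Rules; as a labelled assumption they are tracked against
the same six-hour internal target here."""
from datetime import datetime, timedelta, timezone

# Offsets from the moment the fiduciary noticed the breach.
DEADLINES = {
    "cert_in_initial": timedelta(hours=6),        # CERT-In Direction, April 2022
    "dpb_initial": timedelta(hours=6),            # Rule 7 "without delay": assumed internal target
    "data_principal_notice": timedelta(hours=6),  # Rule 7 "without delay": assumed internal target
    "dpb_detailed_report": timedelta(hours=72),   # Rule 7 detailed report to the Board
}

def deadlines(noticed_at: datetime) -> dict:
    """Absolute due time per track; refuses naive datetimes so the 72-hour clock is unambiguous."""
    if noticed_at.tzinfo is None:
        raise ValueError("noticed_at must be timezone-aware")
    return {track: noticed_at + offset for track, offset in DEADLINES.items()}

def clock_status(noticed_at: datetime, sent: dict, now: datetime) -> dict:
    """Classify each track as 'sent', 'sent_late', 'pending' or 'overdue' as of `now`.
    `sent` maps track name -> timezone-aware datetime the notification went out."""
    status = {}
    for track, due in deadlines(noticed_at).items():
        sent_at = sent.get(track)
        if sent_at is not None:
            status[track] = "sent" if sent_at <= due else "sent_late"
        else:
            status[track] = "overdue" if now > due else "pending"
    return status

def hours_remaining(noticed_at: datetime, track: str, now: datetime) -> float:
    """Hours left on a track (negative once it has lapsed); what the IR lead reads aloud."""
    return (deadlines(noticed_at)[track] - now).total_seconds() / 3600

def demo() -> dict:
    """Constructed incident: noticed 02:00 IST; CERT-In filed in time, DPB initial filed late,
    and the status board read at T+30h before the detailed report is due."""
    ist = timezone(timedelta(hours=5, minutes=30))
    noticed = datetime(2026, 6, 12, 2, 0, tzinfo=ist)
    sent = {"cert_in_initial": noticed + timedelta(hours=4),
            "dpb_initial": noticed + timedelta(hours=9)}
    now = noticed + timedelta(hours=30)
    return {"status": clock_status(noticed, sent, now),
            "report_hours_left": hours_remaining(noticed, "dpb_detailed_report", now)}
```

The `sent_late` state is the one to watch in tabletop exercises: a notification that did go out but after the window is still a s.8(6) finding, and the clock function records it as such rather than collapsing it into "done".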
Control domain 3: data subject rights operationalisation (ss.11 to 14)
Domain three is the one that hits Data Principal contact volume on day one of enforcement. Ss.11 to 14 give the Data Principal a right to summary of processing, identity of fiduciaries and processors with whom data is shared (s.11), correction, completion, updating and erasure (s.12), grievance redressal (s.13), and nomination (s.14).
Pass criteria: a published, multilingual rights request portal with a verified identity step; a documented SLA (we use 30 days as the working benchmark in the absence of a statutory SLA in the final Rules); a downstream propagation workflow that pushes correction and erasure to all data processors and integrated systems; and a retention register that maps every data element to a legal basis for continued storage under s.8(7).
Fail signal: erasure handled by an email inbox that nobody owns, no propagation to processors, no audit trail of fulfilment. The s.14 nomination right is the one most rights portals forget to surface; build it into the form schema from day one.
Control domain 4: SDF self-assessment and s.10 obligations (s.10, Rule 13)
The Central Government has not, as of June 2026, issued any SDF designation notification. That is not a reason to defer. The s.10(1) factors are visible in the statute and the operational lift under Rule 13 is so heavy that pretending you are not in the candidate set is the riskier move.
The factor assessment a CISO should run:
| s.10(1) factor | Indicators that move you into the SDF candidate set |
|---|---|
| Volume and sensitivity of personal data | More than 50 lakh active Data Principal records, or processing of financial, biometric or health data at scale |
| Risk to Data Principal rights | Behavioural profiling, automated decisioning on credit or employment, large-scale recommender systems |
| Sovereignty and integrity of India | Mapping, defence-adjacent SaaS, critical-infrastructure hosting |
| Risk to electoral democracy | Social platforms, political ad-tech, large publisher networks |
| Security of the State | Cloud providers hosting CII workloads, identity systems |
| Public order | Platforms with mass-mobilisation capability |
| Residual ("any other factor") | Sectoral notifications already aligned to DPDP (RBI, SEBI, IRDAI, NHA) |
If two or more factors are present, the prudent posture is to build to Rule 13(1) (twelve-monthly DPIA and audit), Rule 13(2) (Board reporting of significant findings), Rule 13(3) (algorithmic due diligence) and Rule 13(4) (localisation hook on specified categories) regardless of whether designation has formally arrived. The cost of pre-building is materially lower than the cost of a 12-month sprint after designation.
Control domain 5: children's data and verifiable parental consent (s.9, Rule 10)
S.9 bans tracking, behavioural monitoring and targeted advertising directed at children, plus any processing "likely to cause any detrimental effect on the well-being of a child." Rule 10 requires verifiable parental consent through identity and age information voluntarily provided by the parent or a DigiLocker-issued virtual token. PRS Legislative Research has flagged the undefined "detrimental effect" standard as a drafting gap.
Pass criteria: an age-gating workflow at signup; a verifiable parental consent mechanism integrated with a recognised identity rail; a separate processing register for under-18 users; and a sign-off that advertising and recommender systems exclude under-18 cohorts. Any sectoral overlay you rely on (for example healthcare or educational technology workflows) needs its own documented evidence trail rather than an unwritten assumption.
Fail signal: any platform with consumer reach and no age gate. The penalty ceiling here is Rs 200 crore. The exam needs a clear yes or no.
Control domain 6: cross-border transfer and vendor governance (s.16, Rule 14, Rule 15)
S.16 operates a negative-list model and as of June 2026 no country has been notified. That is not a free pass. SFLC has noted that Rule 14 adds a further obligation: any transfer outside India is subject to requirements the Central Government may specify on making personal data available to foreign States or persons under their control. Sectoral overlays survive: RBI's 2018 payment-data localisation circular continues to bind regulated entities, and the proviso to s.16 preserves stricter regimes.
Pass criteria: a complete vendor and sub-processor register with the country of processing for each Data Principal element; contractual flow-down of DPDPA Data Processor duties into every processor and sub-processor contract; transfer-impact notes for every non-India processor; and a re-architecture readiness plan for the localisation categories the Central Government may notify under Rule 13(4). Pair the vendor exam with regular penetration testing services against the third-party integrations that carry the highest volume of personal data.
Control domain 7: retention, minimisation and erasure (s.8(7), Rule 8)
S.8(7) requires erasure once the purpose is fulfilled unless retention is required by law. Rule 8 prescribes retention triggers and Data Principal notification before deletion in specified cases.
Pass criteria: a retention schedule mapped to each processing activity with the legal basis for the retention period; an automated deletion workflow that fires on the schedule (not a manual quarterly job); and Data Principal notification before deletion where Rule 8 requires it. Fail signal: a retention policy that says "as long as required" with no system-level enforcement. Data minimisation should also be evidenced: the s.8(3) accuracy, completeness and consistency obligation cannot be met against a database that nobody has pruned in five years.
Control domain 8: governance, DPO and the 90-day plan to 14 May 2027
The last domain is the one that decides whether the other seven close. S.10(2)(a) requires SDFs to appoint an India-based DPO responsible to the Board of Directors. Non-SDFs must designate a "person to answer questions" under s.8(9), commonly the Data Privacy Contact. Governance is what converts the gap report into a delivered roadmap.
A board-defensible 90-day plan looks like this:
- Days 1 to 15. Stand up the steering committee (CEO, CISO, DPO or Data Privacy Contact, General Counsel, CFO). Commission the eight-domain gap analysis. Confirm SDF self-assessment posture.
- Days 16 to 45. Close domain 2 (breach detection plus Rule 7 templates), domain 1 (notice and consent capture), and domain 3 (rights request portal). These are the three domains that bind every Data Fiduciary and carry the largest combined rupee exposure under the Schedule.
- Days 46 to 75. Close domain 4 (build to Rule 13 even pre-designation), domain 6 (vendor and cross-border register), domain 7 (retention automation). Run the first DPIA on the highest-risk processing activity to set the methodology.
- Days 76 to 90. Close domain 5 (children's data) where applicable, complete domain 8 (governance forum cadence, DPO mandate letter, escalation matrix). Schedule the first independent audit for Q4 FY27 so the artefact is ready before 14 May 2027.
The plan we take to client boards lands the FY27 spend in the Rs 2.5 to 5 crore range for non-SDFs and Rs 6 to 10 crore for SDF candidates, with the breakdown weighted to domains 2, 4 and 6. The number the CFO actually wants is the gap-weighted rupee exposure, mapped to the Schedule heads, with the s.33(2) mitigation factors (nature and gravity, type of data, repetition, gain or loss avoided, mitigation, proportionality, and impact on the person) built in. The number the CISO wants is the artefact list the DPB would request on day one. Both come out of the same gap analysis.
Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.
