
The 18-Month Countdown: Your DPDP Compliance Checklist for AI Products


The grace period is ending. Is your AI stack ready to "forget" what it learned?

If you are building AI in India, you have likely treated data like fuel: the more, the better. You scraped it, cleaned it, and fed it into your models to maximize accuracy.

But under the Digital Personal Data Protection (DPDP) Act 2023 (and the notified 2025 Rules), that fuel has become toxic.

The government has signaled an 18-month implementation window for businesses to align their architecture with the new law. For a standard e-commerce app, this is a database migration. For an AI product, it is an existential engineering crisis.

Why? Because of Machine Unlearning.

This guide provides a brutal, line-by-line DPDP compliance checklist for 2025 to determine whether your AI product is legal, or whether you are building a liability engine.

Phase 1: The Identity Crisis (Are You a Significant Data Fiduciary?)

The first step is knowing your label. The Act distinguishes between a standard "Data Fiduciary" and a "Significant Data Fiduciary" (SDF).

If you fall into the SDF bucket, your compliance burden triples. The Central Government notifies SDFs based on factors such as the volume and sensitivity of the personal data you process, the risk to Data Principals' rights, and the potential impact on sovereignty, electoral democracy, security of the State, and public order. If you are notified as an SDF, three new obligations kick in.

SDF Obligations Checklist:

  • Appoint a Data Protection Officer (DPO): Must be based in India and report directly to the Board.
  • Appoint an Independent Data Auditor: To conduct periodic audits of your data practices.
  • Conduct Data Protection Impact Assessments (DPIA): Before deploying any new model update.

Phase 2: The "Machine Unlearning" Audit

The Law: Section 12 grants users the Right to Erasure. If a user withdraws consent, you must delete their data.

The Problem: You can delete a user's row from PostgreSQL, but if your LLM was trained on that user's chat history, the data is "remembered" in the model's weights.

If you cannot prove you have removed the user's influence from the model, you are non-compliant.

The Engineering Checklist:

  • Data Lineage Mapping: Can you trace exactly which training datasets (and which specific rows) went into Model_v2.1?
  • Model Retraining Protocols: Do you have the budget to retrain your model from scratch every time a batch of users withdraws consent?
    Alternative: Have you implemented SISA (Sharded, Isolated, Sliced, Aggregated) training so that only the affected shards need retraining? (See the sketch after this list.)
  • Unlearning Algorithms: Are you experimenting with "approximate unlearning" techniques to scrub weights without full retraining?
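
If full retraining is not realistic, the SISA idea can be prototyped with ordinary tooling: keep each user's rows in exactly one shard, train one sub-model per shard, and aggregate predictions by voting, so a withdrawal only forces a retrain of the affected shard. A minimal sketch, assuming a pandas DataFrame with a user_id column and a scikit-learn classifier standing in for your real model:

    # Minimal SISA-style sketch: shard by user, train one sub-model per shard,
    # and retrain only the shard that held a withdrawing user's rows.
    # The user_id column, feature columns, and LogisticRegression are illustrative.
    from dataclasses import dataclass, field
    import pandas as pd
    from sklearn.linear_model import LogisticRegression

    @dataclass
    class SisaEnsemble:
        n_shards: int
        shards: dict = field(default_factory=dict)   # shard_id -> training rows
        models: dict = field(default_factory=dict)   # shard_id -> fitted sub-model

        def fit(self, df: pd.DataFrame, feature_cols: list, label_col: str):
            self.feature_cols, self.label_col = feature_cols, label_col
            # Deterministic sharding keeps all of a user's rows in one shard,
            # so a single withdrawal touches exactly one sub-model.
            for shard_id in range(self.n_shards):
                self.shards[shard_id] = df[df["user_id"] % self.n_shards == shard_id]
                self._train_shard(shard_id)

        def _train_shard(self, shard_id: int):
            shard = self.shards[shard_id]
            model = LogisticRegression(max_iter=1000)
            model.fit(shard[self.feature_cols], shard[self.label_col])
            self.models[shard_id] = model

        def forget_user(self, user_id: int):
            # "Unlearning" here = drop the user's rows, then retrain only that shard.
            shard_id = user_id % self.n_shards
            shard = self.shards[shard_id]
            self.shards[shard_id] = shard[shard["user_id"] != user_id]
            self._train_shard(shard_id)

        def predict(self, X: pd.DataFrame):
            # Aggregate sub-model predictions by majority vote.
            votes = pd.DataFrame({sid: m.predict(X) for sid, m in self.models.items()})
            return votes.mode(axis=1)[0]

This is not a silver bullet for large language models, but it demonstrates the property an auditor is likely to ask about: a bounded, auditable retraining cost per erasure request.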

Phase 3: The Consent Architecture (UX Redesign)

The days of "By using this bot, you agree to everything" are over. Consent must be "Free, Specific, Informed, Unconditional, and Unambiguous."

The Product Checklist:

  • Granular Consent: Does your UI separate consent for "Service Delivery" (answering the query) from consent for "Model Training" (improving the AI)? Users must be able to say YES to the chatbot but NO to training; a data-model sketch follows this list.
  • The "Consent Manager" Integration: Is your stack ready to integrate with government-registered Consent Managers (the interoperable platforms where users manage permissions)?
  • Withdrawal Mechanism: Is the "Withdraw Consent" button as easy to find as the "Sign Up" button? (The law mandates it must be).
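
Granular consent is ultimately a data-model problem: you need purpose-level grants with timestamps, plus a hard gate in the training pipeline that checks them before any row is queued. A minimal sketch, with the purpose names, field names, and in-memory store invented for illustration:

    # Sketch of purpose-level consent records and a training-pipeline gate.
    # Purpose names, field names, and the in-memory store are illustrative only.
    from dataclasses import dataclass
    from datetime import datetime, timezone
    from enum import Enum

    class Purpose(str, Enum):
        SERVICE_DELIVERY = "service_delivery"   # answering the user's query
        MODEL_TRAINING = "model_training"       # using the data to improve the AI

    @dataclass
    class ConsentRecord:
        user_id: str
        purpose: Purpose
        granted: bool
        updated_at: datetime

    class ConsentStore:
        """Latest consent state per (user, purpose); a real system would persist this."""

        def __init__(self):
            self._records: dict = {}

        def record(self, user_id: str, purpose: Purpose, granted: bool):
            self._records[(user_id, purpose)] = ConsentRecord(
                user_id, purpose, granted, datetime.now(timezone.utc)
            )

        def allows(self, user_id: str, purpose: Purpose) -> bool:
            rec = self._records.get((user_id, purpose))
            return bool(rec and rec.granted)

    def queue_for_training(store: ConsentStore, user_id: str, chat_turn: str, queue: list):
        # Gate: only queue data for training if that specific purpose is granted.
        if store.allows(user_id, Purpose.MODEL_TRAINING):
            queue.append({"user_id": user_id, "text": chat_turn})

    # Usage: a user can say YES to the chatbot but NO to training.
    store = ConsentStore()
    store.record("u42", Purpose.SERVICE_DELIVERY, granted=True)
    store.record("u42", Purpose.MODEL_TRAINING, granted=False)

    training_queue: list = []
    queue_for_training(store, "u42", "My PAN is ...", training_queue)
    assert training_queue == []   # nothing is queued without training consent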

Phase 4: Data Residency & The "Black Box"

While the 2023 Act softened the strict "Data Localization" stance of earlier drafts, the government retains the right to restrict transfers to certain "blacklisted" geographies.

The Infrastructure Checklist:

  • Cross-Border Mapping: If you call OpenAI (US-hosted) or Anthropic, are you sending PII (Personally Identifiable Information) across borders?
    Action: Implement PII redaction / masking before the prompt leaves Indian servers (a sketch follows this list).
  • Vendor Risk Assessment: If a downstream processor, say a model API or a vector database hosted in Europe, suffers a breach, you remain liable as the Data Fiduciary. Do your contracts reflect this?
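
For the redaction step, one workable pattern is to run an open-source PII analyzer over every prompt before it is handed to a foreign-hosted model. The sketch below uses Microsoft's Presidio (listed in the references below); the entity list and wrapper function are illustrative, and exact detections depend on Presidio's recognizers:

    # Redact PII from a prompt before it leaves Indian infrastructure.
    # Requires: pip install presidio-analyzer presidio-anonymizer (plus a spaCy model).
    from presidio_analyzer import AnalyzerEngine
    from presidio_anonymizer import AnonymizerEngine

    analyzer = AnalyzerEngine()
    anonymizer = AnonymizerEngine()

    def redact(prompt: str) -> str:
        # Detect PII spans (names, phone numbers, emails) in the outgoing prompt.
        findings = analyzer.analyze(
            text=prompt,
            entities=["PERSON", "PHONE_NUMBER", "EMAIL_ADDRESS"],
            language="en",
        )
        # Replace each detected span with a placeholder such as <PERSON>
        # before the prompt crosses the border to the model provider.
        return anonymizer.anonymize(text=prompt, analyzer_results=findings).text

    safe_prompt = redact("I am Priya Sharma, reach me at priya@example.com about my order.")
    # safe_prompt is roughly: "I am <PERSON>, reach me at <EMAIL_ADDRESS> about my order."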

Frequently Asked Questions (FAQ)

1. What happens if I can't "unlearn" data from my model?

This is the gray area of 2026. If exact unlearning is technically impossible, you may be forced to stop using that model entirely. Legal experts advise documenting your "best effort" technical measures (like RAG-based architectures where data is retrieved, not baked in) to argue compliance.
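
The RAG argument is easiest to see in code: if user data lives only in a retrieval index rather than in the model weights, honoring an erasure request is a delete, not a retraining job. A toy sketch, with an in-memory store standing in for a real vector database:

    # Toy illustration of the RAG argument: user data sits in a retrieval store,
    # not in model weights, so Section 12 erasure becomes a deletion query.
    from collections import defaultdict

    class RetrievalStore:
        def __init__(self):
            # user_id -> documents; a real system would use a vector database
            # with per-user metadata filters instead of an in-memory dict.
            self._docs = defaultdict(list)

        def add(self, user_id: str, doc: str):
            self._docs[user_id].append(doc)

        def search(self, query: str) -> list:
            # Naive keyword match standing in for embedding similarity search.
            return [d for docs in self._docs.values() for d in docs
                    if query.lower() in d.lower()]

        def erase_user(self, user_id: str) -> int:
            # Erasure request: remove every document tied to this user.
            return len(self._docs.pop(user_id, []))

    store = RetrievalStore()
    store.add("u7", "u7's delivery address is 221B Baker Street, Mumbai")
    store.add("u9", "u9 prefers email support")

    store.erase_user("u7")
    assert store.search("Baker Street") == []   # the model can no longer retrieve it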

2. Does the DPDP Act apply to OpenAI/Google or to Me?

It applies to you (the Data Fiduciary). If you build an app on top of GPT-4, you determine the purpose of processing. You cannot blame OpenAI if your app mishandles Indian user data. You are the face of the liability.

3. Can I just anonymize the data to avoid the Act?

Yes, but the bar for "anonymization" is impossibly high in the AI era. If your AI can "re-identify" a user by correlating multiple data points (even without a name), the data is still considered "Personal Data." Simple masking is rarely enough.

4. What is the penalty for a data breach involving AI?

The Act prescribes penalties up to ₹250 Crore for failure to take reasonable security safeguards. For a startup, this effectively means bankruptcy. The penalty is per instance, meaning a sustained leak could theoretically trigger multiple fines.

Beyond Data Privacy

Compliance is a three-legged stool, and data privacy is only one leg. Don't neglect the other two.

Sources & References

  • Google's Machine Unlearning Challenge: technical resources on the feasibility of removing a user's influence from trained models (the "Right to Erasure" applied to LLMs and the related model-inversion risk).
  • Compliance Tools:
    • Consent Managers: technical standards to be published by the Data Protection Board (upcoming).
    • PII Masking: tools such as Private AI or Microsoft's Presidio for redacting data before inference.