---

name: dpdp-compliance description: | DPDP Act 2023 Compliance Automation - India Digital Personal Data Protection Act compliance.

TRIGGERS: "DPDP", "India data protection", "consent management", "data privacy compliance", "PII scan", "DSAR implementation", "data retention policy", "breach notification"

USE WHEN: Users need to make applications compliant with India's DPDP Act 2023, scan codebases for personal data and compliance gaps, implement grounds for processing (Section 4), notice requirements (Section 5), consent management (Section 6), certain legitimate uses (Section 7), data security and encryption (Section 8), retention policies, data subject rights (Sections 11-14), right to nominate (Section 14), duties of data principal (Section 15), or cross-border transfer safeguards (Section 16).

TASK CATEGORIES:

• 🔴 DPDP MANDATORY: Cannot skip - required for legal compliance
• 🟡 OPTIONAL: User can skip - enhancements beyond legal requirements

license: Apache-2.0 compatibility: claude-code, claude-ai, cowork, codex-cli, cursor, github-copilot, windsurf metadata: version: 1.0.0 author: DPDP Compliance Team short-description: Automate DPDP Act 2023 compliance for Indian applications tags: - compliance - dpdp - india - data-protection - privacy - consent-management - gdpr allowed-tools: Read, Write, Bash, Grep, Glob

DPDP Compliance Automation Skill

Overview

End-to-end automation for India's Digital Personal Data Protection (DPDP) Act 2023 compliance.

Workflow:

1. Scan - Identify personal data and compliance gaps
2. Analyze - Prioritize gaps against DPDP requirements
3. Plan - Generate tech-stack-specific implementation plans
4. Implement - Execute tasks (user selects scope)
5. Verify - Ensure compliance without breaking functionality

Compliance Deadline: May 13, 2027

Task Categorization

🔴 DPDP MANDATORY (Cannot Skip)

| Category | Tasks | DPDP Section | |----------|-------|--------------| | Grounds | Processing justification, Purpose limitation | Section 4 | | Notice | Data principal notification, Purpose disclosure | Section 5 | | Consent | Database schema, Consent API, Validation middleware | Section 6 | | Legitimate | Employment, Medical, State functions processing | Section 7 | | Security | Fix SQL injection, Implement encryption | Section 8 | | Retention | Data deletion automation, 48-hour notification | Section 8 | | Breach | Breach notification system (72 hours) | Section 8 | | Audit | Immutable audit logging | Section 8 | | DSAR | Data export, Data deletion, Correction workflow | Sections 11-14 | | Nominate | Right to nominate mechanism, Nominee management | Section 14 | | Duties | Data principal obligations implementation | Section 15 | | Cross-Border | Transfer inventory, TIA, SCC, Technical controls | Section 16 | | Children | Age verification, Parental consent (if applicable) | Section 9 | | DPO/SDF | SDF assessment, DPO appointment, Annual DPIA, Board reports | Sections 10-11 | | Grievance | Grievance portal, 90-day SLA tracking | Section 13 |

Platform Support: Web apps, Mobile apps (iOS/Android/React Native), APIs

🟡 OPTIONAL Enhancement Tasks (User Can Skip)

| Category | Tasks | |----------|-------| | UI/UX | Consent UI components, User dashboard | | Logging | PII redaction in logs (best practice) | | Documentation | Third-party inventory, DPA templates |

The agent will ALWAYS complete DPDP-required tasks before presenting optional tasks.

When to Use

Trigger on:

• "Make my application DPDP compliant"
• "Scan my code for GDPR/DPDP issues"
• "Help me implement consent management"
• "Implement right to erasure / data subject access requests"
• Any mention of: DPDP, data privacy, consent management, PII, compliance

Workflow

Phase 1: Discovery & Scanning (15-30 mins)

Step 1: Understand the Application

Ask the user:

I'll help make your application DPDP compliant. First:

1. What type of application? (web app, mobile app, API)
2. Tech stack?
   - Backend: Python/Django, Node/Express, Java/Spring, etc.
   - Frontend: React, Vue, Angular, etc.
   - Database: PostgreSQL, MySQL, MongoDB, etc.
3. What personal data do you collect?
4. Primary purpose of data processing?
5. Codebase location? (path to scan)

Step 2: Run Codebase Scan

python scripts/scan_codebase.py /path/to/codebase scan_results.json

Detects:

• Personal data fields (identifiers, financial, sensitive)
• Existing consent mechanisms
• Security vulnerabilities (SQL injection, encryption gaps)
• PII in logging statements
• Third-party integrations requiring DPAs

Phase 2: Gap Analysis (10-15 mins)

Step 3: Analyze Compliance Gaps

python scripts/gap_analysis.py scan_results.json gap_analysis_report.json

Covers all 15 DPDP requirement areas:

1. Grounds for Processing (Section 4)
2. Notice Requirements (Section 5)
3. Consent Management (Section 6)
4. Certain Legitimate Uses (Section 7)
5. Data Security (Section 8)
6. Data Retention (Section 8)
7. Breach Notification (Section 8)
8. Children's Data Protection (Section 9)
9. Data Subject Rights (Sections 11-14)
10. Cross-Border Transfer (Section 16)
11. Audit Trail & Logging (Section 8)
12. Data Processing Records/ROPA (Section 8)
13. Third-Party Management (Section 8)
14. Right to Nominate (Section 14)
15. Duties of Data Principal (Section 15)

Step 4: Review with User

📊 Gap Analysis Results:

Overall Compliance Score: 45%

Critical Gaps (Must Fix Immediately):
1. [Security] No encryption for sensitive PII (Priority: 100)
2. [Consent] Missing consent management system (Priority: 95)

High Priority Gaps (0-3 months):
3. [DSAR] No data export/deletion system (Priority: 85)

Total Gaps: 15
Estimated Timeline: 6-12 months

Would you like to:
1. See the full gap analysis report
2. Generate an implementation plan
3. Focus on specific areas first

Phase 3: Implementation Planning (15-30 mins)

Step 5: Generate Implementation Plan

python scripts/generate_implementation_plan.py gap_analysis_report.json implementation_plan.json

Plan includes for each task:

• Task ID, title, description
• Priority and effort estimate
• Dependencies
• Code snippets (adapted to tech stack)
• Testing requirements
• Rollback plan
• DPDP section reference

Step 6: Review Plan with User

📋 Implementation Plan Generated

Total Tasks: 25
DPDP Required Tasks: 18 | Optional Tasks: 7

════════════════════════════════════════════════════════════════
🔴 DPDP MANDATORY (Cannot Skip - Required for Legal Compliance)
════════════════════════════════════════════════════════════════

Phase 1 - Critical Security (Immediate):
  ✓ TASK-001: Fix SQL injection vulnerabilities (12h) [Section 8]
  ✓ TASK-002: Implement field-level encryption (24h) [Section 8]

Phase 2 - Core Compliance (0-3 months):
  ✓ TASK-003: Create consent database schema (8h) [Section 6]
  ✓ TASK-004: Implement consent API (16h) [Section 6]
  ✓ TASK-005: Consent validation middleware (8h) [Section 6]
  ✓ TASK-006: Implement DSAR system (32h) [Sections 11-14]
  ✓ TASK-007: Data retention automation (20h) [Section 8]
  ✓ TASK-008: Breach notification system (16h) [Section 8]
  ✓ TASK-009: Audit logging system (20h) [Section 8]

Total DPDP Required: 156 hours

════════════════════════════════════════════════════════════════
🟡 OPTIONAL ENHANCEMENTS (User Can Skip)
════════════════════════════════════════════════════════════════

  ? TASK-010: Build consent UI dashboard (12h) [Skip/Include]
  ? TASK-011: PII redaction in logs (8h) [Skip/Include]

Total Optional: 40 hours

Proceed with:
1. All DPDP required tasks only (156 hours) ← Recommended
2. All tasks including optional (196 hours)
3. Select specific optional tasks to include

Phase 4: Implementation (Variable)

Step 7: Execute Implementation

For each task:

1. Prepare: Read task details
2. Check dependencies: Ensure dependent tasks completed
3. Implement: Create/modify files using provided code snippets
4. Test: Execute testing requirements
5. Document: Update implementation log
6. Review: Show user what was done

Critical: Preserve Existing Functionality

Before modifying any file:

1. Git commit or create backup
2. Read and understand existing code
3. Run existing tests first
4. Make minimal changes
5. Test again to ensure nothing broke
6. Document rollback plan

User Interaction:

🔧 Implementing TASK-005: Fix SQL injection vulnerabilities

Found 3 vulnerable queries in:
- api/users.py:45
- api/orders.py:78

Fixing api/users.py...
  ✓ Replaced string concatenation with parameterized query
  ✓ Existing tests still pass

Summary:
✓ 3 vulnerabilities fixed
✓ All existing tests pass
📄 Rollback: git revert abc123

Ready to continue? (yes/review/stop)

Phase 5: Verification (30-60 mins)

Step 8: Verify Implementation

python scripts/verify_implementation.py /path/to/codebase implementation_plan.json verification_report.json

Verifies:

• Compliance requirements met
• Security posture improved
• Existing tests pass
• No breaking changes

Step 9: Review Results

✅ Verification Complete!

Overall Status: PASSED WITH WARNINGS
Compliance Score: 95%

✓ Compliance Checks: 15/15 passed
✓ Security Checks: 7/8 passed
⚠ Functionality Checks: 4/5 passed

Action Items:
1. Update 2 tests for consent validation
2. Add PII filtering to logs (optional)

Step 10: Generate Documentation

📄 Generating compliance documentation...

Created:
- compliance_report.pdf
- ropa.md (Record of Processing Activities)
- privacy_policy_template.md
- audit_checklist.md

Tools Reference

1. Codebase Scanner (scan_codebase.py)

python scripts/scan_codebase.py <codebase_path> [output_file]

Detects PII fields, security vulnerabilities, consent mechanisms, third-party integrations.

2. Gap Analyzer (gap_analysis.py)

python scripts/gap_analysis.py <scan_results.json> [gap_report.json]

Analyzes 10 DPDP requirement areas, outputs gap analysis with roadmap.

3. Implementation Plan Generator (generate_implementation_plan.py)

python scripts/generate_implementation_plan.py <gap_report.json> [plan.json]

Generates task breakdown with code snippets adapted to detected tech stack.

4. Implementation Verifier (verify_implementation.py)

python scripts/verify_implementation.py <codebase_path> <plan.json> [verification_report.json]

Verifies compliance, security, and existing functionality.

Important Considerations

Risk Mitigation

• Run existing tests before and after changes
• Create git commits before modifications
• Use feature flags for gradual rollout
• Maintain backward compatibility
• Test on staging first

Task Selection

Non-selectable (critical):

• Security vulnerability fixes
• Core database schema
• Consent management core
• Data retention automation

User-selectable:

• UI enhancements
• Documentation
• Non-critical integrations

Compliance is Ongoing

Implementation is just the start:

• Regular audits needed
• Policy updates required
• Monitoring continuous
• Documentation maintained

Reference Documents

See references/ folder for:

• DPDP_REQUIREMENTS.md: Complete DPDP Act 2023 requirements
• patterns.md: Implementation code patterns
• troubleshooting.md: Common issues and solutions

Resources

• DPDP Act: https://www.meity.gov.in/dpdp-act
• DPDP Rules 2025: https://www.meity.gov.in/dpdp-rules
• Data Protection Board: https://www.dpb.gov.in